Friday, 6 March 2015

Cirque du Cash


Back when I was a little boy, my uncle took me to see the circus. I remember the experience as one of my more fascinating childhood memories: the huge circus tent at the banks of Tel Aviv’s Yarkon river, one of my uncle’s employees winning a pressure cooker pot at the fair where one was expected to spend money before the show, and then the show itself. It was called Circus Mederano and it was wow!
Recently, at another continent on a different world, we took our son to see the circus for the very first time. I looked forward to the experience myself, given I’ve only been to the circus once before. Our circus of choice was Cirque du Soleil, whose Totem show is currently visiting Melbourne. And yes, I was hoping to be able to give my son that same awesome experience I once had.
Then it kicked in. The cynicism, I mean. First, there is the unavoidable matter of ticket prices, which border and eclipse the 3 digit realm depending on one’s choice of seat. Then there is the website that forces users to book their seats and enter their credit card details over a Flash built website from 2012 – hackers must love the circus! There really was no ticket ordering choice but online; luckily for us, I noticed the iPad version of the site, shaped by Steve Jobs' lack of affection towards Flash, lacks seat selection facilities but also lacks the shit security hazard known as Flash, too. So we booked over the iPad.
Long story short: The show was good. It was very well organised, it had all the impressive things one expects to see at a top notch circus, and it had all the money grabbing one expects there too (e.g., $20 for the right to park on the nearby grass). My son? He was excited throughout and so thoroughly enjoyed the affair that immediately upon it finishing he asked (demanded?) we go again next year. If you are considering the experience, I would recommend investing in the more expensive seats as the show does tend to orient itself toward those in the front part of the circle (yes, geometry freaks, in French Canada circles do have a front side).

Did I enjoy the show? No, I didn't. And the fact I didn't troubles me.
I did not enjoy the show because I often see much more interesting things on TV. I watch movies that offer much more elaborate action. I read books that are far more imaginative. I play computer games where I, not some person I have never seen before and will never see again, perform stunts that far eclipse what any earthly circus can perform.
I have been to many different places. I have sampled many different foods. I worked at all sorts of different organisations doing all sorts of different things. At work, I deal with different people from different cultures on an hourly basis. I have even migrated from one country to another myself, with all the cultural shock and adaptation that comes with that.
In other words, I have, in my life time, accumulated a vast number of experiences. These have conspired against me to turn me into some sort of a cynic: it really takes a lot, nowadays, in order to impress me. The competition is fierce, and frankly, a circus does not stand a chance.
Between you and me, I couldn't care less about circuses. I do care, however, when my levels of cynicism rise to degrees that render experiences I do hold dear - such as travel - ineffective. I will admit: when I consider visiting a city I haven't been to before, I am starting to think along the lines of "what can that city offer me that I haven't experienced before". I know there is more to any city than meets the eye, but I also know that I have been to some of this world's most glamorous cities - I live in one of this world's most glamorous cities - and that topping those experiences is a tough act to follow.
It occurs to me that in order to break through this thick layer of cynicism I am required to venture to places I have never been to before. That probably means that, when choosing a holiday destination, I should probably avoid anything Western and instead go for the extraordinary: your India. Your Japan. Your China. Anything else would be just more of the same.


Image by TBWABusted, Creative Commons (CC BY 2.0) licence

Wednesday, 4 March 2015

No Excuses

There are two core reasons why people do not use encryption to make sure their online interactions with friends and colleagues remain private:
  1. They are oblivious to the fact their conversations are being tapped, or otherwise oblivious to the issues with having their conversations tapped, and
  2. Using encryption is a pain in the ass.
Well, as it happens, as of today neither of these reasons need apply. There simply are no excuses for not encrypting your conversations.

Let's start with reason #1. Edward Snowden has already informed us of our friends at the NSA listening in to everything we do online; just the other week we learned the NSA has broken into the vast majority of this world's mobile phones (imagine how many years in jail you would get for committing the same crime). Even if you sincerely do believe the folks at the NSA are your friends, then surely you would have a problem or two with their just as capable counterparts from China or Russia. Face it, you're never alone anymore.
Then there is the mandatory data retention that the Liberal government is about to impose on Australia and Labor will help them do so because Labor are such wimps and because Labor is not much better than the Liberals in the first place. Any criminal with half a brain would be able to avoid having their data retained, but you - do you really want the whole of your life to be available to any clerk? Any policeman wishing to check on their ex? Or any hacker managing to put their hands on the data, simply because it's there to be picked and it's looked after by the lowest bidder?
Or do you seriously trust the likes of these two cronies being interrogated by Green Senator Ludlam here to look after you and your retained data?
No, you probably don't. I can't blame you; even our own Communications Minister and wannabe Prime Minister Malcolm Turnbull doesn't. That's why he's using Wickr, a Snapchat like service that seems to actually provide the security that Snapchat was alleged to provide until it turned out to be a complete fraud. Well, if encryption is good enough for the guy in charge of Australian communications, it should be good enough for you.

The question is not whether to use encryption or not, but rather how. And as of today we have an answer.
It comes down to this: if you're an iPhone user, install an app called Signal; if you're an Android user, go for the equivalent app called TextSecure. What Signal and TextSecure do is provide end to end encryption for all your communications with other users of these apps; Signal can also encrypt calls, a service that in Android is handled by another app called RedPhone.
Messaging encryption apps have existed for a while now; Telegram offers a fine example that I still favour. Where Signal/TextSecure rise a level above the rest is:
  1. Signal/TextSecure's use of top notch encryption, including forward secrecy. Whereas Telegram uses the same encryption key throughout the life of a secure chat, Signal negotiates a new key for each session. If our NSA friends put their hands on such a key they would find its use rather limited.
  2. Signal/TextSecure use encryption constantly and by default.
  3. Signal/TextSecure can be used by the dumbest of users. Unlike email PGP encryption, for example, the user is not required to know anything special or do anything special.
  4. Signal/TextSecure are open source. We do not need to trust a vendor like Wickr to tell us that we can trust them and that their service is robust; affairs are open for public scrutiny.
  5. Signal and TextSecure are totally free to install and use.
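To make the forward secrecy point in item 1 concrete, here is an added example of mine, not Open Whisper Systems' code and not Signal's actual protocol (which also ratchets with Diffie-Hellman): a toy hash ratchet beside a static-key chat, showing what an attacker who steals the sender's current key material can and cannot read. The class names, the XOR stream cipher and the sample messages are illustrative assumptions.

```python
import hashlib
import hmac
import os


def kdf(key: bytes, label: bytes) -> bytes:
    # One-way step: HMAC-SHA256 cannot be run backwards to recover `key`.
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    # Toy stream cipher for illustration only (no authentication): XOR the
    # data with an HMAC keystream bound to the message counter. The same
    # call decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = kdf(key, b"ks" + counter.to_bytes(4, "big") + offset.to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class StaticKeyChat:
    """Model of the 'one key for the life of the chat' design."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def send(self, msg: bytes) -> tuple:
        n, self.counter = self.counter, self.counter + 1
        return n, xor_crypt(self.key, n, msg)


class RatchetChat:
    """Model of a hash ratchet: a fresh key per message, derived from a chain
    key that is then advanced and the old value discarded."""

    def __init__(self, root_key: bytes) -> None:
        self.chain_key = root_key
        self.counter = 0

    def send(self, msg: bytes) -> tuple:
        n, self.counter = self.counter, self.counter + 1
        message_key = kdf(self.chain_key, b"message")
        self.chain_key = kdf(self.chain_key, b"chain")  # old chain key is gone
        return n, xor_crypt(message_key, n, msg)


def keys_derivable_from(chain_key: bytes, step: int, count: int) -> dict:
    # Everything an attacker holding the chain key at `step` can compute:
    # message keys for `step` onward. Earlier keys would need kdf inverted.
    keys, ck = {}, chain_key
    for n in range(step, step + count):
        keys[n] = kdf(ck, b"message")
        ck = kdf(ck, b"chain")
    return keys


def recover(ciphertexts: list, known_keys: dict) -> list:
    # What the attacker reads: plaintext where a key is known, else None.
    return [xor_crypt(known_keys[n], n, ct) if n in known_keys else None
            for n, ct in ciphertexts]


def demo(messages: list, compromise_after: int) -> dict:
    # Both chats send the same (constructed) messages; the attacker records
    # every ciphertext and steals the sender's current key material once
    # `compromise_after` messages have gone out.
    static = StaticKeyChat(os.urandom(32))
    ratchet = RatchetChat(os.urandom(32))
    static_cts, ratchet_cts, stolen_chain = [], [], None
    for i, m in enumerate(messages):
        if i == compromise_after:
            stolen_chain = (ratchet.chain_key, ratchet.counter)
        static_cts.append(static.send(m))
        ratchet_cts.append(ratchet.send(m))
    if stolen_chain is None:  # compromise happened after the last message
        stolen_chain = (ratchet.chain_key, ratchet.counter)
    static_read = recover(static_cts, {n: static.key for n, _ in static_cts})
    forward_keys = keys_derivable_from(stolen_chain[0], stolen_chain[1], len(messages))
    ratchet_read = recover(ratchet_cts, forward_keys)
    # Sanity check: no forward-derived key opens a message sent before the theft.
    earlier_opened = any(
        xor_crypt(k, n, ct) == messages[n]
        for n, ct in ratchet_cts if n < stolen_chain[1]
        for k in forward_keys.values()
    )
    return {"static_read": static_read, "ratchet_read": ratchet_read,
            "earlier_opened": earlier_opened}
```

With three messages and the theft after the second one, the static chat gives up all three while the ratchet gives up only the third.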
Through these bullet points, Open Whisper Systems - makers of Signal and TextSecure, headed by famous hacker Moxie Marlinspike - has managed to offer the public an incredibly useful service. Us people can, once again, use the Internet in order to communicate with one another freely and without fear.
As for me, I'm stopping my use of insecure chat services. I already got rid of the abomination called Google Hangouts from my phone. I also see no point in investing any more efforts in acquiring and maintaining PGP email capabilities.
If you want to get me, you know how to.


Image copyrights: Open Whisper Systems
Check here and here for more details on Signal/TextSecure as well as installation links.

Thursday, 26 February 2015

No Comment


Many interesting things happened today, no doubt about it. I learnt that the much anticipated Deluxe Edition of Led Zeppelin's Physical Graffiti is finally out. But then I also learnt something about Google's use of CAPTCHAs.
You probably encountered many of those during your journeys through the Internet. You know, those annoying things that ask you to type a cryptic pattern of text in order to verify you are no bot? Well, Google recently took them a step further. The layman thought this was in order to make the human verification process simpler; but the cynic read this article to learn that Google's CAPTCHAs are just another trick from the vast Google arsenal that is aimed at sucking in more private information from the people of this world.
Since Google's CAPTCHAs are a required step when one seeks to leave a comment on the pages of this blog, I urge you to not leave comments here.

Wednesday, 25 February 2015

Great Expectations

A friend had recently told me of their school plans for their toddler.
In the area they live in there is only one high school that's considered good. It happens to be a Catholic school. In order to ensure the child will be able to get into that school, the parents need to have the child enrolled into a feeder primary school; naturally, this feeder school is also a Catholic school. In order to be able to register the child to that feeder school, the parents are required to have their child baptised. In order to achieve baptism, the parents need to attend meetings with a Catholic priest, get their child presented before the congregation, and attend mass. Which is quite a pain, but even more of a pain given they are agnostics who generally try to steer away from religion.


I know what you're thinking: you've been reading this blog for a while, you know what this blog's attitude towards religion is, and you're pretty sure I'm telling you the above story in order to express my utter disgust with a parent about to sacrifice their child on a Catholic church's altar.
Thing is, I'm not. It would be very hard for me to criticise a parent who, lacking in choice, goes to great lengths in order to provide their child with the best education on offer. Sure, I think I can say with certainty I am never going to send my child to a Catholic school, but I am also not in a position to criticise my friend here.
The real problem is not my friend sending their child into the throes of the Catholic church. The real problem is with Australia's education system. And the real problem is with Australian culture, a culture that sends parents very strong signals telling them that sending their child into a state run high school is the equivalent of rape while sending them to a private school is far more an indicator of social status than wearing the dearest Rolex and driving a Ferrari.

I will admit feeling the stress myself.
Almost everyone around me is planning on sending their children to private high schools. Due to the waiting lists involved with that, the majority has already put their children on some private school's waiting list since they were aged 0. As a direct result of doing so, these parents have pretty much signed and sealed their kids' path through school, from Prep to VCE.
In contrast, I stand out as a parent who has no idea what high school would even be remotely suitable for my child, not to mention sorting enrolment out. The conclusion is therefore obvious: I'm a bad parent who is letting his children down by failing to secure the best education for them.


Image by www.audio-luci-store.it, Creative Commons (CC BY 2.0) licence

Sunday, 22 February 2015

Tightened iOS App Tracking

When one spends double or more the amount of money in order to put one's hands on one of Apple's gadgets, one's sanity has to be examined. Apple smartphones cost about double that of Androids of similar technical prowess, so the rational person needs to justify the waste. With me, one of the main justifications is privacy: iOS is almost always better at looking after the privacy of its users than Google's Android.
However, as I have already discussed here, the differences tend to be in the flavour rather than essence.
App tracking offers a case in point.

I am not a fan of Apple's sealed garden approach, as implemented through its AppStore: any app developer that wishes to have their code considered for sale in the AppStore needs to comply with rather draconian terms & conditions. On the positive side, those terms & conditions include clauses intended to protect users.
One such protection measure is an obligation to avoid tracking app users via unique identifiers. Want to identify and track your app users? Get them to create an account or login through Facebook; however, you - as a developer - are not allowed to track an iPhone/iPad user just because they bothered to install and run your app.
This measure does not only sound like a great privacy protection measure; it is a great privacy protection measure. It allows users to enjoy the best of what the AppStore has to offer, such as the tons of quality games kids can play with, without fear of them being the victims of corporate marketing schemes.
Hooray to iOS!

Wait a minute.
As Apple security expert Jonathan Zdziarski has been pointing out lately, Apple hasn't been particularly good at enforcing its own policies. All the while, developers have been quick to seize on the commercial opportunity offered by Apple's recent relaxed attitude in order to make a buck out of the millions of unsuspecting iOS users out there.
I noticed the trend myself with games that seemed to know who I was despite me never logging in to anything and despite me uninstalling their games and reinstalling them back on. Never saving the game or backing them up anywhere did not prevent them from knowing exactly where I got to in the game last time around.
Then there are the examples Zdziarski comes up with. Unlike yours truly, Zdziarski comes up with proper evidence to support his claims. He clearly demonstrates how Google abuses the privacy of the Waze navigation app users and how Apple turns a blind eye to these abuses, probably because Google is not a monster worth getting into a tussle with. Zdziarski's is a must read analysis of a privacy policy that should be labeled "no privacy policy" instead, especially given Waze's popularity; I am very well aware of just how popular this app is with Israeli users, for a start.
Zdziarski does not stop with Waze. He looks at Whisper and he points out how this blog's favourite con, SuperFish, was also able to get away with abusing Apple users.

All of which brings me to say:
Dear Apple, if you want me to continue wasting my money with you, you need to make sure I get my money's worth. Lately you've been quite effective at demonstrating the exact opposite.
Sure, Google is much worse than you. But the thousand dollar question is, is Google a thousand dollars worse than you?


Image by EFF, Creative Commons (CC BY 3.0 US) licence

Saturday, 21 February 2015

Le-NO-vo


Over the past day or so I have been reading an intriguing amount of intriguing analysis over the latest computer world privacy fiasco coming at our direction from the House of Lenovo.
In case you haven't heard about it, the story goes like this. Since some time during 2014, Lenovo has been installing software called SuperFish on many of its Windows laptops. SuperFish thus joined a long line of bloatware computer purchasers get when they buy a preinstalled Windows computer, but unlike normal bloatware SuperFish is actually adware. And not just your regular adware, it is proper malware.
The way this application works is that it analyses whatever you're viewing online, regardless of the browser you use and regardless of whether you do so with an encrypted/secure connection or not, and replaces the ads on the pages you're watching with ads from Lenovo. If you run a website whose earnings are built on ad viewing, tough luck; Lenovo will take what should have been your money.
It gets worse. In order to do what it does, SuperFish replaces any security certificate used while browsing with its own. Thus when you think you're conducting your online banking with your bank, you could actually be dealing with any weasel out there who knows their way around SuperFish's certificate (a kind of hacking attack known as "man in the middle"). And we have plenty of weasels out there: on the left side of the map we have the NSA, on the right China, and in between there are plenty of nice people who would love to get between you and your wallet.
But wait, it gets worse. As it turns out, SuperFish uses a single certificate in all of its installations. This means that all it takes is for this certificate to be cracked once before all Lenovo SuperFish users are under the radar. Lucky for them, the guy who discovered the problem already managed to crack the certificate, and quite easily so; surely, he's not alone there.

If you're stuck with such a Lenovo machine, you're rather limited for options.
Uninstalling SuperFish is a fine start, but it won't do on its own without removing the SuperFish certificate, too. The catch is that such an operation is not a trivial act for the vast majority of Windows home users. You can read more on how to do it here.
The optimal solution to the problem is to reinstall Windows from scratch. No, you cannot use the Windows image Lenovo gave you, because that would just reinstall SuperFish together with all the rest of Lenovo's approved bloatware. Indeed, as this guide attests, reinstalling Windows is not a trivial operation even for people who know their way around such operations, let alone your typical PC user.

Lenovo's reaction to the affair demands its own post.
First it came out with a statement along the lines of SuperFish being a service to Lenovo users in order to help them become aware of goods and services they were previously unaware of.
Eventually, in the third round of company replies, they acknowledged the problem but added that they have shut down the SuperFish servers. What a problematic reaction this is! First, what does it say about Lenovo if it had central control, an HQ of sorts, for spying on all of its clients' allegedly secure online operations? Second, the fact Lenovo shut down the servers has zero effect on any hacker's ability to abuse the SuperFish certificate that is still very much installed, and come in the middle of a user and their money.

Now for my personal observations.
First, I would like to note that the chances of me ever touching a Lenovo PC again have significantly diminished. It is worthwhile noting I am making this statement just a few days after I have shortlisted its Thinkpad X1 as one of two laptop models to replace my current Windows laptop with. For the record, my current Windows laptop is a Lenovo.
Second, the affair raises doubts about the Windows ecosystem as a whole. Virtually all Windows laptops come with bloatware; what guarantee do I have that Dell, Asus or any of the other Windows laptop manufacturers do not pull the same trick on me as Lenovo? As long as those companies rely on bloatware for their bottom lines, none.
I do not have many options left if I want to avoid such concerns altogether. Fact of the matter is, I need a Windows PC for work purposes; I much prefer open source systems, like Ubuntu, and most of the time I am an Apple OS X user, but with all the love I have towards the latter two I am still forced to use Windows. It therefore looks as if my next Windows laptop would be... an Apple MacBook Pro, on which I will install Windows in a separate partition. It's a very expensive solution, I know, but at least I would get to enjoy Apple grade hardware in the process (and if you don't know what I'm talking about, try using an Apple laptop for a week or so and then go back to your average Windows laptop; once you come close to perfection, going back is very hard).
Third, and last, and perhaps most importantly, I want to ask a simple question: where was the NSA in all of this? Or, for that matter, the GCHQ? The NSA is an organisation with billions in its budget whose role is supposed to be the protection of Americans. Well, where was the NSA when it came to protecting American Lenovo users, undoubtedly numbering in the millions?
There are two possible answers to this question. One is that the NSA was simply unaware of the problem, in which case we may as well ask whether it is worth all the taxpayer money it is sucking out of the economy. The second is that the NSA knew about the whole affair, but chose to sacrifice the security of the people it is meant to protect in order to be able to tap on the seemingly secure online activities of all Lenovo users (and who cares if the Chinese or any two cent hacker can do the same just as well?).
Then again, by now it is taken for granted there is no low the NSA won't sink deeper from.


Image by Graham Holliday, Creative Commons (CC BY-NC-SA 2.0) licence

If you'd like to learn more about Lenovo's SuperFish affairs, I recommend the following sources:
  1. Ars Technica
  2. Anandtech
  3. Jonathan Zdziarski
  4. InfoSec Taylor Swift tweeted a lot about the affair.

Tuesday, 10 February 2015

Physical Graffiti


One of my core music related pursuits, in this age of Spotify and the seemingly unlimited availability of music, is to scan through new music on a daily basis in order to find those rare gems that are worth re-listening to. By now this is done in a very slick, mechanical like manner: I have my regular sources for identifying new music, and I just go through most of their offerings one by one.
I guess it is almost like an obsession. I dedicate so much of my time to finding good music and less of my time to actually listening to the good music I have already found. All the while there is this lingering fear: I must listen to this and that pieces of music, because Goddess knows what would happen if this best album of the year would slip right between my ears. And it's not like I do not discover, quite frequently, there was this great album that I have missed which was released a few months back and really stands out.
One can easily see that this pursuit of mine is doomed. By virtue of the filtering process itself, it is hard for music to stand out before my ears. Perhaps this is the reason why, lately, I can't get no satisfaction. Finding good new music is hard, and lately a generally disappointing process.
But there are exceptions to the rule. This post is here to tell you of my favourite new music.

First comes an album from a band you might have heard of. It's called Pink Floyd, and a few months back they released their first album in like 20 years, The Endless River. Perhaps the most notable feature of this new album is that one of the musicians taking part, Richard Wright, has been dead for almost ten years now.


Yet, for this Pink Floyd fan, the album sounds good. More than good, it's great. I did not like the Floyd's previous album, 1994's The Division Bell; indeed, it is the only Pink Floyd album I dislike. But Endless River is good; it is classic Floyd. An album whose greatest achievement was to make my skin shiver the way it hasn't shivered in the decades since I last heard a Pink Floyd album for the first time.

The Endless River, however, is not my favourite newly released album. That title goes to a bunch of new albums released by a guy called Jimmy Page. This Page guy has been busy lately, going through the archives of this band called Led Zeppelin and releasing deluxe editions of its albums. Mr Page has been going through them one by one, from Led Zeppelin (the first album bears the band's name) to - as of this point in time - Houses of the Holy.
The result? Some of the best releases of recorded music in history, period. Personally, I cannot wait for Page to get a move on and re-release the next album in his pipeline, Led Zeppelin's best - Physical Graffiti. [No, I won't argue with you too much if you were to claim Led Zeppelin IV is the best; but one has to agree that songs like In My Time of Dying and Kashmir pack a mean punch.]

You can dismiss this post and the claim I have made in the previous paragraph as the words of an old person stuck with 50-year-old music. Hey, I'm a firm believer in freedom of speech, so yeah - go ahead and say it, if this is how you feel.
Yet, for me, it is definitely a case of "they do not make them like that anymore". The surprising thing is that neuroscience had caught up with the world of music geezers such as yours truly and is now offering an explanation for this phenomenon. I'm talking about the phenomenon that makes people, everyone, claim that the music they grew up with is so much better than the new trash that passes for music nowadays.
Apparently, chemical processes in the brain solidify the music you have heard through your teen years so that this music becomes your baseline. In my case, that music happened to be composed primarily of Pink Floyd with Led Zeppelin claiming a fair share. Your own mileage will vary.

Science aside, I think there is more to it. I really do think that today's music isn't half as good as that of Led Zeppelin, and the evidence I bring to the table is in the above video of Led Zeppelin performing Stairway to Heaven live at Madison Square Garden.
Fast forward to 6:30 minutes in and witness the above mentioned Jimmy Page play guitar.
Now, I'm sure you're familiar with recent theories claiming that it takes about 10,000 hours of practice to make a person into an expert in something. Well, watch the video and you will witness an expert at work: it stops being Jimmy Page playing guitar and it turns into Jimmy Page being a guitar.
It's not just Page; the same can be demonstrated for band members John Bonham and John Paul Jones. Listening to In My Time of Dying, either in its original album release or the recent 2007 performance through my headphones powered by my USB DAC makes that very clear.
So yes, best music ever.

Wednesday, 4 February 2015

The Strange Case of Dr Jekyll and Mr Hyde

It was obvious long before Borders went for a date with St Peter that the establishment we know as the book shop is on its way to heaven. Between the might and magic of Amazon and the game changing concept of ebooks, not much wiggle room is left for your friendly neighbourhood shop. So no, I was not surprised to read yesterday that a famous San Francisco book shop is closing down, although I will admit the reason – being unable to pay its employees the minimum wage now that the minimum wage has been raised – did make me feel for the average American employee. Stuff that the people of other countries take for granted, like leave days and a decent salary for doing one's job, seem to be a bonus in the Land of the Free.
The news did make me reflect on the book shops of my childhood. One of them, Mr Hyde Books, still stands erect in Israel. I even paid it a visit last year.


In its day, Mr Hyde claimed to be the biggest book store in Israel (actually, the sign in the above photo still makes the claim). In my memories it is still a gigantic venue, the hall of many a great childhood memory. Mr Hyde was where I bought my copy of Frederik Pohl’s Gateway, a cornerstone book in the genre of science fiction and a very influential book as far as this blogger’s imagination is concerned. Mr Hyde was the place I could get my copies of Mad Magazine, including two issues whose memory will remain forever etched in my head – the one featuring Inbanana Jones and the Temple of Goons and the one featuring Top Gunk.
So yes, I was curious to see what’s going on in that giant hall of fame nowadays. I got my chance last year and went in.
Gone was the giant book shop of my memories. Yes, I know I am influenced by the standards of scale of Australian shops, but that "biggest book store in Israel" looked small! I guess the worst thing about it was not the size; it was the fact this was no longer a book store, at least not what I would call a book store. Shelves that used to host the best of human imagination now store junk one would expect to find at a $2 shop; the few shelves that are dedicated for books host used books, to be bought and sold in bulk for next to nothing.
Hall of fame turned out to be more like a hole of fame. Then again, as a regular shopper at your local Amazon or Book Depository, and as an avid consumer of ebooks that now considers paper an abomination, who am I to complain? I cannot mourn the loss of the book store when I represent the very reason for its extinction. Yet I still do.