Security For All First Birthday: Revisiting Technology generation gap

The #3 spot on the Security For All top posts list, entitled Moving On, was about my experience as a Software Engineer at StillSecure on the eve of my departure for a new gig. If you have ever wondered about what it would be like to work for a cutting-edge start-up in Colorado you should definitely check out the post. But since I don’t have anything to add or amplify in that post we’ll head straight to the 4th most popular post and revisit January 26, 2009 and the Technology generation gap.

The first occasion to get me thinking about this was when an older family friend was the victim of a fairly benign scam that essentially convinced her to forward some nasty political tripe to folks on her email list. Luckily no harm was done, other than embarrassing WTF responses from the message recipients. I was explaining to her that there are many unscrupulous people and other entities on the net that have no problem with misleading, lying and scamming anybody they can when she remarked that she thought it was “sad that you can’t trust people on the internet”. This remark kind of took me by surprise. I’ve always started from the assumption that internet content is not trustworthy. Not sad, that’s just the way the net works.

She was assuming that email was equivalent to handwritten correspondence from an entity that is known to you. While I was assuming that email is equivalent to bulk mail from an anonymous source. Now certainly there have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing. The point is that in my friend’s experience, a person who would lie, cheat or scam others was quickly discovered and was considered an anti-social aberration. And in general, you could trust most people. Not so on the internet, where there are no people to trust.

No people, as in actual living human beings, to trust. This has a number of other disturbing aspects that I take as a given but are shocking and appalling to my friend.

Actual humans are not directly responsible for a fair portion of internet traffic. Much of the content on the web is generated by bots or other automated processes. That’s why we have CAPTCHAs for everything from webmail sign-up to comments on blogs. Problem here is that the mitigation is often more annoying to older folks than the threat we’re trying to mitigate.

Another disturbing aspect is that web content generated directly by younger or more web savvy people can more accurately be attributed to their online persona. Think about it. Starting back in the early days of BBSs and propagated by AOL is the concept of screen name. Check out Facebook or YouTube – or even Security Bloggers Network and you’ll find a whole lot more “LonelyGirl16” or “G@m3rBoy” IDs than “JoeSmith”. Be sure to check out the content that you find there. What you are looking at is performance art by the online persona of the author. Even here. What? You think I’m really this witty and urbane in real life? Well, okay maybe I am but the rest of those posers… But again I digress. The point is that my older friends treat email and social network posts as direct communication between themselves and other actual humans. They even use their real names. And give out real addresses. They don’t have an online persona, and don’t expect others to either.

Perhaps the most appalling aspect is that the allegory of the web most familiar to older people is print media. Newspapers and magazines. URLs are even referred to as web pages. Unfortunately this carries some very misleading and often dangerous assumptions. For example if a writer in People magazine writes “[hot Hollywood starlet du jour] is a slut”, People will certainly have to print a retraction and possibly face libel charges. But if Perez Hilton writes it in his celebrity gossip blog, well that’s just what Perez does. The point is that print media is held to a much higher standard of veracity than the web where anyone can post anything with very little chance of reprisal or responsibility. There are no standards of veracity on the web. Nor can there be. The dangerous part of this is that there are journalists and editors who don’t understand this. Recently sports publications and sports news outlets reported that Iranian football [soccer to us yanks] stars Javad Nekounam and Masoud Shojaei [who play for Spain] had been sacked due to an incident in a Pamplona nightclub. This story made the wire services and was widely reported. The source was a report on the Osasuna club’s web site. Problem is the site had been hacked and the report was bogus. You can read the real story here. Too bad – damage done.

The next occasion that caused further rumination on this subject was when I was helping my mom with a computer problem. She noticed that several names in her address book application were appearing out of alphabetical order. I diagnosed the problem easily – the names had leading spaces. Apparently the OS/X address book doesn’t do a trim on entry fields. So once I removed the offending space characters the sorting worked as expected. Try as I might, I could not explain this to my mother. She could not get her mind around the idea that a space character is ultimately a binary value like any other alphanumeric character. As far as she was concerned, when you hit the space bar on the keyboard it just “moves over” and doesn’t print anything. In other words a space is nothing. The absence of a letter. Kind of like electrons and holes from my EE days. A hole is where an electron is not. Therefore holes have a positive charge. Yeah like that.

Again I realized that we were having a fundamental disconnect. I’ve always realized that everything I see on a computer screen is an abstraction. At the lowest level it’s all just zeros and ones. Actually high and low voltages or positive and negative charges. Even the zeros and ones are an abstraction. The desktop and windows are an abstract paradigm. Not so with my mom. She sees literal windows or cute little boxes called windows when she looks at her monitor. She clicks on buttons, types stuff into forms and moves sliders up and down. It’s not abstract at all. It’s literal for her.

When you think about it, the information age introduced something unprecedented in human history: the central enabling agent, computers, inserted a layer of unreality between users and tasks. Stay with me here. Even relatively modern devices like telephones were intimately connected to the underlying task. Any abstraction, like say entering a phone number to connect to a specific party, was completely transparent – you entered in the number using a keypad or dial. Now look at my iPhone – a hand-held computer. I could still enter phone numbers from a keypad – a virtual, abstract, keypad – but I usually just touch the picture of the person I want to contact. And that contact can be SMS, IM, email or even a telephone call. Depending on the context of the underlying abstraction. The point is there are no actual walls in Facebook, no windows in Windows, no trashcan on your desktop and no desktop. Abstractions and allegories [or user paradigms if you prefer] all. Can’t wait for virtual reality? Good news – you don’t have to. Bad news – you probably don’t even recognize it.

Technology generation gap

Recently while helping older relatives and friends I had an epiphany about technology usage and age. Specifically older people approach technology with a completely different set of assumptions than younger people. Before you decide to file this under Well DUH! just hear me out.

The first occasion to get me thinking about this was when an older family friend was the victim of a fairly benign scam that essentially convinced her to forward some nasty political tripe to folks on her email list. Luckily no harm was done, other than embarrassing WTF responses from the message recipients. I was explaining to her that there are many unscrupulous people and other entities on the net that have no problem with misleading, lying and scamming anybody they can when she remarked that she thought it was “sad that you can’t trust people on the internet”. This remark kind of took me by surprise. I’ve always started from the assumption that internet content is not trustworthy. Not sad, that’s just the way the net works.

About the same time Bruce Schneier had this article wherein he reaches the following conclusion (emphasis mine).

The Internet is the greatest generation gap since rock and roll. We’re now witnessing one aspect of that generation gap: the younger generation chats digitally, and the older generation treats those chats as written correspondence. Until our CEOs blog, our Congressmen Twitter, and our world leaders send each other LOLcats – until we have a Presidential election where both candidates have a complete history on social networking sites from before they were teenagers – we aren’t fully an information age society.

When everyone leaves a public digital trail of their personal thoughts since birth, no one will think twice about it being there. Obama might be on the younger side of the generation gap, but the rules he’s operating under were written by the older side. It will take another generation before society’s tolerance for digital ephemera changes.

I realized that this was exactly the disconnect my older friend and I were having. She was assuming that email was equivalent to handwritten correspondence from an entity that is known to you. While I was assuming that email is equivalent to bulk mail from an anonymous source. Now certainly there have been grifters and scam artists around since time immemorial, but it’s only been with the advent of the ubiquitously anonymous internet that the scams, schemes and spam have become pervasive. Back in the day, a grifter’s work was strictly up close and personal as opposed to nowadays when you can hit millions of marks with a single shot. Kind of like a knife fight versus carpet bombing. The point is that in my friend’s experience, a person who would lie, cheat or scam others was quickly discovered and was considered an anti-social aberration. And in general, you could trust most people. Not so on the internet, where there are no people to trust.

The next occasion that caused further rumination on this subject was when I was helping my mom with a computer problem. She noticed that several names in her address book application were appearing out of alphabetical order. I diagnosed the problem easily – the names had leading spaces. Apparently the OS/X address book doesn’t do a trim on entry fields. So once I removed the offending space characters the sorting worked as expected. Try as I might, I could not explain this to my mother. She could not get her mind around the idea that a space character is ultimately a binary value like any other alphanumeric character. As far as she was concerned, when you hit the space bar on the keyboard it just “moves over” and doesn’t print anything. In other words a space is nothing. The absence of a letter. Kind of like electrons and holes from my EE days. A hole is where an electron is not. Therefore holes have a positive charge. Yeah like that.

Again I realized that we were having a fundamental disconnect. I’ve always realized that everything I see on a computer screen is an abstraction. At the lowest level it’s all just zeros and ones. Actually high and low voltages or positive and negative charges. Even the zeros and ones are an abstraction. The desktop and windows are an abstract paradigm. Not so with my mom. She sees literal windows or cute little boxes called windows when she looks at her monitor. She clicks on buttons, types stuff into forms and moves sliders up and down. It’s not abstract at all. It’s literal for her.

So what can I do with this insight other than blog about it? Well, immediately I realized that the argument I was trying to make to my QA lead, that a bug where the back end process was working correctly but the GUI was displaying incorrect state should not be serious, was a definite loser. On a larger scale I am able to articulate what is wrong with our industry’s release fast and patch often business model. It’s fundamentally based on our customers trusting us. Which they should not. And they probably won’t when the next generation starts making the buying decisions.

Great stuff that never happened

Bury your memories bury your friends,
Leave it alone for a year or two.
Till the stories go hazy and the legends come true,
Then do it again. Some Things never end.
From “Eleventh Earl of Mar” Genesis

John Brandon has an article in ComputerWorld, Famous tech myths that just won’t die, wherein he attempts to lay to rest some of our most treasured tech myths. Submitted for your approval is a concise list of those myths. And my brief comments. Seriously, you didn’t think you were going to get off that easy, did you?

  • Bill Gates dropped a $1,000 bill and didn’t bother to pick it up – Can you imagine the guy who ruled the Microserfs dropping a $1 bill much less not picking it up?
  • The iPhone 3G has a kill switch that Apple can use to disable the device – Actually it does. It’s called AT&T here in America. No wait, that’s a killjoy switch. My bad.
  • Internet2 will replace the Internet – Now this is just silly. Everyone knows the internet will be replaced by the Cepheid Galactic Internet.
  • PC gaming is dying or already dead – Just keep telling yourself this while you’re getting fragged online by newbs with an unfair advantage (a PC), X-box boy.
  • Apple is working on a MacTablet – What, the Newton wasn’t good enough?
  • Forwarding an e-mail has rewards of some kind – Only if you forward it from someone else’s account and can watch the comedic aftermath. And not get caught.
  • Al Gore said he invented the Internet – Well maybe not, but Ted Stevens discovered that the internet is “not a truck. It’s a series of tubes.” Which is a good thing since the truck couldn’t get to where it needs to go via another Stevens invention, the bridge to nowhere (actually that’s not completely true; it could go to Gravina Island – population 50).

Come on John, the next thing you are going to tell me is that my long lost uncle really didn’t die in Nigeria and leave me millions. Just be that way.

Security ideas for your mom part 1

So here’s the scenario:

Your mom wants to get a PC so she can get email, check out those internets and use the google. She’s heard about all the nasty stuff out there like in those commercials with the little old lady speaking with the voice of a biker. So she knows it’s a dangerous world out there on the internets and knows she must get some of that security to protect her. Of course she calls you, since you use that stuff all the time at work. Oh … and she thinks those “I’m a Mac, I’m a PC” commercials are really cute and that a Mac would be great because it doesn’t get any of those nasty viruses.

Sound familiar? Thought so. So what do you tell her? How about, “Gee mom, sounds like what you really need is a good cell phone, not a computer” or “Sure, get a Mac and then you can be stylish while getting pwned”. Problem is, you like your mom and want to help her make the right choice. Other problem is that you also like your significant other and really don’t want to commit to a full-time tech support gig.

What you’ve just encountered is the fundamental problem in personal computer security. For years Bill and Steve have been telling us that a personal computer is an appliance, just like a television or a toaster. That certainly sells lots of PCs and Macs but the problem is that, well, it’s balderdash. Hogwash. Crapola. When you purchase your first computer you discover this right away. Ahh, but not to worry – Uncle Bill (actually Uncle Steve now) has you covered. They’ll automatically push out fixes (to stuff they built wrong!) to keep you safe and secure. Okay… But wait! There’s more! There are many companies out there just dying to help you be more safe and secure who can’t wait to get their hands on your money. So before you know it that spiffy new computer you bought runs like a bloated turtle and you get to pony up annual payments for that privilege. And are you really safe and secure? Maybe. Possibly. Who knows?

So let’s go back to the original question: what is security in this context? What are the risks that your mom will face online and how does she manage them? Can you really “buy security” (or lease it per current business models) to manage these risks? Hang on there, Hoss! You just listen to Uncle Joe before you turn over any of mom’s hard-won dinero. Here is Joe’s official, in-order list of security ideas for your mom.

Security Ideas for Mom

  1. Think. Don’t be an idiot. The vast majority of cyber incidents that result in actual damage could have been prevented by a simple smell test. This covers a lot of territory, but basically it comes down to this – use common sense. Obvious stuff like, don’t open email attachments you weren’t expecting or can’t identify. Or if something pops up you don’t understand – find out what it is before you click on it. My friend, a computer novice, recently upgraded to get online. He had all of the stuff you are supposed to have including anti-virus software from a leading vendor (think yellow box). So he gets this browser pop-up while he’s surfing that says “Your computer is infected with a virus!!! Press this button to remove it and make your system safe!!!” So he does. And it does heinous things to his computer, including disabling his spiffy yellow AV. DOH! It’s time to put that PC out of its misery and start over. This ugliness could have been prevented had my friend, an otherwise intelligent person, just thought about it for a moment and asked himself one simple question: “does this seem fishy?” (the smell test!). But isn’t that a little harsh? I mean we already established that he’s a computer novice. No, actually, it’s a dandy segue into the next point.
  2. Learn how to use your hardware and software. Or stated in the reverse, don’t use something you don’t understand. What I’m not suggesting here is that mom should become a hacker just so she can check email. Look at it this way: I don’t understand the complete operation of the stability control system in my Honda, but I do know that when the “TPS (Tire Pressure Sensor)” light comes on that I better check and adjust the tire pressure, and if the light doesn’t go off when I’ve done that I should take it in to my local Honda dealer. (Honda – here is an excellent sponsorship opportunity). The point is that you don’t need to be an expert, you just need to know basically how the system works and what it’s trying to tell you. In the example of my friend from #1, had he known what to expect from his AV software when it encountered a virus, he wouldn’t have been fooled by the phony. If you don’t understand what a program does, then you almost certainly don’t need it. But wait – what about all that stuff that comes with mom’s new computer? Isn’t the point of that to take care of everything so that she doesn’t have to know anything about computers? In a word, NO! The purpose of that stuff – which is mostly crapware – is to sell you more stuff you don’t need. You think the company who manufactured your computer has your best interest at heart? See #1. And once again another dandy segue into the next point.
  3. It’s your computer. You don’t have to run anything you don’t want. Mom needs to show that machine who’s boss – Yeah who’s your mama! The point here is that just because your computer came with XYZ security suite (one month trial!) and your internet service provider gives you ABC security suite (the “lite” version – but for a fee you can get the real version!) you don’t have to use either. Remember – who’s your mama! If you really want to use a security suite then do a little research (see #2) and check out the many excellent free and open source packages. Chances are you can get out of this without parting with more of your dough. But more to the point, choose your computer wisely in the first place. Most folks walk into their local electronics superstore and expect the friendly sales staff to educate them about what they should buy. Duh – see #1. Why not, instead, make the idea of computer as appliance your goal? Let’s take this from the top: Mom wants to a. get email, b. surf the web, c. search for information (as translated from the earlier mom-speak). My iPhone does all that and much more. In fact my iPhone does way too much for what mom needs, so she shouldn’t spend the money. My son has a modestly priced smart phone that does everything mom needs. Both phones are totally cool and pretty easy to use and you can turn off stuff you don’t need. And both are quite a bit more like an appliance than your average PC. The idea here is that you should get something that does what you need and only what you need. Also, forget the idea that you should “buy something that you can grow with”. Balderdash. Hogwash. Crapola. Whatever you buy today is going to be landfill fodder in 5 years (actually 3 years if you depreciate it with the IRS). There is no rule that says you must be able to read email, surf the web, chat with your friends, edit photographs, make music and produce movies all on the same device. Despite what the commercials say. See #1.
     In fact, let me assure you as a semi-serious electronic music producer, I definitely do not want my studio machine to be surfing the web. Remember – who’s your mama! Yeah I have multiple machines. One to do email and internet-related stuff and, well, lots of others to do other stuff (I admit it – I’m a geek). But my email and internet box is old (like 8 years old!) and cheap and it does its one job really well. Just like a toaster. Don’t be afraid to look into a mini laptop. These babies are small, cheap and will do everything mom needs. So on to the next idea (which is really a corollary to #1). Sorry lame segue this time.
  4. Your friends are clueless. Sad but true. When mom starts getting email she will no doubt have friends and relatives who think that chain letters really do bring good luck and/or prosperity and everyone they know should be alerted to the latest (to them) internet jokes and inspirational (why are angels supposed to be inspirational?) ravings. These well meaning folks will grab onto an internet hoax or urban legend and spam everyone they have ever known with it. Some of these will turn out to be phishing scams, or “manual malware” (e.g. “to defeat this evil virus that no AV software can detect remove the KERNEL.SYS file”). Bottom line is, mom should seriously suspect any content she receives from these lovable – but clueless – folks. Especially when they state “you must see this adorable …” – no you must not. But just in case mom refuses to believe that Aunt Helen would ever send her something nasty, I know this guy in Nigeria who really needs to get a bunch of money out of the country and he’s willing to cut someone in if they’ll help him.

So before this post gets (even more) out of hand, notice that these first – and most important – four ideas have nothing to do with which anti-virus software is best, or whether Macs are more secure than PCs. They are about common sense. Which isn’t all that common. I’ll actually get into addressing specific risks when “Security ideas for your mom” continues in another post.