Andrew Breese

Musings of a professional geek

Is the real fallout from the Sony attacks yet to come?

A cancelled film, a company’s worth of hacked and destroyed computers, stolen personal data, stolen company records, and fear mongering is the first phase of the attacks on Sony. Whoever coordinated this series of attacks has played a very good game so far, and continues to use FUD (fear, uncertainty, and doubt) to channel almost everyone’s thinking. In the face of real violence most people will prefer to play it safe.

I know that I’m certainly not going to do anything to endanger my family, which is where this first phase of the story ends. I’m a little fearful, and I’m watching the news and paying attention. I’m apprehensive about writing a blog post. Good game. You’ve won phase one.

Are changes needed? Perhaps the extreme withdrawal and kowtowing by Sony is a move by the mega-corp against another of Sony’s dark foes – internet piracy.

The next phase worries me far more because it won’t be about this attack, it will be about the changes that our governments and companies try to introduce to protect us. I’ll be very surprised if governments and corporations don’t wish to further change laws based upon the fallout from these events. Perhaps on first thought they might be right; some changes are probably needed – Sony was hacked wide open and they have a huge amount of things to fix and recover from. The financial and reputation cost is non-trivial. Geek-types such as myself might have a love-hate relationship with them due to various opinionated views on consoles and games, but the general public think of them as a big movie studio. And that studio just got slapped very hard.

What I think we are about to experience, in a wider context, is these events being used to further strengthen the arguments for a regulated internet. In my own view the severity of the attacks was escalated when the hackers threatened to do something to the people who went to see The Interview, and then Sony gave permission to withdraw the movie from cinemas. I think this changed the way the public viewed the events, from a company being attacked to limit their profits, to a threat to joe-average-punter.

It is a conflict targeting the balance between our fears and our freedoms. And when the laws are changed to protect against the phase one events it could be at the detriment of our wider freedoms. It is a delicate balance with no perfect solution, but many bad ones.

A superficial rationale is: hackers and their nefarious tools did all this, then (insert country, company, mother’s name) needs to be protected.

I was never going to see The Interview, so selfishly I wasn’t fussed that a studio yanked its release, or that Sony got hacked in the first place, as I wasn’t affected. I am going to be on the internet over the next 40 years, so I am concerned about how much leverage this type of event gives governments to make sweeping changes. Australia (my home) has made changes in law to the powers of police in reaction to both terrorist threats and cyber-threats, and certainly already has some very powerful and uncompromising anti-hacker and anti-terrorism laws.

Yes, I’m possibly wrong too.

Perhaps Sony won’t apply its huge financial loss and damaged reputation as a stick to beat the American government with. Perhaps they won’t use FUD to push an anti-hacking (bit torrent, dark-net, etc) agenda any more than they already have. And it’s unlikely that America will be able to directly change Australian internet freedoms soon, … except that most laws passed in the US also impact big sections of the internet, and Australia is well known to mimic and support American interests.

(aside – don’t misunderstand that point please – on principle, countries working with a unified policy is interesting and can be valuable).

Read the backlog of anti-piracy material from film studios, and the fear around one government attacking corporations in another.

And then please read widely on freedom vs security as it relates to both the internet and your rights as a civilian.

And make up your own mind. I’m uncertain, but the FUD is working on me today. The Sony Hack story is far from over.

Thoughts about Apple’s recent batch of news

It is almost like Apple has a Deck of Many Things, and got all the bad cards at once.

They’ve had a seriously large wave of mixed and poor press, which can’t be helping their position in the marketplace. That said, it feels more like a series of unconnected issues which could have affected any tech-giant. I have to wonder though if they’re spread too thin. MS has had months like this too and folks still use their gear every day, and the laundry list of odd things by most tech-farms reads a similar way – although not as many issues compressed into such a short time frame. We’ve seen:

Apple’s new iphone 6, which people have gone crazy for…

  • I’d love a faster processor and more RAM in my old iPhone 4. I’ve seen the speed difference between the 4 and 5 and it is dramatic for the same apps, so I can only think that the v6 will be faster too. Add a little OS bloat and app bloat and perhaps the speed difference will fade over time, just like it does in our other computers.
  • I’m certain that iOS 8 will be a better operating system than v7, just because it is where they will spend their dev budget. I don’t look forward to the end of life for iOS v7, but it is coming very soon now that the sales have been so good for the new toy.
  • There is a comparison between the Galaxy 5 and the iPhone 6 variants which all but says the Galaxy has the same feature-set. I’m not sure that is true given the hardware specs, but the high level feature-set looks darn similar.
  • Larger phones do not appeal a lot to me, because I want a device which is a phone first, then a PDA, or tablet, etc. I need to be able to carry it without it being obtrusive, and hold it in hand easily. It needs to fit easily in a pocket, and there is no way in hell the new huge iPhone will fit in the pockets of my wife’s jeans. If Apple made a smaller but faster iPhone than the v4 form factor, or even just slimmer, I’d really consider buying that for both of us.
  • I’d also pay for significantly more battery life. Not just an extra few hours, I mean give me a week between charges like the bad old days in the 90s mobile phones.
  • My iPhone v1 (which couldn’t be purchased here in Australia) still works fine. I now use it as a music player in the house for one of the bedrooms. Yes, it needs to be always on charge, and it only holds a small amount of music, but it is doing great.

Apple’s iPhone 6 can apparently easily bend in your pocket…

  • If true, sheesh. Smaller tougher phone anyone? Can somebody rush a titanium laced backbone phone cover for the damn thing and sell millions of units…

Apple release a new privacy statement, which might take a broadside at Google

  • It reads well if you don’t think they’re being smart-arses. But only when you consider that it might be snarky, it reads like they are being rude. To be frank I’m not convinced that this was rude at all.

Apple has the (perhaps hack) issues with iCloud file security.

  • Blaming the end user is pointless and exploiting them is horrible.
  • Anything and everything can be hacked given enough time.
  • I do not use iCloud because I do not trust ANY of the cloud services (yet). If you want my data, then come to my home (or my offsite back-up server) and get it from my cold dead hands.
  • And they are addressing it.

Apple gift the U2 album to users as a purchase, creating a storm of negative press…

  • Giving away free music from U2 should have been a huge promotional boon, but the auto-purchase rather than opt-in shows that the strategy didn’t consider the negative response at all.
  • Ironically you need to have an iCloud account to get it, so I can’t grab the album. This is where I’m OK with the choice to not use iCloud – yes I miss out on the features and offers they are making, but I also know that my data is still mine. That approach adds risk of loss from theft and hardware failure, but I manage that risk through my own back-up.
  • I would like to listen to the album, but not really fussed, and certainly not going to pay for it.
  • I am sure that it will be available on illegal sites straight away.

Apple iOS 8.x update rolled back due to lost calls and a few other issues

  • New iPhones have an issue with the 8.x update, and rollback has been sent out. Youch.
  • “If it ain’t broke, don’t fix it”. My advice is to never apply an update to your devices (laptops, PC, phone, etc) in the first weeks of its release. Let somebody else be the tester and suffer any angst. This has happened to so many devices that only people with issues that are directly affected by the patch should try it.

Apple’s OSX might be affected by the Bash exploit

  • The exploit could affect a variety of Linux based operating systems, but the method of attack is very specific, so isn’t likely to affect most users; especially everyday end users. Don’t panic.
  • The potential for the exploit has been around for decades, and this is something to patch and not something to panic about. The sysadmins will know which systems are at risk and they’ll be stressed enough for everyone.
  • Get the systems patched and buy yourself a coffee for being on the ball. Don’t buy into the hype.

Apple is still the device platform I use at home, and unless somebody releases a cost effective way to alter that and maintain the breadth of ease in controlling the devices, that won’t change soon. I’m locked in for now.

They need a weekend on a beach somewhere to chill, then return to work refreshed. Poor bastards.

Neuromancer is 30 years old today

SoylentNews gave me a great tidbit of random trivia – the novel Neuromancer by William Gibson is 30 years old today. I remember reading this book when it came out and being totally dazzled by the concepts (don’t guess my age please, it’s not polite). Gibson wrote substance which resonated for decades, and is still pseudo-relevant even after so many other fantastic authors have launched further from his base.

Thank you Mr Gibson, the work is darn appreciated.

a bit more haiku malarkey

Here are a few more haiku, pondered while I was trundling home on the train. You sometimes go to strange places when you’re breaking the world into segments of 5-7-5. I’m not sure if there are also supposed to be titles for poems like this, so some have them and others do not.

Can I gantt this?

The office is calling
Tomorrow’s due date is past.
Deadlines are like that.

We’re always recruiting.

The office is calling
Your team is halved again.
We are here to help.

Am I a spy?

The office is calling
We know you are tired and cold.
You need to come in.


That isn’t English?
Tell me who understands you,
they’re a living saint.


Meeting tomorrow.
Work up to the 13th hour
And it’s a Friday


Servers down again.
Don’t they know it’s past midnight?
Let’s ring the PM.


Time scope cost mantra.
We meet to raise productivity.
Is that irony?


where did the time go?

You must record time,
Liar I don’t trust your times.
Are these bills correct?

Well folks seem to like (bad) PM haiku

I tweeted* a project management haiku recently and my twitter traffic went through the roof – well as through the roof as a change from zero tweets to one tweet can create. I think this is part of the reason why social media carries so much weight – it pays into the stimulation response we get from having something seen and quasi-appreciated.

Like a good doggie, I’ll do it again shortly and see if I get another biscuit**.

Let’s not plan on giving up the project manager day job, as it would mean no more snarky tweets about being a PM, and I’m under no illusion as to the amount of banter and wind already thrown into the digital wind.

* I really dislike that word as a verb relating to posting content online. Birds should keep this word to themselves, and rise up in feathery rebellion against the humans’ technology. Like a Planet of the Apes spoof where all they do is poop on our tablets and eat the phone lines. Rebellion! It is what it is, and the word won’t be changed till twitter dies.

** Yup, it’s Friday down here and I’m feeling tired and strange. Back to the geeky blog posts shortly.

a random haiku

I’m trying to …

A guessed budget
Scope is a little too large
What have we left now?

A bit of banter at work found that a few of us project managers like haiku. When done well (better than the above by half) they can be a wonderful source of inspiration and calm. This one is meant to be a bit of an odd riddle too, so try to guess what the title means in context with the haiku itself.

Yup, it’s a bit wanky.

Spoilers about the answer after the break.



What are the eBay hack implications for ordinary people?

So eBay was hacked pretty badly (Soylent post, and eBay’s own announcement), which for the geeky type folk is interesting in terms of how they did it; but more importantly – every eBay user should take care and think about what they have shared with these companies.

The nature of the hack is typically complex, and the explanations of how are not really that relevant to everyday users (I’m not being condescending by saying that, as I consider myself an end-user too). eBay has made a fair effort to give details recently, but can also be rightly questioned about how long the advice took to reach their customers. Rightly or wrongly it is around 2 months since the actual event, and that is a fairly long amount of time to wait to request password resets.

  • For users it means change your passwords now. Change them to something which is hard to guess; preferably a gibberish nonsensical combination of letters, numbers, and special characters.
  • Also change any passwords for services which you used with eBay too.
  • And please ensure the password is not the same as any other services you are using.
  • Consider using a password vault of some sort. It makes having all these different passwords easier, and also helps you when using multiple computers. Yes, it can be hacked too, but everything can be.

The reason for this is we don’t know what other attacks are being attempted, or what previous attacks might not have been understood well. PayPal is certainly a regular target for trouble too, so consider altering your credentials with them as well.

The tech jargon translates to mean that your password wasn’t easy to read, but it is only a matter of time until it is. Database encryption is a wonderful thing, but time and brute force will beat almost anything in use today; and by comparison the “safe” encryption methods of five or so years ago are now considered questionable.

Of the 140 million accounts compromised, wouldn’t you rather be one of the ones that isn’t open when the hackers decrypt all those old passwords?

Is this an alarmist approach? Well, no. This time resetting your credentials is the first step.

There are additional steps “normal” online users should do too:

  • Consider changing what personal information you are currently saving into and sharing with every online service (a.k.a. website). Each app, each URL, every vendor, all those games, and whatever Facebook widgets all collect information from you, and you’re far better off if the collection of information out there is as vague as possible. I recently went through Facebook, eBay, PayPal, and a few other services that I use and removed a lot of personal information. From now on they only get the minimum.
  • As part of that depersonalization, consider getting your orders delivered to a place which isn’t your home address. I often use my work address, as there will always be somebody there during postal delivery hours, but it also means that eBay and such have no idea of where I actually live.
  • Don’t trust your app vendors any more than you’d trust the guy at your local clothing store, cafe, or petrol station. Just like it is trivial for somebody working in the store to grab your card number, it is a lot harder, but also a lot easier to do in huge quantities, for online transactions. This means that while you’re generally more secure online for a single transaction, the methods of attack are far more complex and harder to understand.

Hope this was useful, and also wish the darn hackers would get into something a little less destructive and nasty. The skills to do some of this activity are significant, and there has to be a better way to gain money or notoriety.


Thwarting hackers with “honey encryption”?

A Boston Globe blog reported that a trickier approach to dealing with hackers might be a better approach. Essentially make the data messy and it will not be as desirable. It certainly sounds interesting as a concept. Brainiac wrote “rather than trying to block hackers, maybe it’s better to distract them.”

The approach is built into a new piece of software called Honey Encryption, created by Ari Juels and Thomas Ristenpart, and it works on a simple model. After hackers steal a trove of encrypted data, they hunker down to crack the code. It can take them thousands of tries before they’re able to guess the right cryptographic key, and Honey Encryption makes them pay for each failed attempt.

Each time hackers enter the wrong password, Honey Encryption adds a piece of fake data to the dataset—by the time hackers finally get access to the data, it’s swimming with so many fake credit card numbers, for example, they’ll have no idea which ones are real.

Pardon? I think the readers might be missing a key aspect of the information here. This is a very specific circumstance and very unlikely frequency where this is plausible.

For this approach to work the “honey encryption” software needs to be running with the stolen data-set. In fact it is unlikely that the data would be stolen at all, rather it is being attacked on its normal infrastructure. Frequently when data is stolen the database itself is extracted en masse; the encryption used on the information in the database is broken later. A hacker is not going to willingly run an application which does Honey Encryption on the data they are trying to hack. Is the assumption that the software for accessing the encrypted data is somehow packaged with the data in the DB? Huh? No! This means that for the times where the hack attempt is happening on the system live this approach might work, but otherwise it does not apply.
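To make the “fake credit card numbers” idea concrete, here is an added toy version of honey encryption (my own illustration, not Juels and Ristenpart’s code): the 15 free digits of a card number are treated as a uniformly distributed message, masked with a password-derived pad, and the Luhn check digit is recomputed on decryption, so a stolen ciphertext decrypted under any wrong password still produces a Luhn-valid number. The KDF, the message space and the sample card number are assumptions for the demo.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy honey encryption for 16-digit card numbers (added illustration, not the
# paper's implementation). The "distribution-transforming encoder" is simply the
# 15 free digits as an integer; the 16th digit is always recomputed with Luhn,
# so every decryption, right or wrong, looks like a valid card number.
SPACE = 10 ** 15          # all 15-digit bodies are treated as equally likely
PBKDF2_ROUNDS = 10_000    # assumption: any slow password KDF would do


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) == 16
            and luhn_check_digit(number[:-1]) == number[-1])


def _pad(password: str, salt: bytes) -> int:
    """Password-derived one-time pad in [0, SPACE); modulo bias is negligible for 256 bits."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return int.from_bytes(raw, "big") % SPACE


def encrypt(card: str, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, int]:
    """Return (salt, ciphertext). Only the 15 free digits are encrypted; the check digit is redundant."""
    if not luhn_valid(card):
        raise ValueError("not a Luhn-valid 16-digit number")
    salt = salt or secrets.token_bytes(16)
    return salt, (int(card[:-1]) + _pad(password, salt)) % SPACE


def decrypt(blob: Tuple[bytes, int], password: str) -> str:
    """Never fails: a wrong password yields a different but equally plausible card number."""
    salt, ct = blob
    body = f"{(ct - _pad(password, salt)) % SPACE:015d}"
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    blob = encrypt("4111111111111111", "hunter2")   # constructed sample values
    print(decrypt(blob, "hunter2"))                 # the real number
    for guess in ("password", "letmein", "hunter3"):
        print(guess, "->", decrypt(blob, guess))    # each one is a Luhn-valid decoy
```

The decoy behaviour is a property of how the ciphertext is constructed, so it holds offline on a dumped copy as well as on the live system; the cost is that the encryption can only protect fields whose plausible values can be enumerated this way.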

The same software could also alert the admin teams very quickly that a potential attack is in progress too. This is the approach taken with the “honey words” concept, where a dataset is set up with a number of “deliberately bad” entries for each user account so that when the hacker tries to use the decrypted data an alert or action is triggered. That makes a heap of sense.
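The honeywords arrangement described above, as an added toy implementation (my own code, not the published design or any vendor’s product): each account stores salted hashes of several “sweetwords”, only one of which is the real password, and a separate honeychecker service knows which index is real. A login with a decoy means the credential table has been dumped and cracked, and raises an alert. The decoy generator, KDF parameters and the sample user are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

_rng = secrets.SystemRandom()


def tweak_digits(password: str, count: int) -> List[str]:
    """Chaffing-by-tweaking: decoys that differ from the real password only in its digits.
    Passwords without digits get a random two-digit suffix instead (assumption)."""
    positions = [i for i, ch in enumerate(password) if ch.isdigit()]
    decoys = set()
    while len(decoys) < count:
        if positions:
            chars = list(password)
            for i in positions:
                chars[i] = str(_rng.randrange(10))
            candidate = "".join(chars)
        else:
            candidate = password + f"{_rng.randrange(100):02d}"
        if candidate != password:
            decoys.add(candidate)
    return sorted(decoys)


def _hash(word: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 20_000)


class CredentialStore:
    """What the login server (and whoever dumps it) holds: salted hashes of every sweetword."""
    def __init__(self) -> None:
        self.rows: Dict[str, Tuple[bytes, List[bytes]]] = {}

    def add(self, user: str, sweetwords: List[str]) -> None:
        salt = secrets.token_bytes(16)
        self.rows[user] = (salt, [_hash(w, salt) for w in sweetwords])

    def match_index(self, user: str, attempt: str) -> int:
        """Index of the sweetword the attempt matches, or -1 for no match / unknown user."""
        if user not in self.rows:
            return -1
        salt, hashes = self.rows[user]
        h = _hash(attempt, salt)
        return next((i for i, x in enumerate(hashes) if hmac.compare_digest(x, h)), -1)


class HoneyChecker:
    """Separate hardened service holding only the real index per user. A stolen store alone
    cannot tell decoys from the real password, so a decoy login means the dump is in use."""
    def __init__(self) -> None:
        self.real: Dict[str, int] = {}
        self.alerts: List[str] = []

    def check(self, user: str, index: int) -> bool:
        if index == self.real[user]:
            return True
        self.alerts.append(f"honeyword hit: user={user} sweetword#{index}")
        return False


def register(store: CredentialStore, checker: HoneyChecker, user: str,
             password: str, decoy_count: int = 3) -> List[str]:
    sweetwords = tweak_digits(password, decoy_count) + [password]
    _rng.shuffle(sweetwords)
    store.add(user, sweetwords)
    checker.real[user] = sweetwords.index(password)
    return sweetwords


def login(store: CredentialStore, checker: HoneyChecker, user: str, attempt: str) -> str:
    """'ok' for the real password, 'alert' for a decoy, 'fail' for anything else."""
    idx = store.match_index(user, attempt)
    if idx < 0:
        return "fail"
    return "ok" if checker.check(user, idx) else "alert"
```

Run with a constructed user such as `register(store, checker, "alice", "correct-horse-42")`; logging in with any of the returned sweetwords other than the real one returns `"alert"` and leaves a line in `checker.alerts`.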

So this approach adds junk data into a live system to increase the ratio of bad data to good data for when it gets stolen? Yes, and as long as the good data is not altered by the “honey” then the end user is not affected, but the system owners can know of a potential exposure. Interesting.


How to almost sync with BitCasa mirrors

BitCasa is a free cloud backup tool, which has a basic mirroring function for files that you want to be automatically backed up into the cloud instead of scheduling a backup. I was looking for a replacement for SugarSync’s folder synchronisation feature, and BitCasa’s functions are close but not really there yet. It seems that they have a beta app which is based upon bittorrent, but again not for a live sync.

Aside – the BitCasa cloud solution is pretty neat. I’m impressed by what they offer and their price point. The paradigm that it uses is not an attached storage volume really, but more like an external drive which happens to be on a remote server. That drive is almost read-only to your machine, and certainly read only from any other machine that tries to access the files. It is cloud backup, not a sync service.

This is the scenario:

Initially, a folder on my laptop and one on my desktop were set to always be kept in sync. This meant that files were always kept in reasonable sync, and I didn’t have to worry about manual copying or a scheduled copy which I might forget.

Now what I have is a folder on each location which are both copied up into BitCasa’s servers (yes, up into that fluffy white cloud of absolute trust). The difference is that each machine is used for slightly different things, so that what I do on the laptop generally isn’t used on the desktop. The sync is for emergencies, so it might work.

The trouble is that each machine uploads the selected mirrored folder into a separate space in that cloud, and the two areas are never synced together. I’d love them to be, but for the purposes of having my files backed up somewhere, this is enough.

When it comes to wanting to use one of the files which is on the other machine’s backup it needs to be copied back down to the new machine and stored. Just like an offsite solution, you don’t go editing the back-up tape. Now that I get the mindset, I don’t mind so much. If something exceptional happens in the file-sync space I’ll probably post it here, but till then BitCasa will get a bit of playing around.

Happy backups.

SugarSync goes paid only, darn it

SugarSync has cancelled their free offering, in a similar time frame to LogMeIn. Like LogMeIn the product itself was solid, and it was tempting to pick up a paid service for SugarSync. Unlike LogMeIn though, the SugarSync people actually gave a fair warning for the product going to paid only, and offered a humungous discount for the people who are signing up. I reviewed and recommended SugarSync in Feb 2011 and liked their product all this time. Unfortunately the reason I use it is not something that allows me to generate extra income, so it is harder to justify signing up for.

The free equivalent I’ve started trialing is BitCasa. They offer the same sync-a-folder option between two computers which was the key feature I liked. BitCasa offers a staggered set of storage options, including an unlimited one, which I’d be tempted to see really how “unlimited” it was, given that these things usually have some sort of cap written into the fine print.

I’ll write up the impressions of BitCasa shortly. Secretly I’m hoping I can get a few folk on it too, and up my default free storage.
