Canada’s Fastest Network! (Yeah, right.)

I’ve mentioned before that I use Shaw as my ISP at home.  Right at the moment, they have an advertising campaign that claims they are, or have, Canada’s fastest network.

Now, I’m willing to believe that Shaw is not being deliberately mendacious or misleading.  There is probably someplace, or some part of Shaw’s network, that transfers data faster than other vendors in that area or for that component.

And, I have to admit that, since I am not, generally, a high volume user, even the basic service I have for them is usually sufficient.  In the afternoon and most evenings.

But, right where I am, Shaw can’t seem to get any data moving in the morning.

I first noticed this a few months ago, and spent quite a bit of time contacting Shaw’s generally unhelpful help staff.  This involved them asking me to try a different network cable to the router, or a different computer, or bypassing the router, and checking their speedtest.  (None of which made any difference.)  They finally sent someone around.  The next day.  Of course, by that time the problem had resolved.  But by that time I’d noticed that traffic was only slow in the morning.

So, over the past few months there have been numerous mornings when it has been slow.  I don’t mean just “they promised me speeds up to 5 Mbps and I’m only getting 1.39″ slow, I mean “they promise a minimum of 1 Mbps and their own speedtest is showing 0.02 Mbps and that’s only when it actually completes” slow.  It doesn’t happen every morning, but often enough to see that the pattern is extremely regular, starting about 8:30 am, and trailing off (as in, network speeds start working again) around 11:30 am.

I’ve reported this to Shaw’s technical support, mostly through Twitter, since it takes less time than fighting your way through their phone voice menu tree and it doesn’t matter what reporting method you use, they never do anything anyway.  (Along the way I have learned that the ShawHelp Twitter people have a “Hello $username. If you follow and DM your account info and phone number we can look into it for you” macro, and that, if you submit details about the speeds and the fact that you have tried various configurations, you will receive a “No issues in your area, modem signal is good. Is computer direct to modem or are you using router?” message about 3 or 4 hours later.

It’s been annoying, but I’ve lived with it for a while.  Except that, for the past week and a half, this has now happened every single day.  It is pretty much impossible to do anything in the morning.  This morning was particularly bad: I couldn’t even get the speedtest to run, for the most part.

So, if I suddenly stop posting, you’ll kn()^(*%(&*(&*(&^ NO CARRIER


More terror from Canada

Kalamazoo cop, on vacation, with his wife, visits Nose Hill Park in Calgary.  He feels threatened that two complete strangers feel free to try and strike up a conversation.

Writes a letter to the Calgary Herald saying how threatened he feels since he wasn’t allowed to bring his gun.

It was later confirmed that these threatening strangers were handing out free passes to the Stampede.

More details can be found in at least 13 news stories by searching the Web.


Ignorance as a human (business?) right?

Rogers Communications Inc. is a company providing cable, cellular, and other services in Canada.

Rogers has a discount brand, Chatr, which they advertise as being “more reliable and less prone to dropped calls.”  Canada’s Competition Bureau, after what it called “an extensive review of technical data,” found no discernible difference in dropped-call rates between Rogers/Chatr and new entrants.

Apparently, Rogers will argue that the court should strike down a section in Canada’s Competition Act that requires companies to undergo “adequate and proper” tests of a product’s performance before making advertising claims about it.  In other words, Rogers is saying that forcing the company to find out if claims are true is unfair, because that means they can’t lie with a straight face.

Q: What is the difference between a computer salesman and a used-car salesman?

A: The used-car salesman knows when he’s lying to you …


What TV understands about crypto

One of only two shows that we actually watch on television is “Murdoch Mysteries.”  Set in Toronto, circa 1900, it shows Detective Murdoch “inventing” much of modern forensics using the technology of the time.  Some of it might actually work  :-)

The latest episode, “Invention Convention” (season 5 episode 9) had someone promoting “i-mail” (instant mail). which Gloria thought was Telex, and I figured was more akin to fax.  (For those in Canada, CityTV runs “Murdoch” a number of times during the week, but won’t say which ones are the current season, and which are older.  I’m pretty sure this episode will be relayed at 8 pm on Saturday.  For those outside Canada, I’m not sure whether you can watch the episode on the Website.)  Part of the plot turned on someone sending encrypted messages.

The code used by the group is a form of Ceasar cipher, aided by an Alberti disk.  In reality, by 1700 this probably would have been considered old hat: Casanova writes of breaking what must have been at least a shuffled alphabet cipher.  (In the episode an “analytical engine” is used to try and brute force the Ceasar cipher.)  Autocode and other forms were well established by 1900.  (De Vigenere created one form of autocode, rather than the cipher which bears his name, which he considered weak.)

In the end, the code turns out to be based on a keyboard layout, which probably was not completely standard by that time.  Which would, in any case, have been a simple substitution cipher, and easily breakable by frequency analysis (one case of which was said to have failed in the plot).


First “socmed” games?

I have been interested in the LOCOG insistence that the 2012 games are the first “social media” games.  (Apparently 2010 didn’t count since the winter Olympics aren’t “real” Olympic games: ancient Greece had no curling sheets, and there were problems using Mount Olympus for the downhill events.)

It’s particularly interesting that so many people are having problems using networking to watch the “first social media games”

Among other things


REVIEW: “Young People, Ethics, and the New Digital Media”

BKYPENDM.RVW   20120125

“Young People, Ethics, and the New Digital Media: A Synthesis from the
GoodPlay Project”, Carrie James et al, 2009, 978-0-262-51363-0
%A   Carrie James
%A   Katie Davis
%A   Andrea Flores
%A   John M. Francis
%A   Lindsay Pettingill
%A   Margaret Rundle
%A   Howard Gardner
%C   55 Hayward Street, Cambridge, MA   02142-1399
%D   2009
%G   978-0-262-51363-0 0-262-51363-3
%I   MIT Press
%O   +1-800-356-0343 fax: +1-617-625-6660
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%T   “Young People, Ethics, and the New Digital Media”

It is not until more than a tenth of this book has passed before the authors admit that this is, in essence, only a proposal for a study which they hope will be carried out in future.  No actual research or interviews have been conducted, so there aren’t really any results to be reported.  The authors hypothesize that five factors are involved in “media-identity”: “privacy, ownership and authorship, credibility, and participation.”  (Yes, I agree that it looks like four factors, expressed that way.  But the authors repeatedly express it in exactly that way, and insist that it makes five.)

The authors note that social networking (or social media, or new digital media) is a frontier, and thus lacks comprehensive and well-enforced rules and regulations.  Social media permits and encourages “participatory cultures,” with relatively low barriers to artistic expression and “civic” engagement, strong support for creating and sharing creations, and some type of informal mentorship whereby what is  known by the most experienced is passed along to novices.  The goals of the project are to investigate the ethical values and structures of new media and to create entities to promote ethical thinking and conduct.

The project is also to focus on “play,” with a fairly broad definition of that term, including gaming, instant messaging, social networking, participation in fan fiction groups, blogging, and content creation including video sharing.  Some of these activities may lead to employment, but are undertaken without support, rewards, and constraints of adult supervisors, and without explicit standards of conduct and quality.  “Good play” is defined as online conduct that is both meaningful and engaging to the participant and responsible to others in the community in which it is carried out.

A number of questions are raised in this book, but few are answered in any way at all.  While there is some review of existing work in related areas, it is hardly comprehensive, convincing, or useful.  It is difficult to say what the intent of publishing this book was.

copyright, Robert M. Slade   2012     BKYPENDM.RVW   20120125


Censorship with a broad brush

Just in case you have been hiding under a (Higgs or non-Higgs) rock for the past few weeks, TomKat is breaking up [1].  Tom Cruise is a highly visible Scientologist.  Many people have been commenting on possible Scientology aspects of the breakup.  Scientology seems to break out in a rash whenever anyone mentions the cult.

So, someone has provided a simple means for Scientologists to try and ensure that any mention of Scientology, or the event, or anything, is removed.

The main thrust of the instruction is that everybody will have a “code of conduct” on their Website, and every code of conduct will ban anything that “defames, degrades… an individual or group,” or something similar.  So, you just blanket object to everything on that basis.

I think it should work pretty well.  I’d say that, following Lord Northcliffe’s dictum that “News is what somebody, somewhere wants to suppress.  All the rest is advertising,” any interesting posting could be seen, by someone, as defaming or degrading some individual or group …

Of course, there are many other forms of censorship.  Here in Canada, the government is using funding cuts, threats of funding cuts, and even direct diplomatic office intervention, in order to to block theatrical performances it doesn’t like.


Security unawareness

I really don’t understand the people who keep yelling that security awareness is no good.  Here’s the latest rant.

The argument is always the same: security awareness is not 100% foolproof protection against all possible attacks, so you shouldn’t (it is morally wrong to?) even try to teach security awareness in your company.

This guys works for  a security consultancy.  He says that instead of teaching awareness, you should concentrate on audit, monitoring, protecting critical data, segmenting the network, access creep, incident response, and strong security leadership.  (If we looked into their catalogue of seminars, I wonder what we would find them selling?)

Security awareness training isn’t guaranteed to be 100% effective protection.  Neither is AV, audit, monitoring, incident response, etc.  You still use those thing even though they don’t guarantee 100% protection.  You should at least try (seriously) to teach security awareness.  Maybe more than just a single 4 hour session.  (It’s called “defence in depth.”)

Tell you what: I’ll teach security awareness in my company, and you try a social engineering attack.  You may hit some of my people: people aren’t perfect.  But I’ll bet that at least some of my people will detect and report your social engineering attack.  And your data isolation won’t.


Citizen cyber-protectors?

Marc Goodman (who I believe is FutureCrimes on Twitter and the Web) gave a recent TED talk on trends in the use of high technology in crime.

The 20 minute talk is frightening, with very little in the way of comfort for the protection or security side.  He ends with a call for crowdsourcing of protection.

Now as a transparent society/open source/full disclosure kind of guy, I like the general idea.  But, as someone who has been involved in education, security awareness, and professional security training for some time, I see a few problems.  For crowdsourcing to work, you need a critical mass of at least minimally capable people.  When you are talking about a weather reporting app, that minimal capability isn’t much. When you are talking about detecting cyberwar or bioweapons, the capability levels are a bit different.

Just yesterday the PNWER (Pacific NorthWest Economic Region) conference became the latest to bemoan the lack of trained employees.  I rather suspect these constant complaints, since I see lots of people out of work.  But the people who are whining about employees are just looking for network admins and such.  We need people with more depth and more breadth in their backgrounds.  I get CISSP candidates in my seminars who are network admins who simply want to know a few ACLS for firewalls.  I have to keep telling them that security professionals need to know more than that.

Yes, I am privileged to be able to meet a number who *are* interested in learning everything possible in order to meet any need or problem.  But, relatively speaking, those are few.  And my sample set tends to be abnormal, in that these are people who have already shown some interest in training (even if only job related).  What Goodman is talking about is the general public.  And those of us who have actually tried security awareness know how little conceptual awareness we have to build on, let alone advanced technical knowledge.

I think awareness, self-protection, and crowdsourcing is probably the only good way to approach the problems Goodman outlines.  I just worry that we have a long way to go.


Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are
likely to be telling a lie.  Glancing up to the left, on the other hand, is said to
indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large
percentage of the public believes that certain eye movements are a sign of lying,
and this idea is even taught in organisational training courses. … The claimed link
between lying and eye movements is a key element of neuro-linguistic

“According to the theory, when right-handed people look up to their right they
are likely to be visualising a ‘constructed’ or imagined event.  In contrast when
they look to their left they are likely to be visualising a ‘remembered’ memory.
For this reason, when liars are constructing their own version of the truth, they
tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The
results of the first study revealed no relationship between lying and eye
movements, and the second showed that telling people about the claims made by
NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)


Quick way to find out if your account has been hacked?

In the wake of the recent account “hacks,” and fueled by the Yahoo (and, this morning, Android) breaches, An outfit called Avalanche (which seems to have ties to, or be the parent company of, the AVG antivirus) has launched

They are getting lots of press.

“If you don’t know, a website called will
tell you. Just enter your email—they won’t store your address unless
you ask them to—and click the button that says, “Check it.” If your
email has been associated with any of a large and ever-growing list
of known password breaches, including the latest Yahoo hack, the
site will let you know, and advise you to change it right away.”

Well, I tried it out, with an account that gets lots of spam anyway.  Lo and behold, that account was hacked!  Well, maybe.

(I should point out that, possibly given the popularity of the site, it is pig slow at the moment.)

The address I used is one I tend to give to sites, like recruiters and “register to get our free [fillintheblank]” outfits, that demand one.  It is for a local community site that used to be a “Free-net.”  I use a standard, low value password for registering on remote sites since I probably won’t be revisiting that site.  So I wasn’t completely surprised to see the address had been hacked.  I do get email through it, but, as noted, I also get (and analyse) a lot of spam.

When you get the notification, it tells you almost nothing.  Only that your account has been hacked, and when.  However, you can find a list of breaches, if you dig around on the site.  This list has dates.  The only breach that corresponded to the date I was given was the Strategic Forecasting breach.

I have, in the past, subscribed to Stratetgic Forecasting.  But only on the free list.  (Nothing on the free list ever convinced me that the paid version was worth it.)  So, my email address was listed in the Strategic Forecasting list.  But only my email address.  It never had a password or credit card number associated with it.

It may be worth it as a quick check.  However, there are obviously going to be so many false positives (like mine) and false negatives (LinkedIn isn’t in the list) that it is hard to say what the value is.


Submarine patent torpedoed …

For some years I have been peripherally involved (hired to research prior art, etc.) in some of the submarine patent/patent troll cases in the AV world.

I’ve got plenty of prior art.  Programs demonstrating and using technologies that were granted patents years after those programs were available.  Email discussions showing that concepts were obvious and well-known years before patent applications were filed.

Of course, as the “expert” I’m not privy to the legal strategy.  Bt I can figure it out.  US patent office issues patent that never should have been granted.  Troll sues Big Firm for $100M.  BF’s lawyers go to IP law firm.  IP lawyers find me.  IP lawyers ask me for the weirdest (and generally weakest) evidence.  IP lawyers go back to BF’s lawyers.  BF’s lawyers go back to BF.  (At this point I’m not privy to the discussions, so I’m guessing.  But I suspect that …)  IP and BF lawyers advise that evidence available, but patent fight expensive.  BF offers troll $100K to go away.  Troll happy with $100K, which is all he wanted anyway.  BF lawyers happy with large (and now more secure) salaries.  IP lawyers happy with $1M fees.  BF happy to have “saved” $99M.  The only person not happy is me.

Well, Kaspersky got sued.  Kaspersky fought.  Kaspersky won.

So, today I’m happy.  (I just wish I’d been part of *this* fight …)

(By the way, patent trolls cost money …)


Apple and “identity pollution”

Apple has obtained a patent for “identity pollution,” according to the Atlantic.

I am of not just two, but a great many minds about this.  (OK, admit it: you always knew I was schizophrenic.)

First off, I wonder how in the world they got a patent for this.  OK, maybe there isn’t much in the way of prior art, but the idea can’t possibly be called “non-obvious.”  Even before the rise of “social networking” I was prompting friends to use my “loyalty” shopping cards, even the ones that just gave discounts and didn’t get you points.  I have no idea what those stores think I buy, and I don’t much care, but I do know that they have very little about my actual shopping patterns.

In our advice to the general population in regard to Internet and online safety in general, we have frequently suggested a) don’t say too much about yourself, and b) lie.  Isn’t this (the lying part) exactly what Apple is doing?

In similar fashion, I have created numerous socmed accounts which I never intended to use.  A number of them are simply unpopulated, but some contain false information.  I haven’t yet gone to the point of automating the process, but many others have.  So, yet another example of the US patent office being asleep (Rip-Van-Winkle-level asleep) at the technological switch.

Then there is the utility of the process.  Yes, OK, we can see that this might (we’ll come back to the “might”) help protect your confidentiality.  How can people find the “you” in all the garbage?  But what is true for advertisers, spammers, phishers, and APTers is also true for your friends.  How will the people who you actually *want* to find you, find the true you among all the false positives?

(Here is yet another example of the thre “legs” of the security triad fighting with each other.  We have endless examples of confidentiality and availability working against each other: now we have confidentiality and integrity at war.  How do you feel, in general, about Apple recommending that we creating even more garbage on the Internet than is already there?)

(Or is the fact that it is Apple that is doing this somehow appropriate?)

OK, then, will this work?  Can you protect the confidentiality of your real information with automated false information?  I can see this becoming yet another spam/anti-spam, CAPTCHA/CAPTCHA recognition, virus/anti-virus arms race.  An automated process will have identifiable signs, and those will be detected and used to ferret out the trash.  And then the “identity pollution” (a new kind of “IP”?) will be modified, and then the detection will be modified …

In th meantime, masses of bandwidth and storage will be consumed.  Socnet sites will be filled with meaningless accounts.  Users of socmed sites will be forced to spend even more time winnowing out those accounts not worth following.  Socnet companies will be forced to spend more on storage and determination of false accounts.  Also, their revenues will be cut as advertises realize that “targetted” ads will be less targetted.

Of course, Apple will be free to create a social networking site.  They already have created pieces of such.  And Apple can guarantee that Apple product users can use the site without impedance of identity pollution.  And, since Apple owns the patent, nobody else will be able to pollute identities on the Apple socnet site.

(And if Apple believes that, I have a bridge to sell them …)


Linded-Indiots in the stock market

OK, as some of you may be aware, LinkeDin had a semi-massive leak of passwords that came to light yesterday.

How are the markets taking it?

Well, today the stock is up, slightly.

That’s because ad revenues are up.  Since everyone is loggin on today, in order to change passwords …

Sometimes I wonder why we bother …


Transit of venus safety tip

Many people around the world are hoping for clear skies to view the transit of Venus across the face of the sun, an event which will not occur again for more than a century. [1]

However, public safety officials are concerned that people may endanger their eyes by looking directly at the sun without eye protection.  Not only will they not be able to see any indications of the transit, but this can, of course, burn the retina of the eye, causing permanent damage, and possibly complete blindness.

However, I have confirmed that ordinary sunglasses are sufficient protection, as long as used correctly. [2]

And the great thing is, this works no matter what “Venus transit” webcam you view, and no matter how brightly you have your monitor cranked up.

(In the spring, generally we would have at least some clear skies for viewing.  However, typically Vancouver, it’s pretty much completely overcast here for the entire run of the transit.)

So, thank goodness for NASA

[1] It’s rather interesting that the transits occur in pairs, eight years apart, and then more than a century between the eight year pairs.

[2] I hope I don’t have to point out that this is just a joke, and that staring into the sun with only sunglasses as protection is no protection at all.  If anyone doesn’t get it, at least I have a hundred and five years before I get sued.



No!  I’m *not* asking for validation to join a security group on LinkedIn!

Apparently several million passwords have been leaked in an unsalted file, and multiple entities are working on cracking them, even as we speak.  (Type?)

So, odds are “low but significant” that your LinkedIn account password may have been cracked.  (Assuming you have a LinkedIn account.)  So you’d better change it.

And you might think about changing the password on any other accounts you have that use the same password.  (But you’re all security people, right?  You’d *never* use the same password on multiple accounts …)