The Daily Parker

Politics, Weather, Photography, and the Dog

Things in my Inbox

Some articles:

Today's other tasks include cleaning my house and writing code for about four hours.

They have to be monsters

Jeff Atwood blogged yesterday about the emotional abuse people heap on others over the Internet:

I admired the way Stephanie Wittels Wachs actually engaged with the person who left that awful comment. This is a man who has two children of his own, and should be no stranger to the kind of pain involved in a child's death. And yet he felt the need to post the word "Junkie" in reply to a mother's anguish over losing her child to drug addiction.

Isn’t this what empathy is? Putting myself in someone else’s shoes with the knowledge and awareness that I, too, am human and, therefore, susceptible to this tragedy or any number of tragedies along the way?

Most would simply delete the comment, block the user, and walk away. Totally defensible. But she didn't. She takes the time and effort to attempt to understand this person who is abusing her mother, to reach them, to connect, to demonstrate the very empathy this man appears incapable of.

As one Twitter user said, "falling in love, breaking into a bank, bringing down the govt…they all look the same right now: they look like typing."

Clean your damn data!

Because no one has actually cleaned up a database of IP address geocodes, a Kansas farmer is getting blamed for all manner of bad behavior on the Internet:

As any geography nerd knows, the precise center of the United States is in northern Kansas, near the Nebraska border. Technically, the latitudinal and longitudinal coordinates of the center spot are 39°50′N 98°35′W. In digital maps, that number is an ugly one: 39.8333333,-98.585522. So back in 2002, when MaxMind was first choosing the default point on its digital map for the center of the U.S., it decided to clean up the measurements and go with a simpler, nearby latitude and longitude: 38°N 97°W or 38.0000,-97.0000.

As a result, for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind’s IP mapping information, and in all, there are now over 600 million IP addresses associated with that default coordinate. If any of those IP addresses are used by a scammer, or a computer thief, or a suicidal person contacting a help line, MaxMind’s database places them at the same spot: 38.0000,-97.0000.

Which happens to be in the front yard of Joyce Taylor’s house.

And, of course, since most people don't understand (a) default data, (b) data errors, or (c) how anything at all actually works, default IP mapping by MaxMind and other companies (including Google and Facebook) has resulted in people behaving stupidly all over the U.S.

Pro tip: Never live near a major data center.
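The failure the quoted article describes is a precision problem: a country-level fallback coordinate that consumers treat as a street address. As an added example (not code from the page, MaxMind, or the article), here is a small Python triage step that recognises a known fallback point and downgrades the result to "country" before anyone acts on it. The only fallback coordinate it knows is the 38.0000,-97.0000 point quoted above; the lookup results are constructed, using documentation IP ranges.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default "unknown location" coordinates, as described in the article quoted above.
# Only the U.S. value is on the page; in practice this table would be built from the
# provider's own documentation for every country-level fallback it uses.
KNOWN_DEFAULT_CENTROIDS = {
    "US": (38.0, -97.0),
}


@dataclass
class GeoResult:
    """One IP geolocation lookup result (constructed for this example)."""
    ip: str
    country: str
    lat: float
    lon: float
    city: Optional[str] = None


def is_default_centroid(result: GeoResult, tolerance: float = 1e-3) -> bool:
    """True when the coordinate is the provider's country-level fallback, not a real fix."""
    centroid = KNOWN_DEFAULT_CENTROIDS.get(result.country)
    if centroid is None:
        return False
    return (abs(result.lat - centroid[0]) <= tolerance
            and abs(result.lon - centroid[1]) <= tolerance)


def effective_precision(result: GeoResult) -> str:
    """Downgrade a fallback coordinate to 'country' so nobody treats it as an address."""
    if is_default_centroid(result):
        return "country"
    return "city" if result.city else "coordinate"


def triage(results: List[GeoResult]) -> List[str]:
    """Render lookup results the way an analyst's report should show them."""
    lines = []
    for r in results:
        precision = effective_precision(r)
        if precision == "country":
            lines.append(f"{r.ip}: somewhere in {r.country} "
                         f"(provider fallback; no finer location known)")
        else:
            lines.append(f"{r.ip}: {r.lat},{r.lon} ({precision}: {r.city or 'n/a'})")
    return lines


# Constructed sample input using documentation IP ranges; these are not real lookups.
SAMPLE_RESULTS = [
    GeoResult("192.0.2.10", "US", 41.8781, -87.6298, city="Chicago"),
    GeoResult("198.51.100.7", "US", 38.0, -97.0),          # the default point
    GeoResult("203.0.113.5", "US", 38.0004, -96.9996),     # same point, rounding noise
    GeoResult("203.0.113.9", "US", 39.8333, -98.5855),     # the true centre, not the default
]

if __name__ == "__main__":
    for line in triage(SAMPLE_RESULTS):
        print(line)
```

The tolerance matters because the fallback value reaches consumers through several layers of rounding; an exact comparison would miss the third sample while still flagging the second.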

Reading list

Here we go:

It's also a nice day outside, so Parker will probably get two hours of walks in.

Newsletter widget removed

On Thursday I merged in the latest GitHub code from the BlogEngine.NET project and published it to Azure. I didn't realize at the time that the update contained a new widget called "newsletter" that let anyone sign up to receive a notification for each post on the blog.

By the time I got my weekly email report with its hundreds of bounces, apparently every robot from here to Vladivostok had signed up.

So annoying. Well, I now know the widget code a lot better, and I've killed the thing. I hope my bounce rate drops back to zero.

If you want to know when I post something, there's an RSS feed to which you're welcome to subscribe.

Did Reddit get an NSA letter?

Reddit recently published their 2015 Transparency Report, in which they tell how many times they received official requests for user information. However, NSA letters often require that the companies receiving them keep the letters themselves secret. So how to let the world know you've received one? Kill a canary:

At the bottom of its 2014 transparency report, the company wrote: "As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed."

That language was conspicuously missing from the 2015 transparency report that was published Thursday morning.

Warrant canaries work like this: a company publishes a notice saying that a warrant has not been served as of a particular date. Should that notice be taken down, users are to surmise that the company has indeed been served with one. The theory is that while a court can compel someone to not speak (a gag order), it cannot compel someone to lie. The only problem is that warrant canaries have yet to be fully tested in court.

When users wondered if this meant the site had been subjected to a secret court order in the /announcements/ subreddit, CEO Steve Huffman, known on the site as "spez," wrote: "I've been advised not to say anything one way or the other."

Secret warrants are totalitarian instruments that have no place in an open democracy. We need to end the practice. I hope someone with the balls and bucks challenges one soon.
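The canary mechanism described above is something a reader can monitor mechanically: the statement either appears with a fresh "as of" date, appears with a date that has gone stale, or is gone. As an added example (not code from the page, from reddit, or from the article quoted), here is a Python checker that classifies a report text that way. The regular expression is an assumption tuned to the sentence quoted above; both report texts are constructed, the first reusing that sentence and the second standing in for a report that omits it.

```python
import re
from datetime import date, datetime
from typing import Optional

# Pattern for the kind of statement quoted above ("As of January 29, 2015, reddit has
# never received a National Security Letter ..."). The wording is an assumption; a real
# monitor would be tuned to the exact text a given company publishes.
CANARY_RE = re.compile(
    r"As of (?P<date>[A-Z][a-z]+ \d{1,2}, \d{4}), .*?"
    r"has never received a National Security Letter",
    re.IGNORECASE | re.DOTALL,
)


def parse_canary_date(report_text: str) -> Optional[date]:
    """Return the 'as of' date of the canary statement, or None if no statement is present."""
    match = CANARY_RE.search(report_text)
    if match is None:
        return None
    return datetime.strptime(match.group("date"), "%B %d, %Y").date()


def check_canary(report_text: str, today_iso: str, max_age_days: int = 400) -> str:
    """Classify a report as OK, STALE (statement present but old) or MISSING (statement gone).

    MISSING or STALE is a signal to investigate, not proof of a secret order: the quoted
    article notes that canaries are untested in court, and a company may simply have
    reworded its report. today_iso is an ISO date such as "2016-03-31".
    """
    today = date.fromisoformat(today_iso)
    as_of = parse_canary_date(report_text)
    if as_of is None:
        return "MISSING"
    if (today - as_of).days > max_age_days:
        return "STALE"
    return "OK"


# Constructed sample reports. The first reuses the sentence quoted above; the second is a
# stand-in for a report that no longer carries it.
REPORT_2014 = (
    "Transparency report 2014\n"
    "As of January 29, 2015, reddit has never received a National Security Letter, an order "
    "under the Foreign Intelligence Surveillance Act, or any other classified request for "
    "user information. If we ever receive such a request, we would seek to let the public "
    "know it existed.\n"
)
REPORT_2015 = (
    "Transparency report 2015\n"
    "Requests for user information received during 2015 are summarised below.\n"
)

if __name__ == "__main__":
    for name, text in (("2014", REPORT_2014), ("2015", REPORT_2015)):
        print(name, check_canary(text, today_iso="2016-03-31"))
```

The max_age_days threshold exists because a canary that is never refreshed is as uninformative as one that is removed; an annual report needs a window somewhat longer than a year to avoid false alarms from publication delays.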

The FBI's Apple hack made us all less secure

Bruce Schneier explains:

The FBI...has been given whatever vulnerability it used to get into the San Bernardino phone in secret, and it is keeping it secret. All of our iPhones remain vulnerable to this exploit. This includes the iPhones used by elected officials and federal workers and the phones used by people who protect our nation's critical infrastructure and carry out other law enforcement duties, including lots of FBI agents.

This is the trade-off we have to consider: Do we prioritize security over surveillance, or do we sacrifice security for surveillance?

The problem with computer vulnerabilities is that they're general. There's no such thing as a vulnerability that affects only one device. If it affects one copy of an application, operating system or piece of hardware, then it affects all identical copies. A vulnerability in Windows 10, for example, affects all of us who use Windows 10. And it can be used by anyone who knows it, be they the FBI, a gang of cyber criminals, the intelligence agency of another country -- anyone.

I understand the frustration of cops everywhere who see these troves of data that didn't exist 10 or 15 years ago just out of reach thanks to manufacturers' security measures. But it shouldn't take a security expert like Schneier to convince people that those features protect us more than they hurt us.

Hackers attacking law firms

Interesting. A Ukrainian criminal has essentially announced his intention to attack 50 law firms worldwide in order to get insider information on securities:

The mastermind, a broker named "Oleras" living in Ukraine, has been attempting since January to hire hackers to break into the firms' computer systems so he can trade on insider information, according to a Feb. 3 alert from Flashpoint, a New York threat intelligence firm.

Kirkland & Ellis, Sidley Austin, McDermott Will & Emery and Jenner & Block all were listed on a spreadsheet of potential marks. It named 46 of the country's largest law firms, plus two members of the UK's Magic Circle.

In this latest scheme, Oleras posted on a cyber criminal forum a plan to infiltrate the law firms' networks, then use keywords to locate drafts of merger agreements, letters of intent, confidentiality agreements and share purchase agreements. The list of targeted law firms also included names, email address and social media accounts for specific employees at the firms.

Now, having worked in both law and IT, I am a bit worried about this. Attorneys, bless their hearts, are usually not the most technically savvy group of people. I hope the targeted law firms have really good IT staffs—but that won't matter if the attorneys themselves get targeted in spear-phishing attacks.

Maybe we just need to make them liable for information disclosure. That will get their attention.

Quiet implementations of Moore's Law

Jeff Atwood uses a complaint about how computers have ruined chess forever to make an important point about security:

What's not clear in this table [of exponentially decreasing dollars per gigaflop] is that after 2007, all the big advances in FLOPS came from gaming video cards designed for high speed real time 3D rendering, and as an incredibly beneficial side effect, they also turn out to be crazily fast at machine learning tasks.

Let's consider a related case of highly parallel computation. How much faster is a GPU at password hashing?

Only 155 times faster right out of the gate. No big deal. On top of that, CPU performance has largely stalled in the last decade.

I'd like to emphasize how much it sucks to be an 8 character password in today's world. If your password is only 8 characters, that's perilously close to no password at all. That's also why your password is (probably) too damn short. In fact, we just raised the minimum allowed password length on Discourse to 10 characters, because annoying password complexity rules are much less effective in reality than simply requiring longer passwords.

Talk about burying the lede. But Atwood is correct; unless you're in the habit (as I am) of using a strong, unique password for every single website, use a set of strong passphrases instead. (The Ars Technica article Atwood cited is pretty good.)

Also, I'm looking for a really good video card now...
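Atwood's two claims above, that a GPU's speedup makes short passwords nearly worthless and that a length rule beats a complexity rule, can be put side by side in a few lines. As an added example (not code from the page, from Atwood, or from Discourse), this Python block computes how many extra characters it takes to cancel out a 155x speedup, the one figure taken from the quote, and contrasts a length-only policy with a classic complexity policy. The hash rates are assumptions for illustration; the passwords tested are constructed.

```python
import math
from typing import Dict

# Character-set sizes for a randomly chosen password.
CHARSETS: Dict[str, int] = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable": 95,
}

# Hash rates are assumptions for illustration, not figures from the page; the only number
# taken from the quote above is the 155x GPU-to-CPU ratio.
CPU_HASHES_PER_SECOND = 1_000_000
GPU_SPEEDUP = 155
GPU_HASHES_PER_SECOND = GPU_SPEEDUP * CPU_HASHES_PER_SECOND


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search has to try."""
    return charset_size ** length


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy if every character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length: int, charset_size: int, hashes_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given hash rate."""
    return keyspace(length, charset_size) / hashes_per_second


def human_duration(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def extra_characters_to_offset(charset_size: int, speedup: int = GPU_SPEEDUP) -> int:
    """Smallest number of added characters whose keyspace growth exceeds the speedup."""
    extra = 0
    while charset_size ** extra < speedup:
        extra += 1
    return extra


def length_policy(password: str, minimum: int = 10) -> bool:
    """The rule Atwood describes: length only, 10 characters minimum."""
    return len(password) >= minimum


def complexity_policy(password: str, minimum: int = 8) -> bool:
    """Classic rule: 8+ characters with an upper, a lower, a digit and a symbol."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return len(password) >= minimum and all(any(f(c) for c in password) for f in classes)


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name}: {extra_characters_to_offset(size)} extra character(s) "
              f"outweigh a {GPU_SPEEDUP}x faster cracker")
    for length in (8, 10, 12):
        cpu = human_duration(seconds_to_exhaust(length, 95, CPU_HASHES_PER_SECOND))
        gpu = human_duration(seconds_to_exhaust(length, 95, GPU_HASHES_PER_SECOND))
        print(f"{length} printable chars ({entropy_bits(length, 95):.1f} bits): "
              f"CPU {cpu}, GPU {gpu}")
    for pw in ("P@ssw0rd", "correct horse battery"):   # constructed test passwords
        print(f"{pw!r}: complexity={complexity_policy(pw)} length={length_policy(pw)}")
```

Going from 8 to 10 printable characters multiplies the keyspace by 95^2, far more than the 155x the GPU takes away, which is the arithmetic behind raising a minimum length rather than adding character-class rules; the policy comparison shows the complementary point, that a complexity rule happily accepts an 8-character password built from a dictionary word with substitutions while rejecting a long passphrase.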