The Daily Parker

Politics, Weather, Photography, and the Dog

Seven billion dollars for nothing

Security guru Bruce Schneier, writing for CNN, is not surprised that TSA screeners missed 95% of guns in a recent drill:

For those of us who have been watching the TSA, the 95% number wasn't that much of a surprise. The TSA has been failing these sorts of tests since its inception: failures in 2003, a 91% failure rate at Newark Liberty International in 2006, a 75% failure rate at Los Angeles International in 2007, more failures in 2008. And those are just the public test results; I'm sure there are many more similarly damning reports the TSA has kept secret out of embarrassment.

The TSA is failing to defend us against the threat of terrorism. The only reason they've been able to get away with the scam for so long is that there isn't much of a threat of terrorism to defend against.

Even with all these actual and potential failures, there have been no successful terrorist attacks against airplanes since 9/11. If there were lots of terrorists just waiting for us to let our guard down to destroy American planes, we would have seen attacks -- attempted or successful -- after all these years of screening failures. No one has hijacked a plane with a knife or a gun since 9/11. Not a single plane has blown up due to terrorism.

Of course, what American politician would ever vote to reduce security spending? The incentives on the individual representatives are too strongly skewed in favor of an ever-ratcheting security state. This is one of the things that did in Rome.

That said, Italy is a lovely country these days...

User Self-Blame

Microsoft's Scott Hanselman blames us computer professionals for users thinking they don't know computers:

In my recent podcast with UX expert and psychologist Dr. Danielle Smith the topic of "user self-blame" came up. This is that feeling when a person is interacting with a computer and something goes wrong and they blame themselves. I'd encourage you to listen to the show, she was a great guest and brought up a lot of these points.

Self-blame when using technology has gotten so bad that when ANYTHING goes wrong, regular folks just assume it was their fault.

This harkens back to the middle ages when the average person couldn't read. Only the monks cloistered away had this magical ability. What have we done as techies to make regular folks feel so isolated and afraid of all these transformative devices? We MAKE them feel bad.

This on the same day that Jeff Atwood tells us our passwords suck (and he's right):

The easiest way to build a safe password is to make it long. All other things being equal, the law of exponential growth means a longer password is a better password. That's why I was always a fan of passphrases, though they are exceptionally painful to enter via touchscreen in our brave new world of mobile – and that is an increasingly critical flaw. But how short is too short?

...[Y]ou can't really feel safe until the 12 character mark even with a full complement of uppercase, lowercase, numbers, and special characters.

This is also a UX failure, but of a different kind. Until two-factor authentication becomes ubiquitous—and until users start accepting the need for it—passwords are going to be the chink in Smaug's armor.

Of course, it doesn't help that users typically don't have accurate conceptual models for things. The number of times I have explained the difference between authentication and authorization (which is a necessary conceptual model for understanding why you should never, ever give your passwords to anyone)
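To put numbers on Atwood's exponential-growth point, here is an added example (my own illustration, not code from the post or from Atwood's article) that computes the search space of a few password shapes and how long an exhaustive search would take. The 95-character keyboard alphabet, the 7776-word Diceware list, and the guess rate of 10^11 per second are assumptions chosen for illustration:

```python
import math

# Alphabet sizes (assumptions chosen for illustration; the post gives no figures).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
FULL_CHARSET = LOWER + UPPER + DIGITS + SYMBOLS   # the 95 printable ASCII characters
DICEWARE_WORDS = 7776                             # 6**5, the standard Diceware list size
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string: log2(alphabet_size ** length).
    Each extra symbol multiplies the search space, which is the exponential
    growth Atwood refers to."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e11) -> dict:
    """Tabulate a few password shapes. The default rate is an assumption standing
    in for a multi-GPU rig attacking an unsalted fast hash such as MD5."""
    shapes = {
        "8 chars, full charset": search_space_bits(FULL_CHARSET, 8),
        "12 chars, full charset": search_space_bits(FULL_CHARSET, 12),
        "12 chars, lowercase only": search_space_bits(LOWER, 12),
        "4 Diceware words": search_space_bits(DICEWARE_WORDS, 4),
        "6 Diceware words": search_space_bits(DICEWARE_WORDS, 6),
    }
    return {
        name: {"bits": round(bits, 1), "years": years_to_exhaust(bits, guesses_per_second)}
        for name, bits in shapes.items()
    }


def strongest(table: dict) -> str:
    """Name of the shape with the largest search space."""
    return max(table, key=lambda k: table[k]["bits"])


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:26s} {row['bits']:5.1f} bits  {row['years']:12.3g} years")
```

The guess rate only shifts the absolute years; the ranking of the shapes does not change, and a slow password hash such as bcrypt or scrypt cuts the rate by several orders of magnitude. Note that four random Diceware words land just below eight random full-charset characters while being far easier to type on a touchscreen, which is the trade-off Atwood is weighing.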

Chase enters the 2000s

Chip-and-PIN cards have ruled Europe for almost 10 years, because (a) they reduce fraud that (b) customers are liable for over there. In the U.S., where banks are liable, consumers haven't pushed as hard for the security measure, so it's rare. I've had a chipped card for two years now but even my bank hasn't gone the whole way to requiring PINs for purchases with it.

Chase, however, has had enough, and has decided to issue them to everyone:

Chip cards have significantly cut into fraud globally. For example, in the United Kingdom, card fraud in stores dropped by 75 percent from 2004 — when a large-scale rollout began — to 2012, said Zilvinas Bareisis, a senior analyst for Celent, a consulting firm to the financial services industry.

A December 2014 report by the Payments Security Task Force, whose members include Visa, Bank of America and Riverwoods-based Discover, estimates that 47 percent of U.S. terminals will accept chip cards by the end of 2015.

Chase, which holds almost 25 percent of deposits in the Chicago area, said its rollout here will be followed nationally.

Other banks are slowly introducing chip cards. BMO Harris Bank, which holds 12 percent of deposits in the Chicago area, said it recently began issuing chip debit cards. Any new or replacement debit cards include chips, spokesman Patrick O'Herlihy said.

It's sometimes amusing and sometimes sad that the U.S. lags the rest of the OECD in technology. This one is sad. I'm glad Chase is making this push. We could finally have chip-and-PIN cards in time for Europe to roll out whatever comes next.

Internet memes live forever

NPR takes a look at how the Internet never forgets and what that means to people who find themselves going viral:

Some unwitting meme celebrities embrace their fame. Earlier this year the Washington Post profiled Kyle Craven, more popularly known as "Bad Luck Brian," a meme about a boy with hilariously and often very dark bad luck. Craven, who was always a class clown, capitalized on his fame. The Post reports that between licensing deals and T-shirts, he has made between $15,000 and $20,000 in the past three years.

Others have tried to use their Internet fame as a catapult for an entertainment career. Laina Morris' picture is easily recognizable — the bulging, crazy-looking eyes and loopy smile made her best known as the Overly Attached Girlfriend who makes ridiculous demands and accusations. Morris has tried to create a comedic career out of her online celebrity. She has a YouTube channel where she posts skits, and a Twitter account.

But for others, it's a nightmare. Perhaps one of the most notable cases is Ghyslain Raza, "Star Wars Kid," who in 2003 became one of the first viral memes. This was before YouTube launched, and Raza did not even post the video. He simply taped himself doing Star Wars-style fighting for a school video club. His classmates secretly posted the video online, and it spread like wildfire. By the end of 2006, it had been clicked on more than 900 million times. It has more than 27 million views on YouTube and was parodied on Family Guy, The Colbert Report and South Park.

Oh, poor "Star Wars Kid."

My question is, how long until people adapt and wonder what was this "privacy" thing the old people keep babbling about?

Hello, GCHQ

A joint US-UK operation has obtained the master encryption keys to billions of mobile phones:

The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world’s cellular communications, including both voice and data.

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

Oh, goody. Essentially, if you have a phone with a SIM card (in the U.S., that means you have AT&T or T-Mobile), the NSA and Britain's GCHQ can listen in to your conversation in real time. (The article goes into some good technical depth about the exploits and how they did it.)
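To see why a stolen SIM key is enough for purely passive interception, here is an added example (my own toy, not code from The Intercept article or from the post) walking through the GSM challenge-response exchange and the later decryption of a recorded session. HMAC-SHA256 and a hash-based keystream stand in for the real A3/A8 and A5 algorithms, the subscriber identity and key are constructed, and tagging the capture with the IMSI is a simplification (real networks normally use a temporary identity over the air):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Sizes follow GSM: Ki 128 bits, RAND 128 bits, SRES 32 bits, Kc 64 bits.
# The algorithms below are stand-ins (assumption): real SIMs run COMP128
# variants or MILENAGE for A3/A8 and A5/1 or A5/3 on the air interface.


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: the 32-bit signed response the SIM returns to the network."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: the 64-bit session key used to encrypt the air interface."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_crypt(kc: bytes, frame: int, data: bytes) -> bytes:
    """A5 stand-in: XOR with a keystream derived from Kc and a frame counter.
    The same call encrypts and decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(kc + frame.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Sim:
    imsi: str   # subscriber identity (constructed value in the usage below)
    ki: bytes   # the secret that never leaves the SIM or the operator's AuC

    def answer(self, rand: bytes):
        """SRES goes back over the air; Kc stays inside the handset."""
        return a3_sres(self.ki, rand), a8_kc(self.ki, rand)


class Network:
    """Operator side: the authentication centre holds a copy of every Ki."""

    def __init__(self, auth_centre: dict):
        self.auth_centre = auth_centre

    def challenge(self) -> bytes:
        return os.urandom(16)  # RAND is sent to the handset in the clear

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> bool:
        expected = a3_sres(self.auth_centre[imsi], rand)
        return hmac.compare_digest(expected, sres)


def run_call(sim: Sim, network: Network, plaintext: bytes) -> dict:
    """Authenticate, encrypt one frame, and return exactly what a passive
    sniffer on the radio path can record: identity, RAND and ciphertext.
    Neither Ki nor Kc is ever transmitted."""
    rand = network.challenge()
    sres, kc = sim.answer(rand)
    if not network.verify(sim.imsi, rand, sres):
        raise RuntimeError("authentication failed")
    assert a8_kc(network.auth_centre[sim.imsi], rand) == kc  # both ends derive the same Kc
    return {"imsi": sim.imsi, "rand": rand, "ciphertext": a5_crypt(kc, 1, plaintext)}


def decrypt_with_stolen_ki(capture: dict, stolen_keys: dict) -> bytes:
    """With the subscriber's Ki in hand, the sniffer reruns A8 on the RAND it
    saw and unlocks the recording, live or years later. Nothing touches the
    operator's network, so the interception leaves no trace there."""
    kc = a8_kc(stolen_keys[capture["imsi"]], capture["rand"])
    return a5_crypt(kc, 1, capture["ciphertext"])


if __name__ == "__main__":
    sim = Sim("001010123456789", bytes(range(16)))        # constructed IMSI and Ki
    capture = run_call(sim, Network({sim.imsi: sim.ki}), b"call me back")
    print(decrypt_with_stolen_ki(capture, {sim.imsi: sim.ki}))
```

The exchange is why the quoted article says no warrant and no cooperation from the carrier are needed: everything the eavesdropper uses besides Ki is already broadcast in the clear, and the same derivation works on traffic recorded before the keys were obtained.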

Of course, they would have to be looking for you in order to do that, but still. This is the kind of revelation that (a) makes me think Edward Snowden may not have been such a bad guy after all, and (b) that because so few people care, the world is a scarier place.

By the way, I'm right now reading The Honourable Schoolboy, having finished Tinker Tailor Soldier Spy in London last weekend. I'm rooting for Smiley and Westerby just the same. But you know, the USSR had 15,000 nuclear bombs pointed at us, and Western spying back then was aimed at the USSR, not at its own citizens.

Take the Orange Line to King's Landing

While we're getting ready to celebrate the birth of Baby X this Xmas, links are once again stacking up in my inbox. Like these:

That might be it for The Daily Parker today.

What's going on with the Microsoft Azure blog?

For the last couple of days, I've had trouble getting to Microsoft's Azure blog. From my office in downtown Chicago, clicking the link gives me an error message:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

However, going to the same URL from a virtual machine on Azure takes me to the blog. So what's going on here? It took a little detective work, but I think Microsoft has a configuration error on one of a set of geographically distributed Azure web sites, they don't know about it, and there's no way to tell them.

The first step in diagnosing a problem like this is to see if it's local. Is there something about the network I'm on that prevents me from seeing the website? This is unlikely for a few big reasons: first, when a local network blocks or fails to connect to an outside site, usually nothing at all happens. This is how the Great Firewall of China works, because someone trying to get to a "forbidden" address may get there slowly, normally, or not at all—and it just looks like a glitch. Second, though, the root Azure site is completely accessible. Only the Blog directory has an error message. Finally, the error message is coming from the foreign system. Chrome confirms this; there's an HTTP 200 (OK) response with the content I see.

All right, so the Azure Blog is down. But that doesn't make a lot of sense. Thousands of people read the Azure blog every day; if it were down, surely Microsoft would have noticed, right?

So for my next test, I spun up an Azure Virtual Machine (VM) and tried to connect from there. Bing! No problem. There's the blog.

Now we're onto something. So let's take a look at where my local computer thinks it's going, and where the VM thinks it's going. Here's the nslookup result for my local machine, both from my company's DNS server and from Google's 8.8.8.8 server:

Now here's what the VM sees:

Well, now, that is interesting.

From my local computer, sitting in downtown Chicago, both Google and my company's DNS servers point "azure.microsoft.com" to an Azure web site sitting in the North Central U.S. data center, right here in Chicago. But for the VM, which itself is running in the East U.S. data center in southern Virginia, both Microsoft's and Google's DNS servers point the same domain to an Azure web site also within the East U.S. data center.

It looks like both Microsoft and Google are using geographic load-balancing and some clever routing to return DNS addresses based on where the DNS request comes from. I'd bet if I spun up an Azure VM in the U.S. West data center, both would send me to the Azure blog running out there.

This is what massive load balancing looks like from the outside, by the way. If you've put your systems together correctly, users will go to the nearest servers for your content, and they'll never realize it.
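The nslookup output the post refers to is not reproduced here, so as an added example (my own code, not the post's) here is a small stand-alone way to ask specific resolvers directly and compare their answers, which is the check that exposes geographic DNS. It builds and parses raw RFC 1035 UDP queries with only the standard library; the second resolver address and the example name in the offline sample are assumptions, and the sample response uses RFC 5737 documentation addresses rather than any real Azure address:

```python
import random
import socket
import struct
from typing import Dict, List, Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """RFC 1035 header (RD=1) plus one question; qtype 1 is an A record."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a domain name at `off`, following compression pointers; returns
    the name and the offset just past the name in its original position."""
    labels, end, jumped = [], off, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_a_records(msg: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Sorted IPv4 answers from a response; rejects a mismatched transaction id
    (a basic spoofing check) and any non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):              # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                 # CNAMEs and anything else are skipped
    return sorted(addrs)


def resolve_via(resolver_ip: str, name: str, timeout: float = 3.0) -> List[str]:
    """Ask one specific resolver (e.g. 8.8.8.8) over UDP port 53."""
    txid = random.randrange(65536)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, expected_txid=txid)


def answers_agree(results: Dict[str, List[str]]) -> bool:
    """True when every resolver handed back the same address set."""
    return len({tuple(v) for v in results.values()}) == 1


def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for offline use: two A records for a documentation
    name, with RFC 5737 addresses and a compression pointer back to the question."""
    question = build_query("blog.example.com", txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    answers = b""
    for ip in ("192.0.2.10", "198.51.100.20"):
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    # 1.1.1.1 is an assumed second public resolver; the post only names 8.8.8.8.
    seen = {r: resolve_via(r, "azure.microsoft.com") for r in ("8.8.8.8", "1.1.1.1")}
    print(seen, "agree" if answers_agree(seen) else "answers differ: likely geo-DNS")
```

Run it from each vantage point (the Chicago office, the East U.S. VM) and compare the address sets. Once you have the per-region addresses, you can test any one instance from anywhere without touching DNS: `curl --resolve azure.microsoft.com:443:<ip> https://azure.microsoft.com/blog/` pins the name to that address while keeping the Host header and SNI correct, which is how you confirm that one regional copy is serving the error while the others are healthy.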

Unfortunately, the North Central U.S. instance of the Microsoft Azure blog is down, has been down for several days, and won't come up again until someone at Microsoft realizes it's down. Also, Microsoft makes it practically impossible to notify them that something is broken. So those of us in Chicago will just have to read about Azure on our Azure VMs until someone in Redmond fixes their broken server. I hope they read my blog.

Weird routing issues at CDG

No, not aviation routing; IP routing.

From the Terminal 2 American Airlines club, I am unable to hit most *.cloudapp.net IP addresses. This is significant because it's basically all of Microsoft Azure, including logon.microsoft.net, Weather Now, and a bunch of other sites I use or have some responsibility for.

I've just spent a few minutes testing DNS (everything is fine there) and then using tracert and pathping, and it looks like the entire 168.62.0.0/16 and 168.61.0.0/16 ranges are just not visible from here. (The Daily Parker is also in Azure, but its IP is in the 191.238.0.0/16 subnet, which seems to be visible just fine.)

I wonder if Microsoft knows that its U.S. East data center is being blocked by some French ISP? Or why?