Friday, August 08, 2008

Net security, the end of the password, and human evolution

The signs of the end are at hand.

First, this completely asinine alleged (a misquote I hope) comment from someone who must, really, know better:
BBC NEWS | Technology | Net address bug worse than feared

... Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

'The biggest gap in security rests between the keyboard and the back of the chair,' he said.

'The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly...
Of course they should. They should also lose 50 lbs, run ten miles a morning, study a new language every month, and master levitation.

I really hope that was a misquote.

Next, I lose my last remaining gasket when the complexity of modern life leads to a security breach, and the need to change my 2-year-old, high-quality primary Google account password:
Gordon's Tech: How to steal my Google account

... Yes, to steal my Google account, my primary digital identity, all you need to know is my first phone number...
  1. Passwords are a complete fail. Schneier has been saying this for years. We are now into the realm of madness. We need multi-factor authentication devices that handle our secondary authentication for us. Yeah, it's not perfect, but, really, this is s#$!@# insane.

  2. We live in the age of the tyranny of the mean. Even the vast majority of geeks aren't going to figure out how to sync 1Password with an iPhone. Regular folks are going to use one password everywhere and then forget it. Google, like everyone else with these asinine security questions, is bowing to the reality that humans didn't evolve to live in a digital world. We're maxing out right now.
This madness has to stop. The stupidity is hurting my brain.

Really, none of us evolved for this. We either need to reengineer the human mind or we need to implement better security measures.

This is going to need real help from an Obama administration; we've seen decades of banks failing to deal with basic security issues. This won't get fixed by libertarian emergence; the current system is simply providing endless prey for hungry predators.

Oh, and remember, sooner or later, we're all prey.

Thursday, August 07, 2008

An unusual view into Apple, and why MobileMe may be fixed before January

Chuqui has almost as many typos as me, and that’s saying something. Read around ‘em though, because he’s written a very unusual post about how Apple does business. Shockingly, Apple is not Steve Jobs, though he is an amazingly hands-on CEO.

For the first time I’m actually thinking MobileMe might get fixed before January 2009. That would be very good – especially if Apple is also able to add calendar publish and subscribe features. I especially would like to see CalDAV sync with gCal (not entirely far-fetched since CalDAV is built into OS X iCal).

Software reviews and the App Store: We do have a problem

It's well known in geek circles that the iPhone App Store doesn't allow "try before you buy" distribution. It's less well known that app sales have been less than some had hoped.

I think slow sales and the lack of demo versions are connected.

I "terminate with cause" at least 75% of the desktop software I try -- and I only try products that I want to buy. In most cases the software is either seriously buggy, or it fails a critical test (such as the ability to export and import data).

Reviews should help with this, but they don't. It's not just that reviewers need to be kind to keep getting software, it's also that readers don't like negative reviews. Illogical, sure, but this is humanity we're talking about. We're hard wired to mix the state of the product with the state of the reviewer.

I'm not just making this up! I've been writing Amazon reviews for many years. My positive reviews are always more highly rated. Sure, it could be a retailer rating effect, but my recollection is this effect has been seen in cognitive psychology studies as well.

This human glitch means that a rigorous software reviewer would soon lack for readers. Even amateur reviewers generally like to have an audience, so those that survive learn to be gentle.

The inevitably weak state of the product review marketplace, and, yes Andrew, the fact that I push the limits of software, means I have to test personally. The App Store doesn't allow this. So geeks like me are slow to buy, and that means we're slow to talk about the software. Even if we're few in number, lack of geek chatter impacts sales.

There's an obvious solution.

The App Store should show two buttons for every item. One is "demo", which downloads the demo version. The other is "buy". The demo version would follow the usual practices of desktop demo software: limited lifespan, some carefully chosen feature limitations, use of watermarks, etc.

I expect Apple will do something like this soon (it is kind of obvious, after all). Then App Store sales will improve -- at least for quality products.

Interesting lesson about the limited utility of product reviews however ...

Wednesday, August 06, 2008

Progress is non-linear: Palm vs. iPhone Address Book

My iPhone Address book, with about 400 entries, is pretty darned slow ...

Gordon's Tech: iPhone notes you won't read elsewhere

... The Address Book is very slow to launch (4 secs on my phone), but Google Mobile search also searches the Address Book -- and it's fast...

My Palm address book, with about 600 entries, launches instantly. There's no perceptible delay.

Time to select an address on the Palm? Maybe 1-2 sec. On the iPhone? Maybe 6-7 seconds. (Faster if you use Google Mobile.)

The iPhone has, of course, at least fifty times the processor speed and more than 1,600 times the memory capacity of the original Palm.

The Palm had essentially instantaneous responsiveness from day one. It was one of the design goals of the original team. The Palm was to have instant on, no user waiting for a system response, and no crashes. Incredibly, the original Palm team met those goals. Later ... well, that's a sadder story.

Apple will one day fix the iPhone Address Book problems. Heck, Google Mobile already has. It is a good example, however, of the random walk aspect of progress.

The iPhone does a lot that the Palm never could, but the original Palm did a lot of things well that the modern iPhone does poorly or not at all. Technological progress is squirrelly.

The Domain Registry Support fax scam is still in business

I received a cell phone call from a blocked caller ID today. The caller, a woman with a youngish Indian accent, said she was with "Domain Registry Support" and needed to send me a fax number regarding "changes in the Internet" that would affect one of my domain names.

I asked for their phone number so I could google it. The funny thing is that they've used 800-591-7398 in their scam since at least 2006. It's some kind of domain name transfer fraud. I assume they then resell the domain to someone else, or hold it for ransom, or use the personal information for an identity theft project.

I didn't have time to follow it up, of course. I get at least 3 non-trivial phishing attacks every week; if I followed up on every fraud attack I'd have no sleeping time. Still, this is the first phone call attack in a while.

It's hard to remember when fraud wasn't a part of everyday life. It all feels like something out of a Charles Stross novel.

Never talk to the police ...

I'd come across multiple references to this talk, but I didn't follow up until Schneier recommended it:
Schneier on Security: Why You Should Never Talk to the Police

This is an engaging and fascinating video presentation by Professor James Duane of the Regent University School of Law, explaining why -- in a criminal matter -- you should never, ever, ever talk to the police or any other government agent. It doesn't matter if you're guilty or innocent, if you have an alibi or not -- it isn't possible for anything you say to help you, and it's very possible that innocuous things you say will hurt you.
It's very persuasive. In particular, there's a funny kink in American law. Whereas "anything you say may be used against you", the converse is not true; exculpatory statements are inadmissible hearsay.

The other lesson that stuck with me is that non-videotaped statements are very prone to being remembered differently by different people. These are the majority of statements made to police.

In comments there's a reference to an ACLU guideline for persons stopped by police. Two of the frequently repeated items are "don't say anything without a lawyer" and "be clear you do not consent to search".

In practice I'll speak with police if I think I can help with law enforcement -- though that's rarely come up in my life. Most of my non-casual conversations with police ended when I bought a car with cruise control.

Tuesday, August 05, 2008

Paris Hilton responds to the wrinkly white guy

Quick check: how many times have I referred to Paris Hilton?

Phew. Just a few times. Once to defend her poor choice in phone passwords, another time to connect her and Paul Krugman to America's deeply dysfunctional journalists.

So I'm still under quota; I can point to Brad DeLong's take on Paris Hilton's presidential campaign video. This is her response to a typically juvenile McCain ad that tried to connect Barack Obama to Paris Hilton, and thus to debauchery, celebrity and hot sex with young blond women.

Paris' comeback is funny, and oddly endearing. I thought she looked a bit nervous, but my celebrity interpretation skills are fairly minimal. In the video battleground she wipes McCain.

She refers to Senator Obama by first name, but his opponent is only a "wrinkly white guy".

I'm guessing she won't be voting for John "wrinkly white guy" McCain.

Ho hum. Another 40 million credit cards stolen

Yawn. The Webtel, Netfill, MJD Services credit card fraud of 1998 (ten years ago) netted about $40 million, so this $60 million+ fraud is simply more of the same. I'm guessing Schneier has covered about 3-4 similar scams in the past decade....
11 Charged in Theft of 40 Million Card Numbers - NYTimes.com

BOSTON — The Justice Department said on Tuesday that it had charged 11 people in the theft of tens of millions of credit and debit card numbers of customers shopping at major retailers, including TJX Companies, in one of the largest reported identity-theft incidents on record.

TJX, of Framingham, Mass., which owns the Marshall’s and TJ Maxx chains, was the hardest hit by the ring, acknowledging in March 2007 that information from 45.7 million credit cards was stolen from its computers.

The charges focus on three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus.

The authorities said that the scheme was spearheaded by a Miami man named Albert Gonzalez, who hacked into the computer systems of retailers including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. The numbers were then stored on computer servers in the United States and Eastern Europe.

They then sold the information to people in the United States and Europe, who used it to withdraw tens of thousands of dollars at a time from automated teller machines, the authorities said...

... TJX has agreed to pay more than $60 million to credit-card networks Visa and MasterCard to settle complaints related to the incident, which is one of the largest on record based on the number of accounts involved.
It's only the largest based on the number of accounts involved; it sounds like a lot of the accounts haven't been hit ... yet.

The $60 million only represents losses from people who noticed the transactions and then complained. The article doesn't describe the size of the per-person losses, but typically these scammers will hit an individual for $40 to $100.

I probably wouldn't even notice the hit; we long ago ran out of time to audit our credit card statements for petty thefts (big thefts are another matter). As long as the crooks don't get too greedy we're better off bleeding than fighting with Visa.

I suspect the basic Visa/MasterCard security infrastructure is about as pathetic as it was in 1998, and that AMEX is still the best alternative (though not invulnerable).

The only way this will be addressed will be if we make the banks liable for cost plus punitive damages.

It's going to take a fortune to improve our credit card security infrastructure, and no bank can afford to make that investment if it has any plausible alternative. Making the banks pay more for security breaches is the only way to make change possible.

Update 8/12/08: The NYT has more details on the crime.

The Fermi Paradox in science fiction: a review

There's nothing new for me in this Tor.com review of the Fermi Paradox in Science Fiction, but it's a good start. Read the comments for additional examples.

If you read good science fiction the future always feels familiar.

PS. The review includes a link to a delightful short story.

Sunday, August 03, 2008

Why the undead Palm is great news for my Palm to iPhone conversion

It's a movie cliche.

The demon is dead and the popular kids have returned to their debauched ways, partying by the demon's grave.

A hand thrusts out of the fresh grave ...
Palm sells 2 million Centro’s - John at myITforum.com

So why isn’t this getting much press? The Apple cult media sure played up all the iPhone sales right? Why isn’t Palm getting the same recognition for selling 2 million Centro’s?

Palm, Inc. (Nasdaq:PALM) today said it has sold its two-millionth Centro smartphone, confirming the $99 [jf: bogus new-contract price] product's growing momentum with traditional mobile phone users who want to move up to a phone that offers more functionality.(1) Palm is now offering Centro in more than 25 countries in North America, South America, Europe and Asia Pacific....

Palm Centro growth has been particularly strong among a demographic Apple wants to own - women.

Now why would that be? What does the Centro do that's particularly interesting for women? What can the Centro do with a core OS technology that was old in 1990?

Is it the pretty colors?

Well, my daughter likes pretty colors, and I suspect she'll still like them twenty years from now. Personally, I like lime green -- it's easy to find.

Obviously it's not the pretty colors. The connection is the other way. Vendors with a product women buy always offer more color choices.

So what does the Centro do that's particularly appealing to women?

To answer that question, let's go back before the Palm.

Those were the days, before Palm and BlackBerry and Windows CE/whatever and Getting Things Done, when the Franklin Planner ruled. Emily and I had a matched set -- burgundy and navy.

Back then, the Franklin Co sold planners, books and courses to mid-level managers (i.e. people without admins) - a mix of men and women. They also sold to millions of non-managers, mostly women, who all had one thing in common.

Complex lives. Lives involving lots of people and tasks and things to plan and coordinate. People who needed to plan -- and who couldn't keep it all in their head.

That's why Franklin Covey's front page still features a collection of purses (bags). Most men have simple lives, most women have complex lives.

Now jump to the 1990s, and the PalmPilot. Unlike every other gadget before or since, it was popular with women -- because it was designed to help manage complex lives. Emily used one until Palm began making very unreliable devices, and blew away its market [1]. (She's been back on the paper Franklin Planner ever since, though she uses a BB Pearl for email and map services.)

Fast forward. In 2008 middle-managers use Outlook and a Blackberry, so there's no opening there for the iPhone or Palm device.

That leaves the non-corporate complex life market -- which is largely female.

So what do these women see when they go to buy a phone? They see the iPhone, which is a $500 technological wonder and a completely brain-dead PDA. On the other hand, there's the Centro, a $300 phone that inherits 1980s technology and the skeleton of a once brilliant PDA design. (With a keyboard, so the horror of Graffiti 2 is irrelevant.)

Sold by Franklin Covey, by the way.

The Centro is the only logical choice.

Two million smartphones is a pretty nice bit of the growing market. It's probably enough to keep Palm on life support. It's also enough to put a crimp in Apple's sales targets.

Good.

I like most things that make Apple miserable and worried.

Maybe Palm's dead-man-walking act will make Apple decide that they need to add 1980s-class functionality to the iPhone (hint: tasks? memos?), fix their broken-everywhere synchronization, and enable multi-calendar publish-subscribe on MobileMess.

Thank you Palm Centro customers. Thanks for making it conceivable that I'll really be able to one day migrate from my Palm to my iPhone.

Keep up the good work.

[1] Palm set some kind of capitalist record for self-inflicted wounds. It's a credit to the astounding work of the original PalmPilot team that the company still exists.

When McCain sold his soul

I haven't been surprised by McCain/Bush III's embrace of Rove.

Why wasn't I surprised? He once had a reputation for integrity. I couldn't remember when he'd thrown that away, when I realized what he was.

Joe Conason reminded me: "By the time McCain spoke up feebly against the Swift boat campaign, the damage had been done -- to him as well as to Kerry."

Yes, that was it. That was when McCain sold his soul, the day he realized he'd betray anyone and anything to win the presidency.

The day he became George Bush III.

Bringing laptops across the border

As a young traveler I had mild run-ins with the occasional border official. That's when I was told that they have extraordinary legal authority - judge, jury and executioner basically. Understanding that helped my patience, and gray hair eliminated most of the hassles.

This is something to remember if you're a young man traveling with a laptop:
Crossing the line at the border | Good Morning Silicon Valley

...Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want...
This is Bush appointee policy, so if you really don't like it you might consider the voting implications. The obvious recommendations are:
  1. Don't carry any sensitive data or apps across the border
  2. If you want a seized laptop back quickly don't encrypt anything. If you must encrypt, then be ready to provide keys.
  3. Have a current backup - you may never see your data again.
  4. Be very polite to border officials. They have their share of dull, troubled, and resentful people [1], but they're all very good at detecting sarcasm.
  5. Don't carry or wear anything that insults any GOP officials or Christian deities.
[1] There's a legislated and institutional preference for veterans in the customs service. Since untroubled veterans have a broad choice of employment, there's a bias for troubled veterans to end up in customs (and the post office too).

Update 8/5/2008: Schneier has an essay on how to carry a laptop across the border. In a later article however, he simplifies his advice, and recommends storing sensitive data in an encrypted file on a secure server back home. The data can then be retrieved from the server after crossing the border. Don't bother carrying the data with you.

Strange loops: Google custom and customized search - and a memory blog

This is a strange loop story.

It began unremarkably. I was finding my own blog posts when I searched on various topics. I felt a bit chuffed -- the GGG (great god google) liked my sacrifices. Often I chose my own posts; since I write in part to extend intracranial memory they worked for me.

Then things got odd. I was getting back more and more of my own results -- often at the very top of a search. GGG likes me alright -- but not that much.

Around the same time, as I discovered new ways to use search against my extended and interconnected memory, I changed my home page to my Google custom search page. Using this page my blog search results were not sorted by date, but rather by GGG assigned value -- the "best" posts came first. Now my extended memories were being organized by Google, searches were more effective, and I leveraged more of my old posts.

The Solipsistic Strange Loop was strengthening, for I was seeing Google's customized search results. The combination of my Google Custom Search Page, my extracorporeal memories (blogs), my use of Google's web history, my location information and my default digital identity have been building a recursive loop of public-private interconnectivity.

As a fringe benefit these web-of-one searches are making a mess of sleazy search engine optimization hacks. It's hard enough to game one set of search results -- really hard to game millions of different result sets.

Where will it go next?

My iPhone lets me take geo-tagged pictures, and it lets me bookmark my location. Inevitably I'll be able to combine the images, locations, time stamps and annotations, and weave them into my extended memory. Custom search means they'll live in a neural network that merges into the GGG metamind.

Interesting times.

Friday, August 01, 2008

Alzheimer's disease: 70 genes?!

This doesn't sound like one coherent disease:
Alzheimer's disease | A tangled tale | Economist.com

...The Cure Alzheimer’s Fund, a charity, also had an important finding. It announced that its mapping of the disease’s genetic basis has found 70 genes that may be involved, far more than expected...
70 genes?! This sounds like schizophrenia -- lots and lots of mutations.

I've long felt that "Alzheimer's" wasn't a disease, but was the normal destination of the aging brain. Not so bad when it hits at age 105, but genuinely horrible when it hits at 55. A "70 gene" story fits with the theme that
  1. It's really quite tricky to build a functioning human brain out of the flotsam of primate evolution. The current model has a lot of hacks and glitches.
  2. Any one of hundreds of faults will derail the train early. To get to 105 without full dementia takes a perfect performance.
  3. We ain't going to cure this anytime soon.

Consumer safety bill: whiplash

What planet am I on again?

The new consumer safety bill seems to be a very positive development.

It passed the House 424-1 and the Senate 89-3 -- and the WSJ doesn't like it. The toy industry seems in favor.

Even Bush probably won't veto it.

Weird.