Wednesday, April 23, 2014

A thought on privacy and/versus security.

I had a conversation recently and one of the questions posed to everyone was one of those commonly asked questions and I thought I'd expand on my response.

The question was "What do you worry about when it comes to security?"

My response got the attention of the folks at the table and that response was "You."

There's two weak spots in "my security" chain-mail. The first one is the information that is in the hands of people I know. I'm sure you're already saying "Huh?" to this. Let me give you an example. Most of my friends know, by random conversations, that my mother's maiden name is Logan. (Yes, like the airport and there's even a chance we're related. Ok, I may also stand as much of a chance of hitting the lottery but that's a digression for another time.)

So, right there is a chink in my security armor because if one of my friends mentions this fact in "the wrong circles", one of my so-called "Security questions" suddenly has no value, and that hurdle for a "bad guy" to get through in order to "become me" is gone.

Because of the erroneous dependency on this sort of information, the "imperviousness" of that chain-mail security net has a number of weakened links.

So that's one of the two problems. The other one is the companies that get my private information. Not the first-level recipients of this information (my doctor, dentist, electric company, etc.); the ones I'm worried about are the second and tertiary level entities who are able to get their hands on this information. Every layer/step away from me, the originator of the information, is weaker than the one before it and that worries me. Every time we/I'm required to give my personal information out, we/I'm also giving permission to the primary recipient of this information to use this information and they "give us" their rules of behavior by which they will handle my information. At no time are we/I given any rules or power about these secondary recipients of this information. So, just like the previously stated example, every step/layer away from the primary source of information (me), the thinner the wall of security surrounding it.

And the other part of the concept of security is the idea/illusion/belief of punitive responses to compromises of this security. If someone "in my circle" discloses sensitive information, I have *some* recourse to offset any losses I suffer because of this. Additionally, if one of these primary companies does something stupid, I have *some* recourse for compensation but if one of *their* "vendors" who gets this information does something stupid, I'm "S-O-L" and I might as well sit back and watch my life swirl around the bowl because there's nothing I can do about it.

Wednesday, August 1, 2012

Brick & Mortar shops are safe.

If anyone tells you that "Brick and Mortar" shopping is a thing of the past you can point them to this screen shot I got when visiting "Onecall" (got it multiple times too...).

I happened on their site and clicked on the "Best Deals of the Week" banner, and chose "Camcorder" to see what options I might have.

Let's see what the system found for me.....
  1. A Panasonic shaver.... Don't know how that'll work.
  2. A "Personal Utility Cart". Damn, I hope the camcorder I get won't need a personal utility cart to use it.
  3. Ah, how about a $200 saute pan. Hmmm... A bit clumsy when visiting Disney.

Why will brick & mortar businesses never completely fail? Because they don't waste our time!

Saturday, February 11, 2012

Product test review for LG BD670 Blu-ray Player

Unsolicited product test review.

Subject: LG BD670 Blu-ray Player review.

    LG - BD670 Blu-ray Player

Manufacturer: LG
Model: BD670
Product cost: $109.00
Would you recommend the product to your friends: (Yes or No) No, I'd warn people away from this unit.
What attracted you to this product: Cost/Manufacturer
What is its best feature: Size.
What is its worst feature: High-pitched noise from it.
Support (or lack thereof.)

    Rate it using the terms "Excellent"; "Good"; "Fair"; "Poor"; "Unknown"; or "N/A" for not applicable; in the areas of:
      Performance: Good
      Quality: Good
      Design: Poor
      Ease of Use: Poor
      Durability: Unknown
      Size: Good
      Versatility: Poor
      Power: N/A
      Rated against similar products: Unknown
      Overall rating: Poor

My Comments and Opinions:
  1. The reports found on the web about the high-pitched noise from this unit are accurate. Don't know exactly what it is but I'm sure it's a motor of some sort, maybe a fan. Don't know.
  2. The "Apps" they crow about are horrible, most of them are repackaged movies of highly questionable value. The other thing is the "Apps" that aren't movies seem to be geared to children or niche markets, and trying to dig through the pile of this to find anything interesting is just too much work to be worth it.
  3. Oh yea. When I turn it on and go to the "Premium Apps" "App", I keep getting that there's access for it in my country. Just stupid.
  4. Wait until you have to enter a username/password on the screen using the cursor buttons on the remote! That'll drive you bonkers inside the first five minutes. (The "Auto Login" function doesn't seem to work reliably either.)
  5. Another thing seems to be really poor buffering. It's not unusual to be streaming a movie on my local network only to have it lock up for an inordinately long time with no indication that it's trying to get the data, then to have the audio/video out of sync. The other thing I find amusing when this happens is that the movie attempts to catch up to itself. Once enough data hits the machine, the movie runs in "fast forward" style catch up. You'll find that sort of thing listed under "bad engineering".

Tuesday, January 24, 2012

Cheap NAS at home.... The saga...

For those that have read my previous postings about the Coolmax CN-330 and are looking for those posts, forget it. I've taken them down. Why?
  • 2012-January:
    Another update. I called them after hunting around for a number and I got the same basic crap. "Tough Luck", they'd be willing to sell me a fan but they won't make good on the ones that have failed. When I asked for the name of the person in charge, the guy told me "There's no need for that." and then hung up on me.
  • 2012-January:
    Well, I am sorry to say that I'm now compelled to report that I've had yet another fan die on this product, that makes for a total of four fans since I got this unit in July of 2010. Way too many for anyone to say that it's a fluke.

My most recent exchange with them "ended" with their statement:
Basing on the date, is 2010. This unit comes with 1 year warranty only.

Yes, that's the dumbest thing any company could say to a customer.

Why? Dunno.

The long and short of it is, I cannot recommend this product in the slightest. Yea it's slow but it was cheap. The problem is, Coolmax fans are pieces of crap. I've now done some poking around the net and I've found that there's a lot of folks complaining about the fans on the power supplies (and this NAS) and subsequently complaining about the crappy support. So.... Move on, time to find a new toy. It just occurred to me, here's a product review I did:
Unsolicited product test review.

Subject: Coolmax CN-330 NAS (Network Attached Storage)

Manufacturer: Coolmax
Model: CN-330
How much: US$100
Would you recommend the product to your friends: (Yes or No) No, never.
What attracted you to this product: Simplicity. DIY. Cost. Features.
What is its best feature: Simplicity. Not feature laden.
What is its worst feature: Toss up between the lousy fans that constantly fail or the support organization that doesn't answer emails or even care about the customer.
If you were in charge, how would you improve it: There's many ways but they don't pay me for this.

Rate it using the terms "Excellent"; "Good"; "Fair"; "Poor"; or "N/A" for not applicable; in the areas of:
Performance: Fair
Quality: Fair
Design: Poor
Ease of Use: Fair
Durability: Poor
Size: Good
Versatility: Poor
Power: Good
Rated against similar products: Poor
Overall rating: Poor

My Comments and Opinions:

I think I've made my opinions clear now.

Saturday, November 12, 2011

A Most Religious Day For "Computerphiles"

This is something I wrote a long time ago...

A Most Religious Day For "Computerphiles"
by Michael Tiernan (c) 1986-2011

You could feel the tension in the air, for according to the prophets this was the day it would happen. We, meek pilgrims would behold the words of a god. A few chosen ones would be able to catch a glimpse of him as he spoke those holy words usually reserved for high priests and the powerful.
Pilgrims came from far and near in hopes of being able to get closer to him. Some came dressed in the traditional clothes of the religion, some came from obviously more affluent positions.

Quietly we entered the hallowed halls of this place of worship. Through the great doors we approached the temple itself. Sentry at the door stood fast. No one but the chosen would enter. We were earlier than most and he suggested that we pay homage to the gods by meditating in front of the implements through which they ministered our religion.

As we did, images of slaves freed from their bonds of torture and the enslavers caught in their own web of toil came to view. These great mechanisms of worship were still powerful, capable of building or razing a complex structure in seconds, though they sat dormant. Artifacts of a world few remember or can imagine. The holy words were encased in glass so any could read them. Here we were, common peasants, reading the holiest of scriptures like any of the high priests were able to do. Truly beautiful icons, the work of obviously superior beings, here for all to see. We passed many other pilgrims in varying states of meditation, some quiet and sublime, studying the holy words to remember them for all time; some were exalted, disbelief of where they were showing on their faces.

The moment came. We were escorted into the altar room itself. Peasants sitting elbow to elbow with the affluent, all here for the same purpose, to be blessed with the words of the god himself. Quietly a hush fell over the crowd; it was beginning. The highest of high priests, the minister of the temple, was about to speak. He welcomed us in a strange, but not-so-strange tongue. He explained why a god would choose to bless this temple, for this was a day of praise for the early martyrs. The works of their religion were on the altar in proud display. We were told of their dedication to the religion and the personal credos that they lived by and how through these people we were given a purpose in life. As he spoke on, his words became lost in the euphoria of the moment.

Then it happened, an image appeared in the room. IT WAS HIM. The god himself. He came forward and spoke to us. "Let me tell you a story," he began. "A guy goes to see his doctor and the doctor tells him "I've got bad news for you, you've got only six months to live." Shocked the patient exclaims "What am I to do? Six Months? That's all?" The doctor calms him down and says "I've got an answer. Move to Cupertino, California and get a job writing software for Apple Computer Co." The patient pauses a moment then asks "This will cure me?" "No, but it will be the LONGEST six months you'll ever have."

Such began an evening to remember. For here in the auditorium of the Computer Museum in Boston, I, along with hackers and business men alike, got to meet one of those people that you only hear about - as if he was a vapor that no one really can prove exists. I listened as he recounted how the simple idea of two mischievous and creative kids would become the cornerstone to what we now know as the computer revolution. Never would I have imagined that I would even get to shake the hand of Mr. Steve Wozniak afterwards.

Sunday, October 9, 2011

What do you mean you still don't know what we mean?

So, I'm chatting with a friend about people's quality of work and we were laughing about some random things when he mentioned my earlier post about the Amtrak "Downeaster". He asked me if I'd ever tried it again. "Nope, never did." So, while we're talking on the phone, I decide to try it.

We had a good bunch of laughs about this again. I really wonder how crap like this can make it through the most basic of software development processes.

How did it go? Like this.

I go to the website and enter into the "fare finder" the same basic information. I put in "boston", "December 1" as a departure and "portland, me" as a destination and include "December 10" as the return date.

Here's the input screen:

How simple is that? Not easy to screw it up! Oh but wait! We have professional monkeys writing this code! What do I get when I hit "Next"? TWO errors:

"Problem with Station or City Name"?  WTF? The first screen says clearly Boston on it. Obviously "Portland ME" made sense, it parsed that and figured out "POR" as the three digit code. Ok, so what's wrong with "Boston"? The error message says "select a station from the lists provided". Oh goodie. Here we go again! So, while we're both on the phone laughing at this stupid crap, I click the link for "Station List" and get the same popup list... Ok, let's see what's under "B" for Boston....

Ok, I can choose any one of four entries for "Boston" oh... except that the *ONLY* choice I can make for a trip to Maine (after all, this is the "Downeaster" I'm booking my ride on) is "Boston's North Station", guess "Boston" isn't clear enough still. 

Ok, so that's stupid *S*T*I*L*L*.

Let's look at the second error. The year automatically picked last year? Was someone out to lunch when they coded this part? We're almost apoplectic talking about this as we do this.

So, while we're talking, he sees the banner on the screen advertising "Specials & Promotions" and there's a two-for-one package so he clicks on it and gets the following screen:
Nice! Errrr.... How do you book it? Hmmm.... Not a single button that will take you to any screen that will allow you to book the trip. But they do tell you what "train numbers" get the discount. Great, and that information is useful how?

I think I'll drive.

Sunday, February 20, 2011

Yea... about that..... (The long version.)

(I deleted my original post and rewrote it here.)
I guess my previous comment about security is moot.

[Updated 2012-02-16: It seems that in my haste (ok, and fury) I stepped on some of the salient points that would have made this post easier to understand. I'll try and add them back in now.]

I was sitting here [in front of my Mac] talking to someone about GPSs and the software that goes with them. During the discussion, I clicked on a Garmin product [on the Garmin product webpage] that we were talking about. [Without warning, consent, or discussion, the application began to install on my Mac.] Did it offer any information? No, it just got installed!

Sure I clicked the wrong thing BUT THERE WAS NO STOPPING IT! I tried to stop it, I pulled it out of the dock (which is normally hidden) and that didn't stop it. I now have this Garmin software installed on the company's computer!

In their infinite wisdom Apple has not seen fit to create a clean method of removing an application from a machine. Lots of people have come up with sophisticated tools to try and do it but none are assured to work. That means that this application is on my computer no matter if I want it or not. What would be the impact of doing something like this with a controlled product that uses zippitty-do-da class encryption and you were going to travel outside the country?

Now what? [In my case, the Garmin software I want as a "package" so that I can transport it to a system that has no network access. How do I do that now? The software that we were discussing, when I clicked on the icon is the software I want but not on this Mac, not on my company machine but on my *personal* machine that I have at home which has no network access. Why no network access? Because I don't want it on the net. I use it for *MY* purposes and I don't need to justify that to Apple.]

What a disgraceful POS this idea is. What moron thought this up? How do people come up with these ideas and keep their jobs? No one had the good sense to say "Gee, we should provide a 'download only' option." No, they're too freakin' smart for that and they think we're too stupid for it[3]. What idiot decided it'd be a good idea to just install software on the system with no warning, recourse, or agreement?

And then, not to stop there with the good ideas, there's the lovely quirk of the background application that runs without your knowing it so that it can 'call home' and make sure you have the most updated versions of the applications. What? You didn't know about "Storeagent"?[2] Sure. Apple has decided that it's in your best interest for them to modify your system so that it calls home on a regular basis for checkups. What checkups? Dunno, no one seems to be sure of what the answer to that is but rest assured, it's in our best interest. Why else would they do it? And what's the agreement on this magic elf running around in the background? What's to stop Apple from enhancing the offering by making sure .... I don't know.... How about "We'll back up your system to our servers for you!"? Sure it is unlikely but if you don't have any control over the elf, how can you be sure they won't do it?

[I didn't ask for it,
you snuck it into my system without my permission and] 
I want this trash the heck off of my system,
out of my life, and so do a lot of other people!

I've been reading "the boards" about this and no, I'm not the first one to complain. And I suspect, not the last. I'm not even the loudest. The comments about all this are fast and furious. Lots of ideas about how to disable and remove it. None are concrete yet. One of the comments someone made was along the lines of:
"If you don't trust the company, don't run their OS."
Ok, somewhat of a valid statement but there's more to it than that. It's not a black/white issue. Trust and security are not digital "Yes" or "No" but they're shades of gray. Security is not an absolute. It's best described as a high wall. The more important what you have to protect the higher wall you put up. You just have to keep in mind that if someone wants what you have bad enough, they will be willing to purchase a taller ladder and breach your wall.

My complaint about the "elf" is that I want security holes closed. I trust people but I always assume that human nature can sneak in. How many of you work with someone whose answer to tough questions is something like "That's someone else's problem." or "Hell, that's good enough, who cares if it's done right."? While annoying, it's reality. My personal take on people saying such things is usually an unpleasant response but that's for another conversation.

Sure I have faith in the OS maker for competence but like the Russians said in the '60s "Trust but verify." I don't assume that the company (any) is perfect. I watch for mistakes. I don't want to be the guy who is in the textbook under "Sad case of being hacked." and y'know what? For the day-to-day operation of my system, those two applications, App Store and Store Agent, don't need to run or reach out to the home office. If they need to, they can ask me for permission. Until then, stay out of my way, and leave the door locked.

When discussing security, a smart friend of mine, who's also a Star Trek fan, always reminds me of the scene in one of the ST movies where two characters are in a brig/jail and one says to the other (something like)
"I designed this jail, there's absolutely no way to break out of it, there are no weak spots or flaws to take advantage of."
At that moment, the entire back wall of the jail gets blown open accompanied by the cry of:
"Dontcha know a jail break when you see one!?"
Yea, great movie gag but it's very applicable to this sort of thing too. The folks who come up with the ways of protecting things can be brilliant but they're not (usually) the bad guys who are trying to be kept out. You must, and I mean *MUST* assume that not everything is perfect and that errors creep into things. So you layer security measures on top of each other to minimize your exposure. Having some wild card punching a hole in your security measures without your knowledge or control is a very bad thing.

Switching perspectives for a moment....

Now, all this has been a rant from the point of a single machine owner, probably like most folks who own Macs *BUT* there's another side to this whole mess. Apple has been trying to work its way into the business world. The reason companies purchase INTEL machines running Macro$lop Windoze is because the people who make money off of them are the ones who are asked "What should we buy?" If Apple spent more time addressing the problems that system administrators have to contend with, there'd be more people willing to walk out on that thin limb and suggest Apple products for their companies.

Let's take a scenario here. Some user has a machine that is "company owned". It is theirs to use but it is managed by the IT department. There's rules about what that user can and can't do with the machine. Now Apple hasn't made it easy for the system management process but these SysAdmins struggle through as best they can. So, now comes Apple with this means for letting anyone add software to their system BY ACCIDENT as well as this magic elf who's doing who-knows-what to the system without permission. Not smart. Add to that what about when the user has a piece of software that is preinstalled on their system by these admins and a specific version was chosen for good and solid system administration reasons. Like it or not, we chose "this" version and it isn't up to you the user to change it. So, now a user can change that version and who knows what, violate a licensing rule, break a security policy, open a security hole, who knows what. And regardless of the why, the answer is, it's not up to the end user to change it nor is it up to an uninvested third party to make the choice, decision or to implement.

Apple, smarten up or is that too much to ask?[1] I expect stupid things like this from Macro$lop but not from Apple.

In short:
  • Apple not only shouldn't have taken it upon itself to install this spyware. (Yes, that's what it is!) They should have thought out the process a lot more with some professionals who are familiar with the real world use of their systems.
  • They shouldn't have disguised it as a system software upgrade/update but made it a downloadable option to add. (aka "Be up front about it.")
  • Make it cooperate with the system, user, and company policies.
  • When the users began to storm the virtual walls of Apple about it, don't ignore it.
  • Don't act like you're doing us a favor!
  • Be up front about the security concerns people have and don't ignore them.
[1] (I suppose *I* should smarten up... I purchased the Newton and suffered through the after effects of that too.)
[2] So you can see some of the comments for yourself, check out what a quick Google search turns up.
[3] A quote/sig on a forum post about this very problem hit my ironic bone pretty hard:
Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity. - Martin Luther King, Jr.