Share

Sunday, July 13, 2014

Privacy theft via "free" apps

I'm a privacy advocate.  And so I get very tired of the myriad of companies that try to make a buck by selling my "profile" to the highest bidder.

Many (but not all) of the "free" apps available for your smartphone are simple privacy sieves.  Their primary purpose is to provide you with a little bit of value in exchange for a huge amount of your private data.

My case in point are 3rd party smartphone email and GPS apps.  There are hundreds available, almost all for free.  They provide a little bit of value, such as "a new way to use gestures to archive your email".  But these free 3rd party apps often take all kinds of data about you, such as:

  • All of your email
  • Your basic information (your name, home address, phone number, etc)
  • Your location at all times, via your phone's GPS capability
  • Your calendar
  • Your entire address book

Of course, the companies state that they can do this in their "privacy policy".

And within that policy they promise that they will anonymize your data as they sell it to their partners.

Truly anonymizing data is nearly impossible.  As seen in the Netflix case, it is quite simple for a high school student to take large data sets to de-anonymize the data.  That's a very scary proposition, particularly given that there are thousands of large data sets available for purchase through many suppliers.

These app developers let you know that your data may be held off-shore, in a foreign country.  Now I'm a big fan of foreign countries, so why should this matter?  And why would they want to hold the data in a far-off land?  After all, American data centers are less expensive than data centers anywhere else in the world.

The short answer to this question is that by holding your personal data outside of the country, app developers hold the data in a place where you have limited (or no) legal standing, and where the laws of this country simply do not apply.   They are simply kidnaping your data and bringing it overseas where to a place where you cannot win.

Finally, these privacy policies clearly state that they can be changed at any time, without your consent or knowledge.  So if they decide to sell your private data outright, they may change their policy and do so immediately.

What we need is a blog.  A blog that covers those apps with that guarantee to protect the privacy of their users in perpetuity. Let me know when you find apps that do protect privacy.

Sunday, July 06, 2014

iPhone 6 Release Party: Friday, September 26th, 2014

There are a lot of rumors out there in terms of when the iPhone 6 will be released.

Let's just cut to the chase:

Friday, September 26th, 2014

Here is my logic:
  • Apple will want the iPhone 6 to be released out of the gate as boldly as possible - with iOS 8.
  • Apple explicitly says that iOS 8 will not be available until Fall 2014.
  • Apple will likely want to make the iPhone 6 readily available to all customers by the Christmas Shopping Season - mid-November.  They'd want to eliminate any waiting lists by then.
  • Recent prior releases of iPhones have been between September 20th and October 15th.
Therefore, I predict that Apple will release the iPhone 6 sometime in the early fall.  This year fall begins on Tuesday, September 23th, 2014.

But wait, there's more!  Over the past few years Apple has put their device on sale starting on a Friday.

So given that additional fact, I refine my prediction to include only the following dates:
  • Friday, September 26th
  • Friday, October 3rd
  • Friday, October 10th
  • Friday, October 17th
If I were a serious wagering man (I am not), I would wager on the earlier side of things to better align with last year.  And so, in conclusion, I find that the iPhone 6 will most likely be released on Friday, September 26th.

Of course, certain types of events could influence that date, including but not limited to:
  • Component supply line issues
  • Manufacturing issues
  • Unexpected design issues
  • iOS 8 availability/completion
  • External factors (Geo-political issue, major natural disaster, etc)
Manufacturing must have started!

There are a lot of iPhones to be made.  Last year Apple sold 9 million iPhones on its first weekend.   And so I assume that manufacturing is ramping up now, as to hit that mark starting today, Apple needs to make nearly a million iPhone 6's a week.

See you in line on September 26th!

Saturday, July 05, 2014

My iPhone is being remotely controlled by a hacker! (and how to fix it)

Who is remotely controlling my iPhone???


This is a personal story that scared the hell out of me.

On Monday I was awoken by my iPhone alarm telling me that it was time to get up to go to work.   I picked up the phone and looked at the day's calendar.  Ug.  I put it back down in its dock for a couple more Z's.

Seconds later, I heard it clicking.

I looked at my phone, and it looked like someone was typing on it!  Click.  Then a swipe.  And then more clicks.  One of my business apps was being operated, but NO ONE was touching my iPhone!  I was sure that a Hacker was remotely operating my iPhone, digging around for my private data!

This was shocking.  My phone stores a lot of good stuff - my email, photos, finances, passwords and all sorts of other goodies.  If someone compromised my phone they could know where I am.  They could operate the cameras, the microphones - in short, they could know almost everything about me.

It looked like the hacker didn't know what he was doing - he was just bopping around.  Maybe he was just a kid in some far-off land searching for anything of value.  And in the end, I figured out EXACTLY who was to blame.

I quickly decided that immediate action was necessary.

First step: power it down

After taking a quick video of my phone being operated remotely (as evidence), I decided that I should prevent any further damage to my privacy.  I picked up the device and turned on airplane mode.  Then I powered it down.

Second step: wipe

I hooked my iPhone up to iTunes and chose "Backup" to ensure that evidence of the compromise was captured and that any of my remaining data was saved.  Then I performed an iPhone reset via iTunes - which wipes the device and reinstalls a brand new copy of the operating system downloaded from Apple.  And then I chose to do a restore, using the logic that my data was OK, it was just a software compromise.

Third step: rebuild

During the restore I had the iPhone restore the apps from the iTunes store - over the air - again using the logic that my apps may have been compromised and there is nothing like getting the latest from iTunes.  I plugged my phone into my iPhone dock and let it pull down the apps wirelessly over WIFI.

Fourth step: passwords!

My phone was compromised, so someone could have got their hands on my passwords as I typed them (keyboard compromise) or by stealing them from poorly behaving app data stores.  So I hoped on my computer and proceeded to change dozens of key passwords (email accounts, Facebook, banking accounts, etc).

Fifth step: WTF!!!

So I was on my computer, in the midst of making my password changes, when I heard my phone clicking on its keyboard again. WTF???  My phone was STILL compromised!  Maybe the low-level firmware was compromised, and even wiping off iOS and all the apps wasn't good enough.  I picked up the phone, and whomever was remotely controlling it stopped!  Undoubtably the hacker sensed my presence via the motion detector or the camera! VERY SCARY.

Sixth step: Eh?

Then I got to thinking, maybe it was NOBODY.  Maybe my screen was going bad, detecting false touches and swipes.  Hmmm.  I downloaded and installed a "finger paint" program to see what was happening.  Nothing interesting appeared on the screen.  And then I docked it my iPhone, and within in a few minutes, some crazy dots and lines started to appear all on their own, as shown below:
Crazy lines from Paint program

Seventh step: Dang

So I figured my iPhone was dying.  "Dang, out of warranty, still under contract" - this was not great timing.  Then I noticed that the phone was quite warm.  A little more investigation found the power adapter to be rather HOT.  I was running a cheap knockoff USB adapter for the past year - and a little test with a voltmeter showed the knock-off adapter to be providing chaotic power, from 3v to 9v.  Very far away from the 5 volts (±0.55) of the USB standard.

Dangerous knock-off power adapter was the problem all along!


Eighth step: The fix!

So I try all this on another AC adapter, and my "remotely controlled screen" problem completely goes away.  My phone wasn't compromised - it was a very bad (but very official looking) AC Power Adapter.  I chucked the crappy adapter and now I'm back in action.   Yay!

Lesson Learned!

It was all my fault - I bought and used a crappy 3rd party adapter.  It failed in a way that I could never see, and in a way that could have damaged your phone.  Always get a name brand adapter - at least you can go back to them if it damages your phone.  Luckily for me, I suffered no damage other than a few hours of paranoia and work.


Sunday, June 08, 2014

Upgrading my white MacBook with an SSHD Hybrid Hard Drive

A couple of weeks ago the hard drive on my white plastic MacBook started to go south. After years of service, my MacBook suddenly couldn't be booted.  I had to either repair or replace my MacBook.

The first option was to buy a new computer.  My MacBook is from 2009 - and that's a bit old in terms of computing technology.  The MacBook Air is a great high-performance, high-quality machine, but  my old MacBook is still a great white plastic workhorse for me!


The MacBook with its new Hybrid Drive; old broken drive on top
And so I went shopping for a new hard drive for my MacBook.  Unfortunately thousands of drives are available on the market, but which one should I buy?  I made a quick list of criteria:
  • Storage.  I want plenty of storage for photos, music, and video
  • Performance. My MacBook seemed to have slowed down with time.
  • Cost: This is an older laptop.  It is still good, but I don't want to over-spend.
In the end, I decided to go with this Seagate 1TB Solid State Hybrid Drive.  This drive would fit perfectly inside my MacBook, would offer huge storage, and the great hybrid features would provide good performance at a good price.  

After receiving the drive I used the repair guide at iFixIt.com to install.  Since installing the drive, I find performance to be improved, and I have plenty of storage.  In fact, I am writing this on the very same MacBook.  This will likely be the last upgrade for this 2009 MacBook - I predict that the final OS for this machine will be obsolete by 2018.  By then, a full machine upgrade will be in order!

¡¡¡ 1 Month Update !!!

It has been a month and the new drive is working wonderfully.  My MacBook is noticeably faster than before, and I have more storage than ever.  I will definitely be upgrading some other older Macs with SSHD's in the near future.

Thursday, April 24, 2014

On Kilobytes, Megabytes, and other computer-centric factors

I started programming way back.  In those olden days I was working close to the machine - on machine language stuff (assembly languages).  Bits were important: shift left, shift right, AND/OR/XOR.  And memory pages were important too: fitting an important routine within a 256 byte page could really help performance.

These days life is different.  You allocate objects.  If you're storing a boolean, you create a boolean object.  Who knows how that's represented under the hood, but it certainly isn't represented in one bit of RAM.   Most people don't even use the bitwise operators offered through the programming languages given to them.  Sure, some do.  But most do not.

And so now we get into our prefixes: kilo, mega, giga, terra, and peta (and beyond, I suppose!)

Many people still want these prefixes to be based on powers of 2.  One kilobyte is 1024 bytes (2^10). One megabyte is 1024*1024 bytes (2^20).  Etc.  It's an OK system, but it really makes little sense. Why is a kilobyte 2^10?  Because the number, when converted to decimal, is the power-of-two  number that's closest to 1,000.  2^11 and 2^9 simply aren't as close to 1000 as 2^10.

Anyhow, all this mades some (but not much) sense in terms of addressing RAM.  Then these same people wanted everything else related to computing to work the same way.

Disk Storage



So the programmers decided that since physical RAM layout was important, and that it was good to have a funny math for it, that others should follow their methods.  The programmers wanted disk drives to follow the same memory conventions.  At first there was some practicality to this: programmers wrote code to stick pages of RAM onto disks in what they called "disk sectors".  This was primarily done because it was very easy to treat a page of RAM (perhaps 2^8 bytes) as a body of work.  This was key because performance ruled the day with 1 MHz computers.  (By the way, the M in MHz means exactly "1,000,000").

But over time the disk drive guys were not interested.  Sectors were a false abstraction, and under the hood of the drive sectors changed size to pack in more bytes and low-level ECC and other techniques made it pointless. Furthermore, programmers were no longer dumping pages of RAM to disk, they just wanted to store files in a file system.

And so the drive guys started to sell disks using normal base-10 units.  100 MB drive means 100 Million Bytes.  This was convenient to a lot of programmers because most left base-2 mathematics behind when higher level languages became practical.  Before long, if a programmer said that there were 1K of rows in a database, they meant a normal thousand and not 1,024.

And that was the start of the first war.  Programmers screamed at the drive guys for abandoning their "base 2" convention.  The programmers still wanted 1 MB of disk storage to mean 1024 *1024.  But why?  Programmers were no longer worrying about pages of RAM and sector sizes.  Those same programmers also complained when they got less storage than on the box due to the overhead of things like the realities of how a file system works.  Talk about babies, they couldn't even appreciate a file system.  They just liked their silly "my way or its wrong" math despite the fact that their way no longer had a purpose.

Let me give you a practical example: Let's say you are dumping 1 billion records onto a disk.  Each record is 40 bytes long.  Quick, do you have enough room if you have 38.1 GB free?  WHO KNOWS!  Because bonehead holier-than-thou programmers that never shifted any register on any CPU wanted to confused everyone.

Networking

Throughout all this the network guys were not interested in this "new math".  They did things in bits per second.  Bytes?  No way!  That was 8 bits, or an octet.  kilo?  That meant 1000.  Nothing else.  Mega?  1,000,000.    100 Megabits per second meant 100,000,000 bits in one second. And it still does to a network guy.

But then the uncultured programmers got in there with their stupid math and confused everyone.  They started to apply their way to other realms for NO REASON.

What does 100 MB/second mean?

  • Normal Person: 100,000,000 bytes in one second (100 * 1,000,000)
  • Networking Person: 100,000,000 bytes in one second (100 * 1,000,000)
  • Programmer:
    • Normal: 100,000,000 bytes in one second (100 * 1,000,000)
    • Very Stupid: 104,857,600 bytes in one second (100 * (1024*1024))
    • Very Very Stupid: 102,400,000 bytes in one second (100 * (1024*1000))

Unfortunately, most programmers are at least "Very Stupid".

These same annoying programmers no longer use the bin/oct/hex functions of their HP16C.  In fact, I'd say they most wouldn't be able to use an HP16C to add two hex numbers together.

Conclusion

It's time to give up the obsolete base-2 notion of kilo, mega, and giga.  If you really love powers of two, use them explicitly like a REAL tech expert would.  My laptop has 2^33 addresses of active RAM. And now how many 2^8 byte pages of RAM fit into that address space?  Comment with your simple assembly language program that calculates this number (any architecture).

Sunday, March 09, 2014

A Calendar for Everyone

We all kind of dislike calendars that we aren't accustom to, and tons of folks over the centuries have thought they could do a better job.  And some people around the world see calendars as being a primarily religious instrument since Pope Gregory XIII's people pushed for the one we use today.

Here's my proposal, which combines the Herschel and a modified Holocene calendar.
  • Take on the proposal of Sir John Herschel, so that there are 969 leap days every 4000 years.
  • Take on the concept of the Holocene calendar year numbering system, but modify it as such: 
    • The year number is an aggregate of the top 30 year numbers of the calendars of the world, modulo 100.  Then add 10,000.  My calculation comes up with the year 10043.  For you Gregorian fans, just subtract 8029.
  • Retain the other structures of the Gregorian/Julian calendaring system, notably: month numbering, month length, weekdays.
  • Call this the Earth Solar Calendar.
Result:
  • A calendar that is not the Gregorian calendar
  • A calendar that is generally compatible with the Gregorian calendar for all practical purposes
  • A calendar with a new year style which clearly identifies itself from other commonly used calendar styles
  • A calendar that is generally not affiliated with any specific religion or society
Concerns:
  • The proposed calendar retains the Gregorian correction to the Julian calendar.  The timing of that reform is tied to a religious event.
  • The calendar retains the month model of the Julian calendar.
  • Those that appreciate the supposed linkage of the Gregorian calendar with religion may be unhappy with the proposal.  However, the Gregorian calendar is a weird hodgepodge of lunar and solar calendars with a stem several thousand years older than the current Gregorian calendar year. Furthermore, the Gregorian year number is widely known to be inaccurate.
  • No one likes change.

My Computer Security Failures

I'm a security-concious guy, but I have screwed up before.  Here are my security failures over time that I know about:


1994: I downloaded and executed a program from the Internet.  The program spun through the Windows 3.11-based system, overwriting all files.  This resulted in significant data loss.

Root cause: User trusted untrustworthy software.  User failed to back up system.


2001: Fell victim to an SSH exploit on my Linux-based router machine.  The machine was compromised by a remote attacker and used to send spam.  The machine needed to be wiped and reloaded.

Root cause: Zero-day exploit vulnerability, and/or failure to keep on top of security patches.


2006: I gave administrative rights to my brother's au pair's Windows XP-based PC, under pressure from the au-pair who wanted to install software.  The machine was quickly overwhelmed by malware despite anti-virus practices.  The machine was kept in service after significant cleanup.

Root cause: The platform assumed users would need powerful privileges; administrator inappropriately complied.


2008: My account at a popular Internet Service, Twitter, was compromised and misused.

Root cause: I followed poor password management practices: I re-used an identical username/password pair with multiple service providers for accounts "I didn't care about".


2008: Unprivileged Mac OS X user account was compromised remotely over SSH via brute force, due to simple username and matching simple password.

Root cause: Administrator enabled remote SSH access but failed to restrict ssh access to specific accounts.


2014: Wireless access point unsecured, resulting in open network access over-the-air.

Root cause: Administrator created a second wireless SSID without properly securing it.