Singpolyma

's Profile

Author Archive

Dystoparx — Part 7

Posted on

Since the article there has been some activity. Basically, paranoid hackers have congregated in the # chatroom as the most popular location for discussing potential threats. Jack is in there, defending society.

21:58 <jjdavis> No. You guys are crazy. No one is taking this seriously. The media has all but forgotten about it.

21:59 <rjones> There’s no harm in thinking about it. If the populace ever rose up against hackers en masse, and we weren’t prepared…

21:59 <xrll> h4xtex: Why don’t you have a passport? Get one!

22:00 <xrll> rjones: Well, being prepared is good, but we need to think on our feed. Like always.

22:01 <xrll> On our feet. Though I kinda like “think on our feed”. 🙂

22:02 <jjdavis> Right. Even if people started driving us out with pitchforks we are resourceful.

22:02 <rjones> Look. I’m not saying people are going to go crazy over an article. I’m saying there is a growing distrust of technology and technologists and we shouldn’t just act like it’ll all be fine.

22:03 <h4xtex> xrll: Ok, sure. But where would I go? And would they let me leave?

22:04 <xrll> h4xtex: You have to leave early enough. Everyone has their own jump criteria. Early enough that you can still get out, not so early that you leave a good thing behind. Where you go depends a bit on the circumstance.

22:04 <jjdavis> We just need to not get all orked up about this.

Acklas is talking to Nicnus.

21:59 <acklas> How is product work coming along?

22:00 <nicnus> Pretty great. We have discovery working now. It’s mostly decentralized, just needs a list of servers to talk to.

22:01 <acklas> So, one can now plug in a box in two places and have secure communications over the Internet?

22:03 <nicnus> Pretty much. There are some bugs we’re working on, but launch might be as close as a week or two.

22:04 <acklas> Is anyone there worried about Hacker Hate?

22:05 <nicnus> Not really. We’re producing a communications technology to make people’s lives safer and easier. How can you attack that?

22:07 <acklas> People can attack whatever they want. Them Out There hate anything new or innovative.

22:10 <nicnus> That’s just unfair.

22:11 <acklas> Maybe.

Nicnus glances over at #. Jack is still arguing vehemently in there. No one is really sure how to feel about the Hacker Hate meme. It has all but died out now, but for a few weeks people all over the media were posting vitriol about hackers and technologists, and generally blaming the Internet for all manner of social ills.

A message comes in from one of his coworkers, wanting to test the latest software revisions for the product. He disconnects his computer from the Internet and plugs it back in through the box. The device scans for other nodes using the same encryption keys, and then a light on it turns green as the connection is established. He and his coworker are now sharing files and chatting over a point-to-point encrypted connection.

Nicnus feels excited. If encryption is this easy, maybe those who need it, that is, everyone, will be willing to use it. An idea comes into his head and he quickly fires an email off to his boss. The device should be able to set up as many connections as you want, all at the same time! That way, people can join multiple encrypted networks made up of different groups of their contacts and friends.

He now turns to scan news articles coming in from the Internet. One headline in particular catches his eye. The RCMP and FBI have made a number of simultaneous arrests as a result of their MusicBox data collection! Nicnus is not happy. He had hoped that their lack of arrests up until now meant that they were not getting any useful data. Apparently they had just been waiting until they could do a bunch of arrests at once. He looks though the code he has been working on to block MusicBox spying. It works, and even has an option to send benign data out periodically so the server won’t notice that it is not getting spyware data. He and a few others have been testing it out recently, and there haven’t been any problems so far. In a moment, he has decided it’s time to release the code. A few moments later he has made it available to the public, and begins writing the announcement post for his website.

It is now early the next morning. Well, early by the standards of our geek friends. Bill is at work, because he actually sleeps at night. One of the members of his team is knocking on his door. Bill grunts and his team member enters.

“We may have a problem.”

“Oh?” Bill asks, uninterested.

“Someone has posted an application enabling people to block the MusicBox software.”

“Is that all?” Bill yawns, “No one will bother to use it.”

“Actually, sir, people don’t have to use it. A number of technologists have been pretty on edge recently, and the news of our arrests has not put them in a better mood. Some of them have banded together to develop a number of different, well—”

“Does this story have a point?” Bill knows that over half of their data, in fact, all of their useful data, did not come from MusicBox anyway.

“Well, sir, they have basically written a series of computer viruses that infect systems running MusicBox, using a couple of security holes in MusicBox itself, which then set themselves up to block all of our data-gathering efforts.”

“What?!” Now, Bill is listening. “Have the MusicBox people closed the security holes?”

“They don’t even know about this yet. Even if they do, if they block out the viruses, even if they change the protocol, the code will just get updated and more will come out. We’ve seen exactly this sort of strategy before: it’s the sort of thing that made piracy so hard to track down in the first place.”

“Wait, so they can update the viruses on everyone’s computers?” Bill is actually worried now. If anyone suspects they are collecting other data… they may engineer these viruses to block out the real data sources.

“They don’t need to. They just release a new virus and it spreads to all the computers the same way the first one did.”

Bill thinks about it for a moment, then realises this is no problem at all. “Well, certainly the antivirus makers can stop these as they have stopped computer viruses in the past.”

“Maybe, but we’re not talking about a couple of people working on something, or even about the efforts of organised crime. We’re talking about a huge number of top technologists being interested in keeping this out there. Also, many of the antivirus companies may not consider these programs malicious.”

Bill is not happy, but he’s not going to get into a screaming match with his subordinate. Hopefully interest in this will die out. Hopefully the hackers will not find a way to block the actually useful sources of information.

Nicnus’ brother is downloading a television series. You probably think he is crazy. This is the same brother who is still paying half of his income every month to compensate the music industry for a handful of movies he obtained this way. Why would he risk losing even more of his mostly-nonexistent livelihood?

Well, it isn’t that simple. At least, not to him. It’s not that he thinks he won’t get caught this time. He hasn’t even thought that far. He wants the content, and this is the only real way to get it. He can’t wait for it to come on broadcast television, because the show has been off the air for a few years. He can’t buy it on DVD, because he can’t find anywhere selling it in that format. Basically, he wants to watch it now and this is the only way he can find right now to get it. It’s easy to get it this way, he just runs a Google search and downloads from the first result. There is no conscious decision to break the law.

The media industry is slowly realising that many of those they have recently sued are just like Nicnus’ brother. No matter how much they spy on these people, they cannot catch them all, and no matter how many of them they catch, the behaviour does not change. More radical action may be necessary.

DiSo Actionstream Plugin 1.0

Posted on

Version 1.0 of the DiSo Actionstream plugin for WordPress has finally been released! The upgrade for this version may be a little rough, because the entire data storage model has changed since the last release. Let me know if you have any trouble!

For Debian users, there is a wordpress-diso-actionstream package in my APT repository.

Eduroam on Maemo (on the N900)

Posted on

The University of Waterloo has joined the eduroam international educational institution WiFi access exchange program. I am very happy about this, since eduroam uses good WPA2+RADIUS authentication instead of stupid captive portal stuff. Since I had to do some research to figure out how to connect from my N900, I thought I would share that here.

  1. Go to Settings > Internet connections > Connections > New
  2. Select WPA with EAP for security.
  3. EAP type: PEAP
  4. Certificate: none
  5. EAP method: EAP MSCHAPv2
  6. User name: user@uwaterloo.ca
  7. Password: Your Quest password
  8. Hit “Advanced”
  9. Go to the EAP tab
  10. Check the box “Use manual user name” and enter user@uwaterloo.ca again

The last three steps are the extra part. I go this information from this thread. I have no idea what the difference is between a “manual user name” and the username that is part of the login prompt. Maybe someone else knows?

Comments about Awards API

Posted on

@codenamebowser has written up a minimal Awards API spec similar in nature to what I proposed recently. @wolever has already made some comments. My comments are below.

OAuth: yes. Be aware that OAuth (and really any other system) cannot securely identify non-web apps. This is because auth keys stored in an app in the possesion of a user can be got by that user. Many people (including myself and the IETF OAuth spec editor, Eran Hammer-Lahav) feel that desktop/mobile apps should not use consumer tokens at all, but should use empty or “anonymous” tokens so the app can say to the user “an application claiming to be…”

User Accounts: whaaa? I guess you’re trying to let sites use the system if their users don’t, but you really probably want to be publishing to an actual usr account, not an invented thing. Make a way for new users to seamlessly get an account. You could start OAuth from the client and when they come if they have an account, log them in and associate. Otherwise get some ID from them (email address or web address) and use that to authenticate them (using email verification and/or openid and/or relmeauth).

I agree with @wolever that if you’re going to have limits, you should make them early on. Most things shouldn’t need limits, though.

I would make sure all properties are accessed as though they are just keys in the allswed kvp. That way the whole API is simpler and feels the same as itself. Some keys are just predefined with meaning and some aren’t.

Threshold seems like overkill for v1. The client probably knows that anyway.

If you want likits for IDs, look up the limits on the HTML ID attribute.

As @wolever says, don’t count on one user = one email.

This draft doesn’t say how the kvps are going up to the server. form encoded post? While a bit more complex, I would look into POSTing activity streams ATOM, since that will allow distributedness and resyndication to work very well.

Before I got to publishing this a new version of the API spec came out. More comments below.

Authentication: what? I’m reading this, and you have exactly re-invented OAuth. As always when re-inventing a security technology, you have done it poorly (md5? are you on crack?) Use OAuth… it’s the same basic tech you’re suggesting, but is actually good.

Must have for icon is PNG. I think size restrictions would be bad at an API level, though for your implementation you may want to institude a MB limit to prevent abuse.

140 characters is a nice arbitrary limit for SMS, but saying it makes things fit on one line in web designs is just not fair.

In the KvP, are values 8-bit safe? Can I use a 255-byte blob? 8-bit safety is *good*. Make your limits in bytes, not in characters.

users/create_and_retrieve seems like the only one that’s really useful (except maybe retrieve). What’s the use case for users/create? Of course, as above, I think it would be useful to handle user accounts somewhat differently.

Your XML seems like a good candidate for ATOM, as I suggested:


<entry>
	<author><email>dgrace@doomstick.com</email></author> <!-- this could be activity-actor as well/instead -->
	<id>test</id>
	<award:points>10</award:points>
	<title>Test achievement</title>
	<content>Got this for being a guinnea pig.</content> <!-- could use summary for this instead -->
	<link rel="logo" type="image/png" href="data:..." />
	<award:testkey>testvalue</award:testkey>
</entry>

This format (or something similar) has resyndication benefits, and also means that one could pass awards around easily using Salmon or Ostatus.

Generic Achievement System

Posted on

I’ve been thinking a bit recently about generic achievement systems. Basically what I want, is a web service where I’ve got a profile showing off the achievements I’ve unlocked in different ways. This could have some scraping of well-known social web achievements (StackOverflow, FourSquare), but that doesn’t really scale so I’d want an API that any service or application could tie into to publish unlocked achievements to my profile. I’d also want read APIs so I can put achievements I really want to show off on my actual profile page at singpolyma.net. Achievements should be able to take any image+text form, from high scores to badges.

If social web sites can publish achievements to the site and read them back out, that’s great, but there are already a couple of services that sort of serve that purpose (though I’m not sure either serves their own local profile pages). The real benefit here is that applications (especially including games) could easily tie into this as well.

Of course, now that I’ve described it you can see I don’t necessarily want a web service at all. I want an API specification and a reference implementation. Web apps and games should be configurable with my actual “achievement host” (or discover it over LRDD/Webfinger) so that I can just host my own list and not sharecrop on someone else.

Now, on top of all this, I want the same protocol (or something very close to it) to work with a local on-my-machine service that serves a similar purpose: storing scores and achievements for local users. One could then build nice local scoreboard/achievements unlocked display dashboards, which could be very useful in a gaming-heavy environment like the games at www.lionwins.com (some games already do shared local highscores, this is just one up on that).

The right way to build something like this, probably, is to use Activity Streams concepts and publish the content over HTTP as an “achieved” or “scored” event.