Monday, October 6, 2014

Personal Change

People have a habit of pigeon-holing others.  When you meet someone, they will quantify and classify you.  Sometimes it's good as you're pigeon-holed as:

  • A good person.
  • Fun
  • Intelligent
Other times, you may find yourself being pigeon-holed by others as:
  • Boring
  • Too loud
  • Unprofessional
This pigeon-holing is usually done very early on, and once a box has been put around you, it takes a lot of effort to get people to change their perception of it.  This then leads to a blurring that can be equally hard to shake - for instance if a good, reliable, person makes a monumental mistake once, people will forever think "He's a good guy, and usually reliable, but..."  Sometimes, however, new classifications override older ones to the point that people totally forget the previous classification.  This happened to me in my last job where having programmed Windows for 20 years, just 5 years of iOS programming got me pigeon-holed as "the Apple guy" and so 80% of my previous skills went unused.

Another problem with boxes is that some people, myself included, have a habit of learning new things and self improving.  Unhappy with just remaining static, we accumulate new skills and new knowledge that go equally unused.  Like every year of my life, in the past year I've added multiple new strings to my bow, including learning two musical instruments, improving my electronics knowledge, improving my knowledge of physics and banking processes, perfecting how to bake biscuits (the American kind, that is), cooking rice properly, and taking on the new programming language, Swift.  Some of this is applicable to my work as a programmer: knowing how banks work, or how electronics work, or a new language makes a programmer like me more desirable.

This means you end up being in the wrong box.  If the box remains unchanged despite these changes, then something is going to break to make you get into a more suitable box.

The two things that can break are:
  1. You stop learning new things and you stagnate because it's not applicable to your job, or your employer doesn't reward self-improvement.
  2. Your current employment stops and you find somewhere that will reward your new found skills.
When personal change means you no longer fit the box that you were comfortable being in, changes and decisions normally follow to correct this.  Being aware of the boxes you operate in and how you influence them is likely the most important thing you can be aware of about yourself.

Wednesday, September 10, 2014

Apple Watch Haters

It doesn't take a genius to work out by now that there's a phenomenon where normal, rational human beings suddenly lose their minds every September.  This is the month that Apple unveils its new iPhone, and it's also the month when Apple's other new products are unveiled to the public.

With these new iterations of phones or new products, we expect to see a cacophony of haters, naysayers and what have you, who prognosticate that Apple is failing to innovate if they don't release a new category product every other year, or that the latest iPhone is only an improvement on an old model instead of a completely new one, and there are those that outright say that a new device is just plain bad.

Even though we know that for the past few years Apple has followed pretty much every record-selling quarter with an even bigger one, the Internet has a habit of keeping stuff around for long periods of time, so we can see examples of what I mean by these haters who contradict it...

The iPod (the iPod classic got killed off yesterday).
In 2007, the iPhone came out...  Just in case you've forgotten, this was the competition then...
Yes, the Motorola Razr2 was released in 2007, the same year that the first iPhone was released.  So, how was the iPhone with its touch screen received?
"iPhone doesn't support 3G, it doesn't support multitasking, it doesn't support 3rd party apps, you cannot copy or paste text, you cannot attach arbitrary files to emails." 
Then there was Palm CEO Ed Colligan on Apple's iPhone:
“We’ve learned and struggled for a few years here figuring out how to make a decent phone,” he said. “PC guys are not going to just figure this out. They’re not going to just walk in.”
Or how about this all-out failure prognostication?

Next came the iPad...  We've all heard the "But it doesn't run Flash" argument, or the "It's just a big iPhone... but without the phone functionality" tirades.  Very quickly, though, the device was shifting a million units a month.  5 generations and 2 minis later, it's still selling very well.

However, it's very apparent when Apple's design is being ripped off by cheap copies, but then again, some people are happy with a lookalike product if it means they pay less.  Then, when the bar is raised again by a new iOS version, instead of just installing the update so that your hardware lasts two or three years, you need to buy a whole new phone.

Yes, people don't want to upgrade their entire Android phone, but because of carriers and OS fragmentation, they usually have to.

So what about the new Apple Watch?   There are already a few watches in the market.  Let's take a look at them.  

First, there is the Pebble.
This is a low-cost watch that looks very 1990s in its heritage.  You could easily imagine the name Casio stamped across the top.

Then there is the Samsung Galaxy Gear S watch.
This is an improvement on the Pebble, but it's largely just an iPhone UI shrunk onto the wrist.  You can change the colour of the strap to suit your style.

And there's the Sony one...
Sony have made watches for a long time, but they also went for the "shrunken" PDA kind of UI.  Again, you can change the strap colour.

Then Apple comes along with the Apple Watch.
This is a marked departure from the "PDA" interface.  The fact it has a crown (knob) too is a reminder that this is not a 1980s inspired "digital" design.  I won't go through the list of features as that's been done elsewhere, but I do want to turn to the naysayers.

Wearable tech is something I'm familiar with.  Go back to 2001 and I basically wore a "bat-belt" where I had my GPS, my phone, and my Palm PDA.  Now it's all in one device and there's still something else I wear: my Fitbit.  However, some people still don't like the idea, even though people are already wearing Nike Fuelbands, Fitbits and other health related products.

So it begins with the watch.
All I know is that above the cacophony of naysayers, there will be a slew of developers such as myself who know that many people will buy this device, and it will likely sell lots of them.  Apple is rarely first into any market, be it computers, media players, phones or watches - but when it does go in, it generally raises the bar and disrupts things.

I'll put my money on the Apple Watch nailing it, not failing it.

Friday, September 5, 2014

Ontario Smart Meters and Security

Sometimes, I see something that doesn't seem right to me, and internally I begin questioning it or trying to work out if it's deliberately not right for some other reason.  In Ontario, our Smart Meters are one such item that perplexes me because for all the hay-making in the media about security, it's actually wide open.

In Ontario, places such as Ottawa and Toronto have this meter.

As meters go, it's pretty standard.  There's an ID plate, an LCD screen that gives you basic information, then there's an IR port on the right (it's the dot in the left hand part of that recess on the right).  Internally, there's a transmitter that sends your home's data to a designated neighbouring smart meter that acts as a master and aggregates and sends on the data from its neighbouring slave meters.

The government and other electricity bodies went to great pains to point out that this data is secure and the remote meter repository where the data goes is secure, and the transmission is secure, and ... well, you get the picture.  


There's that little IR port on the front.  It's just spilling live data onto your driveway or beaming it at your next-door neighbour's wall...

And that is a problem.

As with many attacks on your privacy, 9 out of 10 require little more than physical access to the hardware itself.  There's no reason someone can't slide an IR receiver (about $2) over the port, connect it to an Arduino Mini Pro ($13), wire its output to a pen laser ($5), and now for $20 they've extended your private data across the street, where it's picked up by a solar cell and decoded.  Now that neighbour knows when you come and go, your habits and other patterns, etc.

The simple solution is just to stick some black electrical tape over the port.  A better solution is to use a Blueline Powercost monitor on it: not only do you get useful information from it, but there's an added security angle in that you're blocking the port from prying eyes (and you get the added warning that it's being tampered with if you stop seeing data).

Now that you understand this simple flaw in logic, go and have a chuckle as you look through this FAQ document from the IPC.


Thursday, September 4, 2014

CIBC Customer Communications Fails After Data Breaches

The news over recent years has become increasingly peppered with stories about large scale data breaches.  Notable examples include:

  • Adobe - 152,000,000 records.
  • EBay - 145,000,000 records.
  • Target - 70,000,000 records.
  • JCPenney/Dow Jones/JetBlue/etc - 160,000 records.
  • Sony PSN - 77,000,000 records.
  • Heartland Payments - 130,000,000 records.
  • TJ / TK Maxx - 94,000,000 records.
  • AOL (2014) - 2,400,000 records.
  • AOL (2006) - 20,000,000 records.
  • AOL (2005) - 92,000,000 records.

As you can see, these aren't small numbers.  

The latest breach appeared this week and it points to Home Depot.  Now, Home Depot operates in Canada as well as the USA, Guam, Mexico and Puerto Rico, and much hay has been made over the issue in the media.  Home Depot themselves put out a statement on the matter, and many security experts are looking at the issue.

Neal O’Farrell, an identity theft and security analyst for credit monitoring site Credit Sesame recommends consumers use the breach as “an earthquake drill” and go through the “security routines you’ve been putting off.”...   

I had a quick think and, knowing that I use Home Depot regularly, I know there's a fair chance I could be caught up in this one if Canada is part of the breach.  Whilst I can look at my statements after a breach, I've no idea about one key aspect of my financial protection: one way I may be protected is if the bank geo-fences transactions and can flag a transaction that's trying to go through outside of some safety area.

It turns out I'm not the only one thinking about this.  A Krebs report on the matter (source) even says this: 

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.

So, I did the sensible thing and asked my bank to clarify what, if anything, exists to protect me:

I thought this was a straightforward question to ask a financial institution...  So, you can imagine the face-palm I did when I read the response pointing me to a T&C page that makes no mention of geographic protection radii.

Needless to say, I had to point out that they've not answered the question... Then I re-asked the same question, but using a different wording.

At this point, it should be pretty clear to the bank a) what I'm asking, and b) why I'm asking it.  So, having not answered the question, the bank tries to obfuscate the issue.

Now, anyone that's followed my previous gripes with this bank, and knows what I think about their relaxed security policies, history of foul-ups and bad communication, will know I was getting suspicious that such a number doesn't exist.

So, I changed the question to see if this reveals any security context, or if it generates blow-back:

The following answer came back...

This was the most telling response of all.

In a simple enquiry to the bank to understand how/if I'm protected on a geographical basis, the bank had first actively failed to answer the question, then tried to obfuscate the issue, then finally fell back to an "argument from ignorance" stance and tried to draw a line.

Last time that CIBC drew a line like this, the wager was made where I had to try and extract credit card information from CIBC using a labrador retriever's nose.

Now, "absence of evidence" does not imply "evidence of absence", but as a customer this is highly worrying when the "burden of proof" is on the bank and they can't explain it.

To add to the litany of other security issues I know about, I don't think CIBC has me covered on this one either.  My guess is it's not geofenced and probably not even geocoded from an address of banks, shops, or ATMs, where cards are used.

I can test this pretty easily too.  Thankfully, this time it doesn't require a dog.
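What a geographic check on card-present transactions could look like, as an added example that is not from the post and does not describe any bank's actual rules.  It assumes each card has a recorded home location (the billing postcode's latitude/longitude), compares that with the merchant's location, and tightens the allowed radius when a "breach mode" flag is set, along the lines of the post-breach blocking Krebs describes; all cards, locations and amounts below are constructed.

```python
"""Geofence check for in-store card transactions (constructed example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Hypothetical card-holder home coordinates, keyed by a card reference.
# Constructed sample data: "card-A" lives near Ottawa.
HOME: Dict[str, Tuple[float, float]] = {"card-A": (45.42, -75.69)}

NORMAL_RADIUS_KM = 150.0   # assumed everyday radius for in-store purchases
BREACH_RADIUS_KM = 40.0    # assumed tighter radius while a breach is active


@dataclass(frozen=True)
class Txn:
    card: str
    merchant_lat: float
    merchant_lon: float
    amount: float
    card_present: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def assess(txn: Txn, home=HOME, breach_mode: bool = False) -> Tuple[str, Optional[float]]:
    """Return (decision, distance_km) for one transaction.

    card-not-present (online) purchases carry no merchant geography worth
    trusting, so they are routed to other controls rather than geofenced.
    """
    if not txn.card_present:
        return ("review-cnp", None)
    if txn.card not in home:
        return ("review-no-home", None)   # cannot geofence without a baseline
    lat, lon = home[txn.card]
    dist = haversine_km(lat, lon, txn.merchant_lat, txn.merchant_lon)
    limit = BREACH_RADIUS_KM if breach_mode else NORMAL_RADIUS_KM
    return ("block", dist) if dist > limit else ("allow", dist)


def triage(txns: List[Txn], breach_mode: bool = False) -> List[Tuple[str, str]]:
    """Decisions for a batch, as (card, decision) pairs."""
    return [(t.card, assess(t, breach_mode=breach_mode)[0]) for t in txns]


# Constructed sample: a local hardware-store purchase, then a Toronto-area one.
SAMPLE = [
    Txn("card-A", 45.35, -75.75, 84.20, True),    # Ottawa suburb
    Txn("card-A", 43.65, -79.38, 499.00, True),   # Toronto, ~350 km away
    Txn("card-A", 43.65, -79.38, 19.99, False),   # online order, not geofenced
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.card, t.amount, assess(t), assess(t, breach_mode=True))
```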

Thursday, July 31, 2014

Technology and Waves

The technology landscape changes quickly, and nearly everyone knows that already.  However, the types of changes that occur fluctuate in waves.  Sometimes it's a hardware innovation, like we saw in 2007 when Apple came out with a touchscreen phone and by 2008 everyone else had a touchscreen phone.  Other times it's software, like we saw with digital assistant services such as Apple's Siri, Google's Google Now or the new Cortana from Microsoft.

Microsoft Cortana In Action...

These waves are analogous to ocean waves in more ways than you would think.  Much like the ocean, which under normal circumstances produces small waves at a predictable frequency (x waves per year, often being annual product refreshes), these smaller waves sometimes combine to create a bigger wave.  For example, faster networking, mobile file access and better data centres combined to give us cloud computing, which generates massive upheaval as mobile and desktop operating systems, developer applications, office suites and everything else get cleavered to hack in this new technology.

So what waves are we seeing right now?  In short, things are coming to a head in two areas:

  • Power
  • Security
Power is an issue because we are on the move so much and, whilst CPUs are getting faster, phones do more, and data and display requirements go through the roof, the underlying battery technology hasn't exactly changed much in decades.

Security is an issue due to two factors: first, the NSA snooping fiasco has gotten everyone from the general public to governments [such as Germany] uptight; secondly, the amount of cyber-crime and cyber-terrorism is going through the roof.  I've said in the past that people will be waking up to what's really going on for a few years, but it seems like this year it finally happened.  Again, some of the reasons behind this being a problem are that the underlying technology hasn't changed in a long time, meaning anyone with a nefarious agenda can sit and pore over the code to see how it works and where its weaknesses are.

This brings us nicely to this week's unveiling of seL4.  After cyber-terrorists hacked into key infrastructure, a new kernel was created, which you can run drones and other complex systems on. Each component in the system is fire-walled off from other parts, and the security professionals who built it claim that in theory the new system can't be hacked.  Putting aside thoughts that shipping professionals built the "unsinkable" Titanic which still sank, I was somewhat concerned when they then Open-Sourced the code.

Yes, the kernel that is currently unhackable can be pored over by cyber-terrorists or cyber-criminals.  To put the icing on this cake, they can now compile this unhackable kernel and pop it into their own missiles, tanks, drones, etc.

Maybe it's just me, but I don't think that was a good idea.

Thursday, July 24, 2014

Why I think CNN is clueless on Technology

Apologies: This Is A Moderately Technical Post

It's not very often that a news article makes me angry, but last night I read this CNN article on Microsoft stopping its Windows RT product:
Microsoft's most boneheaded product is about to be killed off

The morning has come around, and it's still aggravating me because it's wrong, so I'm going to try and lay out why here, because when you understand what most don't (including the people at CNN) you'll see how wrong it is.

As we all know, computer technology has for decades remained somewhat mystical to the consumer.  Most have no idea about Von Neumann architecture, endian problems, stacks, and such, because outside of computing these things are not used much.  Whilst the recent (past decade) operating systems have become infinitely easier to use, the media is now showing its ignorance when trying to educate consumers and is actually muddying the same waters that have recently been cleared.

So, let's dive in as to what's wrong, starting with a little history.

Traditionally, the Windows architecture has been successful because of its open architecture where peripherals are concerned.  By moving core pieces of the OS to drivers that plug in, the details of these peripherals are shielded from the OS.  This means the OS can accommodate new things as they arrive.  Ironically, however, the core part of the OS is optimized for the Intel x86 instruction set.  This means you need an Intel processor, or Intel clone (AMD, etc) to run it.

Digging further into Windows, we see that it is comprised mainly of DLLs.  
Under 16bit windows, everything sat in C:\Windows\System.
Under 32bit windows, everything sat in C:\Windows\System32.
Under 64bit windows, everything sits in C:\Windows\System32, for compatibility reasons.  

Yes, System32 holds the 64-bit DLLs on 64-bit systems.  Obviously, to be able to thunk down the pointer instructions and run unmodified 32-bit programs seamlessly, you need to ship the 32-bit DLLs, so these reside in C:\Windows\SysWoW64.  Yes, the 32-bit stuff is in the directory ending in 64, and the 64-bit stuff is in the directory ending in 32.
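One way to see the naming quirk for yourself is to read the Machine field of each DLL's COFF header, which records the CPU the image was compiled for.  This is an added example, not code from the original post; it assumes the PE layout from Microsoft's PE/COFF specification (e_lfanew at offset 0x3C of the DOS header, then "PE\0\0", then the 20-byte COFF header whose first WORD is Machine), and it includes constructed minimal headers so it also runs on a machine without Windows.

```python
"""Report the target architecture of Windows DLLs from their PE headers."""
import os
import struct
from typing import Dict

# Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARMNT (Thumb-2, the Windows RT target)",
    0xAA64: "ARM64",
}


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine value of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # The COFF header follows the signature; Machine is its first WORD.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def describe(data: bytes) -> str:
    return MACHINE_NAMES.get(pe_machine(data), "unknown")


def scan_dir(path: str, limit: int = 5) -> Dict[str, str]:
    """Map DLL name -> architecture for the first `limit` DLLs in a directory."""
    out: Dict[str, str] = {}
    if not os.path.isdir(path):
        return out
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".dll"):
            continue
        try:
            with open(os.path.join(path, name), "rb") as f:
                out[name] = describe(f.read(65536))   # headers sit near the start
        except (OSError, ValueError) as exc:
            out[name] = f"unreadable ({exc})"
        if len(out) >= limit:
            break
    return out


def make_fake_pe(machine: int) -> bytes:
    """Constructed minimal image: MZ stub + PE signature + zeroed COFF header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # On 64-bit Windows, System32 reports x64 and SysWoW64 reports x86.
    for d in (r"C:\Windows\System32", r"C:\Windows\SysWoW64"):
        for name, arch in scan_dir(d).items():
            print(f"{d}\\{name}: {arch}")
    # Offline demonstration on the constructed headers:
    print(describe(make_fake_pe(0x8664)), "|", describe(make_fake_pe(0x014C)))
```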

If you've no idea what WOW64 (the latest incarnation of Windows on Windows) is, read this.  

Remembering that all the peripheral drivers have to talk to these DLLs, you can appreciate that they also need to be compiled to run only on Intel processors, because when a DLL is loaded and wired up, the VTable needs to point to the function at the correct address, or you'll get a blue screen.

So, let's revisit the "Vista" debacle for a second...

Up until Windows Vista was conceived, the driver architecture had not changed since Windows was first introduced.  If you printed, you still had brushes, canvases and such, but the printer hardware was moving to capabilities far beyond what the OS was aware of.  Same thing for cameras: what started off as a picture device was now turning into a combined picture and video capture device.  Throw in VPNs, smartphones and other new technologies, and it was clear that the driver interface of Windows needed to be updated.

Unfortunately, an update of this magnitude requires breaking changes.  So, Microsoft tore down the driver architecture and brought it up to date.  Then, due to market pressures, they forced this new architecture out of the door before everyone had a chance to rewrite their drivers to use the new specification.  As history shows, what happened technically and what the media and public saw are two different things:
  • Technically, the OS just got future proofed.
  • Consumers thought the OS was broken as their printer/camera/etc stopped working.
This wasn't the OS's fault - though it was certainly Microsoft's fault for pushing it out of the door too quickly.  Today, Windows still uses the same driver architecture, only now the device manufacturers have had time to update their drivers and iron out the kinks.  However, everything was still only compiled to run on Intel instructions.  After Vista was pushed, Windows 7 came out.  Windows 7 was effectively Vista with fixes in place, and some new features.  

The public and the media committed Vista to their collective memory as a total failure, for all the wrong reasons.  Even the media reported Windows 7 as "going back to the old Windows", when in fact it was just Vista fixed and moving forward with the same old plan...  There was no "going back".

The next problem to address was mobile devices.  Intel chips are known to be fast, power-hungry and hot.  If you're going to make Windows a truly mobile operating system, you're going to have to face the fact that the successful devices all run on ARM processors, not Intel.

At this point, it shouldn't take a genius to understand that if you're going to run Windows on an ARM processor, all those Intel-optimized DLLs will have to go.  The problem here is that some of the routines in these DLLs are so crucial to the running of the operating system in terms of speed and bottlenecks, they've been tweaked over the decades to include manually written assembly code.

This is therefore no small undertaking.  

What Microsoft did was rewrite nearly everything, and thus the WinRT (Windows RunTime) was born.  The WinRT component can target both the ARM and Intel processors, and acts as a broker between your app and the hardware underneath.  In a loose sense, this is like putting Windows services into a driver all of its own.

The next piece of the puzzle was to rewrite the desktop and everything else to sit on top of the WinRT foundation.  This was done, and hence "Windows RT" was born.  So, now you have an RT-ready desktop sitting on an ARM-capable runtime.  If you write a managed app to run on the new managed architecture that targets WinRT, your app will run on desktop, ARM and Windows phones.  This is primarily where "apps" come in, but it's not exclusive to the Metro app style.

So, Windows RT is now created and works.  So what did Microsoft do?  They pushed it out the door too early, again.  They hadn't even finished writing Office when Windows RT was released.  Major software manufacturers like Adobe hadn't had time to go through the WinRT architecture to begin thinking about a migration process...

So, the media deems this marvel of engineering as a piece of crap and then Microsoft puts the icing on this cake by confusing the public as to what Windows RT really is, as well as simultaneously bandying about the WinRT term.

Fast forward, and Microsoft is now killing off RT.  You can bet your bottom dollar this is in name only - after all, we can't make all this progress of finally having a Windows OS and universal apps that run on your desktop and XBox, only to take this away.

Having a thorough understanding of the monumental engineering that happened, let's go back to the CNN article where we see stuff like this:
  • "Windows RT was supposed to usher in the tablet era for Microsoft. But Windows RT has two fatal flaws: it's missing crucial apps, and it's poorly designed."
  • "The biggest failure of Windows RT was that it took away the single best part of Windows -- the fact that it can run just about every app ever created."
  • "Still, you can't run iTunes. There's no Chrome or Firefox browser. You likely can't run your company's custom-built software. Pretty much anything that requires a desktop is a no-go."
Yes, these people probably complained that they can't put diesel in their petrol consuming car... This is the same problem - it's not the OS's fault that 3rd parties haven't yet ported their apps to the WinRT platform.  

Another point that also got my goat was this:
"Microsoft didn't take away the desktop in Windows RT. No, no, no. Curiously, Microsoft kept the desktop around so you can run a separate, more robust version of Internet Explorer."

They missed the point again.  The "desktop" version of IE is the WinRT ported version of IE that will get reused on other platforms.  The core components of that desktop version (such as the rendering engine) are shared with the metro version which is designed for fat-fingered use on smartphones and tablets, not mouse/trackpad with precision.

To drive the penultimate nail in the coffin on this CNN article, we can use the article against itself.  On the one hand, it says this:
"You likely can't run your company's custom-built software."

And on the other hand, it says this:
"But Microsoft never made a compelling case for why you should buy a Windows RT tablet over a rival tablet except for the fact that it runs Office. And that argument just went out the window when Microsoft brought Office to the iPad earlier this year."

The simple answer to this is you open up your custom software that you likely spent a lot of money on in the latest version of Visual Studio and you port it (something you generally have to do every 5 years or so anyway, unless you want to be stuck only working on Windows NT 3.51 forever).  Once you port it, you have a lower learning curve for the users, lower cost devices (ARM is cheaper than Intel) and so the list goes on.

But I said that was the "penultimate" nail in the coffin...  So what's the final nail?

Simply that regardless of what happens to Windows RT in name, it has no bearing on its technology: the guts of RT will proliferate.  That RT desktop that currently has few apps will be the same WinRT-based desktop you're running in a few years on your shiny new laptop.  Yes, the RT debacle will clear up in exactly the same way that the Vista one did; it's an adoption/timing issue.

The catalysts for this move, though, will be the Windows Phone and Xbox.  Microsoft is moving its "Universal Apps" to more devices, and what this means is that if companies want you to run their software on those devices, they'll be porting it over to the new architecture.

The irony of this, of course, is that whilst the media no doubt fawns over Windows 9 and its ability to write once, run everywhere, they will simultaneously forget that we were already there with Windows RT, and whilst they stand on the shoulders of this huge endeavour, they will likely be mocking it in ignorance.

I hope that now you understand why the ignorance of the CNN article makes me so mad.

Tuesday, July 22, 2014

Thoughts On The 2014 Bell Canada Hack

In Canada, a large portion of our news comes from two monopolies - Rogers or Bell Canada.  They own the phone lines, the cable/satellite broadcast systems, the news desks, the sports channels, the sports teams and the sports venues (that latter chunk of sports is part of the next decade’s fight to keep TV subscriptions going - because you’re forced to not cut the cable if they’ve the monopoly on live sports).

Last month, there was a story about a teen being charged for hacking into Bell Canada and posting lots of small businesses' information online.  If you don't know this story, here's the crux of it as far as it's generally told:

  • About 20,000 records were leaked.
  • It was done by a hacking crew.
  • Only five valid credit cards were in the data.
  • The blame lies with a third party that had Bell’s data, but all Bell’s residential customers are safe.

Now, apart from the odd math indicating that Bell would have thousands of invalid credit cards on file and only 5 valid ones in a dump of 20,000 accounts, everything seems fairly cut and dried.  And that is how the news is delivered to the public.

What you don’t hear is how this is allowed to happen.

Five whole months before this breach took place, I was already on my second major pow-wow with Bell over exactly this type of third party runaway data.  Now, whilst the Bell breach has been dissected and explained (basic ASP site + SQL injection) in detail at third party security blogs, the problem remains that Bell has major security flaws.

It’s been some years since I first raised the flag with Bell’s Privacy Office about compromised accounts, and how I found them.  Bell hasn’t fixed the issue, so there’s a number of people out there who are at risk of identity theft.  Just recently, I reported another issue to Bell, where they’re allowing people to share private credentials - seeing that Bell didn’t look for this is indicative of what’s on their “security” radar as far as I’m concerned - and that radar doesn’t look far from head office. 

Looking at what Bell Canada can see and can’t see, we can infer three fatal flaws:
  • The internal culture of thinking they’re more secure than they are is breeding opportunities for hackers.
  • The misunderstanding of the security risks means that hackers can target Bell Canada who won't see what they’re doing until it’s too late.
  • Bell Canada is clearly none the wiser about where things are heading;  They’re too focused on routers, encryption and technology to see how policy and mismanagement is counteracting that same technology.

So, the next time you hear about hackers taking Bell customer information, remember that the stable doors have been open for a while.