Thursday, July 31, 2014

Technology and Waves

The technology landscape changes quickly, and nearly everyone knows that already.  However, the types of changes that occur come in waves.  Sometimes it's a hardware innovation, like 2007 when Apple came out with a touchscreen phone, so that by 2008 everyone else had a touchscreen phone.  Other times it's software, like we saw with digital assistant services such as Apple's Siri, Google's Google Now or the new Cortana from Microsoft.

Microsoft Cortana In Action...


These waves are analogous to ocean waves in more ways than you would think.  Much like the ocean, where under normal circumstances small waves arrive at a predictable frequency (x waves per year, often the annual product refreshes), these smaller waves sometimes combine to create a bigger wave.  For example, faster networking, mobile file access and better data centres combined to give us cloud computing, which generates massive upheaval as mobile and desktop operating systems, developer applications, office suites and everything else get chopped up to hack in this new technology.

So what waves are we seeing right now?  In short, things are coming to a head in two areas:

  • Power
  • Security
Power is an issue because we are on the move so much, and whilst CPUs are getting faster, phones do more, and data and display requirements go through the roof, the underlying battery technology hasn't exactly changed much in decades.

Security is an issue due to two factors: first, the NSA snooping fiasco has gotten everyone from the general public to governments [such as Germany] uptight; secondly, the amount of cyber-crime and cyber-terrorism is going through the roof.  I've said in the past that people would be waking up to what's really going on for a few years, but it seems like this year it finally happened.  Again, part of the reason this is a problem is that the underlying technology hasn't changed in a long time, meaning anyone with a nefarious agenda can sit and pore over the code to see how it works and where its weaknesses are.

This brings us nicely to this week's unveiling of seL4.  After cyber-terrorists hacked into key infrastructure, a new kernel was created, which you can run drones and other complex systems on.  Each component in the system is firewalled off from other parts, and the security professionals who built it claim that in theory the new system can't be hacked.  Putting aside thoughts that shipping professionals built the "unsinkable" Titanic, which still sank, I was somewhat concerned when they then open-sourced the code.

Yes, the kernel that is currently unhackable can be pored over by cyber-terrorists or cyber-criminals.  To put the icing on this cake, they can now compile this unhackable kernel and pop it into their own missiles, tanks, drones, etc.

Maybe it's just me, but I don't think that was a good idea.





Thursday, July 24, 2014

Why I think CNN is clueless on Technology

Apologies: This Is A Moderately Technical Post


It's not very often that a news article makes me angry, but last night I read this CNN article on Microsoft stopping its Windows RT product:
Microsoft's most boneheaded product is about to be killed off

The morning has come around, and it's still aggravating me because it's wrong, so I'm going to try and lay out why here.  Once you understand what most people don't (including the people at CNN), you'll see how wrong it is.

As we all know, computer technology has for decades remained somewhat mystical to the consumer.  Most have no idea about Von Neumann architecture, endian problems, stacks, and such, because outside of computing these things are not used much.  Whilst the recent (past decade) operating systems have become infinitely easier to use, the media is now showing its ignorance when trying to educate consumers and is actually muddying the same waters that have recently been cleared.

So, let's dive in as to what's wrong, starting with a little history.

Traditionally, the Windows architecture has been successful because of its open architecture where peripherals are concerned.  By moving core pieces of the OS to drivers that plug in, the details of these peripherals are shielded from the OS.  This means the OS can accommodate new things as they arrive.  Ironically, however, the core part of the OS is optimized for the Intel x86 instruction set.  This means you need an Intel processor, or an Intel clone (AMD, etc.) to run it.

Digging further into Windows, we see that it is comprised mainly of DLLs.
Under 16-bit Windows, everything sat in C:\Windows\System.
Under 32-bit Windows, everything sat in C:\Windows\System32.
Under 64-bit Windows, everything sits in C:\Windows\System32, for compatibility reasons.

Yes, System32 holds the 64-bit DLLs on 64-bit systems.  Obviously, to be able to thunk down the pointer instructions and run unmodified 32-bit programs seamlessly, you need to ship the 32-bit DLLs too, so these reside in C:\Windows\SysWoW64.  Yes, the 32-bit stuff is in the directory ending in 64, and the 64-bit stuff is in the directory ending in 32.

If you've no idea what WOW64 (the latest incarnation of Windows on Windows) is, read this.  

Remembering that all the peripheral drivers have to talk to these DLLs, you can appreciate that they also need to be compiled to run only on Intel processors, because when a DLL is loaded and wired up, the VTable needs to point to the function at the correct address, or you'll get a blue screen.

So, let's revisit the "Vista" debacle for a second...

Up until Windows Vista was conceived, the driver architecture had not changed since Windows was first introduced.  If you printed, you still had brushes, canvases and such, but the printer hardware was moving to capabilities far beyond what the OS was aware of.  Same thing for cameras: what started off as a picture device was now turning into a combined picture and video capture device.  Throw in VPNs, smartphones and other new technologies, and it was clear that the driver interface of Windows needed to be updated.

Unfortunately, an update of this magnitude requires breaking changes.  So, Microsoft tore down the driver architecture and brought it up to date.  Then, due to market pressures, they forced this new architecture out of the door before everyone had a chance to rewrite their drivers to use the new specification.  As history shows, what happened technically and what the media and public saw are two different things:
  • Technically, the OS just got future proofed.
  • Consumers thought the OS was broken as their printer/camera/etc stopped working.
This wasn't the OS's fault - though it was certainly Microsoft's fault for pushing it out of the door too quickly.  Today, Windows still uses the same driver architecture, only now the device manufacturers have had time to update their drivers and iron out the kinks.  However, everything was still only compiled to run on Intel instructions.  After Vista was pushed, Windows 7 came out.  Windows 7 was effectively Vista with fixes in place, and some new features.  

The public and the media committed Vista to their collective memory as a total failure, for all the wrong reasons.  Even the media reported Windows 7 as "going back to the old Windows", when in fact it was just Vista fixed and moving forward with the same old plan...  There was no "going back".

The next problem to address was mobile devices.  Intel chips are known to be fast, power-hungry and hot.  If you're going to make Windows a truly mobile operating system, you're going to have to face the fact that the successful devices all run on ARM processors, not Intel.

At this point, it shouldn't take a genius to understand that if you're going to run Windows on an ARM processor, all those Intel-optimized DLLs will have to go.  The problem here is that some of the routines in these DLLs are so crucial to the running of the operating system in terms of speed and bottlenecks that they've been tweaked over the decades to include manually written assembly code.

This is therefore no small undertaking.  

What Microsoft did was rewrite nearly everything, and thus the WinRT (Windows RunTime) was born.  The WinRT component can target both the ARM and Intel processors, and acts as a broker between your app and the hardware underneath.  In a loose sense, this is like putting Windows services into a driver all of its own.

The next piece of the puzzle was to rewrite the desktop and everything else to sit on top of the WinRT foundation.  This was done, and hence "Windows RT" was born.  So, now you have an RT-ready desktop sitting on an ARM-capable runtime.  If you write a managed app to run on the new managed architecture that targets WinRT, your app will run on desktop, ARM and Windows phones.  This is primarily where "apps" come in, but it's not exclusive to the Metro app style.

So, Windows RT is now created and works.  So what did Microsoft do?  They pushed it out the door too early, again.  They hadn't even finished writing Office when Windows RT was released.  Major software manufacturers like Adobe hadn't had time to go through the WinRT architecture to begin thinking about a migration process...

So, the media deems this marvel of engineering as a piece of crap and then Microsoft puts the icing on this cake by confusing the public as to what Windows RT really is, as well as simultaneously bandying about the WinRT term.

Fast forward, and Microsoft is now killing off RT.  You can bet your bottom dollar this is in name only; after all, we can't make all this progress of finally having a Windows OS and universal apps that run on your desktop and Xbox, only to take it away.

Having a thorough understanding of the monumental engineering that happened, let's go back to the CNN article, where we see stuff like this:
  • "Windows RT was supposed to usher in the tablet era for Microsoft. But Windows RT has two fatal flaws: it's missing crucial apps, and it's poorly designed."
  • "The biggest failure of Windows RT was that it took away the single best part of Windows -- the fact that it can run just about every app ever created."
  • "Still, you can't run iTunes. There's no Chrome or Firefox browser. You likely can't run your company's custom-built software. Pretty much anything that requires a desktop is a no-go."
Yes, these people probably complained that they can't put diesel in their petrol consuming car... This is the same problem - it's not the OS's fault that 3rd parties haven't yet ported their apps to the WinRT platform.  

Another point that also got my goat was this:
"Microsoft didn't take away the desktop in Windows RT. No, no, no. Curiously, Microsoft kept the desktop around so you can run a separate, more robust version of Internet Explorer."

They missed the point again.  The "desktop" version of IE is the WinRT ported version of IE that will get reused on other platforms.  The core components of that desktop version (such as the rendering engine) are shared with the metro version which is designed for fat-fingered use on smartphones and tablets, not mouse/trackpad with precision.

To drive the penultimate nail in the coffin on this CNN article, we can use the article against itself.  On the one hand, it says this:
"You likely can't run your company's custom-built software."

And on the other hand, it says this:
"But Microsoft never made a compelling case for why you should buy a Windows RT tablet over a rival tablet except for the fact that it runs Office. And that argument just went out the window when Microsoft brought Office to the iPad earlier this year."

The simple answer to this is you open up your custom software that you likely spent a lot of money on in the latest version of Visual Studio and you port it (something you generally have to do every 5 years or so anyway, unless you want to be stuck only working on Windows NT 3.51 forever).  Once you port it, you have a lower learning curve for the users, lower cost devices (ARM is cheaper than Intel) and so the list goes on.

But I said that was the "penultimate" nail in the coffin...  So what's the final nail?

Simply that regardless of what happens to Windows RT in name, it has no bearing on its technology: the guts of RT will proliferate.  That RT desktop that currently has few apps will be the same WinRT-based desktop you're running in a few years on your shiny new laptop.  Yes, the RT debacle will clear up in exactly the same way that the Vista one did; it's an adoption/timing issue.

The catalysts for this move, though, will be the Windows Phone and Xbox.  Microsoft is moving its "Universal Apps" to more devices, and what this means is that if companies want you to run their software on those devices, they'll be porting it over to the new architecture.

The irony of this, of course, is that whilst the media no doubt fawns over Windows 9 and its ability to write once, run everywhere, they will simultaneously forget that we were already there with Windows RT, and whilst they stand on the shoulders of this huge endeavour, they will likely be mocking it in ignorance.

I hope that now you understand why the ignorance of the CNN article makes me so mad.



Tuesday, July 22, 2014

Thoughts On The 2014 Bell Canada Hack

In Canada, a large portion of our news comes from two monopolies - Rogers or Bell Canada.  They own the phone lines, the cable/satellite broadcast systems, the news desks, the sports channels, the sports teams and the sports venues (that latter chunk of sports is part of the next decade’s fight to keep TV subscriptions going - because you’re forced to not cut the cable if they’ve the monopoly on live sports).

Last month, there was a story (http://www.theglobeandmail.com/news/national/mounties-charge-quebec-teen-for-hacking-bell-customer-data-posting-it-online/article19156480/) about a teen being charged for hacking into Bell Canada and posting lots of small businesses information online.  If you don’t know this story, here’s the crux of it as far as it’s generally told:

  • About 20,000 records were leaked.
  • It was done by a hacking crew.
  • Only five valid credit cards were in the data.
  • The blame lies with a third party that had Bell’s data, but all Bell’s residential customers are safe.


Now, apart from the odd math indicating that Bell would have thousands of invalid credit cards on file and only five valid ones in a dump of 20,000 accounts, everything seems fairly cut and dried.  And that is how the news is delivered to the public.

What you don’t hear is how this is allowed to happen.

Five whole months before this breach took place, I was already on my second major pow-wow with Bell over exactly this type of third party runaway data (http://coulls.blogspot.ca/2013/09/bell-canada-and-yellow-pages-data-issue.html).  Now, whilst the Bell breach has been dissected and explained (basic ASP site + SQL Injection) in detail at third party security blogs, the problem remains that Bell has major security flaws. 

It’s been some years since I first raised the flag with Bell’s Privacy Office about compromised accounts, and how I found them.  Bell hasn’t fixed the issue, so there’s a number of people out there who are at risk of identity theft.  Just recently, I reported another issue to Bell, where they’re allowing people to share private credentials - seeing that Bell didn’t look for this is indicative of what’s on their “security” radar as far as I’m concerned - and that radar doesn’t look far from head office. 

Looking at what Bell Canada can see and can’t see, we can infer three fatal flaws:
  • The internal culture of thinking they’re more secure than they are is breeding opportunities for hackers.
  • The misunderstanding of the security risks means that hackers can target Bell Canada who won't see what they’re doing until it’s too late.
  • Bell Canada is clearly none the wiser about where things are heading;  They’re too focused on routers, encryption and technology to see how policy and mismanagement is counteracting that same technology.


So, the next time you hear about hackers taking Bell customer information, remember that the stable doors have been open for a while.

Monday, July 21, 2014

I just tried to give Microsoft more money.

As regular readers of my blog or people that know me well will know, I sit in both the Microsoft camp and the Apple camp.  

  • I program in both .Net and Objective-C (and lately, Swift too). 
  • I have an iPhone and a Windows Phone.
  • I have a Mac and a PC.
  • My Mac has Windows on it too.
  • I have an iPad and a Surface RT.
I like to think that I'm fair and knowledgeable about both sides of the camp.  I really like the effort both teams are putting into technology.  I also really like the ease of use for the cloud offerings.  Aaand I'm also getting really tired of Microsoft's inability to deal with me as a consumer in a reliable way.  (We've been here before - see here)  

As a programmer, things are great.  You set things up in Windows Azure and things just work...  

"You want Visual Studio 2013 Pro? No problem, we'll just tack on the subscription to your Azure account." - and shazam - you got a valid copy of it up and running.

 As a consumer, I have to fight tooth and nail...  
"You want Windows 8 to run under Parallels?  Sorry, we don't sell Windows for Mac"...
... and when you do finally get it...
"OK, we'll sell you the full copy of Windows, but you can only download an install stub that runs under Windows, which we understand you don't have yet".
...or even this...
"You can't order a Windows Kinect device to be picked up and paid for at the store".

So this week, it was time to update my Surface RT.  I've had a good time with the device, and it has served me well, but I can't run on old tech forever - especially in my line of work.

First I took a trip to Toronto's Eaton Centre, where Microsoft has a retail space.  I spoke to the people there who told me if I bring in the old device, I was eligible to get about $200 for the old device to put towards the new one.  This sounded reasonable.  Over the weekend, I had to go to Toronto's Yorkdale Shopping Centre, and Microsoft has a big store there, so I brought along my decommissioned Surface RT.

I knew something was going wrong the moment I walked through the door and said "Hi! I'd like to trade in my Surface RT and upgrade to a Surface Pro 3".  The assistant looked at me for about three seconds and replied that there is no program that uses old devices as part of the purchasing process for new devices.  

Rather than get into a long-winded argument, I pointed out what the other Microsoft store had said and then asked him whether they had lied to me.  He said he'd go speak to his manager (a tall blonde guy that was parading around with his arms in a "Y" shape as he'd just scored a goal on the Xbox One soccer game).  A few minutes later, he came back and said that yes, there was actually a program for this, and promptly delivered me to the back desk.

At the back desk, I was told there were three options to choose from (cheap, middle and expensive).  I opted for the cheapest one.  The guy went out the back of the store for five minutes and came back saying the option I'd chosen wasn't in stock, and really there were only two options.  So, I chose the cheapest of the two (the middle one).  He disappeared again to confirm they had that one.

Next came the trading in of the old device.  I was looking forward to my $200 credit being put on a device that was now already more expensive than I'd planned, so you can imagine my disappointment when the new valuation came in at $92.  I'm not kidding.

I left the Microsoft Store with the more-expensive-than-planned device, minus $100 worth of planned discounts, and just as peeved as I always do when I have to do something with Microsoft that involves me being a customer.

Having said that, the device is as nice as I'd expected it to be... It's just a shame that every time I look at the device, I'm miffed by the memory of the purchase experience (again!).  


Wednesday, July 16, 2014

Review: A Year With The Fitbit Flex

Over a year ago, I started wearing a fitbit flex.  I said on twitter that at some point I'd write a review on it, and now I've had sufficient time with it, here goes.

What is it?  
This is a fitness tracker/pedometer that encompasses a battery, accelerometer, LED display and bluetooth antenna in a wristband and looks like this:


The Fitbit Flex

How good is it?
Depending on what you want to get out of it, it's going to be either a hit or a miss.  When I bought mine, I bought an identical one for my significant other. If she recharged her device twice that may be overstating it. Why? Simply that wearing it doesn't make you slimmer, faster, fitter - it tracks the work you still need to do yourself - and for most people that's still not fun.

Personally, I'm a partial practitioner of the Quantified Self movement - whilst I'm not "all in", I can't help being driven by data about myself and my own habits.  That alone makes this device a hit for me, whether I opted to be a couch-potato or an athlete. 

For Example:
Me: "Oh, that's interesting:  I just learned that if I sit on the couch all day and watch movies, I still get in 500 steps a day."

Next day... 
Me: "Oh, that's interesting:  I just learned that if I track a normal working day, I get in 9,000 steps a day."

Yes, this was going to be a hit for me as long as I can understand the data.  For someone like my partner, it was not likely to be as enthusiastically received.


What does it record?
It has two modes: during daytime mode, it tracks steps (so it's a pedometer); during nighttime mode, it tracks the duration of your sleep and how restless you are.  The sleep-tracking part was a big factor for me, as I wanted to find out why I was so tired in the mornings.

The data is then uploaded to an app that runs on your smartphone or tablet.  Personally, I run it on my iPad.  I then enter weight readings from my scales manually into the same app, which allows the app to calculate the calories you've expended throughout the day.  Combined with a food log (also in the app), you can work out if you're eating too little or too much.  The app is then tied as a feed provider to my www.tictrac.com account, and everything is presented on a dashboard there alongside my RunKeeper data and other apps.

Issues
There are two flaws with the Fitbit Flex:
  • The rubber they use for the band splits. The flex comes with a large and a small bracelet band. Only the large one fit me - and it split in four places.  Luckily, I had a spare band (see unused purchase at top of article) to fall back on.  The band scuffs and scratches easily too.
  • There was a period where it stopped syncing.  Support to get this working again wasn't exactly good.  A hard reset (put it in the charger and drive a paperclip into a hole) in addition to an app update seemed to fix all of these issues, but for the month of problems I had to endure waiting for a fix still nags in my mind.
Power
Battery life is good.  It generally runs for about 9 days, and I recharge it every weekend, so it never runs out.  You get a warning via iOS notification when the battery is getting low if you sync every day; however, if you skip a day of syncing and the battery is low, it does have a habit of just dying on you.  After a year, though, it does not show any sign of capacity shrinkage.

Switching Modes
Switching modes is done by repeatedly tapping on it a few times for about a second.  It's actually fairly sensitive - and this means it often goes into night mode when doing things like pushing a supermarket trolley over 12 inch ceramic tiles.  (The "ka-chunk ka-chunk ka-chunk" of the wheels will send vibrations through the handle into your wrist and put the device into sleep mode).  

Alarm
A handy feature is the alarm: you can set it to buzz in the morning at a set time and it'll quietly wake you up without disturbing others.  The only gripe I have with it is that I can sleep through it sometimes, as it doesn't vibrate for very long.

Conclusion
All in all, it does what it's supposed to do, and it does it well.  The $99 price tag is a little steep for some, especially if you find out you don't like it.  The wrist band could do with some updating to a more durable material because it didn't last as long as I'd expect (being someone with a desk job, I'd expect more than 9 months out of it).  The fact the data is open to services like tictrac is a big bonus, and the battery life is quite amazing.  

In short, I don't regret buying it.




Tuesday, July 15, 2014

How to resync Toronto Hydro's PeakSaver Plus Meter

I hit a problem last night which I've never experienced before, and the manuals were not entirely accurate: the PeakSaver Plus Meter stopped talking to the transmitter.  No matter what I tried for about half an hour, nothing would get the two devices to pair up and start talking again.  I even looked up the manual at Toronto Hydro, which stated this:


Naturally, I followed the instructions, but was confused because if I "press PROG/SYNC unil [sic] you hear two beeps to put the Display Unit in ID mode", it would only give me a single beep and put the unit into programming mode.

After about ten minutes of trying to work out if this only happens when you first fire up the unit (so I hard reset it, took out batteries, reset the transmitter, etc), it then dawned on me what they really want you to do:


  • Press the PROG/SYNC for about a second or so, and you'll hear a single beep.  You're now in programming mode.
  • Press and hold the PROG/SYNC button for another 5 seconds in programming mode and you'll go into ID mode.
Now you can hit "reset" on the transmitter outside and things will beep on the device and transmitter - and after a minute or so, things will start to work as normal again.

Hopefully this bit of clarity will save someone else from wasting time like I did.

Monday, June 9, 2014

CIBC Security vs A Labrador Dog

Anyone that follows me will know that I have some long running gripes with one of my banks, CIBC.  Normally, I'm just complaining about run-of-the-mill stuff at CIBC, like bad customer service, the odd occasion of lying software, or people at the bank doing stuff they shouldn't with my records (that spawned an investigation, so details are not being made public).  All of that stuff, though, pales in comparison to security.  

I take my security rather seriously.  Given how low the customer/bank trust has fallen in this relationship, we do things like give the bank a unique email address on file, and this serves as a basic breach warning if I get an email from a company other than the bank.  

I also raise security issues with the bank like this one recently when their security policies meant that they failed to proactively block their domains from credentials sharing sites (in comparison, my other bank ScotiaBank had proactively sought this out and blocked it).


May 23 2014's Twitter DM to CIBC to raise the alarm.

Now, to bring in the dog in the title...

Back in April, I asked CIBC about a security hole in their Credit Card IVR system.  In short, the hole looks like this:
  • The bank's computer calls your number.  
  • You're asked to press 1 for English.
  • You're asked to press 1 if you are the person they want to talk to.
  • The computer relays sensitive balance information over the phone.
It doesn't take a genius to spot that CIBC has no idea if you are the nanny, the cleaner, or just the thief that took possession of your handbag five minutes earlier from just pressing the "one" key - either way, the bank just blindly spills out information without verifying who it's talking to.
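As an added illustration (not from the original post, and not CIBC's code), here is a small Python simulation of the outbound IVR flow described above beside a hardened version that requires a telephone PIN, with attempt limiting, before anything sensitive is read out.  The account holder, balance, PIN and prompt wording are all constructed.

```python
# Simulation of the outbound credit-card IVR flow described above, plus a
# hardened variant. Constructed example; not CIBC's system or code.
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3
LOCKED_MSG = "This account is locked. Please call the number on your card."
PIN_SALT = b"constructed-salt"  # a real system uses a random per-account salt


def pin_hash(pin: str) -> bytes:
    """Store only a slow, salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)


@dataclass
class Account:
    holder: str
    balance: str
    pin_digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def vulnerable_ivr(account: Account, answer) -> str:
    """The flow as described: two presses of '1' and the balance is read out.
    `answer(prompt)` returns whatever keys the person on the line presses."""
    if answer("Press 1 for English") != "1":
        return "Goodbye."
    if answer(f"Press 1 if you are {account.holder}") != "1":
        return "Goodbye."
    return f"Your balance is {account.balance}."


def hardened_ivr(account: Account, answer) -> str:
    """Same call, but nothing sensitive is read out until the listener proves
    knowledge of a PIN; repeated failures lock the phone channel."""
    if account.locked:
        return LOCKED_MSG
    if answer("Press 1 for English") != "1":
        return "Goodbye."
    if answer(f"Press 1 if you are {account.holder}") != "1":
        return "Goodbye."
    entered = answer("Enter your 4-digit telephone PIN")
    well_formed = len(entered) == 4 and entered.isdigit()
    # compare_digest keeps the comparison constant-time; the PIN is never logged.
    if not (well_formed and hmac.compare_digest(pin_hash(entered), account.pin_digest)):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return LOCKED_MSG
        return "Verification failed. Goodbye."
    account.failed_attempts = 0
    return f"Your balance is {account.balance}."


def press_one_only(prompt: str) -> str:
    """Whoever picked up the phone and just presses 1 at every prompt:
    the nanny, the cleaner, the thief with the handbag, or a trained dog."""
    return "1"


def holder_with_pin(pin: str):
    """The genuine card holder, who presses 1 and then keys in the PIN."""
    def answer(prompt: str) -> str:
        return pin if "PIN" in prompt else "1"
    return answer


if __name__ == "__main__":
    acct = Account("Jane Example", "$1,234.56", pin_hash("4821"))  # constructed
    print("vulnerable, press-1 listener:", vulnerable_ivr(acct, press_one_only))
    print("hardened,   press-1 listener:", hardened_ivr(acct, press_one_only))
    print("hardened,   card holder:     ", hardened_ivr(acct, holder_with_pin("4821")))
```

The press-1 listener gets the balance from the first flow and nothing from the second, which is the whole point: pressing "1" proves nothing about who is holding the phone.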

Here's the conversation thread on Twitter with CIBC where this was first raised...

Twitter Conversation With CIBC

As you can see, the people at CIBC dropped the conversation there and then... 

However, I did speak with someone who works as a consultant at a rival bank about this over beers, so the issue didn't go away just because the bank wasn't taking things seriously.

A challenge was then laid down to see if we can train a dog to press the "1" key on a telephone every time it hears "Press One" on the speakerphone.  If we can train a dog to do that, we can prove the current security measure can be breached at the bank.

Before I started training a dog to do this, a seed of doubt had been sown in my mind by "EH" above...  What if my memory was incorrect and it had asked for a password, or some other code and I'd just entered it without thinking?  We would have to wait until CIBC's computer called again to double-check this...

Tonight, it called.  It didn't ask for anything, and the above script of pressing the "one" key twice will get the details spilled, just as I thought.

This means it's game on... the challenge has been accepted and I will now attempt to train a labrador dog to show it can circumvent CIBC's security.