Facebook has user data slurped

The following has just appeared on Facebook’s press release page:

Security Update

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts….”

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted… a feature that lets people see what their own profile looks like to someone else.”

Mark Zuckerberg’s understated response to the incident was “I’m glad we found this and fixed the vulnerability. It definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services faces.”

Wall Street’s response so far has been a 3% drop in Facebook’s stock.

I’m now waiting to see which of my sock puppets is affected.

Tesco Bank hit with £30m fine for computer breach

According to a Sky News exclusive, the FCA is set to clobber Tesco Bank with a fine of £30m over the data breach in late 2016, where £2.5m was snaffled from thousands of its customer’s current accounts. Except it turned out it wasn’t; only fifty accounts were actually plundered, not for very much, and it was all sorted.

So how does this warrant such a huge fine? It’s hard to see, but the first two theories I have are that Sky News has got of wrong, or the FCA has gone seriously bonkers. If they’re touching miscreant institutions for £600K per customer inconvenienced, RBS and NatWest are toast.

So what’s it all about? Well we don’t know what Tesco Bank actually did. My best guess is that someone cloned cards and cashed out at ATMs. That’s the easiest way, and there is no evidence this was widespread or sophisticated. And its interesting that only current accounts were hit; not credit – which is where the big money is in retail banking fraud.

But that’s just a guess. Why would the FCA be so exercised about some card fraud?

There is not shortage of other theories. There is the usual criticism of the patent company and its insecure non-banking systems. The usual unpatched server card is played. Yes, everyone knows Tesco self-checkouts use Windows XP. There ate criticisms of the lack of protective monitoring. Lack of AV. But this comes from commentators whose employer’s business is selling such things. There is talk of an inside job, which is possible but they didn’t take them for much if it was.

So if the FCA is really that cross with Tesco Bank, why?

The question no one is asking is why Tesco Bank announced a major breach, affecting so many people? Here I’m stacking guesses, but just for fun…

If I’m right about it being ATM bandits, could it be that staff investigating found something horrible and hairy, and jumped to the conclusion it was behind it? They did the right thing, and told everyone about the vulnerability, but the black hats hadn’t. The FCA would have been unimpressed, regardless of the consequences, and whacked them according.

If I’m right, it’s a bit rough on Tesco Bank, fined as a result of being robbed. But this is all one guess based on another. The truth may be still stranger.

Don’t ring 020 3287 4777 or 020 3239 6767

I’ve heard more than one report from local people about calls they’ve received on the landline telephones giving a recorded message. These have a CLID of 020 3287 4777 (and possibly 020 3239 6767). The recorded message says that an arrest warrant has been issued for them and they’re to call back on this number immediately.

If you fancy calling this number you can speak directly to a scammer. When our local cops did they got someone claiming to be HMRC asking for their name and national insurance number.

Please let any vulnerable people in your circle know this is a scam. The police don’t go around trying to arrest anyone using a recorded message.

I’m sure they’ll hop to a different telephone number when this one gets shut down, so be aware of the technique.

Facebook shares worth a punt

The confected row about Facebook and CA’s mining of the latter’s users’ data beggars belief. Facebook’s raison d’être is to profile its users and sell the information to anyone needing to target messages (adverts). The punters sign up to this because access is free. They might not understand what they’re agreeing to; a quick look at Facebook shows that many users are far from the brightest lights in the harbour. Buy hey, it’s free!

This is basically how Web 2.0 works. Get the punters to provide the content for you, collect information of value to sell to advertisers, and use the money to pay for the platform. Then trouser a load of tax-free profit by exploiting the international nature of the Internet.

So why the brouhaha now? Where has the moral outrage been for the last ten years? How come punters have only just started talking of a boycott (about twelve years after I did)? What’s changed?

The media has suddenly taken notice because some messages were sent on behalf of Donald Trump’s presidential campaign. What might broadly be called “left-wing” politicians have been exploiting unregulated social media to sway opinion for a very long time. Some became very uncomfortable when Trump gained traction by “speaking directly to his supporters” on Twitter. And now they’ve finally woken up to the way that the simple majority using a social media platform are able to propagate fake news and reinforce their simplistic beliefs.

But it wasn’t until the recent revelations that Donald Trump was using it that anyone batted an eyelid.

This rabbit hole goes very deep.

Does this spell the end of Facebook? I somehow doubt it. Social media addicts are just that. They don’t want to lose all their virtual “friends”. They want people to “like” them. Those that realise it’s a load of fluff try to cut back, or “detox” for a few weeks, but they always come back for more. And for those who see social media for what it and have nothing to do with it are constantly pressured by the addicts, like a drug user turned pusher.

“You don’t use Facebook? How are we supposed to contact you?”

No. This row doesn’t spell the end of Facebook. I know MySpace, bix, CompuServe, Geocities and the rest went out of fashion, but Facebook and Twitter are too well established, and even promoted on the BBC. And if the addicts were outraged enough to move to a different platform, where would they go? Part of their addiction comes from Facebook being “free”, and no one has come up with an alternative business model that works. They’ll stick with the devil they know.

Meanwhile investors have the jitters and the share price has fallen. This won’t last.

TalkMobile GPDR security weirdness

I needed a pair of talkMobile SIMs to fit new handsets, so used their recommended option of Web Chat.:

Why do people on the phone think they can use GDPR in the same bonkers way they used to use the DPA 1998? Probably because most of the people they talk to have never read it.

Info at 9:50, Jul 27: Thank you for choosing to chat with us. An agent will be with you shortly.

Info at 9:50, Jul 27: You are now chatting with AbdAllah.

AbdAllah at 9:50, Jul 27: Hello, you’re chatting with AbdAllah, one of Talkmobile’s Help Team. How may we assist you today?

Frank at 9:50, Jul 27: Need a new smaller SIM. Please send one. Thanks.

AbdAllah at 9:51, Jul 27: Sure, no worries.

AbdAllah at 9:51, Jul 27 We’ll check that for you straight away.

AbdAllah at 9:51, Jul 27: For the security of the account, could you please confirm the full name, first line of your address and post code along with your date of birth?

Frank at 9:52, Jul 27: Frank J Leonhardt, XXXXXXXXXXX, PINNER, Middx XXX XXX

Frank at 9:52, Jul 27: I never give anyone I don’t know my DOB for security reasons, so you don’t have it anyway.

AbdAllah at 9:53, Jul 27: We have it, of course, that’s why we asking as we want to make sure that we talk to the account holder.

AbdAllah at 9:54, Jul 27: All chats are 128-byte SSL (Secure Socket Layer) encrypted. This helps to protect the confidentiality of all information provided.

Frank at 9:55, Jul 27: No, you don’t have it. You might have a date but it won’t be my DOB. And this chat is TLS v3.0 encrypted. SSL has been defunct for a while now.

Frank at 9:55, Jul 27: Is it perchance the first of january 1970?

Frank at 9:55, Jul 27: The time zero on Unix?

AbdAllah at 9:57, Jul 27: I quite sure that this chat is completely secured and there’s nothing to worry about, It’s a major company and out IT and data protection team are up to date.

Frank at 9:57, Jul 27: Great!

Frank at 9:58, Jul 27: However, it’s very unlikely I would ever have told you my real DoB.

AbdAllah at 9:59, Jul 27: No problem.

Frank at 9:59, Jul 27: So is it 1/1/1970?

Frank at 9:59, Jul 27: Might be 1/6/66

Frank at 9:59, Jul 27: (the mark of the antichrist)

AbdAllah at 10:01, Jul 27: Actually, we have to pass the security questions first.

Frank at 10:02, Jul 27: So it’s none of the above?

Frank at 10:02, Jul 27: In which case it’s something random.

AbdAllah at 10:02, Jul 27: Excuse me, we need to be accurate, please?

Frank at 10:02, Jul 27: Try another question. How about payment details?

Frank at 10:03, Jul 27: I DO NOT KNOW what DoB you might have for me. It’s not my real one.

AbdAllah at 10:04, Jul 27: We can not go further before the security questions.

Frank at 10:05, Jul 27: How about I call the bank and cancel the DD?

AbdAllah at 10:06, Jul 27: Why?

Frank at 10:06, Jul 27: I need to prove I am who I say I am, right?

Frank at 10:06, Jul 27: Only I could cancel the DD.

AbdAllah at 10:06, Jul 27: It’s all about your data protection, Mr Frank.

Frank at 10:07, Jul 27: You mean GDPR?

AbdAllah at 10:07, Jul 27: Yes, exactly.
AbdAllah at 10:08, Jul 27:I do apologize but if you do not answer the question we can not go any further.
Frank at 10:10, Jul 27: So how do we get passed this point? Using DoB as ID is a very bad thing, as I’ve said may times.
At this point their representative hung  up so I called instead and spoke to someone reasonable, who sorted it out immediately using an alternative question. And someone who understood the implications herself! So I’m still happy with TalkMobile and I’ll probably be with them for another ten years.
But someone really needs to sort out their GPDR training, and point out that it’s no blanket excuse.

Look at the size of my virtual pipe!

Many years ago I decried the new mania for virtual servers as a fix for Windows’ limitations in allowing services to be moved from one host to another. They’re also being used in the Linux world (particularly) in the form of “appliance architecture”, where services are not run on operating systems but whole systems are run within systems. I guess this allows non-technical people to visualise them better or something.

The situation is getting out-of-hand. People don’t understand they’re using a paradigm, and not a computer. This is leading to a lot of nuttery.

I’ve seen an instance when two virtual servers (running on one host) were running a service between them with a virtual load balancer in front in an attempt to improve performance. This was in a production environment. I only hope that whoever designed the system assumed it was going to run on real hardware, and then some muppet came along and simply copied a prototype to “the cloud”.

Reality check people: You may have something that looks like lots of small computers, but underneath there’s just one of them – and you’re sharing it with other customers. By virtualizing lots of small servers you’re just burning cycles on the big one, and retarding its disk performance. It’s a bonkers as a perpetual motion machine; it’s never going to run as fast as it would have directly on the host.

I’ve even heard people comparing one virtual host with another as if it was real hardware. Mine’s got 64Gb of RAM! Well mine is all SSD and a 16-core Xeon!

No you haven’t! You’ve got a software emulation of whatever your provider has sold you, running at whatever speed is left after the other customers have taken their chunk. You don’t have any RAM at all. Your OS thinks it has, but the whole OS could be swapped out. It’s disk accesses go through the hypervisor cache, and to its backing store at whatever speed it goes at. It may not look like your memory is paged, but the hypervisor is certainly going to be paging it anyway. If you feel better thinking you’ve got all the RAM you need, please continue in your virtual wonderland.

Ah, but you’ve got Elastic Computing, and can inflate the size of your RAM number of CPUs as demand increases. Let me tell you, an inflatable is never as good as the real thing. And your high demand may coincide with someone else’s. So you “reserve” the resources needed to cope with your peak demand. Hmm. Sounds a bit like having your own hardware to me.

I use one cloud server provider – vultr.com. It’s a bit of a love-hate relationship as, in case you didn’t realise, I don’t think much of cloud computing and anyway, I can afford to have my own. But if you need a small service on the end of an IP address on the other side of the world, they’re just what you need. I was amused to note that my “512Mb/20Gb” virtual server believed it came equipped with a 10Gb NIC talking to the Internet. Software emulation of 10Gbps anyone? And then there’s the contention ratio to worry about.

 

If I had a pound for every time someone asked me about BitCoin

IFrank Leonhardtt was no surprise when people started asking me about Bitcoin. Money is of great interest to a lot of people; mix it with technology and they want to talk about it.

The main question asked is “Should I buy some?”, closely followed by “Is it safe?”, and “Do you think it’s a bubble?”

To answer the last one first: “Of course it’s a bubble you idiot”. I don’t think there’s anyone who believes it isn’t, but greed conquers common sense. And investing in a bubble can be a rational strategy as long as you make sure you take your capital out before it bursts. You could say the same about any form of investment to some extent. The value of shares will rise and fall in the long term, and everyone knows you should spread the risk. Seeing the return for a punt on Bitcoin at the moment persuades some to abandon this golden rule and put all their funds at risk.

As to whether the technology is safe: No way! It’s as safe as the security of the computers it is stored on, and the integrity of those storing it. Good luck with that. Technically, blockchain technology itself looks very secure but that isn’t where the risk lies.

And now we get back to the main question: Should I buy some? Well I wouldn’t, simply because it’s immoral.

Yes folks, if you can see beyond the chance of a fast buck, Bitcoin is sleaze. There are a few fundamental truths about cash it might be worth reiterating.

Back at the dawn of history, humans realised they’d be better off if they traded. If you had a lot of grain but no apples, find someone with apples and no grain who wanted to do a swap. Cash emerged so you could defer a transaction; or enter in to multi-party deals more easily by extracting the value from the item and placing it in to something more convenient (small pieces of soft shiny metal).

A coin’s value depends on whether you can buy what you need with it at a later date. If you exchange your grain for a coin you have to be convinced that the apple dealer will exchange the coin for your apples. Coins are a matter of confidence; confidence that they can be exchanged for something useful later.

If coins were easy to make, people would just make coins and the apple dealer would end up with a load of inedible shiny metal fragments; so there must be a finite supply for cash to work if the cash has representative rather than commodity value. Prisoners have often used cigarettes as they also have commodity value in that you can smoke them. Leaves, on the other hand, are a poor choice of currency as they grow on trees.

With no commodity value, you might ask why Bitcoin works at all? There are effectively a finite number of valid bitcoins, so you can’t make your own. And people have confidence that they can be exchanged for the goods they need at a later date. Perhaps not as much confidence as they do with regulated currencies, but their big advantage is that they are outside the regulatory system, and like cash or cigarettes, are ideal for black market transactions.

The bottom line is that criminals accept Bitcoin for the purchase of drugs, weapons and extortion payments. Like the legitimate world using BACS/CHAPS/CHIPS (electronic Bank payments), organised crime in the 21st Century benefits from a black money clearing system: Bitcoin. Cryptocurrency has a value because it can be used for buying drugs in large quantities across international borders far more conveniently than using the old-school suitcase of dollar bills. No questions asked. If you want to buy narcotics, you need to buy Bitcoin to pay the dealers with.

And if you want to know what I mean by extortion, take a look at Cryptolocker. This nasty piece of malware encrypts the victim’s files until they pay a ransom in, you guessed it, Bitcoin. I can only see this so-called “Ransomware” business model expanding in the future.

Like any currency with a floating exchange rate, the value of a Bitcoin should fluctuate based on the supply and demand for the illegal goods and services it represents. If the demand goes up and supply remains the same, the value of Bitcoin would rise as purchasers out-bid each other to secure enough Bitcoin to pay their dealer. I strongly suspect that knee-jerk (or just jerk) investors are seeing a rise in cost, and not looking too deeply at the tangible commodities backing it. Or perhaps city speculators are not being greedy and stupid; perhaps they really do need Bitcoin to pay for their coke habits.

So, as to whether I think Bitcoin is a good investment, they only answer is: “Yes – it’s can be just as profitable other parts of the drugs trade if you can get it right.”

The Religion behind Climate Change

Global Warming is real. The high priests of the peoples’ religion have proved it to the satisfaction of all true believers. Or do I mean science has proved it to all right-thinking people?

Famously, Donald Trump thinks it’s all a conspiracy. He also thought (thinks?) that Obama was a foreign import jihadist and the American Democratic Party is run by commuinists. So if Donald Trump thinks Climate Change is a trick, logic dictates that it must therefore be real, right?

I think it’s time we looked at some facts:

The world’s climate has been getting warmer. For a long time. Between the 15th and 18th Century the River Thames froze over in London. In the early 1800’s it stopped, and hasn’t done so since. Therefore things must be getting warmer. Of this there is no doubt.

Is our industrial activity the reason? Well no. We didn’t start to industrialise and burn fossil fuels until well in to the 19th Century.

So it’s pretty clear that the planet has been warming up for a long time prior to major human industrial activity. We couldn’t have started it, because it began before we burnt fossil fuels to any scale.

But… is burning fossil fuels accelerating this natural change in our climate? Well that’s another question. 97% of Climate Change scientists say it is, so it must be true. I mean: who’s going to argue with one scientist, never mind the vast majority? Scientists are honourable people, not interested in worldly matters, and have no reason to lie to us about stuff we don’t understand.

Yeah, right!

Scientists are no more or less honourable than anyone else; they do care about money and there are all sorts of reasons not to believe them. This is strikingly similar to the high priests of the old religions, don’t you think? And when you look at it, the same driving forces appear to be shaping their behaviour.

For a long time the sun went around the earth. The priests said so. Anyone with deviant views was shouted down as an idiot, and if they persisted they could eventually be burnt at the stake as an example to others. No one who argues with priests or scientists is going to be taken seriously. OR ELSE!

Did the priests have any proof that their view of the cosmos was correct? They had irrefutable evidence. Ask any priest and they’d tell you – everyone knew it was true so it must be. Who was going to appear foolish (or be put to death) by disagreeing with the consensus? But in reality the priest had other reasons to believe they were correct: their careers and livelihood depended on them sticking to the story. If you were a priest you had a good job for life. People would respect you, give you money, a nice house and plenty of food, and not expect you to get involved in nasty worldly stuff. Becoming a priest has always been a good career choice. The only career-limiting thing you could do would be to question the “truth”. If anyone did, other people would too, and eventually the religion would lose control. And if a priest did it, even more so. Errant priests would never do.

Is the modern-day scientist really any different? It’s always a good idea to follow the money. They have a job in research and their salary is paid for by someone. To get on in the world they need to publish papers, so they can’t remain silent. When they’re working for a university department set up to study climate change, its not politic to say that the subject is over-blown and the world would be better off studying something else. They’re going to say it’s important, and probably real (but that funding is needed for further research). So the the majority of scientists who are paid to believe in climate change that express an opinion are unlikely to express one that’s going to see them out of a job; and then torn apart by their colleagues for breaking the faith.

Ask a scientist not involved in climate change research whether global warming is caused by human activity, and they won’t have a strong opinion because it’s not their field. Or they’ll close ranks with the rest of the “priesthood”, or “scientific community”.

Likewise, I don’t know if human activity is accelerating climate change. I suspect it may well be, but I can’t discount the fact that most academic researchers of the subject also say their pay-cheque is justified. Always follow the money.

Then there are the environmentalists, myself included. I don’t bang on about human-caused climate change. I don’t know how much we are to blame. I don’t know if we can slow or reverse it. But I do know that using irreplaceable resources as though the supply is infinite is a stupid idea. I do know that polluting the environment and destroying the natural world is a bad thing. So when a government, with the backing of its high priests of science, says it wants to reduce pollution and fossil fuel consumption I’m hardly likely to disagree, whatever the government’s real motive. (I suspect the real motive is tax revenue).

So what is it with society and its deference to scientists? In the past, if you were ill, you went to the priest for help. Not just the church infirmary; you did whatever the priest told you to in order to be cured. At the very least, you had nothing much to lose by trying. In the modern world we go and see a medical scientist (doctor), as we believe their results are better than the priests. Doctors can’t cure everything, in fact you could argue they can cure comparatively little. Many ailments cure themselves and the priest or doctor gets the credit anyway. But doctors do have demonstrably better outcomes than the priests they’ve displaced. If you’re ill, anyone you believe can cure you is going to be your best friend.

And then there are the politicians. Since the beginning of time the priests have been used by rulers to persuade the populous to go along with some policy or other. Do you want to plunder the tribe up the valley? Get your holy man to call it a religious duty and the plebs will do anything you ask of them, however foolish. Even if they’re not scared of you, they are of the priest. More precisely, they’re scared of the power that only the priest understands and can control. So the tribal chief is happy. The priest is happy because the chief keeps him in the easy life, and the plebs are happy because they’re doing the right thing for them and their mates without having to think for themselves. Or they’re dead on the battlefield, but living it up in the afterlife.

Now, if you’re a politician and announce you want to hike taxes it’s unlikely to have a positive effect on your chances of re-election. Unless you can persuade the people it’s a really good idea for some reason or other. The problem is that they won’t listen to you, because you’re a politician. If you can get the high priest (or scientists) to tell them that raising taxes is virtuous, and the wrath of something will descend on them otherwise, then you can still raise the taxes you need and avoid the blame when people have less money in their pockets and you have more to spend.

I’m not saying that using taxation to reduce pollution, or finite resource consumption, is a bad thing. Anything that does that is good. But I can’t help having a nagging feeling that the motivations of governments have more to do with the revenue, as government policies usually contradict these supposed ideals unless they can make money out of it.

The switch to sustainable transport is a good example – jobs and taxes are created by cars, so building more roads is a good thing as far as they’re concerned. And they can even boost economic activity by changing the rules to encourage people to buy newly produced cars. This is contradicts the idea that they want to reduce consumption, emissions and pollution. When Trump says he wants to put industry before environment he’s just being honest.

When it comes to whether pumping carbon dioxide and methane into the atmosphere is a good idea, it clearly isn’t. Atmospheric carbon dioxide levels have increased rapidly in the 20th century and it can only make the planet heat up. Victorian scientists raised the red flag at the boom in burning coal, and all the evidence suggests they were correct. What’s a stretch is the idea that by reducing carbon dioxide we can stop or reverse a trend that started a long time before we started; we need to accept the earth has been warming up since records began and plan accordingly. And please stop burning fossil fuels as this would be A Good Thing in itself.

My first draft of this diatribe ended about here, but in the summer the president of the Royal Statistical Society gave a very interesting address at their annual jamboree, which deserves a much wider audience as it drew together threads concerning why people are becoming disenchanted by experts, especially where statistics are concerned.

What’s the point of Docker on FreeBSD or Solaris?

Penguinisters are very keen on their docker, but for the rest of us it may be difficult to see what the fuss is all about – it’s only been around a few years and everyone’s talking about it. And someone asked again today. What are we missing?

Well docker is a solution to a Linux (and Windows) problem that FreeBSD/Solaris doesn’t have. Until recently, the Linux kernel only implemented the original user isolation model involving chroot. More recent kernels have had Control Groups added, which are intended to provide isolation for a group of processes (namespaces). This came out of Google, and they’ve extended to concept to include processor resource allocation as one of the knobs, which could be a good idea for FreeBSD. The scheduler is aware of the JID of the process it’s about to schedule, and I might take a look in the forthcoming winter evenings. But I digress.

So if isolation (containerisation in Linux terms) is in the Linux kernel, what is Docker bringing to the party? The only thing I can think of is standardisation and an easy user interface (at the expense of having Python installed). You might think of it in similar terms to ezjail – a complex system intended to do something that is otherwise very simple.

To make a jail in FreeBSD all you need do is copy the files for your system  to a directory. This can even be a whole server’s system disk if you like, and jails can run inside jails.  You then create a very simple config file, giving the jail a name, the path to your files and an what IP addresses to pass through (if any) and you’re done. Just type “service jail nameofjal start”, and off it goes.

Is there any advantage in running Docker? Well, in a way, there is. Docker has a repository of system images that you can just install and run, and this is what a lot of people want. They’re a bit like virtual appliances, but not mind-numbingly inefficient.

You can actually run docker on FreeBSD. A port was done a couple of years ago, but it relies on the 64-bit Linux emulation that started to appear in 10.x. The newer the version of FreeBSD the better.

Docker is in ports/sysutils/docker-freebsd. It makes uses of jails instead of Linux cgroups, and requires ZFS rather than UFS for file system isolation. I believe the Linux version uses Union FS but I could be completely wrong on that.

The FreeBSD port works with the Docker hub repository, giving you access to thousands of pre-packaged system images to play with. And that’s about as far as I’ve ever tested it. If you want to run the really tricky stuff (like Windows) you probably want full hardware emulation and something like  Xen. If you want to deploy or migrate FreeBSD or Solaris systems, just copy a new tarball in to the directory and go. It’s a non-problem, so why make it more complicated?

Given the increasing frequency Docker turns up in conversations, it’s probably worth taking seriously as Linux applications get packaged up in to images for easy access. Jails/Zones may be more efficient, and Docker images are limited to binary, but convenience tends to win in many environments.