Rants.org now has a comments policy.

July 14th, 2016

This blog now has a Comments Policy.

I heard you like comment policies... So here are some comments on your comment policy.

Comments welcome?

Starbucks buys their TLS certs on fiscal year boundaries?

July 5th, 2016

This screenshot is from just after agreeing to the Terms of Service for the Google/Starbucks free wifi at the Starbucks at Bryn Mawr and Winthrop in Chicago. My best guess at an explanation is that Starbucks buys their TLS certificates on fiscal year boundaries, but then they’re very busy around the end of the fiscal year and forget to renew? 🙂

close-up view of 1 July TLS cert expiration, shown on 5 July

Either that or the wifi here is being hijacked by devious delinquents determined to defenestrate my data. But I’m not worried — between certificate pinning and SSH host-key checking, surely nothing could possibly go wrong.

Here’s the full screenshot:

close-up view of 1 July TLS cert expiration, shown on 5 July

Trusties and Suspies: Knowing Your Place in the New U.S.A.

June 24th, 2016

U.S. House of Representatives, Democratic Party sit-in, 22 June 2016

I wish I had time to write a better post about this, but it’s more important to write about it soon than well:

Something very bad is happening in this country, and legislators — of all kinds, but especially in the Democratic Party — are not only not stopping it, they’re actively encouraging it.

We’re gradually dividing ourselves, step by incremental step, into two classes: trusties and suspies.

Trusties, you know who you are. Probably most readers of my blog are trusties. You’re trusted by default. You’re not on the no-fly list. You don’t ever wonder whether you’re on the “terrorist watch list”, because you know you’re not. You hear about people — people who have not been convicted of any crime — having to pass drug tests to get a job or to receive government benefits, but it doesn’t affect you: you don’t have those kinds of jobs, and you aren’t in a position where you need those benefits.

Suspies, you know who you are too: you think you might be on a terrorist watch list, though of course you can’t be sure. You might know that you’re on no-fly list, because you had a bad experience at the airport. Or maybe you didn’t even bother to try flying, because you knew there was no point. Even though you haven’t been convicted of any crime, some legislators would like to make sure you can’t buy a gun (trusties are allowed to buy guns, of course). Every time you post things on Facebook or other social media sites, you wonder whether what you say might be misinterpreted and used against you, without due process of law.

By the way, I’m not opposed to gun-control legislation at all. I’m just in favor of the law applying equally to everyone. If you haven’t been convicted of a crime, then you shouldn’t lose some right that others retain. To their credit, many of the House Republicans are objecting on exactly this principle to the Democrats’ proposals that people on one or another of the terrorist watch lists — when did we get so many lists, anyway? — be blocked from buying guns.

This division into two classes has been happening for many years. I can’t pinpoint when it started, but I remember when I first noticed it: when the federal government insanely decided that it was okay for your commercial relationship with a particular private-sector company (an airline) to affect how quickly you can get through the security screening at airports. That’s right: do more business with a certain company, and you can skip ahead of other people in a public queue — one organized and managed by federal government employees, not by the airline — whose purpose is our collective safety. Imagine if you could pay more money to go to the front of the line at the Post Office, or to skip ahead of everyone else at the Drivers License renewal bureau. Or, say, pay money to avoid being drafted, when a draft is in effect.

Instead of prohibiting this, the government decided to get into the business itself, and now offers federally-approved channels for buying your way out of the security responsibility — but only if you’re a trustie, of course. Suspies still have to take the slow line. No, it doesn’t matter that you haven’t committed any crime and have no intention of committing a crime. If you’re not positively identifiable as a trustie, then by definition you’re a suspie. Get used to it.

When did this become okay? Why don’t more people see how deeply not okay it is?

(Those are not rhetorical questions. I’m truly baffled that we aren’t hearing more objections to this trend, and particularly baffled by how willing the House Democrats have been to abandon the principle of equal protection under the law.)

Security is a shared burden, or should be. When we allow some people to conspicuously buy their way out of that burden, right in front of the noses of those who can’t, it damages our entire sense of collective responsibility; it atomizes our society.

The problem is not that government security agencies watch some people more than others — that’s their job, and it would be ludicrous if they treated everyone as equally dangerous. Some people are indeed more dangerous than others. The problem is when the unequal treatment is done publicly and without due process of law. There’s a big difference between the government keeping an eye on someone (not that the monitoring seems to do a whole lot of good, but that’s another matter) and treating them differently in a way that they experience directly and that other people can see. The latter is the problem, and it’s a pretty basic abrogation of the principles we claim to have organized our country on.

(If you’d like to share this, you can retweet or redent here.)

Obligatory Post Opposing Donald Trump.

June 20th, 2016

Never Trump

After reading Scott Aaronson’s “Daddy, why didn’t you blog about Trump?” post and Terence Tao’s “It ought to be common knowledge that Donald Trump is not fit for the presidency of the United States of America” — relax, Tao is not indulging in liberal tribalism but rather is using a technical definition of “common knowledge” in a very interesting way — I realized that anyone who agrees should make a similar post.

So here’s mine:

The United States should not elect a narcissistic con-man to the Presidency.

Donald Trump has already done a measure of harm to our country; if elected President he would do much, much greater harm. This country is important to me. If you’ve ever lived in a place that doesn’t have freedom of speech, freedom of association, and a widely-shared commitment to the rule of law, you’ll understand that that patriotic sentiment is wholly unironic. We’re not perfect, but we’ve got a lot that’s worth preserving, and we should try to keep it (and if possible improve it). Donald Trump understands nothing of this; he understands nothing to be more important than his own overweening self. His Presidency would be a disaster for the United States and for the world.

Thanks to a very poorly thought-out voting system, the best way to prevent Donald Trump from becoming President is to vote for Hillary Clinton in November. That’s what I plan to do, and I hope you will do so too, if you’re a citizen of the United States, even if you aren’t a Hillary fan. Remember, you’re not voting for a candidate, you’re voting for an outcome. If the outcome you want is for Donald Trump not to be President, then vote accordingly.

I think there’s actually a chance Donald Trump won’t be the Republican nominee, because his candidacy is cratering rapidly in the polls, and he’s psychologically incapable of persisting in a situation where he can’t think of himself as a winner. If he withdraws before the convention, then great. But if he’s on the ballot in November, please do whatever you have to do to prevent him from becoming President.

Here’s something you can retweet or redent, if you want a convenient way to signal that you’re on board.

Starbucks in China Displays Their Wi-Fi Terms of Service Only as a PNG Image File.

May 31st, 2016

Apparently, Starbucks in China doesn’t want you to save a copy of the wi-fi Terms of Service you agree to — it’s available only as a PNG image file, embedded in a vertically scrollable cell in an HTML table layout:

You can’t copy the text to your clipboard, or save it somewhere (say, for comparing with later versions to see if their Terms of Service changed). And what do you do if you have poor or no vision and rely on a screenreader?

Is it even legally binding (in China) to agree to an online contract that isn’t represented as text? Or is that a distinction programmers would make but lawyers never would?

See the top-level portal HTML page for the full glory. This is from the Starbucks on the outdoor second level of the Hai An Cheng Mall in Shenzhen, on 1 June 2016.

Unrelatedly, in the page source, note the “var temp = url.length;” and the subsequent failure to actually use the temp variable in the loop control or anywhere else.

I’m not sure which bothers me more, the unparseable ToS text or the sloppy coding. Okay, that’s not true — I am sure: the unparseable ToS text. This is supposed to be a contract, but only one side actually has the text. Come on, Starbucks. If the issue is worries about the Chinese characters displaying correctly in all browsers, then present the PNG image for display but still provide the text as an underlay, so that it can be saved as text.

Here’s the full ToS image:

Starbucks Shenzhen (Hai An Cheng) Wi-Fi Terms of Service, as of 2016-06-01

Commenting on ITAPS’s comments on the Federal Source Code Policy.

April 29th, 2016

My response to ITAPS’s comments on the Federal Source Code Policy is posted here.

Dissecting The Myth That Open Source Software Is Not Commercial

April 14th, 2016

My article Dissecting The Myth That Open Source Software Is Not Commercial is now up at the IEEE Software Blog. (Comments over there, please, not here.)

It’s gotten a surprising amount of Twitter activity, which is pleasing. The article’s message is one I’d like to see spread widely!

Many thanks to editor Stefano Zacchiroli for editing, and for suggesting an article in the first place.

SOLVED: Error on ‘git clone’ for Redis GitHub repository

April 14th, 2016

If you encountered this error when trying to clone the Redis repository from GitHub recently, there is a solution. The error looks like this:

  $ git clone https://github.com/antirez/redis
  Cloning into 'redis'...
  remote: Counting objects: 42713, done.
  remote: Compressing objects: 100% (33/33), done.
  remote: Total 42713 (delta 15), reused 0 (delta 0), pack-reused 42680
  Receiving objects: 100% (42713/42713), 19.29 MiB | 6.81 MiB/s, done.
  error: object 1f9ef1b6556b375d56767fd78bf06c7d90e9abea: \
  zeroPaddedFilemode: contains zero-padded file modes
  fatal: Error in object
  fatal: index-pack failed

The problem is that your ~/.gitconfig file probably has this setting (under the [transfer] section):

  fsckObjects = true

…and/or perhaps these settings (under the [fetch] and [receive] sections, which take precedence over the [transfer] one):

  fsckobjects = true
  fsckObjects = true

Solution: set the value(s) to false while you clone Redis, then set them back to true afterwards.

See also this discussion for more; that’s where I originally stumbled across the solution. I’ve now cross-linked between this post and a ticket in the Redis issue tracker.

Pro non-tip: you might think that running

  $ git config --global fsck.zeroPaddedFilemode ignore

so as to get

  zeroPaddedFilemode = ignore

in your .gitconfig would solve this problem in a nice targeted way, but it won’t, so don’t bother. See here for some discussion about that.

(This post is part of my SOLVED as a Service series, in which I post solutions to technical problems with open source software that I use. The point is the next time I encounter the same problem and do an Internet search, my own post will come up; this has now actually happened several times. If these posts help others, that’s a bonus.)

My Accidental Radio.

December 11th, 2015

Wow. I had no idea this could happen!

(Rest of this post is by Michael Albaugh, except for the parts that quote me.)

From: Michael Albaugh
Subject: Re: Wait, what?  Can speakers pick up radio by themselves?
To: Karl Fogel
Cc: The Usual Suspects
Date: Fri, 11 Dec 2015 10:03:22 -0800

Disclaimer: It has been quite a while since I had to deal with this stuff for pay, and my amateur license expired so long ago they recycled my call.

On Dec 11, 2015, at 9:13 AM, Karl Fogel wrote:

This is happening, this is literally happening right now:

I have plugged my phone headset (which doubles as my desk headphones) into my computer speakers. This is a standard pair of small standalone computer speakers, one of which plugs into the computer’s sound port with a standard 2.5mm connector, and the other speaker connected to the first. The first speaker also has a headset jack and a volume control on the front.

It presumably also has a power supply. That is, these are amplified speakers.

With my headset plugged into that speaker’s jack, and the speaker volume turned all the way down, I can hear a radio station playing in the headset, faintly and with some staticky fuzz, but clearly. I don’t know which station it is, but sometimes the pop music stops and an announcer comes on (I can’t quite hear what he is saying, though I might be able to catch it next time he comes on).

This is not surprising. What you have is some consumer-grade cables (i.e. not particularly designed to reduce the reception of stray signals at all cost, or any cost) plugged into a device with some non-linear components (inherently, such as transistor and diodes, or unintentionally, such as inductors with other than air cores) and including a means to amplify the result. That is, you have a crystal radio hiding in your amplifier.

See also “Why do I get the local radio station on my fillings?”

However, if I turn the volume knob on the speaker up at all, then the station fades out and I get silence.

Or, you have shifted the sum of the intended input and the signal that is being “detected” out of the range of the non-linearity.

If I unplug the speakers from the computer, then I don’t hear the station anymore.

Here I am leaning more on speculation, but perhaps the speakers are sensing the (lack of) DC bias on their input and shutting down the output.

So my… computer is acting like a radio?

Actually, I suspect that your speakers are. You should immediately rush out and buy various models of Bose, Harman Kardon, and Beats by Apple speakers and repeat the experiment. 🙂

Why? And why is it only audible when the speaker’s volume is turned down?

See above.

In related news, perhaps you missed the hack that was in the news a short while back. If you have your Siri, Google, or Cortana “assistant” enabled to work without pressing anything, and you have a wired handsfree headset plugged into your phone, then someone can inject audio into your phone and say “Siri, post all my photos to Instagram”, or “Siri, find goat porn”.


In older news, back when phones were always wired, heavy enough to be a murder weapon, radio stations that didn’t want their “personalities” to have to drive out to a shack in the marshes would lease lines from the phone company, running from their handsomely appointed studios to that shack. These lines would run through one or more phone company facilities. In one such facility (cough — [[redacted]] — cough) some of the workers had connected a speaker across the line as it went through, so they could have music in their workplace. One day, a worker experienced one of those WTF moments, and verbalized the feeling. Of course, every speaker is a microphone, and the exclamation was sent out over the air, causing a fair bit of consternation, agitated phone calls, and denials from the on-air host. Not to mention a mad scramble to disconnect that speaker and look innocent.

Welcome to the future, here’s your whoopee cushion.


Please Stop Locking Out Users After 3 Failed Login Attempts.

December 3rd, 2015

Update 2015-12-03: I just found out from a response tweet from @jacobian that the user flogging is apparently a requirement of the PCI standards, and thus many online services are essentially forced into it. Would love feedback or further information from anyone familiar with how PCI standards get baked.

Calling all designers of online systems that do user authentication… Wait, that could be shorter:

Calling all designers of online systems:

Please stop locking out users after three failed login attempts.

That security measure is left over from the days of Unix consoles that were just dumb terminals connected to a server somewhere else in the building. It makes less and less sense in the modern era. These days, large distributed botnets are engaged in constant automated login attempts against all publicly reachable online services of any size, using guessed username/password combinations, on the principle that only a tiny fraction of the attempts need to succeed for the effort to be worthwhile. The result is that users with strong passwords but human-readable usernames are penalized for being the target of failed hacking attempts.

It happened to me recently:

From: Karl Fogel
To: Mailing List Of Various Techie Friends
Subject: Speaking of passwords

I just found out from a rep that the reason Wells Fargo Bank kept
resetting my (incredibly secure) online access password, thus
forcing me to do a password reset dance about twice a month, is that
online accounts get automatically locked after three failed login
attempts.  Since my username was "karlfogel" -- it's changed to
something less guessable now -- some jerk with a botnet was causing
Wells Fargo to lock me out on a regular basis, presumably by trying
a username generated from my real name and passwords that were
various combinations of my birthday, relative's names, etc.  The
same is probably happening to thousands of other customers.  After
all, the hackers only need a tiny number of successes.

I wonder if Wells Fargo has really thought carefully about the
usefulness of a 3-failures lockout policy in the modern era of
distributed attacks against your entire user base.  This was not a
topic I felt it profitable to take up with the phone rep, though.
*cough cough*.

Every time you force your users to do a password reset dance, which usually involves some kind of email confirmation step, you are decreasing their security. First, because if a user is forced to change her password frequently, she is likely to start making passwords that are easier to remember, because why invest in memorizing a hard password if one is just going to have to reset it soon anyway? Second, and more importantly, because you are giving hackers the power to lock someone out of their own online account, which creates two vulnerabilities: one, now the hacker has an additional attack surface (the user’s email account), and two, your user support staff also becomes an attack surface because the hacker can now call up and impersonate the legitimate user, saying “Help, I’m locked out of my account” — a fact that the support rep can easily confirm, and which will lend credibility to the hacker’s attempt at social engineering.

Just as a general principle, it’s usually not good to allow attackers to change the behavior of the system for legitimate users. When you allow that, you give the hackers more material to work with, and they will always be more imaginative than your programmers or your support reps, because once they sense that they have a good target, they can spend all day thinking about how to approach it.

It’s fine to have a delay between login attempts. Maybe it’s even okay to increase the delay somewhat when there are a suspicious number of failed login attempts for a given user (although I’m not sure about that, and it is a minor violation of the general principle above).

If you want to help users who have weak passwords, have your security team run guess-in attempts itself (without the rate-limiting), or even run cracking attempts against the password database itself, and then follow up with the users whose passwords fail the test. You can just let them know the next time they log in, or if you want to provide especially deluxe service, follow up via an automated phone call or something. Don’t let them know by email, though: it’s not a great idea to send cleartext email across the Internet telling someone their password is insecure.

But don’t treat failed login attempts as special events that need some kind of reaction. They are more like spam: inevitable, ubiquitous, and best handled in ways that have no effect on the target. It’s not your users’ fault that people are trying to hack into their accounts, so don’t punish them for it.
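To make the difference concrete, here is an added simulation (my own example code, not anything from the post or from any bank’s login system) of the two policies discussed above. A hard three-failures lockout is keyed on the account alone, so a handful of bad guesses from a botnet locks out the real user; a progressive delay keyed on the (account, source) pair slows down whoever is guessing and leaves the owner untouched. All usernames, addresses and passwords are constructed sample values.

```python
"""Hard lockout vs. progressive per-source delay: which one punishes the account owner?

Added example, not part of the original post. The "karlfogel" account, the
203.0.113.x / 198.51.100.x addresses and the password are constructed sample data.
"""
import hmac
from dataclasses import dataclass


@dataclass
class Account:
    password: str        # plaintext only for this simulation; real systems store a hash
    failures: int = 0
    locked: bool = False


def _check(acct, password):
    # Constant-time comparison so the check itself leaks nothing about the secret.
    return hmac.compare_digest(acct.password.encode(), password.encode())


class HardLockoutPolicy:
    """The policy the post complains about: three failures lock the account,
    no matter where the attempts came from."""
    MAX_FAILURES = 3

    def __init__(self, accounts):
        self.accounts = accounts

    def attempt(self, username, password, source, now):
        acct = self.accounts[username]
        if acct.locked:
            return "locked"
        if _check(acct, password):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"


class ProgressiveDelayPolicy:
    """Never locks. Each failure makes the *same source* wait before it may try
    that username again (2, 4, 8 ... seconds, capped). Other sources, including
    the real user, are unaffected. Keying on the username alone would instead let
    an attacker slow the owner down, the "minor violation" the post mentions."""
    MAX_DELAY = 300.0

    def __init__(self, accounts):
        self.accounts = accounts
        self.failures = {}      # (username, source) -> consecutive failures
        self.next_allowed = {}  # (username, source) -> earliest time of next attempt

    def attempt(self, username, password, source, now):
        key = (username, source)
        if now < self.next_allowed.get(key, 0.0):
            return "throttled"
        acct = self.accounts[username]
        if _check(acct, password):
            self.failures.pop(key, None)
            self.next_allowed.pop(key, None)
            return "ok"
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        self.next_allowed[key] = now + min(2.0 ** n, self.MAX_DELAY)
        return "denied"


REAL_PASSWORD = "correct horse battery staple"   # constructed sample value


def fresh_accounts():
    return {"karlfogel": Account(password=REAL_PASSWORD)}


def botnet_then_owner(policy_cls):
    """Five guesses from five different bots, then the owner logs in correctly."""
    policy = policy_cls(fresh_accounts())
    for i in range(5):
        policy.attempt("karlfogel", f"birthday-guess-{i}", f"203.0.113.{i}", now=float(i))
    return policy.attempt("karlfogel", REAL_PASSWORD, "198.51.100.7", now=10.0)


def repeat_offender(policy_cls):
    """Second guess from the same bot half a second after its first failure."""
    policy = policy_cls(fresh_accounts())
    policy.attempt("karlfogel", "guess-1", "203.0.113.9", now=0.0)
    return policy.attempt("karlfogel", "guess-2", "203.0.113.9", now=0.5)


if __name__ == "__main__":
    for cls in (HardLockoutPolicy, ProgressiveDelayPolicy):
        print(f"{cls.__name__}: owner -> {botnet_then_owner(cls)}, "
              f"repeat bot -> {repeat_offender(cls)}")
```

Under the hard lockout the owner’s correct login is refused ("locked") after three strangers guessed wrong; under the progressive delay the owner gets "ok" while the bot that keeps hammering from one address is "throttled". The simulation uses an injected clock (`now`) rather than sleeping, which is also how you would unit-test a real throttle.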

Agree? Feel free to retweet #EndLoginFailureLockout, or redent.

Addendum: One of my friends on that mailing list followed up with this story:

Anthem Blue Cross, in order to let you make online payments, redirects
you to a random payment processing with a scammy-sounding domain name,
which tells you the following:

1. You need to make a new account with us because we're not tied into
Anthem's database. Because, you know, I can personally take credit
cards - but that's apparently beyond the capability of the largest
health insurance provider in the country.

2. By the way, you might already have an account with us from some
other place, so you'll have to log in with that account instead. No,
we can't tell you whether that's the case or not.

3. You must choose a password between 5 and 8 characters.

I'm not kidding. 5-8 characters.

I make my payments over the phone.