Sunday, September 2, 2018

The Frankenmedia and their monster

Trump is rather successful in his attacks on the media.... at least where his followers are concerned. Why is that?

His attacks work because the media is in a deep crisis.

The crisis is not there because the media is reporting fake news or lying about Trump. It is because the media lost the most critical component of its business: Trust.

If you do not have trust, the veracity of the news becomes irrelevant.

The trust was lost with the transformation from subscriber to advertiser financed media. It was not lost in the blink of an eye but it eroded slowly away.

The erosion accelerated with the digital transformation. The web was luring with additional advertising income with (allegedly) little effort and next to no distribution costs.

The money came not for the news (where truth mattered) but for attention (where it mattered less and less). Every click-bait headline was a pebble of trust tumbling down the hill of media credibility.

A lot of media companies complained about Google, Facebook & Co. One of their catchlines was "For Google the consumer is not a customer but the product." At that point, it had long been true for the mainstream media itself and they knew it. But they were riding a tiger and afraid of letting it go.

If I pay a company, I usually trust it. Otherwise it would not receive money from me. But by giving something for "free", the media already sows the seeds of mistrust.

By trying to lure my attention instead of tickling my interest, they lose some more.

By presenting advertisement as a news article, they are sticking a knife into the back of their trust.

By giving idiots space during prime time and on page one, they are kneecapping the trust in them.

Trump is not a victim of the media crisis as he paints himself. Instead he is a symptom. He facilitated his rise by exploiting the media crisis. Trump was and is creating money for the media. They make money thanks to him. But that money comes with the stench of a poison pill.

In fact Trump is like Frankenstein's monster that turns on his creator. The media is giving him the attention he uses to attack (and destroy) them.

The monster got smart. Instead of waiting for the mob with torches and pitchforks, it is gathering and leading it.

Media beware! Your monster no longer needs you...

Friday, March 13, 2015

My dear Terry

Very few people have had so much impact on my life as you did: my family, close friends, some teachers in school. But that's it. Together with David Weber, you're the reason I switched my primary reading language from German to English. That had a profound impact on my professional career in which a significant part of all communication is done in English. My patient's provision includes a link to a video with you. But this is only the obvious stuff. The more subtle part is an integral part of my humor and ethics, that even I cannot tell where your influence starts or ends.

            KNOCK, KNOCK
            "Not now! Can't you see I am talking to him?"

We met first at the university. I think Achim introduced us. When I mentioned to him that I like Monty Python, he suggested that you and I should meet. That was during the late 80's. I had just started to roam the Fantasy circles but had not run into you yet. You baited me with a story about the most improbable sorcerer Rincewind and I took it with hook, line and sinker. I still lived at home with my parents, but you moved in with me anyway. No big deal; you only needed a bit of shelf space. I could deal with that.

            KNOCK, KNOCK
            "Come on, give us some space here!"
            "HE HAS TO COME WITH ME"

Our first meeting was in Hamburg at Kampnagel. I learned a lot from you that night. About "drunk" being the universal language of the universe, the importance of fairies in running nuclear plants in England and how four elderly ladies plundered an AD&D dungeon. My diaphragm was sore for days, so hard I laughed. There were a few hundred people in the room, but everyone hung on your lips, including me. Instead of giving us bits from your existing universe ("You look like students, so you can probably read yourself"), we had the impression you created another one for us.

            KNOCK, KNOCK
            "This is not fair!"
            "THERE IS NO JUSTICE, ONLY ME"

Afterwards you spent some time with us, chatting and signing. I had a large stack of books from friends to be signed. So, when you signed the first one, I went back to the end of the queue to get the next one signed. About 50 people later, I arrived at your table again. To my complete amazement, you noticed me being there again. And you then insisted on signing all books, one after the other.


            KNOCK, KNOCK
            "One more thing!"
            "I DIDN'T SPARE THAT ONE EITHER"

We exchanged a few emails afterwards. You already used email at a time when it meant running a UUCP site and required using a lot of "!" to reach someone (not to be confused with the use of several consecutive "!" which is a sign for a deranged mind). You posted on newsgroups long before the Internet became a fad. I always admired your patience with us, who took you as our reporter covering the Discworld and L-Space.

            KNOCK, KNOCK
            "Please!"

You always kept your humor (the only fracture I ever noticed was when I asked you about the Maggi soup ads in your German book). We knew you were not a "jolly elf" and that the embuggerance was serious. I was dreading this day. But you came out swinging. I can only hope I am up to the same standard when MR. UPPERCASE is trying to arrange a date with me.

            KNOCK, KNOCK
            "Please, let him write one more book"
            "NO"
            "One more page"
            "NO"
            "One more sentence?"
            "NO"

Farewell, Sir Terry, I thank you for all you did for me and I miss you dearly.

Saturday, May 3, 2014

Good, bad & ugly - Your password

I have already been ranting about passwords several times. They might be there to protect your digital assets but are also a liability. There are a lot of articles about user passwords being easily guessable. Usually they blame the user and his/her stupidity, the inability to select and remember a password. I consider this plain wrong. Most of those errors are enforced by anachronistic and bad password policies.

Password requirements


A good password must have two properties:

1) It has been memorized by the user
2) It is difficult to guess for a third person (even if he/she knows the user well)


But in most cases another requirement is thrown into the mix:

3) The password shall be complex (have a high entropy)

Usually the requirements take the form of a password policy like this:

  • The password must be at least 8 characters long
  • The password must contain upper- and lower-case letters
  • The password must contain a number
  • The password must contain a non-alphanumeric character

You notice anything? Yep, this policy only focuses on the third requirement. And it does so at the expense of the first requirement and (knowing human psychology) it also has a negative impact on the second requirement.

A good example (on how not to do it) was implemented by the Attorney General of Texas:



They try to specify entropy in detail, which is kind of ironic.


Threats to passwords


Let us take a look at how the security of a password can be compromised:
  1. The input of the password has been observed (by eavesdropping, key-loggers or by the ordinary Mark 1 Eyeball)
  2. The password has been re-used by the user in a different context where the attacker has access to it
  3. The attacker gained access to the encrypted storage of password and managed to extract it from there
  4. The password has been guessed by the attacker
How does having a complex password help you against these attacks?
  • In case of an attacker observing the user entering the password, no complexity will help. Rather the contrary, a password with mixed upper/lower-case, numbers and special characters is entered at a significantly slower pace. This helps an attacker observing the password by good old-fashioned peeking.
  • If the password is known to the attacker from the use in a different context, the complexity is no help either. Knowing the psychological side, cryptic passwords rather compound the problem. Once a user has found a password that fits the typical policy, he tends to use it wherever such a password policy is in place and therefore increases the chances of an attacker to use a known password of the user in a different context.
  • In case of access to the encrypted password store, the complexity clearly helps to hamper the attacker (if the password is encrypted properly).
  • One would expect that a password policy should help make a password un-guessable for a third person. From my personal observation the contrary is true. Under the watchful eye of a password policy users tend to stick to first names, upper-casing the first or last letter, replacing characters by similar looking special characters or numbers and/or adding numbers at the end (like birthdays).
Summary: Only in one attack scenario does choosing a complex password help; in all other scenarios it has no impact or even a negative one. So let us look at this scenario in a bit more detail.

Decrypting passwords


To decrypt the password of a user, the attacker first has to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

When it comes to decrypting a password, the algorithm used is more important than the complexity of the password. If the service provider has not done his homework, complex passwords offer only little protection. This is another critical point, where the user has no influence whatsoever.

But in case the service provider has botched the safety of his password file but did everything correctly when choosing the algorithm, the complexity of the user passwords can offer extra protection against the attacker.

Does this case justify all the negative impact?

I want to point out that the safety of the encrypted password is not the responsibility of the user. So I would say: Don't make him part of the process here. Don't shift the responsibility to him where the service provider is responsible.

Remark: I did not specifically address the issue of an attacker trying out all passwords by automatically entering them one after another. It falls into the same category since it starts with a critical error on the service provider side by allowing this.

What shall we teach users about passwords?


I think we should focus on the first two requirements I started this blog post with:
  • Choose a password you can remember
  • Use a password someone else does not associate with you
and (which is more important than complexity):
  • Use distinct passwords, at least for the most critical uses (Work, Banking, Apple, Facebook, Google, Paypal, Amazon) and never use those somewhere else.
If the user follows only those three pieces of advice, his security would be greatly improved. It is much better to use several (cryptographically) weak passwords than one good one for everything.

What about password complexity?


I am not opposed to complex passwords, as long as it has no negative impact on the more important issues. There is nothing bad about advising the user about his password being weak or strong as information.

But if you do so, please do it right. Do not just look for which kind of characters are used. Don't care about the source of entropy as long as it is there.

"Test1234!" is not safer than "mucho danke shopping magazzini", rather the opposite. Let the user find his way to create a memorable complex password. If you force him into a scheme you think best, you will weaken passwords.

And: Except for the most critical uses, 40 bits of entropy are enough. If it is not enough, you need to rethink the way you store your passwords.

That is why I think XKCD has it right, no matter what Bruce Schneier says (I never thought I would agree on a security topic rather with a comic author than one of my most respected security experts).
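
As an added illustration (not code from this blog), the sketch below contrasts the four-rule policy quoted earlier with an estimate that charges for the habits listed under "Threats to passwords" instead of counting character classes. The wordlist, the 11 bits per known word and the per-habit bit costs are assumptions chosen for the demo; the 40-bit threshold is the post's.

```python
import math
import re

# Constructed demo wordlist; a real meter would load a large multilingual one.
WORDS = {"test", "password", "mucho", "danke", "shopping", "magazzini"}
WORD_BITS = 11.0  # assumption: a known word is one pick from a 2048-word list
LEET = str.maketrans("013457@$!", "oieastasi")  # look-alike substitutions


def meets_composition_policy(pw):
    """The four-rule policy quoted in the post."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def suffix_bits(suffix):
    """Cost of trailing digits/symbols appended to satisfy a policy."""
    digits = "".join(c for c in suffix if c.isdigit())
    bits = (len(suffix) - len(digits)) * math.log2(33)  # 33 ASCII symbols
    if digits:
        full = len(digits) * math.log2(10)
        predictable = (digits in "0123456789" or digits in "9876543210"
                       or len(set(digits)) == 1
                       or re.fullmatch(r"(19|20)\d\d", digits) is not None)
        # Assumption: runs, repeats and years cost a guesser about 4 bits.
        bits += min(4.0, full) if predictable else full
    return bits


def token_bits(token):
    """Estimate one whitespace-free token: core part plus appended suffix."""
    core, suffix = re.fullmatch(r"(.*?)([\d\W_]*)", token).groups()
    bits = suffix_bits(suffix)
    if not core:
        return bits
    plain = core.lower().translate(LEET)
    if plain in WORDS:
        bits += WORD_BITS
        bits += 0.0 if core.islower() else 1.0         # upper-cased letter(s)
        bits += 0.0 if core.lower() == plain else 1.0  # look-alike swaps
    else:
        # Unknown string: credit the full character pool, whatever its source.
        pool = (26 * any(c.islower() for c in core)
                + 26 * any(c.isupper() for c in core)
                + 10 * any(c.isdigit() for c in core)
                + 33 * any(not c.isalnum() for c in core))
        bits += len(core) * math.log2(max(pool, 26))
    return bits


def estimate_bits(pw):
    """Sum token estimates; spaces only separate tokens and add nothing."""
    return sum(token_bits(t) for t in pw.split())


def advise(pw, enough=40.0):
    """Report both views; 40 bits is the threshold the post proposes."""
    bits = estimate_bits(pw)
    return {"policy_ok": meets_composition_policy(pw),
            "bits": round(bits, 1), "enough": bits >= enough}


if __name__ == "__main__":
    for sample in ("Test1234!", "mucho danke shopping magazzini"):
        print(sample, advise(sample))
```

The result is meant as information for the user, not as a gate: the policy accepts "Test1234!" and rejects the passphrase, while the estimate ranks them the other way round.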

Are there exceptions?


Yes, of course. There are always exceptions. But in those cases you should rather look into using two factor authentication than trying to get the user's brain to work in a way that evolution did not intend it to.

Password Managers


It seems to have become a fashion to prohibit the use of password managers, either by written policies or by enforcing it in web applications. I consider this a bad idea. If a user tells me that he has problems memorizing passwords of sufficient complexity, I tend to believe him. Password managers are a great help, but personally I want to be able to recite my critical passwords (Amazon, Google, Apple, Paypal) directly.

Wednesday, February 19, 2014

Review: Influx by Daniel Suarez

The Nobel Prize seems to be within the grasp of Jon Grady. Being an academic dropout seems to be no longer a real obstacle since he just implemented his first prototype of a gravity reflection device. While the Wall Street bankers bankrolling his startup don't seem too happy about being misled about the direction of his research, their expert confirms the validity of his claims.


But when something seems to be too good to be true, it usually isn't. The visiting "expert" makes a telephone call and the bomb goes off, quite literally. A neo-luddite terror organisation storms the lab, knocks out everyone and blows it all up.

To his own surprise Jon Grady survives the experience and finds himself in the clutches of the Bureau for Technology Control (BTC). As it turns out, they are having both feet on the brakes concerning the deployment of new technology (of course purely due to concern for mankind). Scientists and Developers who threaten to disturb the status quo too profoundly are offered a choice: join, disappear and play with the good stuff or just disappear.

So Jon has to consider the gravity of his situation. As he soon finds out, the governmental oversight of the Bureau has been slightly neglected.

After his novel "Kill Decision" was published, some complained to Daniel Suarez that he had written more of a blueprint than a novel. Like his works "Daemon" and "Freedom (TM)" it gave the technology-versed reader quite a chill. Since John Brunner passed away, no other author has managed to radiate such a feeling of frightening authenticity in his books. Together with the author we can only sincerely hope that he is further off the mark this time.

His past as system consultant and software developer gives him his ability to describe just-around-the-corner technology. But the real hitters are his credible predictions on how and where those will be used. While the apparent technology in 2016 (where "Influx" is set) does not differ too much from today (thanks to the untiring efforts of the BTC), he takes a lot more liberties on the "suppressed" technologies.

His previous books were not short on humor, but he has given it a lot more leash here. One can't do other than appreciate the irony of US intelligence and law enforcement agencies being spied upon by superior technology. There are several of such hidden gems inside the book. Furthermore the clones of the top BTC operative have some QA issues and regularly provide comic relief.

When reading the previous books, my professional personality was never completely switched off. The job-me was permanently looking over my shoulder and doing some appraisal. With "Influx" the entertainment nearly does a solo performance. But Daniel Suarez can't completely get rid of his habits and there are still some very sobering parts. The gulag for scientists comes straight from the worst nightmares.

The pacing of the book is high right from the start and it is hard to lay aside once you begin flying through the 380 pages (hardcover). The story mostly flies straight as an arrow, the supposedly good cause of the bad guys is threadbare right away. With the roles clearly assigned early on, "Influx" makes a relaxing and enjoyable read.

Of course there is another possible alternative explanation for this book: Daniel Suarez got snatched by the Bureau for Literary Control since he was getting close to the reality prediction and was forced to write more freewheeling stuff. If the results remain that entertaining, that is fine with me.

In any case, you find his book on Amazon.

Saturday, February 8, 2014

Review: Directive 51 by John Barnes

Directive 51 is the first book of the Daybreak series with currently three novels. The title is derived from the "Executive Directive 51", a Presidential Directive which claims power to execute procedures for continuity of the federal government in the event of a "catastrophic emergency". This may give you a "slight hint" about the direction this book is going.

The novel takes place in the near future of the United States of America. Technology has advanced especially in the area of nanotechnology, where even students become capable of creating nanites (nanobots) in their home lab.

The "Daybreak" is a terrorist organisation devoted to bringing down the "Big System". It consists of several groups (from radical ecological to radical Islamists) which only share their disgust for the status quo.

It is introduced as a meme that has reached a critical mass. But the author also casts some doubts on that assumption. 

The Daybreak is surprisingly effective in creating a nanoplague (self-replicating nanites) devouring petroleum-based fuels, rubber, plastics and several metals. But it also has a new type of nuclear bomb at its disposal. 

This and some other facts create the impression that "Daybreak" is not what it seems. The riddle is not resolved in this book.

The larger part of the novel is about the executive power trying to fight back and within itself. As one may assume from the title, the original president and his vice-president are not around for long. And even with the end of the world close by, there are enough remains to squabble for. The failure of the leadership encourages others to claim power for themselves. Only a few, the heroes of the book, are trying hard to hold it all together.

The book starts with a fast, gripping pace, a doomsday plot at its best. When it comes to the political side and dealing with the fallout, the novel remains more interesting than senate proceedings but requires some stamina on the reader side. The number of characters is confusing (we go through four presidents alone) and even at the end, the purpose of some characters remains unclear.

I have the followup novels on my reading list, but they are not prioritized as highly as they would have been after the first third.

You find this novel on Amazon.

Wednesday, January 22, 2014

Review: Bone Season by Samantha Shannon

I seem to be in for debut novels currently. Here is another one of a new author. At 22 years, Samantha Shannon is one of the youngest writers I have in my current portfolio (aka Kindle) and it does not require much scrying to see a lot of read-worthy books coming from her in the next years.

It is 2059 and not a good time to be magically gifted (or voyant as it is called here). The use of your talent is highly illegal and if you are caught, death will be your fate. So better keep your abilities hidden from everyone, even your only close family member. The best way to make a living is to join the syndicate and pursue a life of crime.

Paige Mahoney is not a happy but a content person when she is introduced. She feels safe within her environment. Her boss sees a lot of potential in her, more than she thinks she has. Her talent is a rare one as she can enter the minds of other people.

Her talent is put to a test when she is cornered by hunters of the Scion, the fascist, anti-voyant regime that has taken over England. While she manages to escape at first by using her power to kill, she is caught soon after. 

To her own surprise, she is not executed but shipped to the Gulag of her 21st century: Oxford (or "Sheol I" as it is now called.) The prison is not run by professors but near-human creatures called Rephaim. The rules of her life change dramatically.

Until that point the reader has not even finished half the book. Samantha not only fervently builds a world but also a huge vocabulary. Dreamwalker, floxy, rotties, mime-crime, flux, NVD are just a few examples of (I would guess) a low three digit number.

It takes quite some learning from the reader and the complexity sometimes does not help but hinder the story development. On the other hand there are sequences where you are literally fleeing at her side over the roofs of London and really feel the breath of her pursuers on your own neck. In those action packed sequences she is at her best.

Another, easily forgiven, weakness is the language which feels to be stuck between the young adult and adult style. I expect this point to solve itself automagically during the sequels.

The overall construction of the story is solid and she even plays the reader by what seems to be a plot device at first glance and turns out to be an important story element later in the book. I awarded bonus points for cheekiness here.

The book came to me highly praised through one of my wife's many magazines. While it did not fully live up to the (admittedly high) expectations, I am still impressed by an early work like this. You'll find it on Amazon.

Sunday, January 19, 2014

Review: Ancillary Justice by Ann Leckie

Devilish complex main character: Check! Non-linear storytelling: Present and accounted for! World building: Massive! New author: Yes! A combination that would challenge any experienced writer makes up the stunning debut of Ann Leckie. She is an author on whom you will want to keep an eye.

Let's start with a few highlights of the main character Breq: about 2,000 years old, once part of a hive mind and an excellent fighter afflicted with the inability to discern the gender of most dialog partners.

He started off as an Ancillary "One Esk Nineteen" of the starship "Justice of Toren". Ancillaries are former criminals who were mind-wiped and became (with boosted physical properties and reflexes) part of a hive minded ship AI. They have been a strong weapon in the expansion of the Radch Empire.

But the expansion has slowed down, ancillaries are being slowly replaced by humans, Breq has become alienated with his empire and is separated from his hive mind. How all of this is connected to each other is told in flashbacks that span a millennium.

Other authors manage to confuse their readers with a story a tenth as complex as this one. But this seems to be Ann Leckie's talent: to never lose her audience throughout the story. Though some concentration is required and some quirks of Breq's perspective (per default everyone is a "she", memories are always plural) are challenging at the beginning, one is rewarded with insights into a very fascinating character, society and universe. The book really covers an alien perspective quite thoroughly.

While the aspect of the hive mind is clearly a central one (covering among other things: moral responsibility of a single part of the hive mind, split brain situations, synchronization), one will find a lot more to think about. Calling the novel a space opera does not do it justice. There are more aspects to it than I want to cover in this review. It would take too much pleasure away from the reader when (s)he discovers a lot of reminiscences of other classics of Science Fiction within.

While the novel does not end on a cliffhanger, it clearly calls for a sequel which I will eagerly wait for.

You can get this book on Amazon. I stumbled upon it in John Scalzi's blog, which has been a source of several reading inspirations for me.