john lennon is spinning in his grave

In case you haven’t heard, Paul McCartney is the darling boy of the EU’s Article 13 which hopes to stab out YouTube’s heart with a spork. Since Google owns YouTube, it’s naturally worried about all this. To make matters worse, the EU’s Article 11 link tax is quite possibly aimed at Google itself. The former Beatle has stepped up to urge the European Parliament to…

“PLEASE VOTE TO UPHOLD THE MANDATE ON COPYRIGHT AND ARTICLE 13. YOU HOLD IN YOUR HANDS THE FUTURE OF MUSIC HERE IN EUROPE.”

From the tone and use of ALLCAPS you’d almost think this were the Crusades and they’re all mounted on horses pointed south, defending Christendom.

Let’s not forget, though, that in Vulture’s ranking of every Beatles song ever made, dead last at #213 (the bottom of the worst-of-the-Beatles list) is none other than McCartney’s Good Day Sunshine.

From Vulture’s article:

Revolver (1966): Paul McCartney was welcome to write all the happy, upbeat, cheery-cheery songs he wanted. But this one is beyond the pale. It’s blaring, received, and strident. Even by McCartney standards (“Getting Better,” “Hello Goodbye”) the title is inane. It could have been “Yum Food Delicious,” or “Hot Sex Baby,” or any other three random words McCartney took out of his Young Man’s Collection of Positive Synonyms — and note that of these three choices McCartney chose the blandest. McCartney’s piano playing, which graced so many Beatles songs, right up to “A Day in the Life,” is a parody of itself. It’s the worst song in the Beatles’ classic period. And it ruins Revolver, otherwise the most consistent and mind-blowing collection of pop-rock songs ever conceived by man.

John Lennon’s song Imagine was liked much more and for good reason. I think the sentiment resonated more with the average person. But now I’d like to mash up the lyrics a bit in honor of Paul’s recent audacity. Note that I only changed the words in italics below so I’m not far from John’s original sentiment in the last stanza about no possessions (to include even the possession of songs themselves).

Imagine there’s no money
It’s easy if you try
No credit cards before us
Behind us only sky
Imagine all the people living for today

Imagine there’s no currency
It isn’t hard to do
Nothing to buy nor pay for
And no religion too
Imagine all the people living life so free

You may say I’m a dreamer
But I’m not the only one
I hope someday you’ll join us
And the world will be as one

Imagine no possessions
I wonder if you can
No need for greed or hunger
A brotherhood of man
Imagine all the people sharing all the world

I can’t imagine for even a single minute that John Lennon would have begged the European Parliament to protect his song rights from anyone.

Shame on you, Paul McCartney. If you’re mad at YouTube, don’t blindly lash out at the Internet-at-large and encourage the advent of “Lawyer-fest 2019”. You’d have to be daft to support legislation which gives full rein to every vulture in the world to feed on the average Joe attempting to run a website.

goo.gl broke it

Jump into the Wayback Machine to 2010: Google launched a URL shortener on the goo.gl domain, which it had registered because it reads like “Google”. Feed it a long address and you get a short one under goo.gl; anyone who follows the short link is redirected to the real target address.

Why?

You might ask why Google would run a seemingly free service that redirects URLs for people. Part of it is branding, since goo.gl looks and sounds like the company name. The stronger reason is the database it builds: every shortened link, and every click on it, is data that can be mined, perhaps to feed their own search engine.

It’s clear that analytics was a big reason for offering a service like this. There is value in knowing everything about what other people are doing.

And den?

Good question. What comes next after the Internet has then embraced the concept and created millions of shorter links? You guessed it…

Google is killing the [goo.gl] service in March of 2019.

What will break?

It’s difficult to even fathom how much of the Internet will take a hit in three months. People routinely used these shorter URLs in links to Google Drive and Microsoft OneDrive documents. There are numerous one-off tools and integrations which submit URLs to goo.gl on your behalf; those should be the first things to break, since they depend on creating new links.

Google’s announcement says that existing goo.gl links will keep redirecting after March 2019 and that only the creation of new links (and the management console) ends. Even so, every one of those links now depends on a service Google has already deprecated, and at some point they will need to pull the plug.

Imagine the sheer number of times these shorter URLs were used in printed documentation to refer back to online support pages. This would have been typical of many consumer products with small printed manuals. Imagine the number of boxed consumer products still sitting on shelves in stores which contain these soon-to-be-deprecated links.

Is that it?

Google is pointing people at Firebase Dynamic Links instead (Google bought Firebase in 2014), which presumably few people outside the app-developer crowd will ever use.

 

on the mad exodus from github.com

If you don’t code for a living, you probably didn’t hear about the US$7.5B deal in which Microsoft is buying github.com. For the rest of us, this is big news.

GitHub Inc. is a web-based hosting service for version control of software using git. They offer both private repositories and free accounts (which are commonly used to host open-source software projects). With its 28 million public repositories, it’s the largest host of source code in the world.

GitHub’s competitors are reporting record numbers of customers moving their repositories away from the now Microsoft-owned provider.

What Microsoft now controls

Presumably, Microsoft now controls both Atom and Electron, two extremely popular platforms in the coding space. The former is a great code editor and the latter is the runtime (Chromium plus Node.js) that lets you build a very usable desktop/GUI application in JavaScript, HTML and CSS.

Microsoft also now controls the revenue stream. At the time of the deal, private repositories cost $7 per month on a personal plan or $9 per user per month on a team plan.

Microsoft now has access to the code in those private repositories. A private repository is private from other GitHub users, not from whoever operates GitHub, and the operator is now Microsoft. Just imagine what their competitors must be thinking, now that Microsoft holds a copy of their internal project code, secret ideas included.

Alternatives

We’ve all been lulled by GitHub’s ease of use, its free tier and so on. To be honest, we haven’t even considered alternatives before now. This new playing field means that we must look at our options.

Gogs (gogs.io) is an open-source, self-hosted option: a GitHub-like service written in Go that you run on your own machine.

Gogs

Over the last three days, I’ve now set up my own private, internal Gogs service called gitjs.io. Since I own the domain name I may later push this into the cloud but for now, it’s running on one of my computers here at home.

After the initial hurdles to get OS X to start the Gogs service on a privileged port (http/80) and to start it automatically at boot, I must say that I love it.

It’s a full-featured, GitHub-like experience throughout, with all the screens you’d expect. You can create users and organizations and do the things you did over on GitHub.

The command-line git program interacts with the service as expected. Under the hood it keeps a single repository root folder to store everything, much the same way that GitHub might.

[screenshot: Screen Shot 2018-06-09 at 6.38.00 PM]

The Future of Source Control

I don’t need a crystal ball to suggest that Microsoft’s purchase is going to be a game-changer for open source. The world of open source is the very antonym of what Microsoft stands for.

I would suggest that anyone and everyone with a GitHub account seriously consider moving their code elsewhere, soon. Microsoft has a long history of buying up competitive technologies only to starve them of air over time. The phrase that surfaced in the US antitrust trial was “cut off their air supply”, describing how Microsoft would ruin a competitor’s advantage in the market.

It’s time to take your code and run.

is it safe?

Today’s title comes from the movie Marathon Man, with Dustin Hoffman in the lead. I must admit that I haven’t seen it. The concept sounds scary enough, though: someone is expected to know information which they simply don’t possess. Somewhere in the movie the lead character is mistaken for a spy, perhaps, and finds himself in a dentist’s chair where he is asked this question repeatedly.

Believe it or not, we have a very big security problem at the moment and few people are focusing much attention on it. Let me explain…

IPv6

IPV4

For a long time, we’ve all enjoyed the Internet. Packets of information are sent here and there. The underlying mechanism is usually called TCP/IP, and that last “IP” part is version 4 of the Internet Protocol, or simply IPv4. Within all these specifications there’s the concept of the sending computer’s address and the recipient’s. These “IP addresses” are critical to delivering content. A popular IP address is 8.8.8.8, which is Google’s public DNS resolver. An IPv4 address is four numbers, each from 0 to 255, separated by periods.

Zipcodes

A good analogy is the ZIP code system used by the United States Postal Service. A five-digit code like 90210 points to a specific post office. If you were fortunate enough to have a P.O. box there, 90210 plus that box number would get you your copy of Beverly Hills Magazine or similar.

Cities grow, though, and the USPS has to split ZIP codes (issuing new ones) or find other clever ways to accommodate more and more people. Their fix was to extend the five-digit code with four more digits on the end, for example 90210-1234.

IPV6

In a similar fashion, the Internet got more popular and something needed to be done. An IPv4 address is 32 bits, so there are only about 4.3 billion of them, and we ran out a long time ago: the central registry (IANA) handed out its last free blocks in 2011.

For decades, the serious fix was put off because of some reasonably good workarounds. The best of these is to have everyone inside their own homes, businesses and even colleges use addresses that are not valid on the public Internet: the private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) reserved by RFC 1918. Buy a Netgear router for your home, plug it in, and I could reasonably guess that your new router now has the address 192.168.0.1, just like every other consumer’s. That address isn’t routable on the Internet, but things just work because the router rewrites your traffic onto its one public address on the way out and back again on the way in (network address translation, or NAT).

So, making those IP addresses longer should in theory make everything better, right? That is IPv6: 128-bit addresses instead of 32-bit ones. For two decades now, various people have been pushing hard to add support for them to everyone’s computers, to every router, to all routing software, to all operating systems, to all software development kits.

Imagine thousands and thousands of ants silently working hard to build something that most of us cannot see, don’t understand and then one day twenty years later we find out that some huge anthill has taken over. The work happened so slowly that we didn’t take much notice.

IPV6 is here and we didn’t even know it. In fact, few know anything about it at all.

Rest Inertia

Unfortunately, the current system is what everyone understands. If you ask the average computer geek to “issue an IPV6 address” you will be met by a blank stare, shortly followed by hostility in many cases. Nobody wants to deal with these new addresses. Nobody wants to test their computers with these new addresses. Nobody wants to test their software or their websites with these new addresses.

I will go further to suggest that nobody knows how to do any of these things.

Too Long, Didn’t Read

Here’s an excerpt from the Wikipedia page on IPV6. Part of the problem is that these technical descriptions are written by people who don’t understand that end-users ultimately must understand what’s being talked about.

The 128 bits of an IPv6 address are represented in 8 groups of 16 bits each. Each group is written as four hexadecimal digits (sometimes called hextets) and the groups are separated by colons (:). An example of this representation is 2001:0db8:0000:0000:0000:ff00:0042:8329.

For convenience, an IPv6 address may be abbreviated to shorter notations by application of the following rules.

  • One or more leading zeroes from any groups of hexadecimal digits are removed; this is usually done to either all or none of the leading zeroes. For example, the group 0042 is converted to 42.
  • Consecutive sections of zeroes are replaced with a double colon (::). The double colon may only be used once in an address, as multiple use would render the address indeterminate. RFC5952 recommends that a double colon not be used to denote an omitted single section of zeroes.

An example of application of these rules:

Initial address: 2001:0db8:0000:0000:0000:ff00:0042:8329
After removing all leading zeroes in each group: 2001:db8:0:0:0:ff00:42:8329
After omitting consecutive sections of zeroes: 2001:db8::ff00:42:8329

The loopback address, 0000:0000:0000:0000:0000:0000:0000:0001, may be abbreviated to ::1 by using both rules.

As an IPv6 address may have more than one representation, the IETF has issued a proposed standard for representing them in text.

For most computer professionals, avoidance has been their interaction with this feature.

Security

The problem, then, is our network security globally. Silently, people have been adding a second network stack to everything-that-is, and it’s on by default: a modern computer on a network that offers IPv6 gives itself an IPv6 address automatically, with no NAT in front of it, so only a firewall rule stands between it and the Internet. Usually, when something like that happens, all computer professionals get trained on how the new feature works. That definitely has not happened, so firewall rules, allowlists and log searches written in terms of IPv4 addresses simply don’t see the IPv6 traffic. We are in for such trouble on this one.

Update Fatigue

Another contributing factor to all this is the recent trend to push updates to end users relentlessly, daily (too often). For many people, toggling on some auto-update feature lowers their own sense of being nagged into daily updates. The “magic” just seems to happen and the users assume that literally hundreds of people have tested the safety of everything before it’s put out there as an upgrade. The dirty little secret is that areas like IPv6 get little or no testing at all.

Conclusion

In short, turn off IPv6 support on every computer, router, device and smartphone in your life, and on everything else you can control. Do it as soon as you learn how. It’s a ticking time bomb from the standpoint of Internet security.

There will be a time when this new technology is safe. I’m guessing that this will be at least one decade in the future.

For more information, search for “turn off ipv6” in your favorite search engine. Two practical notes. First, check whether it’s even on: “ip -6 addr” on Linux or “ifconfig | grep inet6” on macOS lists the IPv6 addresses, and one starting with 2 or 3 (not just fe80::, which is link-local and stays on the local segment) means the machine is reachable over IPv6. Second, the switches: on macOS it’s “networksetup -setv6off Wi-Fi” (or whichever network service name applies), on Linux the sysctl net.ipv6.conf.all.disable_ipv6=1, and on Windows the DisabledComponents registry value, which Microsoft’s own documentation advises against setting. Some software assumes IPv6 exists locally, so test after turning it off.

give a man a phish…

There’s an old quote, of course…

Give a man a fish and you feed him for a day.  Teach him to fish and you’ve fed him for life.

Today’s topic is phishing: a con artist sends a fake email and convinces the recipients to give up their credentials, credit card details, etc.

What They’re After

It’s almost always about money. They want the login details for your checking account or your credit card. If they can get your email account’s credentials then they’ll search your emails for links to your checking account or credit card. If they get your social media account’s credentials then they’ll know the people who trust you and they’ll send them email as if they’re you, conning your friends into clicking these sorts of links.

[image: 041017-Phishing-Activity-minTrust]

If a stranger on the sidewalk asked you to put your wallet into a magic hat, you probably wouldn’t. You don’t trust him. So when a stranger on the Internet sends you an email, then you are probably smart enough not to click any links in it.

But now, what happens when an email arrives and it has the correct logo and content from Microsoft?  You trust them.  They wrote the software that’s on your computer, possibly.  They’re telling you that you are about to lose something or in other cases, that you could get something for free.

But of course, that email could seemingly arrive from UPS, FedEx, the U.S. Postal Service, Wells Fargo, Bank of America, Chase, Logitech, Intel, Apple, Google, Intuit, Adobe, Samsung, HP, Facebook, Twitter, Verizon, AT&T, Starbucks, Staples, Yahoo, Bing, MSN, Firefox, Chrome, WordPress…  Literally any name brand or product name you trust can be used to fool you.

Urgency

If someone told you that you had thirty years left in your lifetime, you’d probably be interested but it wouldn’t necessarily change what you do today as a result.  You’d have time to get a second opinion from another doctor, say.

We’re programmed, though, to panic when we have a limited amount of time to make a decision.  If the doctor told you that you needed to get your affairs in order because you have 24 hours left, then you probably wouldn’t calmly make an appointment with that second doctor.  You’d very likely go on a shopping spree or make some other not-so-mature decision in the spur of the moment.  In other words, the rational/analytical part of your brain wouldn’t be in charge.  Your would-be scammer knows this.  So all these attempts have some sort of expiration date/time attached to them.

Free… Isn’t

I’m not sure why people are such suckers for the word “free”.  It seems to be another method of short-circuiting the brain.  Combine free with an expiration date of some kind plus a spoofed pedigree and most people will stupidly click that link.

Antivirus Isn’t “Anti-Stupid Protection”

Unfortunately, your antivirus program can’t protect you from doing something, well… stupid, in this case.  It would be stupid to enter your credentials for anything prompted by any email.

But what if this is legitimate? Okay, so what if I have received an email from Geico and they’re trying to tell me that my policy is about to expire? (Let’s assume for a moment that I have Geico insurance.) Do I actually need to click their link to find out the status of my policy? No. It is infinitely safer for me to open my browser, type geico.com into the location field, verify that I haven’t mis-typed the domain name and then enter my credentials on their website. In doing so, I’ve taken away the one thing the phisher controls: the link.

Digital Extortion

According to statistics, 64% of Americans are willing to pay a ransom to get their data back (or, say, control of their computer) and the average bounty demanded is $1,077 per victim. Only 34% of people globally are willing to pay in these circumstances. Unfortunately, that makes the U.S. a prime target for these people.

the sophistication of phishers

Phishing is an activity where you try to con someone out of their private information (like credentials) and these people are too darn clever. I just got a perfect rendition of Apple’s classic email notification that my Apple ID had been used on a Windows 10 computer with Chrome over an IP address in Israel and that my account is now locked. It’s enough to make you panic and click the link they provided.

The Psychology of Fear

Of course, fear is a prime motivator. “ONOZ! I’ve been hacked!” No, actually. Someone just has your email address, which you could have guessed from the “Undisclosed Recipients” line: the same message went out in bulk to a list of addresses, not to you in particular.

And yet, it was enough to make me go to a different computer, visit Apple’s website and confirm that my Apple ID wasn’t locked out and it’s only being used on my own devices.
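The advice in both phishing posts above comes down to one check: where does the link actually go, as opposed to what the message shows or implies? As an added example (my code, not the blog’s), here is a small Python link audit that pulls every link out of an HTML message and reports the tells a practitioner looks for: a destination host that isn’t under the brand’s domain, a lookalike host that merely contains the brand name, a “user@host” trick that puts the brand name before the real host, a bare IP address, plain http, and visible link text that is itself a URL pointing somewhere other than the real destination. The sample message is constructed to resemble the Apple ID notice described above; every host in it is invented (.example names and an RFC 5737 test address), and the trusted-domain list is an assumption you would set per brand.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message): the shape of the "your Apple ID was
# used on a Windows 10 computer" notice, with invented destination hosts.
SAMPLE_EMAIL_HTML = """
<p>Your Apple ID was used to sign in to iCloud via a web browser on Windows 10 (Chrome).</p>
<p>If this was not you, unlock your account within 24 hours:
<a href="https://appleid.apple.com.account-verify.example/unlock">https://appleid.apple.com/</a></p>
<p><a href="http://apple.com@203.0.113.7/unlock">Unlock your account now</a></p>
<p><a href="https://support.apple.com/">Apple Support</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_link(href: str, text: str, trusted_domains) -> list[str]:
    """Reasons not to click this link; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()  # hostname strips userinfo and port
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        reasons.append("userinfo-before-host")  # http://apple.com@evil/... reads as apple.com
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if not any(under_domain(host, d) for d in trusted_domains):
        reasons.append("host-not-trusted")
        brands = {d.split(".")[0] for d in trusted_domains}
        if any(b in host for b in brands):
            reasons.append("lookalike-host")  # brand name embedded in someone else's domain
    shown = text.lower()
    if shown.startswith(("http://", "https://")):
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host != host:
            reasons.append("display-url-mismatch")  # text says one host, href goes to another
    return reasons


def audit_email(html: str, trusted_domains) -> list[tuple[str, str, list[str]]]:
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, audit_link(href, text, trusted_domains)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL_HTML, ("apple.com",)):
        print("OK  " if not reasons else "BAD ", href, "| shown as:", text or "(no text)", "|", ", ".join(reasons))
```

The check is deliberately strict about subdomains: support.apple.com passes because it ends in “.apple.com”, while appleid.apple.com.account-verify.example fails because the registrable domain is account-verify.example, no matter how much of the real name it copies. The same logic applies to the “type the domain yourself” advice: what you typed is the host that matters, and this is how you see the host behind a link without clicking it.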

Apple’s Lack of Customer Support

For a company that makes as much money each year as Microsoft, Oracle, Google and Adobe combined, you’d think that there would be room in the budget to support their customers.

[image: showmethemoney]

In fact, I just spent many moments trying to let Apple know of the sophistication of this phishing attempt, to identify the culprit(s), their website(s), email address(es), etc. No dice. Apple’s doing such a good job of blocking customer requests that I decided that the best way to get the information out there was to blog it. Pretty sad, really.

the cost of truth

The Internet is chock full o’ news on any given day and most of that is stark-raving free, which we’re used to of course. Contrast this if you will with Reality News Media and their promise of “dissemination of truth” as juxtaposed with their $20 subscription price to read it.

dis·sem·i·na·tion
noun
  1. the act of spreading something, especially information, widely; circulation.

Um, really…?

If you really wanted to spread the truth then charging for it isn’t in your best interest. If you do so, you’d only be spreading that truth to those who don’t value their money, in other words, the rich.

[image: truth]