TechCrunch: Skating on Thin Ice

Back in the day I used to do naughty things to computers that I could access via dial-up modems, packet switching or the nascent Internet. Nothing that caused any damage, but it made me realize how insecure most systems are.

I don't do that stuff anymore (although I can't help noticing security holes that turn out to be exploitable) and yet it amuses me greatly when I see someone bleating about a third party's security troubles.

Take for example TechCrunch. Today they made fun of Twitter for using the password password for access to an administration web site. Yep, that's a really bad idea.

But if you're TechCrunch and you are going to publish that sort of gloating article you'd better be damn sure that your own security is solid. And your security envelope can be very large. It encompasses all the services you use like your domain registrar, DNS provider, hosting provider, mail service and the software used to run your site.

Any one of these elements could be a vector for an attack.

You really wouldn't want it to be the case that someone like me could trivially discover that one of those services was vulnerable because I could guess in 30 seconds what your username was likely to be, and then find that I could order a password reset using three pieces of personal information that were easy to find out.

You wouldn't want that to happen.

Because if someone like me did that they'd be able to mess with your web site, play with your email, and generally create havoc.

Happily, I've got better things to do.

PS Personal information like "the name of your first dog" or "your brother's middle name" needs to be phased out. Google allows you to set your own security question; if you don't have that choice do as I do: lie. Whenever I'm asked for the name of my first girlfriend I make the answer up.

PPS Some people have asked me if this post is a threat to TechCrunch. No, No, No. I'm not interested in threatening them. Why would I? It's also not an incitement to attack them. It's meant as a warning to them that spouting your mouth off about the security of other people's systems is waving a red flag to a bunch of people who'd like nothing better than to mess with your systems. Don't be silly like that.

UPDATE: TechCrunch got in contact and we had a quick back and forth. They confirmed that the security vulnerability I was pointing out was something they had worried about already and taken action to mitigate.

They also said "We have had thousands of breakin attempts over the past few days". No surprise really.

And they are planning some posts pointing out the vulnerable nature of apps in the cloud.

How to despam Twitter

Here's how I would despam Twitter:

1. A network of honeypot Twitter accounts. I set up the simplest of all honeypot accounts on Twitter and it has 14 followers. With something more sophisticated you'd catch many more.

2. A Report Spam button. Let anyone report spam from the public timeline. Sending to @spam is just too hard.

3. Integrated SURBL/URIBL/anti-phishing look ups. Expand URL shortener links and perform blacklist checks. In doing this the system can go back and look at tweets after they are posted (long after if necessary) to remove them. Unlike email spam can be cleaned up over time.

4. Look for tweets containing multiple terms from the trending topics. These are almost certainly spams.

5. IP address checks. Use SpamHaus to look for messages coming from known bad networks. Keep track of IP addresses associated with Twitter spam.

6. Machine Learning. All of the above, plus the tweet text can be fed to something like POPFile for a decision.

7. Quiet spam removal. Messages that are considered spam should not be deleted. The links they contain should be disabled (no href) until the person responsible for the tweet complains.

Watching the Google Birth of The Geek Atlas

Back in December of 2008 I set up a job on one of my servers that once a day searched Google for the title of my book, The Geek Atlas. This job grab the page returned by Google and stored it away.

The first time I ran the search there were 254 pages referencing the term "The Geek Atlas". Most of these were related to Amazon and O'Reilly and were placeholder pages for the book (which wasn't going to come out until June 2009).

I've now processed the data and the chart below shows the number of pages returned by Google per day up to today.

Today there are around 45,000 pages returned by Google. But the curious thing is that the search results show a number of spikes. These spikes are as follows:

1. June 10, 2009 jumped to 82,100 from 7,300 and then back down again the next day
2. June 19, 2009 jumped to 76,500 from 29,600 and then back down again two days later
3. July 13, 2009 jumped to 14,000 from 48,300 and then back down again a day later

So, what happened on those days? The nearest I can come to an explanation is the following:

1. June 10, 2009: Jason Kottke mentioned the book.
2. June 19, 2009: Wired published a full review of the book.
3. July 13, 2009: The BBC published a video and article about the book.

What I'm guessing happens is that the content is syndicated or stolen for use on a variety of short-lived web sites. Hence the spike. If I'm right it tells us that Google is very, very fast at updating its index.

The Statistical Language of Climate Change

Imagine that you've been feeling unwell and you are referred to an eminent specialist. Sitting in his office he tells you: "It is very likely that you have late stage colon cancer". You leave his office realizing that your days are severely numbered.

On a subsequent visit you ask him about his confidence and he says: "I have very high confidence that you have late stage colon cancer". You are now convinced that you are going to die.

On a third visit you decide to ask him a different question: "How many people are you wrong about? How many people to whom you say that it's "very likely" or that you have "very high confidence" that they have cancer don't have cancer?" And he replies: 1 in 10.

So, despite the prognosis offered by this eminent scientist you have a 1 in 10 chance that he's wrong. 1 in 10 people walk out of his office thinking they are going to die, and they are not going to.

The difficult question is how should the specialist turn his probability into everyday language. What does "very likely" mean to you? How about "virtually certain"? And how would you map those onto probabilities.

The same problem has to be addressed by the Intergovernmental Panel on Climate Change. For example, in 2007 the IPCC said that it was "very likely" that man was responsible for warming since 1750. Prior to that they had said that it was "likely".

It turns out that the IPCC has gone to lengths to carefully define guidelines for the use of language to describe probabilities. In the snappily titled Guidance Notes for Lead Authors of the IPCC Fourth Assessment Report on Addressing Uncertainties (yes, I lead an exciting life!) published in July 2005 the IPCC published the following guidelines:

Terminology	Degree of confidence
Very High Confidence	> 90%
High Confidence	About 80%
Medium Confidence	About 50%
Low Confidence	About 20%
Very Low Confidence	< 10%

And they published another scale for likelihood.

Terminology	Likelihood
Virtually Certain	> 99%
Very Likely	> 90%
Likely	> 66%
About as likely as not	> 33% and < 66%
Unlikely	< 33%
Very unlikely	< 10%
Exceptionally unlikely	< 1%

Interestingly in 2000 a report published by the IPCC called UNCERTAINTIES IN THE IPCC TAR: Recommendations To Lead Authors For More Consistent Assessment and Reporting had a slightly different definition of "very high confidence". It has greater than 95%. So, it would appear that the IPCC has widened the range (i.e. loosened the definition) of "very high confidence".

I asked one of the authors of the 2000 paper about the change and he said:

It was negotiated by several rounds of email peer review, and the guidance paper was no more than that--guidance in the TAR. Some working groups evolved their own tweaks to it in the TAR, and in AR 4 a formal group got together and redid it again so the margins evolved. Still evolving.

Returning to the most recent report from the IPCC: what's the chance that the IPCC is wrong? It's gone from "likely" (wrong between 1/3 and 1/10 of the time) to "very likely" (wrong 1/10 to 1/100 of the time). So, at this point the consensus is that the chance that warming is not caused by man is somewhere between 1/10 and 1/100.

Is James Dyson held back by the speed of sound?

I was intrigued by a story in the Daily Telegraph about a new electric motor created by Dyson. The DC motor apparently rotates at 104,000 RPM and is to be used in a portable vacuum cleaner.

The motor technology itself is switched reluctance. Essentially, the motor works by turning on and off electromagnets at just the right time to keep the rotor inside the motor spinning.

My immediate thought was 'how fast is the outside edge of the rotor moving if it's spinning at 104,000 RPM?' And shortly after that, 'how close is that to the speed of sound?'

In Electronic Weekly there's an article which states that the motor is 55.8mm across. Now, that's probably not the diameter of the rotor, but given that Dyson is attaching an impeller to the rotor anyway I'm going to take that as the diameter and work my calculations from there.

So the distance travelled in one rotation is π * 55.8mm and there are 104000 / 60 rotations per second. So, the outside is moving at 304ms^-1.

The speed of sound at sea level is 340ms^-1.

So the impeller is likely operating at near the speed of sound. I wonder if there are any nasty effects of rotating at that speed and if Dyson is close to the theoretical limit of what he can do.

There are two patent applications from Dyson that I believe cover this invention: 20070252551 and 20070278983. Neither mentions the speed of sound.

How to do customer service

I've previously complained about poor technical support that I received from Hewlett-Packard. That particular incident isn't over yet... the issue has been escalated a couple of times, HP has told me they are end-of-lifeing the product, ... I'll write that up when it comes to a resolution.

But it's not all moaning! Two companies that have provided excellent customer service recently are Apple and Bugaboo. I dealt directly with Apple myself, a friend with small children told me about the Bugaboo goodness.

First off, Apple. I own a MacBook Pro that I bought in mid-2007. Unfortunately, it suddenly started to suffer from the NVIDIA GeForce 8600M GT problem a couple of months ago. The upshot was that my machine would boot but couldn't find a display adapter (or at least it found the Intel display adapter, not the NVIDIA one).

I verified that I could ssh into the machine and ran System Profiler on the command-line. A quick search by serial number showed that my machine was susceptible to this problem and that Apple offered free service.

So, I called AppleCare. I never bought AppleCare for this machine and for this problem I didn't need it. I described my problem in detail to the technician including the steps that I'd taken to try to resolve it (including resetting the PRAM and SMC) and he did something great. He completely avoided going through any script, realized that I knew what I was talking about and immediately set the machine up for repair.

Next step was an appointment with the Genius Bar. This was the most annoying part because Apple's Concierge software is poorly designed. But once at the Genius Bar I got my appointment in about 10 minutes of the allotted time. The technician immediately verified that I had the NVIDIA problem and that I was eligible for a motherboard replacement.

While I was chatting with him I mentioned that my iPhone headphones had a fault and I wanted to buy some new ones. He asked me how long I'd had the iPhone (about 3 months) and simply went and got me a new pair, for free, just like that.

Then he told me to expect that my MacBook Pro would take about a week to repair. I left the Apple Store and went into work. That evening Apple called me to tell me the laptop was ready.

Nice.

Now Bugaboo. My friend Bill has two small kids and one of them is always in a Bugaboo Cameleon stroller. These are really high-end and expensive bits of kit. But they are very, very well made.

Now Bill's Bugaboo's brakes had developed a fault. They didn't always work and it was a minor annoyance. Little did Bill know that Bugaboo had identified this as a common fault and recalled the Cameleon.

Happily, Bill had filled out the warranty card for the stroller and sent it back when he bought it. One day a small package arrived unannounced containing a kit to fix the brakes. The kit worked perfectly.

Nice.

In both cases, Apple and Bugaboo, we were dealing with premium brands and got premium support. Apple's ability to just give me new headphones made my experience wonderful, and Bugaboo simply sending the repair kit to Bill made him a loyal customer for life (he just needs to have some more kids).