Things that get me annoyed

Open Source Peddling

I am a fan of free software. Heck, I make quite a few free programs myself. That is why it pains me to see what has been happening with it over the last few years - malware, malware, everywhere!

For example, take CamStudio, once a decent screen recording program. I downloaded my setup from www.camstudio.org and everything seemed legit. Until I was offered Search Offer powered by Bing during setup - I of course declined. After that I was offered ByteFence (which ironically promises protection against malware) and Yahoo powered search. Yes, the same install offers both Bing and Yahoo powered search. I declined them both. Guess what, it tried to install Search Offer regardless.

I found this slightly unnerving so I removed all traces of it and checked for the source code. I did find it on SourceForge after a bit of googling (camstudio.org doesn’t offer a link toward it). The installer found there was actually without malware (as far as I could see) but it was also unsigned and more than 10 times the size (11 MB vs 1 MB).

So, on one side we have an installer downloaded from SourceForge, 11 MB in size and unsigned. On the other side we have a 1 MB setup digitally signed by Path Quality (Alpha Criteria Ltd.). Which one looks more official? Yes, a search for Alpha Criteria Ltd. will show its malware roots but I still find it disturbing that such shady figures actually have a valid digital signature.

There is a real danger in someone taking your installer and making a setup with malware. You cannot really do anything about that. But this is not the case here. Not only is camstudio.org official-looking, with a forum and everything, but you can also see that Nick Smith is the one who registered the domain. Going to the SourceForge pages, you can also find Nick Smith there as one of the main contributors.

What we have here is one, possibly rogue, developer intentionally packing malware into the product’s setup for profit.

This is something I have noticed for a while now. Freeware programs (regardless of whether they are open source or not) have been having more and more aggressive and misleading ads in recent years. Every time I go to download something I need to figure out which link is the actual download and which ones are “download” links designed to click-bait you into an ad. It is a shitty and misleading practice but at least it only wastes your time. Packing malware into what amounts to an official-looking software package on official-looking pages is another, more devious approach.

Realistically, you will not earn money on freeware. If you expect open source to get you some quick money, you are an idiot. Building open source and/or freeware software is something you should do for enjoyment and because you have an itch to scratch. You might not get money out of it but it will provide a great learning experience, it will get your name out there, and possibly you might even get a tangible benefit out of it.

Or go the money route and make an application for sale - there is nothing wrong with that. For example, the developers of Bandicam, also a screen recording program, decided to charge for their software. That is an honest approach.

Earning money by incorporating malware into your freeware application is not only dishonest but deserving of its own circle in hell.

Planned Obsolescence Is Not Black and White

I always feel like half a story is told when I hear about planned obsolescence and how manufacturers are screwing us all. It always starts with an example of a device breaking apart right after the warranty expires and ends with “it was better in the old times”. Is it really that black and white in the world of electronics?

If you compare the “good old times” with now, you will see that electronic devices are dirt cheap. A big part of that is economy of scale and cheaper hardware chips. But it is also due to newer, smaller processes enabling manufacturers to fit more chips into the same wafer area, which enables them to earn more. And yes, with all the chip competition out there, more often than not these savings are passed on to the consumer.

But a smaller process also impacts durability - a chip with a foot-wide oxide layer (exaggerating a bit) is definitely going to have more durability than something done in a 10 nm process. So yes, that newer, smaller, more power efficient, and undoubtedly better chip will fail sooner than the one used in the phones of old. There is no escaping the laws of physics.

Another complaint I often hear is that nothing can be fixed these days - if something fails you must buy new. And that is bullshit too - almost everything can be fixed. Search on YouTube and you’ll find people playing with BGA level repairs all the time. The real issue is that, while everything can be fixed, it is often not worth doing so - unless you do it yourself.

Think of the guy doing diagnostics for something as simple as a dead capacitor. If he is lucky he can find it fast, if not he might spend hours troubleshooting a board that costs $200 to repair. Even if the final repair is just $1, he needs to charge for his time. Quite often the math ends up being that the cost of troubleshooting is simply too high compared to the cost of buying new. It is not that stuff cannot be repaired. It is just that it’s not worth the time.

And that is without taking into account the time one needs to open the damn device. If we use a phone as an example, often you will find excessive amounts of glue without a screw in sight. But that is not (only) the manufacturer’s problem. People want nice, curvy designs. People don’t care about the screws when they are buying the phone. I can bet you that 9 out of 10 people will just care that something looks beautiful and that it is cheap. The only time they will care about accessibility of the inner hardware is when the device fails.

What makes the new devices cheaper all the time is the extensive use of plastic, avoiding screws to lower the cost of assembly, and removing all the parts you can live without. Any manufacturer that would build their devices purely for maintainability and durability would probably be bankrupt within a few years. Partially because its devices would be more expensive but partially just due to the time needed to get the design just right.

Do we have a problem with devices falling into obsolescence faster and faster? I would say yes. But manufacturers are not to blame. It is us consumers voting with our wallets. As long as consumers want cheap and beautifully designed devices, repairability will suffer.

Pebble, the Second

Imagine this scenario: you are in the woods, lost, tired, all you need is to find the north. You look at your smartwatch, start the compass application and you are saved.

I lived through this scenario (minus the dramatics) and I tried to use my Pebble. A year ago, with the old firmware, this would work. I knew the new Pebble Time firmware screwed things up by requiring a phone connection in order to swap the active application. What I didn’t know is that the damn thing now also requires Internet access. Why? Why? WHY?

There are a couple of things I ask of my smartwatch. It has to be water resistant, its battery has to last for a few days, it has to properly do notifications, and it has to work without a phone. Pebble had it all for me until the new firmware. Since they started with this Time interface my use cases got screwed up. I am not saying it is a bad interface as such - maybe there are crazies out there who like the fact that now they can actually hold only one application in memory. It just became painful for me.

I know Pebble has a new Kickstarter with a bunch of new devices. And I was tempted for a while to actually back it. However, looking at all of them, there is nothing for me there. I don’t need a heart monitor as I am pretty sure my heart is working and that I’ll be the first person to notice when it stops. I don’t need the color screen - my wife has one and the only difference is worse readability. And I definitely don’t need Core.

Pebble lately puts a lot of hope into tracking activities but then allows swapping applications only when a smartphone (with Internet connection!) is available. It puts a lot into the battery life but then sucks the life out of it if the Bluetooth connection is not just right. I think their desire to cover all bases is making them produce more devices than they can realistically support. They have five different models already. Kickstarter brings this up to seven. All this brings firmware quality down…

I am not saying I won’t buy another Pebble, who knows, maybe the perfect firmware is out there. I am just saying I’ll wait for my Steel to die first. When that happens I will decide on what to buy next. And frankly, it doesn’t seem likely it will be another Pebble.

Cinemark Cinema and the Waste of Time

Occasionally I visit a cinema with family - this time it happened due to Inside Out - a decent family movie with a couple of good jokes. Not the best I’ve seen but not the worst way to spend Saturday night either.

After getting tickets and buying overpriced snacks, we took our places and watched various commercials, trailers, and messages about the evils of the mobile phone. To quote them: “… we want our customers to enjoy their movie - FREE from distraction …” I share the view that mobile phones are distractions during a movie and I do believe in silencing them completely. What I don’t get is why stop there? Why not remove the other distractions?

Why do I need to go through 10 commercials? Why are there at least 5 trailers before the movie I actually came to see? Why the heck does a movie scheduled for 7:25 start at 7:40? This so reminds me of the unskippable FBI warnings on DVDs. Why the heck are you molesting your paying customers? Is there anybody really thinking those warnings work? Is there anybody really thinking pre-movie trailers do anything?

Frankly these days I avoid going to the cinema almost completely. The only exceptions are animated movies that come recommended by friends as worthy of the big screen. All other stuff I simply ignore until it arrives on Amazon or Netflix. If it doesn’t arrive there in a timely manner I usually forget about it altogether and I don’t think I lose much.

I do love watching a movie on the big screen in the cinema. I even love their overpriced popcorn. But I simply cannot handle the amount of rubbish one has to consume before actually getting to see the movie. And with passing years it is only getting worse.

PS: And coming late is not the solution as in the States seats are given on a first come, first served basis.

Why Authy?

Illustration

I am a big fan of two-factor authentication. Heck, I even have my own site and C# code to prove it. :)

Let’s just quickly recap the most common form of two-factor authentication: besides the user name and password your service provider usually has, you have an additional private key (a shared secret) between the two of you. Based on that key, the current time, and some clever crypto (also known as TOTP) you get a new 6-digit code every 30 seconds. Whenever additional security is needed (e.g. login from a new computer) you enter that code and the server checks it against its own calculation. Since the entered code depends on a key that is never transmitted over the network and it changes all the time, the chances of somebody faking your account, regardless of snooping traffic and knowing your user name and password, are significantly lowered.

While all this is not a panacea, for me it is clear: if some service has the option of two-factor authentication, you can pretty much be sure I’m going to use it. Except for CloudFlare. Why? Because CloudFlare decided to go with Authy.

The major beef I have is that, while I trust CloudFlare, that trust does not extend to all their partners. With Authy, not only am I giving my phone number but I actually have to entrust my (partial) login details to them. By design they have my login e-mail, phone number and token. Only the password is missing from the list. While pretty much all other services will allow me to retrieve the shared key and use an application of my choice, with me deciding who I want to trust, with Authy that choice is out of your hands.

If you want to use it with another application you will stumble upon a wall of intentional incompatibility. Where virtually everybody else uses 6 digits with SHA-1, Authy uses SHA-256 and 7-digit codes. Although there are some attacks on the SHA-1 algorithm, they do not apply to the HMAC version of it used with TOTP. In this context SHA-1 is as secure as SHA-256 - no more, no less. A seven-digit code does give slightly increased security but not a significant one. It pretty much boils down to the fact that the only benefit Authy gets from this is user lock-in.

There is at least one 6-digit SHA-1 TOTP client on every platform you can think of. From the Linux command line to a Pebble watch. You can have your code generated wherever you want. Not so with Authy - it only supports iPhone, Android, BlackBerry and Chrome. Forget about a native Windows or OS X application.

Yes, Authy can import other keys (e.g. Google’s), largely helped by the fact that all other TOTP services use exactly the same process Authy intentionally avoids. If you do that you get the benefit of syncing all your tokens across all your devices. Think about that for a moment. For that to work Authy has to store them centrally. Can you really ignore the fact that Authy suddenly has access to tokens for all the services you hold dear and that some SSL bug might cause their exposure? I prefer not to even think what damage a rogue employee might do.

In some regards I appreciate proprietary services like VIP Access more - while they are not cooperating with other applications and are fracturing the auth universe, at least they are not trying to steal all your other tokens. While intentions might be the best, Authy is doing just that - stealing all your tokens under the false pretense that it can keep that data secure.

Among all the crazy stuff, the only saving grace for Authy is the ability to PIN protect the mobile application. Considering all the other nonsense Authy brings, I don’t think it’s worth it - just practice locking your phone.

All this is not really Authy’s fault. They have their business case whether they continue to provide an API for two-factor authentication or if they decide to run with all the collected data. I am disappointed with CloudFlare for their lousy job in analyzing what users want. Although they did go through the motions, their conclusions don’t make sense. Let me give you a few examples:

Although they kick the Google Authenticator platform out of their consideration, they end up deciding on essentially the same system with Authy - both the Google and Authy systems rely on standardized TOTP cryptography. There is essentially no difference between them - other than Google having an open-source solution and Authy being closed-source. And the bug they mention had nothing to do with cryptography anyhow.

Then they mention Authy’s ability to revoke keys as a huge advantage. Compared to others, Authy’s system is just over-engineered, with separate private/public and token keys. All other systems don’t offer easy revoke functionality because they don’t have to - just generate a new key instead of the old one and you have exactly the same effect because all codes generated with the old key won’t match. All Authy offers here is a dialog box toward the customer explaining that the key is revoked. At most this is a GUI benefit, not a security one.

Lastly they state that TOTP requires a “fairly precise match” of the user’s clock for authentication to work. How do you define fairly precise? In the RFC itself it is recommended to allow for at least 30 seconds difference (up to 89 seconds). Even if we assume you have a valid reason why some of your clocks might be more than 30 seconds off, do you wonder how Authy accomplishes better reliability than others? The only way they can do that is if they accept a code for longer and essentially make more codes valid. There is a reason why 30 seconds was selected as a step and why the acceptable window is recommended to be within 60 seconds and not e.g. 20 days.
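
As an added example (not code from this post, from Authy, or from CloudFlare), here is a small RFC 6238 TOTP in Python that puts the 6-digit SHA-1 profile next to the 7-digit SHA-256 one and shows how widening the acceptance window makes more codes valid. The keys and timestamps are the public RFC 6238 Appendix B test values; the function names and the reading of "20 days" as a window of 20 days on either side are assumptions made for illustration.

```python
import hmac
import struct

# RFC 6238 Appendix B test keys (public test values, not real secrets).
RFC_SHA1_KEY = b"12345678901234567890"
RFC_SHA256_KEY = b"12345678901234567890123456789012"


def hotp(key: bytes, counter: int, digits: int = 6, digest: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6, digest="sha1"):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits, digest)


def verify(key, code, server_time, window=1, step=30, digits=6, digest="sha1"):
    """Accept `code` if it matches any step within +/- `window` steps of the server's."""
    current = int(server_time) // step
    ok = False
    for drift in range(-window, window + 1):
        if current + drift < 0:
            continue  # no time step exists before the epoch
        candidate = hotp(key, current + drift, digits, digest)
        # Constant-time compare; no early exit, so timing does not show which step hit.
        ok |= hmac.compare_digest(candidate, code)
    return ok


def guess_probability(window, digits=6):
    """Upper bound on one blind guess passing: (2*window + 1) codes are valid at once."""
    return (2 * window + 1) / 10 ** digits


if __name__ == "__main__":
    t = 59
    print("6-digit SHA-1  :", totp(RFC_SHA1_KEY, t))
    print("7-digit SHA-256:", totp(RFC_SHA256_KEY, t, digits=7, digest="sha256"))

    # Client clock two seconds behind the server, straddling a 30 s boundary.
    code = totp(RFC_SHA1_KEY, 1111111109)
    print("window=0:", verify(RFC_SHA1_KEY, code, 1111111111, window=0))
    print("window=1:", verify(RFC_SHA1_KEY, code, 1111111111, window=1))

    # Widening the window buys clock tolerance by making more codes valid.
    for label, window in (("+/-30 s", 1), ("+/-20 days", 20 * 86400 // 30)):
        print(f"{label:>10}: {guess_probability(window):.6%} per guess")
```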

It might just be me, but I think CloudFlare made a bad choice and I won’t be having it.

PS: Gem from Authy’s privacy policy: “If Authy is involved in a merger, acquisition or asset sale, we might not continue to ensure the confidentiality of any personal information nor give affected users notice before personal information is transferred or becomes subject to a different privacy policy.” Honest and worrisome.

PPS: Yes, screenshot is real: iPhone application seems to have a bug where certain private keys that work just fine on Android and Chrome will cause output to be 000000.

How Not to Trim?

In order to play with electronics, one has to get some sweet parts. Ever since I moved to the States my supplier has been DigiKey. They have a good part selection, decent prices, and while their interface is not really the newest thing out there, it is good enough. Yes, I do occasionally have an issue or two but when my orders arrive, everything is in perfect order. Usually.

Since I always have multiple projects in parallel, I got into the habit of using the Customer Reference field to the fullest. I always fill in not only my name for the component but also the project name (e.g. C 10nF /16V NP0 (0805) [Esp8266Plug A1452]). That way I can easily sort stuff when it arrives and this has worked for me for a long time. But with the latest order I got a few packages where the Customer Reference text was Character Limit Exceeded and my component sorting got interesting.

It was obvious what happened. One of the many components that deal with data entry and printing labels didn’t like the field length. Not an ideal situation but nothing uncommon either. However, the decision on how to handle this situation is really bad.

First of all, the line has enough space for at least 72 characters. Why would you put a software limit at 48? My best guess is that the limit was decided some time long ago for a completely different kind of label. They switched labels and simply forgot to update the length. Or there might be some legacy component in the middle that can handle only 48 characters. I think that would also be a good reason for limiting the length so low. The most realistic reason is that somebody simply copy/pasted the same limit as defined for the Description field. I can completely understand how that could happen.

But there is NO EXCUSE in deciding to drop the whole customer’s text and replace it with your own. Your system has limitations, and you obviously had them in mind during design. Perfect A in my opinion. But why wouldn’t you just WARN me when I enter that reference in the first place? There is data verification done on that page for the other fields. Why is this field so special that no verification can be performed?

And, if you really have to do anything, don’t replace MY text - trim it. What would help the customer better: Character Limit Exceeded or Q MOSFET, P-channel (SOT23-3) [ElectroPiggy A...? I am not sure what was going through the head of the person who made that particular decision but they definitely didn’t think of the customer.

I guess my script for ordering the parts will get another update…

Chilling

As I was doing a search on my own site, I noticed that one result was missing and in its place all I had was “In response to a complaint we received under the US Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org.”

Going to the ChillingEffects link I found out that page in question was Installing Windows 8.1 (or 8) without a product key. Despite the name that might indicate some shenanigans, post only covers functionality that has been officially documented by Microsoft themselves (here and here). Heck, I even said so at the bottom of the post.

The only keys that ever appeared in that post were posted by other people in the comments section. Some of them stayed there for a bit longer (e.g. Microsoft’s own default key), some comments were removed instantly (obvious pirate ones), and all surviving keys were changed to XXXXX anyhow (as soon as I noticed them).

My firm belief is that page doesn’t infringe so I went about finding a way to clear its name.

First issue was to find how to file counter notice. Among all links in regards to DMCA on both Google and ChillingEffects.org, there is not a single contact you can pursue for this. I did know that Marketly was one that complained on behalf of Microsoft, but there was no actual e-mail (no, microsoft-[redacted]marketly.com is not a valid e-mail) or postal address behind those. All that searching around gave me was a link to YouTube DMCA process but nothing applicable to Google Search.

After a while my inquiry finally stopped at the Google Webmaster forum where I finally got two links. It was either DMCA Counter Notification form or Restore URLs form. I went with a good faith belief that infringing content was indeed in comments and that Restore URLs form was an appropriate venue.

This happened on December 13th. Link is still blocked and there is no response from Google whatsoever. Company that usually takes content down less than 24 hours after notice is received sure does take its time doing the opposite thing. Or even just responding to my request with “you’re wrong”.

Whole process left me a bit baffled by a few things. First of all is the recipient of DMCA notice itself - Google, Inc. [Blogger]. I haven’t had my page hosted by blogger for three years now. If my assumption was correct about them finding issue with comments on my post, proper venue would be to send DMCA to either Google Inc. or to myself and not to an uninvolved third party.

Slightly more troubling issue is why I haven’t received information about issue from Google. I searched all my e-mails and I could not find a single warning about any issue. I have Google’s webmaster tools and nothing is there either.

And lastly I find it absolutely unacceptable to have a DMCA notice filed without a proper e-mail address for a response. The notice on ChillingEffects.org did have the name of a person but only a generic Microsoft address as a contact and a redacted e-mail. That makes it impossible to respond directly. I believe that minimal courtesy would be to leave a valid e-mail.

All in all, between figuring all the information and writing this post, I have wasted a complete day on this topic. It is a matter of principle to me because I take this DMCA take down very personally. However, looking back at this I don’t think I will ever deal with this again. It just requires too much effort to go through motions for something that is essentially just a hobby.

PS: I find two things curious:

PPS: Yes, I am aware that DMCA is over a year old. I don’t google looking for my own posts that often…

Humble Bundle and One Order Too Many

I am a fan of Humble Bundle so when they announced their winter sale, I of course had to buy something. As anybody with small kids will tell you, it is hard to go wrong with LEGO Harry Potter.

I used PayPal to pay for a gift purchase for one kid and tried to get the same for another only to be faced with “Sorry, your Humble Store order has been canceled. We have received too many purchase requests from you in a short period of time, so we have canceled your order (you will not be charged). We are very sorry for the inconvenience.” Well, I did try to buy second game less than another so I gave it a few minutes. Same again. Gave it 30 minutes, same again. Then 2 hours, same again.

At that time I decided to contact Humble Bundle support, the only website that gives you Forbidden error when you try to create a new account. At least their support system sends responses via e-mail so I could afford to give up on setting the proper account.

Talking with Peter, their support guy, didn’t gain me much: “The purchase limits are part of anti-fraud measures”; “unusually large wave of traffic from one person”; “Sadly I am unable to lift the fraud protection”; and my favorite “Unfortunately I am unable to reveal that information”. I have been Humble’s customer since their very first Bundle. I have bought multiple games before (in one instance three of them). But now, two orders in a row are considered too many.

I understand that there was a need for some automated protections so people would not buy a bunch of games and resell them. But I cannot believe that anybody would think a proper limit would be a single game per person, especially since they do offer the option of a gift. And even if that is the decision, why would you not give the possibility of an override to your own support staff? And why don’t you tell your customers how long they need to wait between purchasing two games? A day? A month? A year?

I did solve it at the end by using my credit card instead of PayPal. Somehow I am not considered a fraud if I use different payment method…

CoPilot Conundrums

Back in 2011, I bought the CoPilot GPS application for Android (it was called CoPilot Live back then). It came quite pricey at $70 (with full Europe and North America maps) but I considered an offline GPS a worthwhile investment.

As I stopped traveling as much I also stopped using CoPilot regularly. I still kept it updated and I still used it on occasional weekend without any issue. As I prepared for my vacation in Croatia, I was sure I had everything I need. I had a full contingent of North American maps along with most of Europe. I always make it a point to download Croatian maps first so I felt quite prepared.

Move forward a few days and I have landed in Croatia. I turned on my CoPilot GPS only to be greeted with an empty screen. Quick search gave me a solution - just reinstall everything. I did as it was written and got a new error - my account seemed not to exist any more. It was time to contact customer service.

After quite a fast initial reply I was asked to share my user name and password with them. In my mind there is NO GOOD REASON why customer service would want your password. The only possible reason is that their system isn’t built right. However, I used a unique password for CoPilot anyhow and I was in a hurry so I complied, hoping it would help solve the problem faster.

Fast-forward three weeks, FIVE separate queries for my password, three screenshots of actual error and me sending them original purchase e-mails (why they don’t have access to purchase e-mails is beyond me). All that and I only had my account back. On the very last day of my Croatian trip I also had a map of Croatia working but WITHOUT navigation support - in other words, CoPilot was still useless.

I am back in the States at this time, well into the third week of the CoPilot troubleshooting and I finally got my European maps back. But, alas, I still have no North American maps assigned to my account. My Croatian maps might be working at this time but I am not there anymore. I will update this post as situation unravels.

Few years ago I might have been in trouble for these three weeks but not today. As I noticed that this CoPilot issue was going south, I bought a prepaid SIM with 1 GB data for about $5. This allowed me to use Google Maps and they worked flawlessly. Yes, CoPilot might be more configurable and I personally prefer it since it feels and works as a real car GPS should. But all that was spoiled by it not working at all. I am scared to think how my vacation would look in the country I didn’t know and without readily available prepaid SIMs.

Yes, I will continue using CoPilot in future because it is a really good application - when it works. I just won’t recommend it without any reservation.

[2014-10-15: I finally got my maps back. Maybe it is just fortunate timing but I got them back minutes from tweeting their support (@copilotsupport). Note to self for next time: first tweet support and then open a ticket.]

Password Change, Why?

The Heartbleed OpenSSL bug is currently the main computer topic of the mainstream media. And they all offer the same idiotic advice - change the password. I am not saying that the “change the password” mantra is useless. No, it is bloody dangerous.

Let’s first see what the bug does: it simply allows an attacker to read a (semi)random 64K block of memory they should not see. And it allows them to repeat that attack until they have all the data they want. If the leaked blocks contain a cookie, somebody can impersonate you. If they contain a user name and password, the attacker just hit the jackpot. If they contain the private SSL key, the attacker is in heaven.

Based on that fact, a password change seems reasonable. But think again. Practically the only way OpenSSL might have your password in its memory is if you sent it to it in the first place. When was the last time you actually sent your password for e.g. GMail? The answer is a long time ago. The only piece of data the server can have for you is your cookie that keeps you logged in. And you can reset that one with a simple logout. But that is not the dangerous part.

If you change your password on a server that is still compromised, you are putting it in OpenSSL’s memory at that exact moment. In essence, you are giving away your newly created password directly to an attacker. And, since the password is freshly changed, you probably won’t change it for a while. It is WORSE than doing nothing.

For a safety-first approach, log out of any important service you are using. That way you are preventing somebody from using your login cookie. Then go and CHECK whether the site is compromised. Once you know the host is not compromised any more, log in again. And ONLY THEN think about changing the password.

If the host is still compromised, do not log onto it. I don’t care what service it offers. Either it is important (e.g. bank website) or it is not worth the risk.


PS: To summarize: I am not against the password change - it is probably a wise move since this bug has been out for the last two years. I am just against doing it irresponsibly, without checking whether the site has been fixed first.

PPS: Since you are changing passwords anyhow, be intelligent and use a different password for each site.

PPPS: Seems like a good time to turn on two-factor authentication (if the website has it).