Things that get me annoyed

Cinemark Cinema and the Waste of Time


Occasionally I visit a cinema with family - this time it happened due to Inside Out - a decent family movie with a couple of good jokes. Not the best I’ve seen but not the worst way to spend Saturday night either.

After getting tickets and buying overpriced snacks, we took our places and watched various commercials, trailers, and messages about the evils of the mobile phone. To quote them: “… we want our customers to enjoy their movie - FREE from distraction …” I share the view that mobile phones are distractions during a movie and I do believe in silencing them completely. What I don’t get is why stop there? Why not remove the other distractions?

Why do I need to go through 10 commercials? Why are there at least 5 trailers before the movie I actually came to see? Why the heck does a movie scheduled for 7:25 start at 7:40? This so reminds me of the unskippable FBI warnings on DVDs. Why the heck are you molesting your paying customers? Is there anybody really thinking those warnings work? Is there anybody really thinking pre-movie trailers do anything?

Frankly these days I avoid going to cinema almost completely. Only exception are animated movies that come recommended by friends as worthy of the big screen. All other stuff I simply ignore until it arrives on Amazon or Netflix. If it doesn’t arrive there timely I usually forget about it altogether and I don’t think I lose much.

I do love watching a movie on the big screen in the cinema. I even love their overpriced popcorn. But I simply cannot handle amounts of rubbish one has to consume before actually getting to see the movie. And with passing years it is only getting worse.

PS: And coming late is not the solution as in States seats are given on first come, first served basis.

Why Authy?


I am a big fan of two-factor authentication. Heck, I even have my own site and C# code to prove it. :)

Let’s just quickly recap the most common form of two-factor authentication: besides the user name and password your service provider usually has, there is an additional secret key shared between the two of you. Based on that key, the current time, and some clever crypto (also known as TOTP) you get a new 6-digit code every 30 seconds. Whenever additional security is needed (e.g. login from a new computer) you enter that code and the server checks it against its own calculation. Since the entered code depends on a key that is never transmitted over the network and it changes all the time, the chances of somebody faking your account, regardless of snooping traffic and knowing your user name and password, are significantly lowered.

While all this is not panacea, for me it is clear: If some service has option of two-factor authentication, you can pretty much be sure I’m going to use it. Except for CloudFlare. Why? Because CloudFlare decided to go with Authy.

Major beef I have is that, while I trust CloudFlare, that trust does not extend to all their partners. With Authy not only I am giving my phone number but I actually have to trust my (partial) login details to them. By design they have my login e-mail, phone number and token. Only password is missing from the list. While pretty much all other services will allow me to retrieve shared key and use application of my choice with me deciding who I want to trust, with Authy that choice is out of your hands.

If you want to use it with another application you will stumble upon a wall of intentional incompatibility. Where virtually everybody else uses 6 digits with SHA-1, Authy uses SHA-256 and 7-digit codes. Although there are some attacks on the SHA-1 algorithm, they do not apply to its HMAC version used with TOTP. In this context SHA-1 is as secure as SHA-256 - no more, no less. A seven-digit code does give slightly increased security but not a significant one. It pretty much boils down to the fact that the only benefit Authy gets from this is user lock-in.

There is at least one 6-digit SHA-1 TOTP client on every platform you can think of. From Linux command line to a Pebble watch. You can have your code generated wherever you want. Not so with Authy - it only supports iPhone, Android, BlackBerry and Chrome. Forget about native Windows or OS X application.

Yes, Authy can import other keys (e.g. Google’s), largely helped by the fact that all other TOTP services use exactly the same process Authy intentionally avoids. If you do that you get the benefit of syncing all your tokens across all your devices. Think about that for a moment. For that to work Authy has to store them centrally. Can you really ignore the fact that Authy suddenly has access to tokens for all services you hold dear and that some SSL bug might cause their exposure? I prefer not to even think what damage a rogue employee might do.

In some regards I appreciate proprietary services like VIP Access more - while they are not cooperating with other applications and are fracturing the auth universe, at least they are not trying to steal all your other tokens. While intentions might be the best, Authy is doing just that - stealing all your tokens under the false pretense that it can keep that data secure.

Among all the crazy stuff, only saving grace for Authy is ability to PIN protect mobile application. Considering all other nonsense Authy brings, I don’t think it’s worth it - just practice locking your phone.

All this is not really Authy’s fault. They have their business case whether they continue to provide API for two-factor authentication or if they decide to run with all collected data. I am disappointed with CloudFlare for their lousy job in analyzing what users want. Although they did go through motions, their conclusions don’t make sense. Let me give you a few examples:

Although they kick out Google Authenticator platform from their consideration, they end up deciding on essentially same system with Authy - both Google and Authy system rely on standardized TOTP cryptography. There is essentially no difference between them - other than Google having open-source solution and Authy being closed-source. And bug they mention had nothing to do with cryptography anyhow.

Then they mention Authy’s ability to revoke keys as a huge advantage. Compared to others Authy’s system is just over engineered with having separate private/public and token keys. All other systems don’t offer easy revoke functionality because they don’t have to - just generate a new key instead of the old one and you have exactly the same effect because all codes generated with the old key won’t match. All Authy offers here is a dialog box toward customer explaining that key is revoked. At most this is GUI benefit, not a security one.

Lastly they state that TOTP requires “fairly precise match” of the user’s clock for authentication to work. How do you define fairly precise? In RFC itself it is recommended to allow for at least 30 seconds difference (up to 89 seconds). Even if we assume you have valid reason why some of your clocks might be more than 30 seconds off, do you wonder how Authy accomplishes better reliability than others? Only way they can do that is if they accept code for longer and essentially make more codes valid. There is a reason why 30 seconds was selected as a step and why acceptable window is recommended to be within 60 seconds and not e.g. 20 days.
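To make the two comparisons above concrete (6-digit SHA-1 versus 7-digit SHA-256, and a narrow versus a wide acceptance window), here is an added example, not code from this post or from Authy. It implements the standard RFC 4226/6238 calculation; the keys are the published RFC 6238 Appendix B test keys, and `verify` and `guess_chance` are illustrative helper names.

```python
import hmac
import struct

# Published test keys from RFC 6238 Appendix B (not real secrets).
RFC_KEY_SHA1 = b"12345678901234567890"
RFC_KEY_SHA256 = b"12345678901234567890123456789012"


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, digits=6, algo="sha1", step=30):
    """RFC 6238: the counter is the number of whole time steps since the epoch."""
    return hotp(key, unix_time // step, digits, algo)


def verify(key, code, unix_time, window=1, digits=6, algo="sha1", step=30):
    """Return the step offset at which the code matched, or None.

    window is the number of steps accepted on each side of the server's
    current step, so 2 * window + 1 different codes are valid at any moment.
    """
    current = unix_time // step
    match = None
    for drift in range(-window, window + 1):
        if current + drift < 0:
            continue
        expected = hotp(key, current + drift, digits, algo)
        # Constant-time comparison; keep looping so timing does not reveal the offset.
        if hmac.compare_digest(expected, code) and match is None:
            match = drift
    return match


def guess_chance(window, digits):
    """Chance that a single random guess is accepted for a given window."""
    return (2 * window + 1) / 10 ** digits


if __name__ == "__main__":
    code = totp(RFC_KEY_SHA1, 59)
    print("6-digit SHA-1 code at t=59:  ", code)
    print("7-digit SHA-256 code at t=59:",
          totp(RFC_KEY_SHA256, 59, digits=7, algo="sha256"))
    print("accepted 30 s later, window=1:", verify(RFC_KEY_SHA1, code, 89))
    print("accepted at t=150, window=1: ", verify(RFC_KEY_SHA1, code, 150))
    print("accepted at t=150, window=4: ", verify(RFC_KEY_SHA1, code, 150, window=4))
    # 20 days of tolerance is 57600 steps on each side of the current one.
    print("guess chance, window=1:      ", guess_chance(1, 6))
    print("guess chance, 20-day window: ", guess_chance(57600, 6))
```

The seventh digit buys a factor of ten against guessing, and every extra step of clock tolerance gives part of that back.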

It might just be me, but I think CloudFlare made a bad choice and I won’t be having it.

PS: Gem from Authy’s privacy policy: “If Authy is involved in a merger, acquisition or asset sale, we might not continue to ensure the confidentiality of any personal information nor give affected users notice before personal information is transferred or becomes subject to a different privacy policy.” Honest and worrisome.

PPS: Yes, screenshot is real: iPhone application seems to have a bug where certain private keys that work just fine on Android and Chrome will cause output to be 000000.

How Not to Trim?


In order to play with electronics, one has to get some sweet parts. Ever since I moved to States my supplier was DigiKey. They have good part selection, decent prices, and while their interface is not really the newest thing out there, it is good enough. Yes, I do occasionally have an issue or two but when my orders arrive, everything is in perfect order. Usually.

Since I always have multiple projects in parallel, I got into habit of using Customer Reference field to the fullest. I always fill not only my name for the component but also project name (e.g. C 10nF /16V NP0 (0805) [Esp8266Plug A1452]). That way I can easily sort stuff when it arrives and this has worked for me for long time. But with latest order I got a few packages where Customer Reference text was Character Limit Exceeded and my component sorting got interesting.

It was obvious what happened. One of many components that deals with data entry and printing labels didn’t like the field length. Not ideal situation but nothing uncommon either. However, decision of handling this situation is really bad.

First of all, line has enough space for at least 72 characters. Why would you put software limit to 48? My best guess is that limit was decided some time long ago for completely different kind of label. They switched labels and simply forgot to update the length. Or there might be some legacy component in the middle that can handle only 48 characters. I think that would be also a good reason for limiting length so low. Most realistic reason is that somebody simply copy/pasted the same limit as defined for Description field. I can completely understand how that could happen.

But there is NO EXCUSE in deciding to drop the whole customer’s text and replace it with your own. Your system has limitations, and you obviously had them in mind during design. Perfect A in my opinion. But why wouldn’t you just WARN me when I enter that reference in the first place? There is data verification done on that page for the other fields. Why is this field so special that no verification can be performed?

And, if you really have to do anything, don’t replace MY text - trim it. What would help customer better: Character Limit Exceeded or Q MOSFET, P-channel (SOT23-3) [ElectroPiggy A...? I am not sure what was going through the head of person who made that particular decision but they definitely didn’t think of customer.

I guess my script for ordering the parts will get another update…

Chilling


As I was doing a search on my own site, I noticed that one result was missing and in its place all I had was “In response to a complaint we received under the US Digital Millennium Copyright Act, we have removed 1 result(s) from this page. If you wish, you may read the DMCA complaint that caused the removal(s) at ChillingEffects.org.”

Going to the ChillingEffects link I found out that page in question was Installing Windows 8.1 (or 8) without a product key. Despite the name that might indicate some shenanigans, post only covers functionality that has been officially documented by Microsoft themselves (here and here). Heck, I even said so at the bottom of the post.

The only keys that ever appeared in that post were posted by other people in the comments section. Some of them stayed there for a bit longer (e.g. Microsoft’s own default key), some comments were removed instantly (obvious pirate ones), and all surviving keys were changed to XXXXX anyhow (as soon as I noticed them).

My firm belief is that page doesn’t infringe so I went about finding a way to clear its name.

First issue was to find how to file counter notice. Among all links in regards to DMCA on both Google and ChillingEffects.org, there is not a single contact you can pursue for this. I did know that Marketly was one that complained on behalf of Microsoft, but there was no actual e-mail (no, microsoft-[redacted]marketly.com is not a valid e-mail) or postal address behind those. All that searching around gave me was a link to YouTube DMCA process but nothing applicable to Google Search.

After a while my inquiry finally stopped at the Google Webmaster forum where I finally got two links. It was either DMCA Counter Notification form or Restore URLs form. I went with a good faith belief that infringing content was indeed in comments and that Restore URLs form was an appropriate venue.

This happened on December 13th. Link is still blocked and there is no response from Google whatsoever. Company that usually takes content down less than 24 hours after notice is received sure does take its time doing the opposite thing. Or even just responding to my request with “you’re wrong”.

Whole process left me a bit baffled by a few things. First of all is the recipient of DMCA notice itself - Google, Inc. [Blogger]. I haven’t had my page hosted by blogger for three years now. If my assumption was correct about them finding issue with comments on my post, proper venue would be to send DMCA to either Google Inc. or to myself and not to an uninvolved third party.

Slightly more troubling issue is why I haven’t received information about issue from Google. I searched all my e-mails and I could not find a single warning about any issue. I have Google’s webmaster tools and nothing is there either.

And lastly I find it absolutely unacceptable to have a DMCA notice filed without a proper e-mail address for a response. The notice on ChillingEffects.org did have the name of a person but only a generic Microsoft address as a contact and a redacted e-mail. That makes it impossible to respond directly. I believe that minimal courtesy would be to leave a valid e-mail.

All in all, between figuring all the information and writing this post, I have wasted a complete day on this topic. It is a matter of principle to me because I take this DMCA take down very personally. However, looking back at this I don’t think I will ever deal with this again. It just requires too much effort to go through motions for something that is essentially just a hobby.

PS: I find two things curious:

PPS: Yes, I am aware that DMCA is over a year old. I don’t google looking for my own posts that often…

Humble Bundle and One Order Too Many


I am a fan of Humble Bundle so when they announced their winter sale, I of course had to buy something. As anybody with small kids will tell you, it is hard to go wrong with LEGO Harry Potter.

I used PayPal to pay for a gift purchase for one kid and tried to get the same for another only to be faced with “Sorry, your Humble Store order has been canceled. We have received too many purchase requests from you in a short period of time, so we have canceled your order (you will not be charged). We are very sorry for the inconvenience.” Well, I did try to buy second game less than another so I gave it a few minutes. Same again. Gave it 30 minutes, same again. Then 2 hours, same again.

At that time I decided to contact Humble Bundle support, the only website that gives you Forbidden error when you try to create a new account. At least their support system sends responses via e-mail so I could afford to give up on setting the proper account.

Talking with the Peter, their support guy, didn’t gain me much: “The purchase limits are part of anti-fraud measures”; “unusually large wave of traffic from one person”; “Sadly I am unable to lift the fraud protection”; and my favorite “Unfortunately I am unable to reveal that information”. I have been Humble’s customer since their very first Bundle. I have bought multiple games before (in one instance three of them). But now, two orders in a row are considered too many.

I understand that there was a need for some automated protections so people would not buy bunch of games and resell them. But I cannot believe that anybody would think a proper limit would be a single game per person, especially since they do offer option of a gift. And even if that is a decision, why would you not give possibility of an override to your own support staff? And why don’t you tell your customers how long they need to wait between purchasing two games? A day? A month? A year?

I did solve it at the end by using my credit card instead of PayPal. Somehow I am not considered a fraud if I use different payment method…

CoPilot Conundrums


Back in 2011, I bought the CoPilot GPS application for Android (it was called CoPilot Live back then). It came quite pricey at $70 (with full Europe and North America maps) but I considered an offline GPS a worthwhile investment.

As I stopped traveling as much I also stopped using CoPilot regularly. I still kept it updated and I still used it on occasional weekend without any issue. As I prepared for my vacation in Croatia, I was sure I had everything I need. I had a full contingent of North American maps along with most of Europe. I always make it a point to download Croatian maps first so I felt quite prepared.

Move forward a few days and I have landed in Croatia. I turned on my CoPilot GPS only to be greeted with an empty screen. Quick search gave me a solution - just reinstall everything. I did as it was written and got a new error - my account seemed not to exist any more. It was time to contact customer service.

After quite a fast initial reply I was asked to share my user name and password with them. In my mind there is NO GOOD REASON why customer service would want your password. The only possible reason is that their system isn’t built right. However, I used a unique password for CoPilot anyhow and I was in a hurry so I complied, hoping it would help solve the problem faster.

Fast-forward three weeks, FIVE separate queries for my password, three screenshots of actual error and me sending them original purchase e-mails (why they don’t have access to purchase e-mails is beyond me). All that and I only had my account back. On the very last day of my Croatian trip I also had a map of Croatia working but WITHOUT navigation support - in other words, CoPilot was still useless.

I am back in the States at this time, well into the third week of the CoPilot troubleshooting and I finally got my European maps back. But, alas, I still have no North American maps assigned to my account. My Croatian maps might be working at this time but I am not there anymore. I will update this post as situation unravels.

Few years ago I might have been in trouble for these three weeks but not today. As I noticed that this CoPilot issue was going south, I bought a prepaid SIM with 1 GB data for about $5. This allowed me to use Google Maps and they worked flawlessly. Yes, CoPilot might be more configurable and I personally prefer it since it feels and works as a real car GPS should. But all that was spoiled by it not working at all. I am scared to think how my vacation would look in the country I didn’t know and without readily available prepaid SIMs.

Yes, I will continue using CoPilot in future because it is a really good application - when it works. I just won’t recommend it without any reservation.

[2014-10-15: I finally got my maps back. Maybe it is just fortunate timing but I got them back minutes from tweeting their support (@copilotsupport). Note to self for next time: first tweet support and then open a ticket.]

Password Change, Why?


Heartbleed OpenSSL bug is currently main computer topic of main-stream media. And they all offer same idiotic advice - change the password. I am not saying that “change the password” mantra is useless. No, it is bloody dangerous.

Let’s see what bug does first: it simply allows attacker to read (semi)random 64K block of memory it should not see. And it allows it to repeat that attack until it has all the data it wants. If leaked blocks contain a cookie, somebody can impersonate you. If they contain user name and password, attacker just got a jackpot. If they contain private SSL key, attacker is in heaven.

Based on that fact, a password change seems reasonable. But think again. Practically the only way OpenSSL might have your password in its memory is if you sent it to the server in the first place. When was the last time you actually sent your password for e.g. GMail? The answer is a long time ago. The only piece of data the server can have for you is the cookie that keeps you logged in. And you can reset that one with a simple logout. But that is not the dangerous part.

If you change your password on a server that is still compromised, you are putting it in OpenSSL’s memory at that exact moment. In essence, you are giving away your newly created password directly to an attacker. And, since the password is freshly changed, you probably won’t change it for a while. It is WORSE than doing nothing.
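The reasoning above as a toy model (an added example, not code from OpenSSL or from this post): the reused buffer, the request and the password are constructed, and the faithful parts are the heartbeat header layout and the RFC 6520 length check that the fix enforces.

```python
import struct

PADDING = 16     # minimum heartbeat padding required by RFC 6520
BUF_SIZE = 256   # toy receive buffer; the real over-read reached up to 64K

# Constructed sample data: a password-change request sent over TLS.
NEW_PASSWORD = b"correct-horse-2014"
PASSWORD_CHANGE = (b"POST /account/password HTTP/1.1\r\n"
                   b"Host: example.test\r\n\r\nnew=" + NEW_PASSWORD)


class ToyTlsServer:
    """Constructed model: one receive buffer reused across requests, never wiped."""

    def __init__(self, patched):
        self.patched = patched
        self.buf = bytearray(BUF_SIZE)

    def receive(self, data):
        # New data overwrites only its own length; older bytes stay behind it.
        self.buf[:len(data)] = data

    def heartbeat(self, record):
        self.receive(record)
        _msg_type, claimed = struct.unpack(">BH", record[:3])
        if self.patched and 1 + 2 + claimed + PADDING > len(record):
            return b""  # fixed behaviour: discard when the length field lies
        # Unpatched behaviour: echo 'claimed' bytes, trusting the sender.
        return bytes(self.buf[3:3 + claimed])


def heartbeat_record(payload, claimed_len):
    """type (1 byte) | payload length (2 bytes) | payload | padding"""
    return struct.pack(">BH", 1, claimed_len) + payload + bytes(PADDING)


def password_change_exposed(patched):
    """Is a password changed on this server readable through a later heartbeat?"""
    server = ToyTlsServer(patched)
    server.receive(PASSWORD_CHANGE)  # the user changes the password
    reply = server.heartbeat(heartbeat_record(b"ping", BUF_SIZE))
    return NEW_PASSWORD in reply


if __name__ == "__main__":
    print("changed before the fix:", password_change_exposed(patched=False))
    print("changed after the fix: ", password_change_exposed(patched=True))
```
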

For safety first approach log out of any important service you are using. That way you are preventing somebody using your login cookie. Then go and CHECK whether site is compromised. Once you know host is not compromised any more, log in again. And ONLY THEN think about changing the password.

If host is still compromised, do not log onto it. I don’t care what is the service it offers. Either it is important (e.g. bank website) or it is not worth the risk.


PS: To summarize: I am not against the password change - it is probably a wise move since this bug has been out for last two years. I am just against doing it irresponsibly, without checking whether site has been fixed first.

PPS: Since you are changing passwords anyhow, be intelligent and use different password for each site.

PPPS: Seems as a good time to turn on two-factor authentication (if website has it).

Blackmailing Bastards

With a new year there came a bit of change from my domain registrar. Their post is Croatian-only but this is the gist of it: there are new TLDs available (.app, .shop, etc.), e-mail address verification is required, and free whois privacy is gone.

For those not aware, each website must have name, address and similar personal stuff filled upon registration. Companies usually have no issues with this but for individuals this is really inconvenient because everyone on Internet suddenly knows your home address. To alleviate this issue, domain registrars are usually satisfied if they have your information and whois gets filled with alternate data (usually their address). And everybody is happy.

Starting this year Plus hosting will start charging additional 40 HRK (+ tax) for this service.

Just to make it clear, I am not blaming them for this increase. For last 8 years they have given me the best service I could imagine and their response time was remarkable (immediate response for non-urgent queries even on Christmas). Their web packages are competitive, servers are good and there is really almost nothing I would change.

Their top registrar (OpenSRS) decided to start charging for privacy and they really had no other choice than to forward that cost to their customers. Since they are really small company, swallowing the price increase themselves is probably not a realistic expectation.

And don’t be mistaken, this is pure blackmail by OpenSRS. Since your registrar is usually also your web hosting provider, you got domain for free. Going anywhere else for domain (and leaving web service where it is) would cost you around $10 which is exactly how much they charge you for privacy. Since cost is the same, most users won’t bother with transfer and they will just pay the ransom. It is essentially the same business model patent trolls use - make it cheaper/simpler to settle than to fight.

As for my site, I haven’t decided what to do. Simplest solution of paying the cost increase just seems wrong. Moving away from Plus hosting is not something I am even seriously considering because that would be punishing them for something outside of their control. And having domain with one registrar while web hosting is at other’s would be annoying any time when there is a DNS issue and two companies start playing troubleshooting ping-pong.

I already contacted Plus about this and they assure me that my private address won’t be visible. If true it will alleviate my biggest complaint. However, whether that is true or not is another matter. I am sure that guys at Plus believe it to be so but OpenSRS clearly lists address among the fields that are exposed. Time will tell.

Whatever decision might be, I have another few months to figure it out. Maybe OpenSRS idiots will smarten by then…

Why HP, Why?


Due to my Intel NUC needs I got myself a new 802.11ac wireless card (Intel 7260). Since NUC didn’t really need AC, I decided to put new card into wife’s aging HP mini and take its N wireless. My hope was that newer card would improve wireless range just a bit and thus I would gain her eternal gratitude. That was the plan at least.

As it is always the case with small machines, replacing anything is not really straightforward and some disassembly is required. In this case it was just removal of keyboard and new card went in even a bit easier than expected. After a bit of fidgeting with keyboard’s plastic tabs on reassembly I was ready to get into Windows.

Seconds later I was greeted with:

104 Unsupported wireless network device detected.
System Halted. Remove device and restart.

Yep, dear HP decided in their eternal wisdom to forbid wireless replacement. And I cannot imagine any other reason for this other than a case of pure assholeism.

It is definitely not for money. Not only that wireless cards almost never fail but their low cost would anyhow ensure that HP would see little to no profit on any exchange. Even worse, you can plugin another card that is same Broadcom chipset and it works. That means that they didn’t force anybody into using HP replacement services.

They also didn’t do it to force you into using HP upgrade - there is no such thing nor it was ever available. Maybe there were some plans but I doubt that because card was not really positioned to be user-replaceable.

The saving grace would be if they did it for compatibility. Maybe their testing discovered some bug on other cards so they decided to nip it in the bud. If this is really the case (no matter how unlikely it is) then it is pure laziness of the engineering team. They decided to solve a technical problem with a software block. And someone higher up decided to cover this up and not document such an incompatibility anywhere. But I really doubt that.

The most likely story is that some “smart” manager overheard engineers speaking about a difficult-to-replace wireless card. On that he said “We have it replaceable? We don’t have that on list of features. Disable it.” The engineer shrugged and did as he was told. And now, years after that moment of stupidity, we have a machine that cannot be upgraded. Not for a technical reason, but for pure politics.

Babysitting

I went on a road trip with my family over a weekend and, of course, I forgot to bring an audio cable. That small piece of wire was all that was keeping me apart from having my phone output beautiful music for my kids on a car stereo. No biggie, I thought, the car has Bluetooth, it will be a cakewalk to connect the phone.

It wasn’t.

You see, Ford in its eternal wisdom decided to forbid setting such things while car was moving. And the message clearly said: it was for my safety. I found that strange because I was sitting on a passenger seat, pretty sure that I wasn’t one holding the steering wheel. If car is moving, nobody should be allowed to do anything it seems.

And these “security features” seem to be just part of a bigger trend. Let’s just take National Highway Transportation Safety Agency recommendations for GPS functionality. For example, they suggest (V.5.b) that dynamic maps are not the best choice when it comes to visualization of travel data. Their recommendation is to have GPS update every few seconds. Yes, people looking every few seconds for an updated map, wondering whether what they see is current information or whether they have already screwed up the turn, will definitely make for safer driving.

We should also not forget Transportation Secretary Ray LaHood saying that your mobile phone should be disabled while in a car. I understand that mobile phone is a distraction but thing is that there is no way to reliably detect who is driving. And why shouldn’t passenger use driver’s mobile phone to, God forbid, look up maps or even worse, speak to his Mom who called him at wrong moment?

I am quite annoyed by all this babysitting and forbidding various distracting things for no measurable effect. It restricts quite useful scenarios when you do have two persons in the car and it does not offer any real safety benefit when you don’t. Face it, idiots will stay idiots and no amount of “features” will make them good drivers. They will just think of something else to entertain them while hurtling down a highway toward eventual doom.