Archive for the ‘rants and raves’ Category

Address to the Masses: A Tech Support Rant

Caution: Some PG-13 language. View in fullscreen at 720p or higher for best results.

Learn more:
http://en.wikipedia.org/wiki/Mosaic_web_browser
http://recordmydesktop.sourceforge.net/about.php
https://www.virtualbox.org/

[This presentation was made with the help of free and open source software]

Dear Microsoft: A Geek rant

Dear Microsoft:

Find a way to bring your operating systems up-to-date in one run of Windows Update. It makes no sense that one can install Windows in 20 minutes, migrate gigabytes worth of user data in about the same amount of time, and then need to spend 3-4 hours running 15-20 passes of Windows Update in order to get the job done properly. It’s embarrassing. To that end, I’ve got some tips for you to help you out in this matter:

  • Service packs should be the first thing to show up, not the last. Make them mandatory if you have to. I do not even want the option of installing a tiny security patch from last year that was integrated… or even made obsolete, by the Service Pack that came out a month later.
  • If I’m getting a new application through Windows Update (e.g. anything related to Office, Silverlight, Internet Explorer, PowerShell, .NET Framework, Security Essentials, etc.), I should receive the newest version of the application; none of this “security update for the thing you just installed” garbage.
  • I should never see updates for “Program version n” and the offer to install “Program version n+1” in the same window. Ever.

Every Linux distribution had this figured out years ago. Even Mac OS X can be fully up-to-date in two runs (one run for the latest Combo Update, one for anything left over). If I install OS X 10.7.1 (can’t imagine why I would but I have done odder things), I can jump straight to the currently-recommended release of 10.7.3 without needing to change flights in 10.7.2-land.

I’d like to threaten to take my business elsewhere, but I’ve already done that. Most of your “customers,” however, whom I support both professionally and pro Deo, will probably never quit using your operating system as long as they own a desktop or laptop computer… or have a job. Here’s why you should care anyway, and it has nothing to do with your users. I can download (granted, illegally) a copy of any edition of Windows I want with the updates already built-in. They come out every week. Most hilariously, if it’s Vista or Windows 7, the updates were probably integrated into a factory image of Windows using your own highly respectable Windows AIK.

This makes Microsoft Windows the only product I know of where the pirated, so-called “counterfeit” copies floating around on the Internet are in fact superior to what you are prepared to offer for a fee. People whom you would label hackers and criminals use your own tools to make their own job easier and, as an afterthought, share it over BitTorrent… illicitly, because that is the only option there is for “sharing” Windows. In the Open Source community, this is business as usual.

Once again, you are being upstaged by both your traditional competition (Apple) and the “alternative” (e.g. free) competition that you try hard to not take seriously. Take some pride in the product! You did it with Internet Explorer 9 (biggest tech shock of the new decade, so far). I think you meant to do it with Office 2010. Think you can squeeze out one more?

That is all.

–Strafe

</rant>

 

Security Sucks

A few weeks ago, my wife and I took our dogs for a frustratingly short walk. Upon returning home, I reached into my left pocket and found… nothing. My wallet was not where it should have been. My wife, in her usual habit, had no keys on her. The dogs’ keys were on their other collars (couldn’t resist). And of course I had been sure to lock the door when we left.

It was around the time I found myself awkwardly crawling through a window that a few thoughts ran through my head. First, “We’ve gotta get this window fixed… or at least a wedge or something.” Then, “But if I weren’t lazy, and had done that already, then we’d be making an expensive phone call or breaking out a window.” Then, “It’s hilarious that you were so careful to lock the door this time when you went camping and left the back door open. Not unlocked. Open.” And then “Wow… security sucks.”

It sure does, Strafe, and I’ll tell ya why!

But first… I’d like to clarify some terms. First off, I do not wish to treat safety and security as the same thing. “Safety” is about practice and habits; things to do and not do. “Security” is about preventing possibilities. Safety is not playing with matches. Security is locking them up. You can drive safely. You can’t really drive securely. Now, some will try to convince you that the latter is not true—Google “safe browsing” and you’ll get 1.6 million hits… most of the top ten are lists of general tips. Now, do the same with “secure browsing.” Watch that number jump to 28.6 million. Most of the top ones there are from companies trying to sell you something.

To me, that is quite telling. You don’t buy safety, you practice it. And you don’t practice security. You buy it.

And what’s so wrong with that? Well, like most products, just because you bought it doesn’t make it loyal to you. It’s impersonal. The more locks you put on your door, the easier it is for you to lock yourself out. The more complicated your password, the easier it is to forget it (or, in my case, the easier it is to type incorrectly more than the requisite number of times and get locked out—another security feature—and need to make an embarrassing phone call). Try to keep the other-guys’ patriots (a.k.a. terrorists) off your plane, and a decade later they’ve got uniformed staff rummaging through your junk with a flashlight… and inspecting your luggage too. Accidental or not, it’s only a matter of time until added layers of security, at some level, turn on you.

I don’t believe this is accidental, either. I’ll throw out a modest number and say ninety-nine percent of car alarms that have gone off… ever… have been for nothing. Maybe we could drop that number to ninety-six if we count relatively harmless, yet intentional events, where theft was never a possibility, but nonetheless you don’t want someone screwing with your car. Now, alarm vendors can point out that if an alarm system isn’t sensitive, it isn’t effective. True to a degree, but at least a fringe benefit is that every false alarm, for all its irritations, puts the alarm’s owners at ease. They know that their investment is working for them. At the same time, people who have been victimized are reminded of their trauma, and are further informed of their need for an extra layer of protection…

I’m going to take a moment here to apply this line of reasoning to my field of expertise: computers. I own two machines that run Windows. One has a fee-based anti-virus suite installed. The fee-based one has caught exactly one “threat” that was truly malicious. It intervened BEFORE I was actually at the point of infection, and when I intentionally infected a virtual machine later with the same virus, I discovered it was easily removable, either manually or with a free anti-malware utility. That’s fine; it was a little aggressive, but the security program did its job and it was over quickly. A few weeks later, it told me the machine was infected again, then proceeded to quarantine the file, shut down Windows, and urge me to perform a system restore. The file in question was a system file that had been on the machine since Windows was installed. I know that, and I know how to do the research to confirm it. But, to the layperson, which event would have seemed more serious? The false positives are what reinforce the perceived need for the product in the first place.

“But Strafe!” the people declare, “computers are weird like that. That’s not a generalizable event.” OK. Wait until you call your bank and accidentally transpose two of the last four digits of your social security number (I do it all the time), and suddenly you’re on hold while they get a specialist on the line. I take calls like that. Sometimes the callers are upset. Usually, though, they are pleased that the company has such security protocols.

And sometimes, these conversations are actually pro-active. People call to have conversations about security. I hate those calls… because I have to try to respectfully and confidentially field questions addressing increasingly unlikely scenarios. “OK Mr. Zambonie… if the bad guy hacks your computer and your firewall doesn’t catch it, and you then log into your email and he gets your email password, and he uses it to send a wire request to us, that still wouldn’t work because…” These conversations reveal a lot about the security mentality. First, the human mind is really bad with probability. That’s why we like Vegas. Second, the more we dwell on spectacular theoretical scenarios, the more plausible they become to us. Third and worst, once we are convinced that these scenarios are not only possible, but likely, we become celebrities in a sense—we’ve got a Bond villain trying to break into our vault! And a security team just waiting to catch him in the act.

Trying to point out how unlikely it is makes it seem like you’re evading the question. It also puts on individuals the pressure of admitting to themselves that they are not that special.

Now, we see big companies pouring money into security measures, and I think we tend to react to that as if they’re setting an example. But there are reasons for corporate security, good and bad. They need to limit liability. They are high-profile (if you house a trillion dollars, it is no longer unreasonable to think that someone is, in fact, trying to break in). They also need to keep up with competitors. (“Why doesn’t Acme think mandatory third-passwords are important? GeneriCo does it!”). I’m not saying this is good. And I know that there are exceptions, but generally speaking, if life and limb aren’t at stake, there are really only two things bad guys can do with your stuff. Break it, and steal it. Get too overzealous and you will cause one while trying to prevent the other.

Earlier I made a TSA joke… it’s easy to do. That might have been a little out of place, considering that when it comes to planes in flight, life and limb are at stake. But you don’t need terrorists for that to be true. Incorrectly installed parts can do that. Components in use beyond their recommended life spans will, too. You’ve got pilot fatigue. You’ve got unpredictable weather. All of those have killed more American commuters since 2001 than terrorists (given the current count of… greater than zero). The more energy you put into preventing the unthinkable, the less energy you have to think about mitigating the preventable.

So what to do instead? Well, much as I hate clichés, I do believe that knowledge is power. I make fun of people who treat account security like they’re trying to hide from the bogeyman… but in a sense they are. They don’t have the facts, and you can’t hide from the unknown. I still stand by being safe… and when armed with facts, I think it’s fairly obvious what is safe and what isn’t. Lastly, perhaps we could use our vulnerability as a chance to take inventory. If I were to have ‘x’ taken from me, what would the result likely be? How much energy is it worth to lessen the likelihood? If those two questions don’t balance out, perhaps a shift of priorities is in order.