Category Archives: security

Unlockers

My new office is the nicest place I’ve ever worked. It’s gorgeous.

As part of a more intentional office strategy, not everyone comes in at the same time. For occasional “everyone in at the same time” events we have extra overflow space.

But since all the desks are shared, there’s a clean desk policy. Anything you don’t want to take home goes in a locker. You pick an empty locker, put your stuff in, set the code and lock it. When you return, unlock it with the code. Simple!

I love lockers because I can use them as dead drops. When I had to return a kiteboarding kite or send someone a present it’s more fun to put it in a locker and message them the combination. Sneaky fun!

But I just found a terrible hack:

The lockers unlock for any code.

I discovered it accidentally when I went to open the wrong locker and put in my code. It opened and I, a fool, thought “That’s so weird that they put in the address of our last office as the code!” Then I moved on, until I did it accidentally again. Then I went hog wild and tested that ANY four-digit code opens it.

I’ve let the admin team know but I also feel the need to go put presents in every locked locker until they get it fixed.

Closing a Glassdoor

Listen, I understand that people believe I exist in an endless state of incandescent rage, but they are going to have to invent new words for how angry I am about Glassdoor adding real names without users’ consent.

Eva Galperin, EFF Director of Cybersecurity – https://hachyderm.io/@evacide/112125381301913499

Eva is writing about an Ars Technica story about Glassdoor adding identity info about users without their consent.

I support salary transparency and forums for publishing information good or bad about workplaces, but these places need strong guarantees of privacy. Consent is critical.

I went to delete my account, but was surprised to see a full page pop-up about some new feature called a Community. I couldn’t click anywhere to close my account without completing the process to onboard to a new feature!

If you’re trying to do the same, just know that https://www.glassdoor.com/member/profile/accountSettings is the page you go to directly that allows you to delete your account.

DreamHost is making my life way more complicated

Argh – normally I like everything DreamHost does. They had a history of just making my life easier over time. Their plan was simple: unlimited email and storage for your website, at a reasonable price.

But now, for the second time, they are taking away a feature that I use heavily! DreamHost is killing catch-all emails! This is terrible for me.

The short version: I own this domain and I get or send email from anything@morelightmorelight – so honeybooboo@morelightmorelight gets to me and I could send you a mail from DarkCrushingVoid@morelight… This is fun, but where it is really useful is in dealing with all the damn signups online.

Everyone online wants you to sign in or sign up! The reason why isn’t always that they love you and want you to be a member, it is sometimes that they want to track you and sell your details to other businesses. Imagine that! Sometimes they are nice but they just don’t have great security and someone steals your email address from them. That’s how you get all that spam!

Stop for a minute and give Have I Been Pwned a check for your email address. Yeah.

The emails I use for talking to people I love and care about don’t show up here. For example:
Image showing that my primary email hasn't been in a data breach
But when I am forced to register with a service, I just make up an email address with their name in it and I make up a password just for them. When they get breached by hackers, the hackers can’t use that email or password on other services to get into more stuff. For example:
Image showing that an email and password associated with adobe was stolen from the adobe servers

The password with adobe and the email address are disposable to me.
I filter out emails from places that have been breached by hackers.

And all is good! I have unique emails per place to log in, I have unique passwords per place to log in, and I have a way to respond to data breaches. But now, DreamHost is turning off this feature for me.

They will delete my email account in October if it isn’t converted over to a different email account. I have to figure out a way to create email accounts for all the logins I’ve had over the years or go change them on every site. It is going to be an incredible pain in the ass. So now, I have to start figuring out how to respond.

My likely plan:

  1. Learn how to download all of my emails and get a way to analyze them.
  2. Figure out all the unique email addresses I get email at and mark them as keepers and personal. This will take coding.
  3. Create a main personal account
  4. Upload all my history back to this account and figure out how to sync that back with Thunderbird
  5. Create all the other personal accounts and forwards from all the other personal accounts to the main personal account. This will take coding.
  6. Create business accounts and forwards for each of them. This will take coding.
  7. Create a general new throwaway scheme for login emails
  8. Investigate whether it’s time to move to hosting that gives me more control or adapt to this and concentrate on other things in my life.
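Step 2 of that plan is the part that "will take coding", so here is an added example of what it looks like. This is not the post author's code and not anything DreamHost provides: it assumes you have exported your mail as raw RFC 5322 messages (an mbox export gives you exactly that), and it uses a stand-in domain (example.com), an assumed keep-list of personal aliases, an assumed list of aliases tied to breached services, and a handful of constructed messages. It inventories every catch-all alias that actually received mail, decides which ones are personal mailboxes, which are single-purpose login aliases to forward, which to retire because the service was breached, and which have leaked (mail arriving from a sender the alias was never given to), then emits the forward rules to set up on the new accounts.

```python
"""Inventory catch-all aliases from a mail export and plan forwards.

Added example, not the post author's code. Assumes raw RFC 5322 messages
(e.g. from an mbox export). The domain, alias names, keep-lists and the
sample messages below are all constructed for the example.
"""
import email
from collections import defaultdict
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "example.com"      # assumed stand-in for the real catch-all domain
PERSONAL = {"me", "family"}          # assumed: aliases that should become real mailboxes
BREACHED = {"adobe"}                 # assumed: aliases tied to services known to be breached
MAIN_MAILBOX = "me@example.com"      # assumed: the one account login aliases forward to

# Constructed sample messages (headers only; bodies do not matter here).
SAMPLE_MESSAGES = [
    "From: Mom <mom@family-isp.net>\nTo: me@example.com\nSubject: dinner\n\nhi\n",
    "From: Adobe <noreply@adobe.com>\nTo: adobe@example.com\nSubject: Your account\n\n...\n",
    "From: Adobe <noreply@adobe.com>\nTo: adobe@example.com\nSubject: Newsletter\n\n...\n",
    "From: Shop <news@shop.example.net>\nTo: Someone Else <other@elsewhere.org>\n"
    "Cc: shop@example.com\nSubject: sale\n\n...\n",
    "From: Friend <pal@pals.org>\nTo: family@example.com, me@example.com\nSubject: hey\n\n...\n",
    # Alias that was never handed out, now receiving mail from a stranger.
    "From: spam <x@y.z>\nDelivered-To: honeybooboo@example.com\nSubject: buy\n\nbuy\n",
]


def aliases_in(raw, domain=CATCHALL_DOMAIN):
    """Return the local parts at `domain` that received this one message."""
    msg = email.message_from_string(raw)
    found = set()
    for header in ("To", "Cc", "Delivered-To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            local, _, dom = addr.rpartition("@")
            if local and dom.lower() == domain:
                found.add(local.lower())
    return found


def inventory(messages, domain=CATCHALL_DOMAIN):
    """Map alias -> {"count": messages received, "senders": sender domains}."""
    seen = defaultdict(lambda: {"count": 0, "senders": set()})
    for raw in messages:
        msg = email.message_from_string(raw)
        sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        for alias in aliases_in(raw, domain):
            seen[alias]["count"] += 1
            seen[alias]["senders"].add(sender_domain)
    return dict(seen)


def classify(inv, personal=PERSONAL, breached=BREACHED):
    """Decide what to do with each alias.

    personal -> create a real mailbox
    retire   -> the service was breached; drop the alias and rotate that login
    leaked   -> mail arrived from a domain that does not contain the alias name,
                i.e. someone the alias was never given to has it; drop it
    login    -> single-purpose signup alias; forward to the main mailbox
    """
    plan = {}
    for alias, info in inv.items():
        if alias in personal:
            plan[alias] = "personal"
        elif alias in breached:
            plan[alias] = "retire"
        elif any(alias not in dom for dom in info["senders"]):
            plan[alias] = "leaked"
        else:
            plan[alias] = "login"
    return plan


def forward_rules(plan, main=MAIN_MAILBOX, domain=CATCHALL_DOMAIN):
    """Sorted (address, target) pairs: 'mailbox' to create one, an address
    to forward to, or 'drop' so mail to a retired/leaked alias bounces."""
    rules = []
    for alias in sorted(plan):
        addr = f"{alias}@{domain}"
        target = {"personal": "mailbox", "login": main}.get(plan[alias], "drop")
        rules.append((addr, target))
    return rules


if __name__ == "__main__":
    inv = inventory(SAMPLE_MESSAGES)
    plan = classify(inv)
    for addr, target in forward_rules(plan):
        alias = addr.split("@")[0]
        print(f"{addr:28} {plan[alias]:9} -> {target}  ({inv[alias]['count']} msgs)")
```

The "leaked" heuristic is deliberately simple: a signup alias named after a service should only ever hear from that service, so any other sender domain means the address was shared, sold, or stolen, which is the same signal the post gets from Have I Been Pwned, but derived from your own mail. Run it against a real export by replacing SAMPLE_MESSAGES with the messages from `mailbox.mbox(path)` converted with `msg.as_string()`.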

That last one is also important. When I was younger I did a lot of flexing in tech to do things myself so I could be super independent. This taught me TONS of things and is great! However, I can’t do everything, so I now make compromises so I can spend time on what matters most.

That’s the part that irks me. I am fine with adapting to the new business reality at DreamHost – but they don’t have a plan for me. I’m going to have to build my own tools and figure out my own way. I can do this, but I don’t want to! I’d rather spend this time building a website or helping people or being with my family.

Who watches the watchmen?

The Justice Department and FBI have formally acknowledged that nearly every examiner in an elite FBI forensic unit gave flawed testimony in almost all trials in which they offered evidence against criminal defendants over more than a two-decade period before 2000.


The cases include those of 32 defendants sentenced to death. Of those, 14 have been executed or died in prison, the groups said under an agreement with the government to release results after the review of the first 200 convictions.

Source: FBI admits flaws in hair analysis over decades – The Washington Post

It happened before 2000. There was other evidence in those cases. But still – false testimony from these high levels over decades happened.

It should shake you.

What is preventing us from reading a similar headline in ten more years? How could we make sure this lab has an incentive to tell the truth rather than to ally with their colleagues?

Free Kiera Wilmot

A young woman conducted an unauthorized science experiment with an unfortunate result. At school early, before morning bell, she was in the lab and mixed some common household chemicals in a bottle. There was a small explosion that injured no one.

She has been expelled and is being charged with a felony.

I am Kiera Wilmot. I was enthusiastic and bored in high school. I did unauthorized experiments, some of them very very stupid. I was well known as a smart person who did very very stupid things in high school.

I was not expelled or arrested, I was given guidance and understanding and was often yelled at for doing stupid dangerous things. The authorities at my school did not screw up my life by putting a felony on my record or kicking me out of school. I stand with Kiera and other troublemakers.

As a former troublemaker and soon to be parent of a future troublemaker I am very worried about the zero tolerance policies at our schools. They are crazy and would leave me a drain on society instead of a productive taxpayer.

Art sec meetup

Last night I went down to the art and security meetup at NYU’s ITP.

We saw three rad projects.

1. Heather Dewey-Hagborg collects hair and cigarette butts from the subway and streets in Williamsburg. She goes to Genspace, a bio hacking space in downtown Brooklyn, to perform PCR and gel electrophoresis, etc. She sends these DNA samples off to get sequenced for specific phenotypic traits. Stuff like mitochondrial maternal region indicators (ethnicity), eye color, hair color, freckles, etc.

Then she runs code against these to generate 3D models of how they might look. Prints those out using a full color 3d printer.

Great discussion about implications and the private or public nature of DNA vs its uses. We compared it to browser DNA identified by EFF, and ways government should regulate both. Also, how little we generally know about our own DNA.

2. Glenn Wester is trying to create a true heads up display for augmented reality. He points out that all current AR hardware uses screens that block your vision. You don’t look at reality augmented, you look at a picture of reality that is augmented.

He wants something more like a fighter jet heads up display. This involves having a tiny OLED project onto a 45 deg angled beam splitter mirror. Sort of like your basic haunted house ghost room effect, but mounted to your head.

Here is me wearing it.

image

It works and is really cool. We tried to figure out ways to hack it, like getting light off of your clothes or trying to read reflections on your eyes, but nothing so far. Very cool if still unfashionable. I wondered if you could combine a dimmed laser picoprojector and fiber to get a low res display with less bulk up top.  Amazingly, all of this costs around a hundred bucks.

3. Jordan Seiler presented his work removing outdoor advertising from towns. Some of this is physical work, and some is using AR.

An augmented view of a How & Nosm mural

He was VERY excited about the presentation from 2. We talked about analogues between his work and Add-Art. We got into who has the right to determine what you look at (this is part of what underlies the justification for some graffiti). That led into wondering how folks might use AR for nefarious purposes. I brought up the possibility of racists editing out the looks of other people in the same way that buildings are treated. Jeff Crouse’s underdeveloped Unlogo Project came up as well, but we had a devil of a time remembering the name of the project.

At the end, Kyle invited folks to go see his amazing face substitution work at Eyebeam.