Legal chess positions versus IPv6 addresses

Based on recent minimal research, it seems like there are probably more legal chess positions than there are addresses in Internet Protocol version 6 (IPv6). Wikipedia explains that there are 3.4 x 10^38 IPv6 addresses, and explains that Claude Shannon estimated the chess figure at 10^120, though other estimates exist.

If there are more chess positions than IPv6 addresses, it means you could devise an algorithm to represent the address of an internet-connected machine using IPv6 as a legal chess position, and that there would be enough chess positions to represent every possible IPv6 address. For instance, you could devise a set of rules that would produce an exhaustive set of chess positions, then generate the whole set and start numbering them using IPv6 addresses. You would start with a legally set up board, then assign IPv6 addresses to the positions that can be achieved through every possible move. Then, keep going until your rules have produced the gigantic complete set of possible legal chess positions. It would be like a rainbow table.

That would be a neat way to express the addresses in a human-readable form. It also means that you could translate the address of any device into a playable chess game, though a lot of them would be very lopsided, in terms of which colour has the advantage.

‘Track changes’ in calendars

One neat thing about software like MediaWiki (which powers Wikipedia, among other sites), is that it keeps a record of every change that is made to a document. That way, it is easy to see what the history of changes has been and respond when information changes.

It seems to me like it would be very useful to have the same technology in my calendar. So often these days, things get moved around and re-scheduled. It would be useful if I could annotate my calendar to know what is certain and what is uncertain, which appointments have already been rescheduled, and so on.

It would also be useful for situations where something accidentally gets deleted. If I delete my only record of an event, the chances of me remembering and showing up are virtually nil. That is one reason why I maintain a paper copy of my calendar in a page-a-day Moleskine, in addition to the Google Calendar I update from computers and my phone.

Radio frequency ID security

Contact-free cards and authentication tokens have become common. These are the sort of things that you put close to a reader on the wall in order to open a door or perform a similar function. People use them to get into parking garages and offices, and even credit cards now allow you to pay without swiping or inserting your card. Of course, all this creates new security risks. All of these cards can be read at a moderately long distance with inexpensive hardware, which is one reason why it is a bit crazy that these chips are being put into passports. Furthermore, cloning these radio frequency identification (RFID) tags is often quite easy.

Your standard RFID tag is just a little chip with an antenna. When it receives a signal on a particular frequency, it chirps out its name. The card reader says: “Any RFID tags out there?” and it says: “12345678abc” or whatever string it contains. The string is transmitted in clear text, and it is always the same. Anyone with a device that can program RFID tags can easily copy it. These sorts of tags exist all over the place. An office tower might have a database listing the code inside the RFID tags used by each employee. It would then check the database each time someone used a card, to make sure the number was on the list.

This system can easily be attacked. Just stand outside a building with an appropriate antenna and recording equipment and you can capture the code from each person’s tag as they go in. You can then copy whichever you like to make your own access card.

More sophisticated tags use a challenge-response authentication protocol. That means they take an input value, perform a mathematical operation on it, and generate a response which they transmit. For instance, an absurdly simple rule would be something like ‘multiply input by two’. Then, the reader would say: “3” and any card that replied “6” would be accepted as valid. These tags tend to require a battery to run their computing hardware, so they are relatively rare.

This is harder to attack. You need to figure out what the rule is, and the rules are often cryptographic. That being said, the cryptography used is often either proprietary (which usually means ‘bad’) or out of date. With access to a few tags and some knowledge, it may well still be possible to reverse-engineer the algorithm being used and clone tags.
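To make the difference between the two tag types concrete, here is a toy model of both readers (an added illustration, not code from the post or from any real card system): the static tag always chirps the same string, while the challenge-response tag answers a fresh random challenge with a keyed function. HMAC-SHA256 and the tag names are my own assumptions standing in for whatever rule a real card uses.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment database (not real card data).
STATIC_TAGS = {"12345678abc"}                    # the fixed string from the post
CR_KEYS = {"card-42": secrets.token_bytes(16)}   # per-tag secret, held by reader too


def static_tag_reply(tag_id):
    """A static tag ignores the reader and always chirps the same string."""
    return tag_id


def static_reader_accepts(reply):
    """Static reader: the broadcast string is the whole credential."""
    return reply in STATIC_TAGS


def cr_tag_reply(key, challenge):
    """Challenge-response tag: keyed function of the reader's challenge.
    HMAC-SHA256 is an arbitrary stand-in for whatever rule a real card uses."""
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def cr_reader_accepts(tag_name, challenge, reply):
    """Challenge-response reader: recompute the expected reply for this challenge."""
    key = CR_KEYS.get(tag_name)
    if key is None:
        return False
    return hmac.compare_digest(cr_tag_reply(key, challenge), reply)


def replay_outcomes():
    """Present one recorded reply to each reader type a second time.
    Returns (static_replay_accepted, cr_replay_accepted, cr_genuine_accepted)."""
    # Static: the string recorded today is still the credential tomorrow.
    recorded = static_tag_reply("12345678abc")
    static_ok = static_reader_accepts(recorded)

    # Challenge-response: record one genuine exchange...
    c1 = secrets.token_bytes(16)
    r1 = cr_tag_reply(CR_KEYS["card-42"], c1)
    genuine_ok = cr_reader_accepts("card-42", c1, r1)
    # ...then present that recorded reply against a fresh challenge.
    c2 = secrets.token_bytes(16)
    cr_ok = cr_reader_accepts("card-42", c2, r1)
    return static_ok, cr_ok, genuine_ok
```

Note that the fresh challenge only defeats a recorded reply; it does nothing against relaying a live challenge to a distant card, as the next paragraph describes, because that reply really is computed for the current challenge.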

In addition, this kind of system can be attacked in real time, using a man-in-the-middle attack. Suppose I am in line at the grocery store, about to pay. I take out a dummy wireless credit card, while I have an antenna concealed in my jacket sleeve. The clerk’s RFID reader sends a challenge request, which my antenna picks up. I then re-broadcast that request with more power, so that all the tags nearby chirp up. Suddenly, everyone in line who has a wireless card is offering to pay for my groceries. Re-broadcast one of those responses back to the clerk’s card reader and I suddenly have free groceries. I suspect something similar would work with the more high-security access cards used by some offices.

Not all cloning is necessarily malicious. Phones are increasingly sophisticated radio transmitters and receivers. They can transmit voice calls on various frequencies, as well as access WiFi networks and interface with Bluetooth devices. Somebody should make a phone that can transmit and receive on the common frequencies used by RFID cards. Software could then be used to record the contents of a person’s existing cards. Instead of carrying one fob for your car, one card for work, one embedded in your transit pass, and a credit card, you could just program the functionality of all those RFID tags into one device.

Of course, doing such a thing would reveal how easy it is to copy RFID cards in the first place. That’s all it would be doing, however – making it obvious. Anybody who is malicious and capable can already copy these cards, though consumers often assume that they are secure (like they assume their cell phone calls cannot easily be intercepted by moderately resourceful crackers). By revealing how insecure most wireless authentication technologies are, this cell phone software could play an important role in raising awareness, and maybe even lead people to pressure politicians to get rid of those stupid wireless passports.

I mean really, does that have any non-evil uses at all? A passport clerk can easily scan a barcode or swipe a magnetic strip. Making them readable at a distance only helps spies and criminals. How easy would it be to build a bomb and connect it to a machine that constantly scans the vicinity for wireless-equipped passports? You could program it to explode when more than a set number of nationals of any country you dislike are within a particular distance. Alternatively, criminals could take advantage of chatty radio passports to identify promising targets for mugging.

Republican speculation, via psychic powers

The other night, talking with my friend Jessica, it occurred to me that it could be possible to set up a kind of internet sensation based around the upcoming American presidential election (how early they become ‘upcoming’!) and ‘psychic’ claims of the sort that made an octopus famous during the World Cup. All you would need is pictures of all the plausible Republican contenders and some mechanism for deciding who among them will win on the basis of supposed supernatural powers. An octopus could work. Another idea would be a very young baby, the cuter the better.

In order to draw things out and give advertisers time to start hawking their wares alongside your videos, you could follow a process of elimination, in which candidates are rejected rather than selected. Naturally, you would want to rig the selections so as to produce the most total viewership. A good idea would be to do something a bit controversial at the outset – like reject Sarah Palin. Then, start working through the no-hope candidates as you are building momentum. Rigging the outcomes would be incredibly easy: just keep making videos until you get one where your preferred selection is made.

By the end of the Republican primary competition, when there are only a few plausible candidates left in the race, there would be a reasonable chance that you could simply guess correctly, cementing the reputation of your chosen psychic vessel as the real deal, at least in the eyes of a credulous few. Naturally, you would then want to make a prediction on the actual election. Chances are, you will be able to guess correctly on the basis of sophisticated polling of the Nate Silver variety, along with an assessment of key economic indicators.

If you wanted to keep exploiting the gullibility that seems widespread within the general public, you could use your advertising earnings as seed money to start a cult.

Reader survey: news sources

Out of curiosity, where do readers of this blog regularly turn for news?

I look at a diversity of sources myself. I listen to CBC Radio 1 in the morning before work. I also sometimes listen to it during the evenings and weekends. I listen to the “This American Life” and “National Public Radio: Planet Money” podcasts, though not always in timely fashion.

Every week, I read The Economist from cover to cover, though I will admit to skimming some articles, especially in the finance and business sections. I at least glance through the headlines of The Globe and Mail and The Ottawa Citizen every day. I also keep an eye on Google News and have some Google Alerts set up. When I have excess time on my hands, I look at the websites for The New York Times, Slate, and Stratfor. I track hundreds of blogs via RSS (using Google Reader, since the shutdown threat at BlogLines), but I rarely have time to even scan through post titles in detail. I try to at least scan through posts on Slashdot and Boing Boing. People also email me a lot of articles and links.

When I have time, I watch “The Colbert Report” and “The Daily Show”, but that is the only television I watch with any kind of regularity. I also check out The Onion periodically.

I also try to keep up to speed on important non-fiction books, especially in areas closely related to climate change.

Intrusion detection systems

One side of computer security is keeping people from getting unauthorized access: choosing good passwords, patching software to protect against known exploits, etc. But when you reach a more advanced level than that, intrusion detection systems (IDS) become an important way of detecting and mitigating attacks. These systems monitor the functioning of a computer system or account and produce some sort of alert if suspicious activity is ongoing.

For example, GMail includes a rudimentary IDS. It allows users to check whether anyone is logged into their account from another location. If you check the list and see only your home IP address and your phone, everything is probably fine. If some random IP address from Berlin or Mumbai or Tokyo is on there, someone has probably compromised your account.

IDS can be much more sophisticated than this. While GMail calls upon the user to keep an eye on things manually, automated systems can flag suspicious activity and produce warnings. A classic example would be a computer in a distant country accessing your GMail via POP3 and starting to download the entire contents of your archive. That is super suspicious and – if you are someone like Sarah Palin – potentially career-ending.

The same goes, naturally, for a situation where some random army private starts accessing and downloading thousands of diplomatic cables. Say what you will about the ethics of Wikileaks, but from a computer security perspective there should have been an IDS that spotted that aberrant pattern.
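The two patterns described above, a login from an unfamiliar client in a distant country and a bulk download of the archive, are exactly the kind of thing an automated IDS can flag. Here is an added example (my own code, not anything GMail or any real product runs) that applies both rules to a constructed mailbox access log; the log format, IP addresses, thresholds and window size are all assumptions made up for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. One line per mailbox access:
# timestamp, protocol, client IP, client country, action, message count.
SAMPLE_LOG = """\
2010-12-05T08:01:00 IMAP 198.51.100.10 CA LOGIN 0
2010-12-05T08:01:05 IMAP 198.51.100.10 CA FETCH 3
2010-12-05T12:30:00 IMAP 198.51.100.77 CA LOGIN 0
2010-12-05T23:14:00 POP3 203.0.113.45 DE LOGIN 0
2010-12-05T23:14:10 POP3 203.0.113.45 DE RETR 500
2010-12-05T23:15:40 POP3 203.0.113.45 DE RETR 500
2010-12-05T23:17:02 POP3 203.0.113.45 DE RETR 500
"""

KNOWN_CLIENTS = {"198.51.100.10", "198.51.100.77"}  # home PC and phone (assumed)
HOME_COUNTRY = "CA"
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 1000  # messages pulled by one client inside the window


def parse(log_text):
    """Turn the constructed log format into tuples with a real datetime."""
    events = []
    for line in log_text.splitlines():
        ts, proto, ip, country, action, count = line.split()
        events.append((datetime.fromisoformat(ts), proto, ip, country, action, int(count)))
    return events


def detect(events):
    """Return alert strings: unknown/foreign logins and bulk archive downloads."""
    alerts = []
    pulled = defaultdict(list)  # client IP -> [(time, messages)] inside the window
    for ts, proto, ip, country, action, count in events:
        if action == "LOGIN" and (ip not in KNOWN_CLIENTS or country != HOME_COUNTRY):
            alerts.append(f"unknown-client-login {ip} {country} {proto} {ts.isoformat()}")
        if action in ("RETR", "FETCH"):
            # keep only retrievals by this client that fall inside the window
            recent = [(t, c) for t, c in pulled[ip] if ts - t <= BULK_WINDOW]
            recent.append((ts, count))
            total = sum(c for _, c in recent)
            if total >= BULK_THRESHOLD:
                alerts.append(f"bulk-download {ip} {total} messages in {BULK_WINDOW}")
                recent = []  # one burst produces one alert
            pulled[ip] = recent
    return alerts
```

On the sample log this yields two alerts, both for the Berlin client: the POP3 login from an unknown IP, and the 1000 messages it pulls within two minutes; the home and phone logins produce nothing.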

Attackers always get more sophisticated and their attacks always improve. As a consequence, those who want to defend computer systems must keep raising their own game by implementing sophisticated security strategies. Deploying IDS both on personal computers and within cloud services like GMail is one way in which people can become aware of breaches in time to stop them from becoming too severe. It’s never comfortable to learn that you are dealing with an intruder, but it is much better to have that awareness than to continue blindly forward while they persist in nefarious activities.

P.S. Does anyone know of a good IDS for Macs? Given how many people are on always-on internet connections these days, and given that all operating systems have security flaws that take time to fix, operating an IDS on one’s personal computer is probably a good security trade-off. Indeed, I am planning to set up a second system unconnected to the internet, next time I buy a new desktop machine. It is axiomatic that any computer connected to the internet is vulnerable.

iTunes 10.1.1 (4) bug

One really annoying bug exists in iTunes 10.1.1 (4). When you buy a track from the iTunes Store, it doesn’t go into Apple’s default ‘Recently Added’ smart playlist. This means you effectively have two different ‘inboxes’ for new songs, podcasts, etc. You need to remember whether you bought a song on iTunes, ripped it from a CD, downloaded it as a free podcast, etc.

It would be better if songs you purchased appeared in ‘Recently Added’ along with everything else. It would be especially useful when traveling and listening to previously-downloaded podcasts.

The CBC is growing on me

I wasn’t always the biggest fan of the CBC. I found the argument that we have plenty of diversity in commercial stations relatively convincing. More recently, I have found myself more appreciative of public broadcasters including the CBC and – for international news – the BBC. They do cover politics well.

In addition to providing good content with no advertising, they both run very useful websites.

The Thesis theme for WordPress

My primary focus in blogging is definitely not the coding side of things. I see myself more as a creator of content than as a technology guy. I don’t even know enough CSS to format things the way I want them. As a result, I am grateful that the Thesis theme makes it easy to have a decent looking site that is friendly to search engines.

Avoid messing around with code

With the Thesis theme, you can easily reconfigure things without ever having to dig into CSS or PHP. You can set up sites with different numbers of columns in different arrangements. There is a multimedia box that can be used in creative ways. Thesis also lets you tinker with things like fonts and colours without having to edit any code.

Also, if you want to set up customizations beyond what can be done with Thesis’ various menus, Thesis lets you make all of them in just two files, greatly simplifying the process of upgrading WordPress and Thesis itself. You have a ‘custom’ directory that contains all your special tweaks, and you replace everything else when you upgrade the theme.

Thesis isn’t cheap. It costs US$87 for a personal license (good for one site) or US$164 for a developer’s license (unlimited use). At the same time, that price seems well justified for anyone who is putting a lot of effort into their site and isn’t a web design guru. You want people to take you seriously, and having a decent-looking theme is a big part of that. It would easily take tens of hours to make a site that looks anywhere near as good as Thesis does, and it would be much harder to upgrade your custom setup every time there is a new version of WordPress released (and we all need to keep up with new versions, if only to get security holes patched).

Superior support

Thesis also distinguishes itself in terms of its support community. The theme is updated regularly, maintaining compatibility with the latest versions of WordPress. Rather than having to puzzle over which bits of your site get broken or weirdly modified by the latest WordPress changes, you can just download the updated version of the theme.

Buying it also grants access to support forums, which are extremely useful for both troubleshooting problems and learning how to set up particular customizations. The forums are very useful for helping you set up custom features particular to what you are trying to do with your site, including finding ways to earn a bit of money from ads.

If you are a serious blogger who is still relying on a free WordPress theme, I would recommend thinking seriously about upgrading to Thesis. You will save time that you would have spent agonizing over code; you will present a more appealing look to your readers; and you will improve how your site looks to Google and other search engines, which is critical for building traffic.