Twitter Annoyances

I have lost all patience with Elon Musk. Up until last week, I could see some rationale and a ray of hope in his Twitter monkeyshines, but renaming Twitter blew away any lingering spell.

I’ve never been a Twitter fan. I have no quarrel with folks who enjoy an adrenaline and dopamine thrill during a hot online exchange, but dashing off a few characters and blasting them out to the world does not excite me, nor do I much enjoy reading blurted tweets. However, scientists, journalists, and many others have all appreciated a decade of Twitter’s rapid and live flow of opinion and information. Twitter established its usefulness for many users.

Some folks like to toss spit wads at the Twitter wall to see what sticks. That’s fine too, but it points the way to the downside of Twitter. I’m too old not to have noticed that attention-seeking, greed, and choler are always present in this world. Given the way people are, some of those spit wads will be mean and treacherous fire balls. Some heat improves a dish, but too much ruins it.

If it were easy, or even possible, to distinguish good and bad posts like sorting sheep and goats, I could see that managing a platform like Twitter would be an interesting and satisfying job. But we all have good days and bad days. My notion of good is only a rough approximation of yours. On most points, we will differ. Sometimes we will differ a lot.

Anyone who has tried to keep peace in a family, lead an elementary classroom, or push a project team toward a goal knows how mind-stretching and frustrating taming the discourse on a platform like Twitter must be.

Did pre-Musk Twitter meet that difficult challenge? Not especially well. They were in trouble with the European Union and the FTC. Both the right and the left accused them of bias.

As a service system management product developer who has seen outfits like Twitter both succeed and fail, up to the last few weeks, I didn’t think Musk did too badly.

Musk always struck me as a little too hot for everyday consumption, but Tesla and Starlink are undeniable accomplishments. Unfortunately, massive layoffs at Twitter made sense.

Twitter has all the marks of a company that has struggled and failed to address issues. Instead of fixing problems with solutions, Twitter took the last century MBA route and hired more staff, thinking held over from the era when a coal shortage could be solved by hiring more miners.

Technology does not work that way. Typically, adding more staff delays a technical project. Twitter appears to have added bodies instead of engineering and administrative discernment, and that led to a flailing technical organization. They desperately needed trimming. Musk’s judgement was correct. A massive layoff, however cruel and harsh, was the only choice.

I’ve gone through the process of trimming a bloated staff and know how hard it is, akin to a brain surgeon extracting a tumor, but instead of a scalpel, you are stuck with a sledgehammer and pickaxe. If the result of your effort is vaguely in the direction of your goal, you haven’t done so bad.

There’s no question that Musk paid far too much for Twitter. At first, I was willing to give him a pass on that. The world’s richest man can tap his bulging piggybank and survive. Wasting money is a gazillionaire’s prerogative. Accumulating vast wealth offers experience on how much extravagance one can bear. One would assume.

The last few weeks have been bad for Twitter. It appears to have fallen into a descending spiral. Stiffing critical suppliers like landlords and cloud providers has affected operations, which decreases revenues, which further curtails resources. This is the way corporations die.

Yet another nail in the coffin: rumor says some employees still cash in vesting stock options at Musk’s inflated price of $54 per share. That will end soon. I wonder if those employees will continue to work for Musk when that fountain of gold turns into a trickle of dry sand?

I expected that naming an advertising executive as CEO would inject some reality into Musk’s advertiser management and stabilize revenues, but the last change, renaming Twitter to X, looks like another round of playground gags instead of advertising management skill.

Which brings me to my point: I’m an old Unix hand. X, for me, is the X Window System developed at MIT that was the foundation for distributed graphic interfaces. Graphic user interfaces (GUIs) opened computing to a wide swathe of users. Without GUIs, computers would be impossible for most people to use.

And now, venerable X has been permanently tied to Elon Musk driving his Twitter Tesla into a bridge abutment.

 

 

Two Factor Authentication

Two factor or multi-factor authentication makes computing more secure. You’ve probably seen it already and you will see more of it. I highly recommend it, with some caveats. I remain skeptical of biometric authentication. Facial, fingerprint, and retina recognition are all convenient, but they also have issues that are not ironed out yet. No matter how optimistic the sensor makers’ marketing, faces, prints, and retinas can’t be replaced when they are compromised, and there are reports of gruesome compromises. Multi-factor authentication adds extra steps to authentication, but there is no question that additional factors increase security.

What is multi-factor authentication?

As the name suggests, multi-factor authentication requires authenticity to be established in multiple ways. The user name and password authentication that has been used for decades uses a single piece of evidence to prove you are who you claim to be: knowledge of the correct password. Two-factor authentication adds another piece of evidence. The second piece of evidence could be a second password, but all passwords are vulnerable in the same ways, so it is better to use more than one kind of evidence.

Security specialists often talk about three types of evidence of authenticity: what you know, what you have, and what you are. A password is something you know that no one else does. A physical key is an object that only you have. Your fingerprints, your facial appearance, your retinal pattern, and your DNA are examples of something you are.

An example

Physical safes commonly use single factor authentication, sometimes multi-factor authentication. Most single factor safes have combination locks. To enter a single factor safe, you simply enter the correct sequence of numbers. If you write the sequence down, someone could find the paper; or someone could look over your shoulder and watch you dial the combination. Whoever finds the paper or watches you has access to the safe. Sneaking in is a challenge, but by no means impossible.

Bank vaults frequently have two combinations each known to a single bank officer. To open the vault, both officers must dial in their combination. One officer may be incautious or a fraudster, but the double combination prevents a single officer from getting in without a witness.

We have a safe in our home that requires both a combination and a key. I know the combination, but without the key, I can’t get in. If thieves were to successfully snatch the combination, they would still have to find the key. Often, even I can’t find the key, so they’ll have a job to get into our safe. In this way, our two-factor, key and combination safe is an annoyance, but more secure than a single-factor combination-only safe.

Multi-factor user authentication

Typical two-factor authentication uses a password and something else. One common method uses a text message sent to your phone containing a four to eight-character token. After correctly entering your password you must enter the token that is automatically sent to your phone when you enter the correct password. In other words, you must both know your password and have your phone to get into the account. Another variation is to email a token. In that case, you must both know your password and have access to your email account. These methods are harder for criminals to deal with than a simple password.

Flaws in message-based authentication

These methods are good, as long as access to your email account or phone is secure. However, email is just another account to secure, which would be better done with multi-factor authentication. To do that, you would have to have another secure email account. At a certain point, the complexity becomes unbearable.

Cellphone issues

The cellphone method also has problems with phone numbers and SIM cards. Phone numbers are assigned to SIM cards. Usually, when you buy a new phone, you move your SIM card, and your phone number, contacts, and other information move with you. However, the service providers can reassign phone numbers to a new SIM, say when your phone is lost or destroyed, or you get a new phone that is not compatible with your old SIM.

The ever considerate and conciliating providers can easily transfer your phone number to a new SIM. They hesitate to hassle a customer too much when numbers are reassigned and they do not press a requesting customer for too much identification and verification, which means that criminals with a handful of information can get your phone number transferred to their own phone. To make matters worse, cell carrier employees are not guaranteed to be honest: they might be bribed or they may be criminals themselves. As a result, criminals have found it fairly easy to get phone numbers reassigned without the owner’s consent.

Once your phone number has been transferred, the criminal can use it to gain access to your accounts, change passwords, run up bills, and drain your bank.

The cellular providers have not been forthcoming on how often this happens, but anecdotal evidence says the practice is on the rise. There are a few things to do to protect yourself. If your provider offers a PIN for changes to your account, take it. Most important, when your number changes, you will get a notification on your phone and it will no longer work. Call your provider as quickly as you can when you get a notice. Criminals can wreak havoc in minutes with a stolen phone number.

A stronger method

A better alternative is to use another authentication factor that does not depend on sending a token to you. This can take several forms, but they all involve a small application that runs on a device in your possession that produces tokens. When the application is set up, your authenticator and the application exchange information that syncs the application with the authenticator. One method provides tokens that change with the date and time. If you can’t supply the unique time-based token from the app that corresponds to your account, access is denied. Another implementation relies on a private key held on the device. An elegant implementation places the token generator in a USB device similar to a thumb drive. Plug the “key” in, authenticate, and the USB device supplies the correct token. These methods do not rely on communication after the initial setup. Neither WiFi nor a cellular connection to the key device is necessary.
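How a time-based token can be produced and checked with no communication after setup, as an added example that is not part of the original post: it follows the published TOTP standard (RFC 6238), which authenticator apps commonly implement. The secret is the constructed RFC test key, and the function names and the last_used replay guard are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each token stays valid (RFC 6238 default)
DIGITS = 6   # token length shown to the user


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """Token for the 30-second window containing Unix time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, token: str, at: float,
           last_used: int = -1, drift: int = 1):
    """Return the matched time-step counter, or None if the token is rejected.

    Tolerates +/- `drift` windows of clock skew between phone and server,
    and refuses any window at or before `last_used` so that a token which
    was already accepted cannot be replayed.
    """
    now = int(at) // STEP
    for counter in range(max(0, now - drift), now + drift + 1):
        if counter <= last_used:
            continue
        expected = totp(secret, counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), token.encode()):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real credential.
    secret = b"12345678901234567890"
    now = time.time()
    token = totp(secret, now)
    step = verify(secret, token, now)
    print("token:", token, "accepted in step", step)
    print("replayed:", verify(secret, token, now, last_used=step))
```

Both sides compute the token from the shared secret and their own clock, which is why the phone needs no network connection; the server stores the last accepted step per account to reject reuse.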

I noted with approval, in this article in the Washington Post, that the federal government will soon require two-factor authentication for administrators of all government web sites. The method chosen by the feds is better than relying upon calling or messaging the phone. They are using Google Authenticator, which runs on an Android or Apple phone.

These methods are more secure, but not all multi-factor sites accept tokens from all authenticator apps, so you may not be able to use your choice on all accounts.

There’s a podcast on Lawfare explaining Google’s approach to advanced security that is informative.

How Computers Work

I will be teaching a new class at the Ferndale Public Library on Saturday, September 22, 2-3pm. My grandson Christopher and I made ourselves available for an hour every two weeks to help people with their computing questions and problems last year, taking the summer off. We found out a lot about the kinds of difficulties folks have with computers.

As an engineer, I can’t work with anything unless I know how it works. Many people know how to use a computer, more or less, but they don’t know how it works—what’s happening inside those desktops, laptops, tablets, and phones. In the Saturday class, I’ll be talking about how it all works. When you understand how computers work, using them becomes easier for a lot of folks. Computers have tremendous power, and many limitations. Asking them to do things that are not possible or extremely difficult causes frustration, and often, users don’t know what is easy and what is hard. In this class, I’ll try to lay the groundwork for understanding, rather than simply pushing the buttons on computers.

Putting the class together has been a challenge. I plan to explain digital computing in ways that I haven’t seen outside a few engineering classes. I hope the presentation will be clearer, easier to understand, and more revealing than anything I have read or seen for beginners. Christopher is a teenager who used computers from preschool; I wrote my first program in 1967. Between the two of us, we cover a lot of territory.

Christopher and I will also be back on every 1st and 3rd Wednesday at the Ferndale Public Library from 3p to 4p, starting Wednesday, September 5. Last year, we handled questions on email, setting up a Linux development environment, and folks who may have been hacked. We’re excited to see what will be bothering folks this year. We’re ready for anything… I hope.

3 Rules for Smartphones

Your Smartphone is vulnerable to crime like all other computers, but the danger points are a little different.

Basic rules for Smartphone safety

These are the basics. Following these rules will drastically reduce your vulnerability.

  1. Don’t lose it. Losing your phone is the most likely way to compromise your phone security. Using PIN, password, or fingerprint authentication for entry provides some protection. Combining authentication with encryption is stronger yet. But not losing your phone is the strongest of all.
  2. Add new apps with caution. A new app is the most likely source of malware on your phone. Malware does occasionally make it through the app store testing processes. Check out your sources and the app’s reputation before you download. Don’t rely exclusively on the app store reviews. If you must side load, be ultra-cautious.
  3. Scrape off the cruft. Remove any apps that you have never used or no longer use. New vulnerabilities appear all the time, so minimize your exposure. Bonus: a lean machine usually performs better. You can always reinstall if you find you need an app.

If you have the basics, there are further steps you can take.

Supplementary rules

These apply to situations that don’t happen as often, but you want to avoid.

  1. If your phone is set up to automatically use Wi-Fi instead of cellular connections when Wi-Fi is available, be aware that it may automatically connect to an insecure public Wi-Fi site.
  2. There are more ways to hack a cellular wireless connection than a wired connection. If you must exchange ultra-private information that you suspect a skilled intruder may be after, use a temporary phone or a land line that is not associated with you.
  3. The contents of your cell conversations may be secure, but who you called, when you called, the length of the connection, and sometimes phone GPS coordinates are routinely recorded both on your phone’s SIM card and on your cellular carrier’s equipment. This “metadata” does not have special legal protection and may be obtainable without a search warrant or even sold by your carrier. Check your carrier’s Terms of Service and Privacy Policy.