Why the movies are wrong (Surprise, Surprise)

On the lighter side of life, my friend @zarino tweeted this link, which got me thinking about hackers in popular culture. Think about your favorite movie and/or TV hacker. My vote goes to Alec Hardison, but that's irrelevant. In any "hacking sequence" you see the hacker typing away furiously on a keyboard and all sorts of random green text on a black background. The green on black dates way back to the old days and I have no clue as to why they used those colours, but everybody loves it.

Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.

IT'S ALL WRONG!

Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks something from the C-family.
*****EDIT******
Turns out they last change the site a touch since I visited it. It appears the code is part of the Linux kernel.

Location, Location, Location! What you don't know that they know! (Part 2)

So, some of you may remember this post. Well this is part two of that. I contemplated for about 15mins if I should end the post with the fact that your phone is also capable of tracking your movements but decided against it. Well that would been pretty cool, and mildly prophetic, but hindsight is always 20/20. Well back to the present and how your phone tracks you.

So, recently people discovered, much to their surprise, that the iPhone stores an unencrypted history of where you have been for the past 10 months. I seem to be the only person whom this did not surprise. In fact if the phone did not store any location history would surprise me. I often, mostly jokingly, say to my friends who own Apple products that Steve Jobs owns their souls. After reading this, some of them are starting to think it's true (side-note: this article seems to agree).

It also surfaced that android phones do exactly the same thing. So much for being the free and open platform right? So, I would normally take this time to be smug that I am use a Symbian smartphone, but in all honesty, I would not be surprised if they did the exact same thing. Of course I haven't forgotten all you lovely Blackberry users. RIM may well be doing the exact same thing, but I have not found any solid evidence either way.

So, base assumption: if you have a smartphone, it has a record of where you have been for the past x amount of time. Why is this a) done? and b) a problem? Well in the previous post, I covered most of the answer to b), so lets move on to why it is done. The official answer: "to improve the quality of our location based services." The real answer: "to improve the quality of our location based services." SHOCKER!

Yes, I am aware that this law enforcement agencies are aware of this data and sometimes use this data in the course of enforcing the law. But in all fairness, when the cops are looking for you, the normal rules don't totally apply. So, back to the main point: it really does help them improve the location based services. There is no other way than to actually use your actual location data. If you want a great app that finds the nearest bar, restaurant or even condoms in New York (was very amused when I read that article), your handset manufacturer needs to collect this data.

The upshot: this is something you have to give in order for you to get the services that you want. I for one think it's a fair trade-off. I have no proof that my phone does this, but if it turns out that it does, I'm OK with that. Again, in the digital age, privacy is not quite what it used to be, which is a fact we all have to deal with.

Why you are not dead from the robot-induced nuclear apocolypse (or why CAPTHAs still wotk)

If you are reading this then you are not dead. That is generally a good thing. Now, you may ask yourself as to why you should be dead. Well according to the popular Terminator series of movies, 18th of April the day when we all bite the big one. Unless you happen to be John Conner.

The original premise of the movie was that the Artificial Intelligence (AI) known as "Skynet" became self aware and decided that it reaaaaallly hated humans. So, it decided to get rid of them the best way it knew how; it nuked the living daylights out of EVERYTHING (Barring John Conner and the other lucky guys) and then some. And then we have time-travel and fights and craziness spread over 4 movies and a TV series. Why, you may ask, do I care about this. Well, apart from being a massive geek?

There is a mild connection between the Skynet and computer security. What Skynet represents is a sentient AI, which is basically a computer that can think for itself. Now, having personally worked with an AI (for my undergraduate thesis) I now look at all movies/TV shows that have real full AI with a great amount of scepticism. I know I am not an expert by any metric, but it took me close to 2 months to write an AI agent that learns to play blackjack. Nothing fancy at all, just plays a basic strategy. The upshot: it's really really hard.

I know that they have made some massive leaps in the field, such as Watson and Deep Blue, but that's not quite the same. There are supervised AI agents that can just do one thing and had to be fed a ton of data before hand. Watson for example has the whole of Wikipedia stored, which is in my books cheating just a little bit. Although these are very impressive, they are still far away from full self-awareness and sentience.

The only way that could happen is if we had an unsupervised agent, that is, an AI agent who is given only knowledge of the problem and needs to learn how to solve it. For example, you could tell an agent what a maze it and then put it in a maze and tell it to find it's way out. It will (eventually) learn how to do that. Then you give it another maze and it will learn and so on and so forth. And then you have to make it able to learn new tasks. But once you hammer out those little details, then you have the computer that will end the world.

To, the main point: the reason AI is interesting from a computer security point of view is several things, but the main is CAPTCHAs. Now, it's a little bit of an abuse of the term, but for simplicity I use CAPTCHA to mean all the systems and implementations thereof. The general idea is that you are shown a picture of somewhat distorted letters and you have to enter the letters in to prove you are a human.

The reason for this is that computers, such as automated sign-ups and spambots etc were use to make THOUSANDS of false email accounts for the purpose of spreading spam, viruses, boredom, marketing maybe, but generally evil stuff. IF you can prove you are human, then all will be hunky-dory and you can sign up. A computer will almost always fail these tests. AIs can try to learn these things, for example, using neural networks. And some of these algorithms have had some reasonable success. This is exactly why you sometimes get a CAPTCHA that is completely unintelligible, to protect against smart AIs, with the side effect of annoying the humans, ironically, as the machines wanted.

But, if we could for a second just shift back to self-aware AI. Well, the upshot is if the AI were self-aware, it's well beyond breaking CAPTCHA. We would basically have a robot with human cognitive skills, but much more computing power. I leave it to your imagination (mostly sculpted by TV and movies) to do the rest.

SIDENOTE: More real/relevant blog posts to come soon.

More irony

So, after this post went up this story surfaced pretty soon. I never got round to writing about it, because I have just moved from my old flat to a new one. So, I've kinda preoccupied. There really isn't more to say about this than how ironic it is. I may be tempted to do a post on Cross-Site Scripting soon, but we'll see how that goes