Aug 05

Me.dium Social Search - Refreshingly original

Tag: Stuff | Michael Lind Mortensen @ 8:10 pm

Let me first state: I did this review not because many have heard about Me.dium’s search engine - but because one of the people behind it wrote a comment on my blog earlier today and requested I take a look at it - and so I did!

After having just reviewed Cuil, the alleged competitor to Google, it’s quite an uplifting feeling to go to http://me.dium.com/search. At the very least, here is a search engine that can actually claim originality. Not that we haven’t seen popularity search engines before, but never in this way.

When you go to me.dium, you are met with your typical search bar and two buttons: Search and I’m feeling social. Also on the page is a list of search strings just typed in by other users. Now for a security guy like myself I’m a bit reluctant to call the “suggestion list” a good idea. Theoretically it’s a good idea because it can give people interesting things to read. I myself found out Bernie Mac apparently almost died recently. On the other hand the list could potentially be a bit damaging if users start typing in personal information like their e-mail address, name, address and so on. It’s a well-known fact that many try to “google” themselves to see how much information is publicly available on them - doing the same thing here might actually lead you into more trouble than you were before you did the search. However it largely depends on the algorithms set into place to control that list and if it’s handled properly it shouldn’t be a problem.

When it comes to the actual standard searching, me.dium does a fairly good job actually. There’s nothing really revolutionary about it, but it does what it’s supposed to and I got way more results than I did on Cuil (however not anywhere near what I get on Google.. but me.dium is still only released as an alpha version so what can you expect really?). The I’m feeling social feature is also quite interesting as it displays what other users like - thereby sorting out a lot more spam- and/or irrelevant sites so that you get a more precise and relevant search. I must say I really like that feature!

Now for the layout. Well, I like the colors and I like the graphics. But what I don’t like is the blatant Google rip-off. I’m feeling social is a very cool feature, but as for the name anyone can see it’s a complete rip-off of Google’s I’m feeling lucky. I would have liked a bit more originality here! The same goes for the search results, which also look way too much like Google’s - actually so much that I would fear a lawsuit had I been from me.dium.com.

So all in all I like Me.dium Social Search soo much better than Cuil and I really think it has some new and cool features. I don’t believe it’s a realistic competitor to Google, as it doesn’t support many of the cool features Google does (define, site, image searching, calculator, currency converter etc.) and I’m a bit afraid Me.dium Social Search can’t handle the pressure of 60.000.000 unique users per hour or whatever Google actually handles (probably a lot more) and of course - Me.dium needs to index more sites. That being said, it’s not unrealistic that Me.dium Social Search, given time, could potentially be a competitor to Google - So my advice to the dium.com people: Be original, stay original, increase power and ease of use and just expand with servers and new indexed pages - maybe in 5-10 years people will be using your search engine!




Aug 05

Cuil - a sad review

Tag: Stuff | Michael Lind Mortensen @ 4:58 pm

I recently tried out the “new” search engine Cuil which supposedly was the new up and coming competitor to Google. Now, I really went into this with an open mind and thought: “Hey, if they claim to be better than Google, they probably have even better features that make my searching and related tasks easier” — well, I was wrong!

Cuil is in many ways a semi-finished project. It doesn’t have superior searching in any way. It actually didn’t even have any relevant results half the time I searched for things.. Things that Google did have relevant results for.

One of the other things that make Google special is their many functions. As in you can use commands like define: and site:, and even use Google as a calculator with support for trigonometric functions and currency converter. Cuil has none of these features!

Also, when it comes to Cuil’s layout, they’ve said that the picture-paragraph thing is there because users should visit websites based on pictures and not “meaningless” text.  While I can partly agree with this, they do a terrible job of actually making this work. The pictures shown are seldom relevant and you have a tendency to choose the results with the pictures - yet the real information could easily be on a website without a relevant picture. Text is still the single most relevant thing we search for - it’s why we use the Internet.. so that we can share information.. and text is information.. images are seldom necessary..

All in all I’m very disappointed in Cuil and at the moment I don’t believe for a second that it will even remotely be a competitor to Google…

I’m definitely sticking to Google for the time being.




Jun 30

Argumentation - The bad and the ugly

Tag: Stuff | Michael Lind Mortensen @ 9:52 pm

I love debates! I really do.. I simply love discussing the facts, opinions and actions of oneself and others - with the appropriate argumentation of course. This is something I’ve often loved doing with my family and friends (who often hate me for it, as I’m kinda strict with correct argumentation) and of course in my work with politics in Radikale Ungdom here in Denmark.

But during all of this overenthusiastic opinion sharing I’ve often come across certain argumentation styles I’ve found .. well, ridiculous! Let’s take a few examples:

Arguments of the form “Everyone knows …” or “Everybody agrees …” are inherently false - Always!! No matter what subject you pick, no such subject will be known by all of the general population and no opinion will be shared by the general population. The mere fact that you are having the discussion with someone should tell you that your argument is inherently wrong, as that person clearly does not know or does not agree! This form of argumentation often comes up in emotional subjects like “Everybody agrees child molestation is wrong” - Which is obviously false, since some actively molest children. Or perhaps in another context “Everyone agrees that global warming is real” which is again obviously false, since some don’t believe this to be true.

There is a correct way to use the “Everyone .. something” argumentation form however, you just have to limit your population. So an argument like “All doctors agree ..” might be right, it’s definitely not inherently wrong. Also, in the same category, an argument like “All soldiers know guns can shoot” would also probably be correct, while “Everyone knows guns can shoot” isn’t!

Let’s take another example of bad use of argumentation: “Abraham Lincoln would have …” - Using what a dead guy might have said, is very very bad argumentation! Actually this is one that Jon Stewart already pointed out (very delicately I might add) on The Daily Show a few months back.

Sadly many actually do this! Like refer to Martin Luther King, Abraham Lincoln, JFK or some other historical figure - but really, how the fuck do you know what that person thinks? Maybe he would have hated your guts?

Hmm another example: “Studies have shown…” A very commonly used argument for some given product’s or solution’s correctness. Yet this seemingly normal expression is probably one of the worst forms yet, since it begs the question: “Which studies?”, and as long as that question can not be answered by the individual, his or her argument doesn’t count for shit! It’s all too common:

Normal guy reads newspaper, sees a headline “Studies show mobile phones cause HIV” and then unquestionably believes this snippet of information to be true. He then tells his friends, his girlfriend, his dad, his teacher, a couple of stoners and perhaps his dog (he’s probably kinda drunk). This then circulates even further with these individuals talking to other individuals, claiming that studies show mobile phones cause HIV and finally, 1 year later, people are so damn scared no one dares use a mobile phone for fear of HIV.

Using an argument like “Studies have shown …” is the equivalent of saying: “As far as I know and believe …” - that is if you can’t mention the source of course!

So what was this post all about? Well - mainly it was about me getting some frustration out there :-).. I’m tired of people believing arguments like the above are worth anything, and I’m tired of people unquestionably believing everything they hear or read… So really my one goal here, my one moral, is simply:

Be sceptical - Question everything!!




Jun 18

Linear Algebra - I flunked!

Tag: Junk | Michael Lind Mortensen @ 11:47 am

Well - I went for the passing grade in Linear Algebra, but was foiled by the subject I picked.. Stochastic matrices.. Which in itself is not that bad of a subject, but when they suddenly change the subject to linear differential equations and unitary diagonalization - then you know you’re fucked!..

Anywho - The score as of right now:

Lin Alg: 1

Michael: 0

Re-match in August!




Jun 12

Fuck Linear Algebra

Tag: Junk | Michael Lind Mortensen @ 8:48 pm

FUCK LINEAR ALGEBRA - That’s all I have to say!




Jun 07

Congratulations to Barack Obama

Tag: Politics | Michael Lind Mortensen @ 11:16 pm

So, as most of you probably know, Barack Obama won the Democratic nomination this week. I have to be honest - I was kinda hoping he would, as I found him to be the most competent of the likely candidates. I really disliked Hillary Clinton from day 1 - She just came off as sad, whiny and untrustworthy - spilling out one unfair attack after the other.

So congratulations to senator Barack Obama - May you take back the White House and throw out all those who have destroyed much of the peace we enjoyed on this earth (well - the little peace there was that is).

I actually tried to give a donation to your campaign only to find out that I couldn’t! Apparently only American citizens can donate money to candidates.. so I guess you’ll just have to live without my donation and if I were ever fortunate enough to meet you in person, perhaps I could then buy you a coffee and we could call it even ;-)




May 25

Trying out Adsense

Tag: Junk | Michael Lind Mortensen @ 9:47 pm

So one of my friends recommended Google Adsense today. I’ve never been too fond of ads myself, however I thought I might try it out and see if it pisses me off or not. So you’ll probably be noticing a few ads on the blog now and again.. If you don’t like them - then ignore them! If you saw an ad here you think I would be completely against - please do write me an e-mail because that was specifically one of the things I was worried about when adding the Adsense stuff - Ads I would find dishonest or misleading!

So anywho - Ads are here on a trial basis!




May 25

SMiShing - The new playing field for scammers

Tag: Security | Michael Lind Mortensen @ 1:23 pm

So I read this article today on Comon.dk: http://www.comon.dk/news/forste.store.smishing-angreb.i.danmark_36080.html

It’s Danish, so if you followed the link and thought to yourself: “What the f*ck?” - That’s probably because you’re not Danish, so let’s start with me explaining what the article says!

The article talks about the first big SMiShing attack in Danish history and features comments from Danish security expert Peter Kruse (CSIS Security Group). Now for all of you who don’t know what SMiShing is, SMiShing is basically just an SMS-oriented way of doing Phishing. So instead of trying to scam a victim to a fake website (which is Phishing), SMiShing tries to scam you into calling a specific number due to something like “Hey you won 10 million dollars. Call #somenumber# to claim your prize”. So what’s really dangerous about this? Are people really gonna fall for something like this? - A lot of stuff and yes!

Let’s have a look at the SMS sent to a bunch of Danes the other day:

“Your mobile number won 750.000 Euros from the Espana global promotion. Contact claim dept. on: Tel: 0034664219273 Fax: 0034911013657 mcellproiaim.com”

How many do you think would fall for this scam and call the number? There’s no official number, but former numbers for other Phishing sites have stated that 1-2% of all recipients visit the site after receiving the scam e-mail. So is it also 1-2% with SMiShing? - I would argue no, specifically because e-mail is still being stigmatized. People don’t trust e-mails because they’ve grown accustomed to spam and other forms of fake emails - but they trust their mobile phones! So while we see numbers like 1-2% for e-mail scams, I fear we will be seeing numbers like 4-6% for mobile phone scams - if not even more than that.

So what happens if you call the number? According to Peter Kruse, one would probably be met with the scam artist himself, trying to get your bank information so that he can “transfer the money to you”, while in fact he just wants the information to do some form of identity theft. - Personally I don’t believe this one! It seems very much unlike mass computerized criminals to initiate contact with their victims. Experienced hackers do it, however they’re usually also a lot more focused.. they plan ahead and hit one or two companies very specifically. SMiShing’s nature of mass-oriented scamming is not well suited for this type of theft attempt. No, I find it much more likely you’re met with a computerized voice asking for a lot of information - including a bunch of information that doesn’t seem odd but just completely unnecessary, like address, city, postal code, state, country, gender and so on. So why would a scammer want to know all of these things? Very easy - he wouldn’t! But he would very much like you to stay on the line while you’re racking up huge premium rate fees - all of which go straight into the scammer’s pockets, without you being able to do much about it.

Scams with premium rate numbers have been around for a very long time and while obviously illegal, it can be very difficult to get someone convicted. So the scammers can sit back while perhaps 2000 people call (if they’ve contacted enough victims with SMS) and on average use 12 minutes on the phone with a fee of 15$ a minute - adding up to: 360000$ in profits for the scammers. - Actually these numbers are probably way too low if they’ve attacked several countries.

But this is just one of the ways you can use SMiShing and is actually one of the more naive ways. A much better way would be to exploit the way SMS’s actually work. Many people believe that SMS’s include numbers and the only way their phones can show names (like “Tom” instead of 08005552342) is if they themselves added it to their phone book. But this is actually not true! You can very easily spoof names instead of numbers, so that when a victim receives a message from you, instead of having 08005551215 as a number, you could choose “Mom”. This way, you would be able to do a very evil form of SMiShing, where the number of callers would quite likely be much higher:

“Hi son. You need to call me straight away - We’re in Honduras and your Dad just had a heart attack! I’m sitting here in the hospital but my phone isn’t working well and almost has no more batteries. Would you please call the hospital’s phone at: (504) 559 - 0300. Love you! - Mom.”

If I were trying to scam people with SMiShing (and I had no soul) - this would be the way to do it!
Assuming it isn’t possible for the son to call his mother (as in she’s not picking up or at work) and the son’s parents aren’t dead already, this will work wonders and a lot more than 4-6% would call!

So to sum it all up. Is SMiShing much of a threat? Well yes because it uses an old technology which hasn’t had any real security boosts and which people mistakenly trust. So in that sense it’s much worse than scamming over e-mail (Phishing) as it’s much more likely the victim will fall for the scam. I fear we will be seeing a lot of these scams in the future unless something is done to secure SMS - a scenario that’s probably very unlikely!
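
The sender-name behaviour described above can be checked on the receiving side. As an added example (not part of the original post), this Python code decodes the originating-address field of a received SMS-DELIVER PDU as laid out in 3GPP TS 23.040 and flags a network-supplied alphanumeric sender that equals a phone-book name; the PDUs, the number and the contact names are constructed sample data.

```python
# Added example: classify the sender field (TP-OA) of a received SMS-DELIVER
# PDU. All PDUs, numbers and contact names below are constructed samples.

TON_NAMES = {0b001: "international", 0b010: "national", 0b101: "alphanumeric"}

# Layout: SMSC length 0 | SMS-DELIVER | TP-OA | PID | DCS | timestamp | "Hi"
PDU_NAME = "000406D0CD771B00008050523132000002C834"        # sender text "Mom"
PDU_NUMBER = "00040A91542143658700008050523132000002C834"  # +4512345678


def unpack_septets(data: bytes, count: int) -> str:
    """Unpack `count` GSM 7-bit septets. Only letters, digits and space are
    mapped (they coincide with ASCII); anything else is shown as '?'."""
    bits = int.from_bytes(data, "little")
    out = []
    for i in range(count):
        ch = chr((bits >> (7 * i)) & 0x7F)
        out.append(ch if ch.isalnum() or ch == " " else "?")
    return "".join(out)


def decode_bcd(data: bytes, digits: int) -> str:
    """Decode swapped-nibble BCD digits; a trailing 0xF nibble is padding."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)[:digits]


def parse_originator(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]                      # skip SMSC info (length + body)
    if raw[pos] & 0x03 != 0x00:           # TP-MTI must be 00 for SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    semi_octets = raw[pos + 1]            # address length in useful nibbles
    ton = (raw[pos + 2] >> 4) & 0x07      # type-of-number bits 6..4
    n_octets = (semi_octets + 1) // 2
    value = raw[pos + 3 : pos + 3 + n_octets]
    if len(value) != n_octets:
        raise ValueError("truncated originating address")
    if ton == 0b101:                      # sender is free text, not a number
        sender = unpack_septets(value, semi_octets * 4 // 7)
    else:
        sender = decode_bcd(value, semi_octets)
        if ton == 0b001:
            sender = "+" + sender
    return {"sender": sender, "type": TON_NAMES.get(ton, "other")}


def assess(pdu_hex: str, contacts: list) -> dict:
    """Flag a text sender that collides with a name in the phone book: the
    name came from the message itself, not from a phone-book lookup."""
    info = parse_originator(pdu_hex)
    names = {c.strip().lower() for c in contacts}
    info["matches_contact"] = (
        info["type"] == "alphanumeric"
        and info["sender"].strip().lower() in names
    )
    return info


if __name__ == "__main__":
    for pdu in (PDU_NAME, PDU_NUMBER):
        print(assess(pdu, ["Mom", "Tom"]))
```

A message handler can use `matches_contact` to show a warning instead of the contact's name whenever the sender field carries text rather than a number.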




May 24

Fake security - Laptop fingerprint scanner

Tag: Security | Michael Lind Mortensen @ 8:31 pm

I have a Lenovo Thinkpad T61 as my work laptop - You know, one of those laptops with the fancy fingerprint scanner in the bottom right corner. Now without getting into a big discussion about the dangers of biometric security systems, I’m going to tell you why I think these kinds of devices are completely ridiculous and provide absolutely no extra security whatsoever.

Let’s first consider the premise for using a biometric fingerprint scanner! The premise for using a fingerprint scanner, instead of e.g. a password, is that a password can be guessed while a fingerprint is something unique to a user - something the user is the sole possessor of and always carries with him. So while that sounds more secure (since you don’t have to worry about e.g. password strength), in reality it really isn’t. Let’s say we had a hacker Charlie and Charlie here wanted to gain access to a building only Alice had access to - a building using biometric authentication in the form of a fingerprint scanner. How would Charlie accomplish this? Well, it actually turns out he has quite a few options:

  • He can force Alice to let him in (read “big fucking gun”)
  • He can jump Alice and chop off her finger (thereby giving him the “key” he needs)
  • He can break the fragile window next to the top-security, 20 inch steel door (as in: don’t make your damn security systems more solid than what surrounds them.. before long you’ll have burglars blowing up your walls to get in.)
  • He can break into the fingerprint scanner and steal the stored fingerprint (fingerprints aren’t stored as images, as some may believe.. Fingerprints are stored as a seemingly random sequence of characters uniquely identifying the fingerprint. It’s much like a hashing function like md5() or sha())
  • He can swipe Alice’s fingerprint off some glass or whatever he can find, and then use the same technique as Chaos Computer Club did when they stole a German official’s fingerprint, to then reproduce the fingerprint and use it as if he was Alice.

All in all there are tons of ways to break a biometric system. However one of the more disturbing issues isn’t that it’s easy to break. It’s the fact that when it’s been broken - the users are screwed! If you get your fingerprint stolen, you can never use a fingerprint scanner securely again.. simply because the premise isn’t there anymore - you are no longer the sole possessor of the fingerprint. So there are many very real concerns with the use of biometric systems and I can tell you right now - I usually avoid all of these systems!

So back to the subject here: Why the fingerprint scanners on laptops from IBM, Lenovo, HP etc. are completely useless when it comes to security! So really the issue is quite simple. The premise for using biometrics is that the user is the sole possessor and therefore the only one who can log in. Now consider this scenario: You’re walking down the street, your laptop in hand, and then suddenly out of the blue a skinny guy runs past you, grabs your laptop and runs like the wind! You, exhausted by the last burger you just ate, try to run after the perpetrator but fail when you start to lose your breath (after 10 meters).. but then - aahhh - a sigh of relief when you remember you had a 35 digit password, encrypted hard drive and a biometric fingerprint scanner! No worries right? … — … — … — … — … — WRONG! The perpetrator gets home and takes a look at your laptop. He noticed your “Linux rocks - I secure my toilet brush” t-shirt while running past you and concludes your hard drive is probably encrypted and your password is probably psycho - but then.. aaahhhh - a sigh of relief when he notices you’ve activated your fingerprint scanner! He then takes a piece of tape, picks a random spot on your laptop, swipes your fingerprint right off, uses CCC’s method to copy your fingerprint and uses it to log in and steal all your data - despite the whole encryption, psycho password stuff.

It’s actually really simple: The fucking key is on the machine you’re trying to break into!!

Imagine an office building having break-in keys hanging from the fucking front door - just for burglar convenience!

All in all it comes down to this: The laptop fingerprint scanners are there because it’s hype! Like Apple, Facebook and a bunch of other stuff, fingerprint scanners for the common man are hype these years - it sells! But while companies are telling people to use these devices, they’re actually misleading the public and giving them a false sense of security - thereby actually weakening security very extensively.

So why am I writing this? Well pretty simple actually - Disable your fucking fingerprint scanner!




May 24

FreeBSD on Microsoft Hyper-V

Tag: Unix | Michael Lind Mortensen @ 10:55 am

So I’ve been looking into the problem of getting FreeBSD running on Microsoft Hyper-V the last few days and then yesterday I finally got it working.

Apparently people have been quite upset that Hyper-V only offered support for Windows based systems and Linux SuSE systems, which is obviously not very bright or community friendly - to be quite honest I would rather use VMware due to the very few *nix systems Hyper-V officially supports.

However you can’t always pick and choose, and in this particular situation - I couldn’t either! So I had to get it working, so first I tried FreeBSD 7.0 RELEASE with a bootonly .iso and tried to mount that in the virtual machine - however the only thing I got out of that was a disc trying to boot but failing almost immediately with the message:

“Can’t load kernel”

So I tried FreeBSD 6.3 STABLE instead since it was obviously due to the kernel loading with FreeBSD 7.0. But again - no luck and just the same message:

“Can’t load kernel”

So finally I tried FreeBSD 8.0 CURRENT and to my great surprise - this would actually boot and let me install. However there are a few quirks that I haven’t worked out yet. Like the fact that FreeBSD apparently doesn’t detect the network interface given to it by Hyper-V - something that is somewhat of a huge problem.

So anywho - FreeBSD 8.0 CURRENT works with Microsoft Hyper-V… so for all you people I’ve seen with this problem, use FreeBSD 8.0 for your install.

I’ll write more when I’ve done some more extensive benchmarking and configuration.



