Oct 24 2015

Related to my rant regarding the TalkTalk hack that I've just posted is an associated rant about security advice from the media. It's spotty at best, and downright unhelpful or just plain wrong at worst.

I've been stuck indoors today waiting for someone to paint my front door, so amongst various household tasks that I've reluctantly undertaken, I've also had the BBC News 24 channel blaring out. And of course the TalkTalk hacking incident has been making a regular appearance. And on occasion the security advice has been less than stellar; in fact some of it stinks like a rhino's rancid rectum.

It Was A DDoS

(bang) as my head hits the table.

No, the TalkTalk hack had nothing at all to do with a distributed denial of service attack. There may have been a DDoS attack just before the hacking incident, but it was not related (even if it was done by the same people). A DDoS attack is the cyber equivalent of getting all your friends to shout at someone you don't like; it's noisy, stops you communicating, and is as annoying as hell.

But once it is over, things are back to normal (except for writing an incident report). 

Breaking into a server and stealing the personal data of customers is not any kind of denial of service attack. It's an intrusion, and an exfiltration; there are two separate events there. Labelling either as a "DDoS" just makes you look like an idiot.

Look At The Email Headers

(bang) as my head hits the table.

Email headers can be forged; those headers you see normally ("From", "Subject", "Date", etc.) are nothing more than comments. They are not to be trusted. Even if you reveal the hidden headers (and there's a lot you don't see), the story they show can be mostly forged. It takes a real expert to distinguish between a phishing email and a legitimate email from just the headers.

Even something geeky like PGP digital signatures can be forged if you are dealing with an organisation that has been compromised. And who uses PGP?

Don't trust emails with the name of a compromised organisation on.  
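As an added illustration of the point above (this is my example, not code from the original post): the visible "From" line is just text the sender typed, and the only Received line you can trust is the one your own server stamped on. The message below is constructed, and the trusted server name is an assumption.

```python
"""Added example: parse a constructed message with Python's stdlib and show
how little the visible headers prove. Assumption: our own inbound mail
server is 'mx.example.net'; only the Received line it wrote is ours."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message. The visible From claims a bank;
# the hidden Return-Path and the relay chain tell a different story.
SAMPLE = """\
Return-Path: <bounce@mail-campaign.example.org>
Received: from relay.example.org (relay.example.org [203.0.113.5])
\tby mx.example.net with ESMTP id 42; Sat, 24 Oct 2015 10:00:00 +0000
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby relay.example.org; Sat, 24 Oct 2015 09:59:00 +0000
From: "Your Bank" <security@bank.example.com>
Subject: Urgent: verify your account
Date: Sat, 24 Oct 2015 10:00:00 +0000

(body omitted)
"""

TRUSTED_HOST = "mx.example.net"  # assumption: our own inbound server


def domain_of(addr_header):
    """Extract the bare domain from an address header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    bounce_dom = domain_of(msg.get("Return-Path"))
    received = msg.get_all("Received") or []
    # Only the Received line stamped by our own server was added by us;
    # every line below it in the chain could have been typed in by the sender.
    trusted = [r for r in received if f"by {TRUSTED_HOST}" in r]
    untrusted = len(received) - len(trusted)
    findings = []
    if from_dom != bounce_dom:
        findings.append(f"From domain {from_dom!r} != Return-Path domain {bounce_dom!r}")
    if not msg.get("Authentication-Results") and not msg.get("DKIM-Signature"):
        findings.append("no DKIM signature or Authentication-Results header")
    if untrusted:
        findings.append(f"{untrusted} Received line(s) not written by {TRUSTED_HOST}")
    return {"from_domain": from_dom, "bounce_domain": bounce_dom,
            "trusted_hops": len(trusted), "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print("WARNING:", line)
```

Even a clean result here proves nothing if the sending organisation itself has been compromised, which is the post's point.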

Change Your Passwords As Frequently As Possible

(bang) as my head hits the table.

Changing your password frequently doesn't actually accomplish that much. It is better to keep the same password for a year, if it is long and strong, than it is to change your password every month if it is simple and weak.

Long and strong passwords are tedious to remember – especially for web sites you rarely use. So use a password manager like KeePass. If you want to use a different password manager, seek out a security geek and ask for their recommendations. And the geekier the application's web site looks, the better; the site should be droning on about 3DES, AES, and all sorts of inscrutable cryptogeek mathematics; you don't have to understand it all, but its absence from a web site is a bad sign.

Use different passwords on different sites. This is also tedious, and can be relaxed for less important web sites – that is, those web sites that don't store more personal information about you than your name. And tedious is a good thing when it saves you from the stress of finding out your bank accounts are empty.
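To put some rough numbers on the "long and strong for a year beats weak and monthly" claim, here is an added model (mine, not from the original post). It assumes an attacker holding a stolen password hash who can test a billion guesses a second offline, and that a password is compromised as soon as its keyspace is exhausted within one rotation period; real attackers use wordlists and reuse, so this flatters the weak policy if anything.

```python
"""Added example: crude model of compromise probability over one year for
two password policies. All rates and policies below are assumptions."""

GUESSES_PER_SEC = 1e9             # assumption: a modest offline cracking rig
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of equiprobable passwords of the given length and alphabet."""
    return alphabet_size ** length


def compromise_probability(space, rotation_days, years=1):
    """Probability at least one password is cracked during `years`.

    Within each rotation period the attacker makes rate*period guesses, so
    the chance of hitting the password in that period is min(1, guesses/space).
    Periods are treated as independent because a fresh password is chosen
    each time.
    """
    period_s = rotation_days * 24 * 3600
    p_period = min(1.0, GUESSES_PER_SEC * period_s / space)
    periods = years * SECONDS_PER_YEAR / period_s
    return 1 - (1 - p_period) ** periods


def compare():
    weak = keyspace(26, 8)       # 8 lowercase letters, changed every 30 days
    strong = keyspace(7776, 5)   # 5-word diceware passphrase, kept all year
    return {
        "weak_monthly": compromise_probability(weak, rotation_days=30),
        "strong_yearly": compromise_probability(strong, rotation_days=365),
    }


if __name__ == "__main__":
    for name, p in compare().items():
        print(f"{name:14s} P(compromised within a year) = {p:.4f}")
```

The weak password falls inside minutes of every rotation period, so rotating it twelve times just means twelve compromises; the passphrase kept all year gives the same attacker about a 0.1% chance.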

Don't Blame The Victim

It's all very well being sympathetic to those victims who have found their bank accounts emptied, but they are not necessarily related to this latest incident.

And they're not entirely blameless. 

If they hadn't shared information with hackers who already had some of their data, or they had not used the same password for their bank as TalkTalk, then they would not be victims.

And this is hardly new advice.

The media should be sending the message that these victims have been dumb; yes there may be extenuating circumstances, but they have still been dumb. And dumb TalkTalk customers will likely end up with their money and/or identity stolen.

Oct 21 2015

So there's this new TV series called "CSI: Cyber" (well technically it's new to me and the UK) which is all about an FBI cybercrime unit. 

As it happens cyber security (if you insist on calling it that) is something I know a bit about. And so this new TV series has two ways of amusing me – the normal entertainment that TV offers, and of course the chance at falling about laughing at the mistakes.

Is it entertaining in the first sense? It's an American cop show with a bit of added "tech", so to some extent it stands out of the American cop show crowd (or perhaps flood). So yes, it's mildly entertaining; nothing worth staying in for, but it will kill an hour that you're too tired to do anything more productive with.

In the second sense I mentioned – yes it's got that in spades.

The most obvious flaw is that everything happens too quickly. Analysing a malicious printer firmware as you plug in the USB disk that contains it? Not going to happen. Finding a zero-day exploit in a collection of IoT devices within an hour? Not going to happen. Hacking a municipal transport network whilst being driven around at furious speed? Well that could happen if you had already done it (they hadn't), but it isn't something you would really try.

Causing a printer to burst into flames with a malicious firmware? I believe the possibility was jokingly mentioned a few years ago when printer firmware became a target for attack amongst the white hat community, but it was also mentioned that it was pretty unlikely as things like thermal cut-out units are isolated and hardwired – you can't turn them off.

Or a malicious exploit causing a laptop battery to burn up; I'm not saying that's impossible, but again battery pack microcontrollers are usually isolated from the computer they power. 

Labelling "zero-day exploits" as something that affects personal devices? Just plain daft, although the rest of the definition was okay.

Is this a problem? Well, sensible people will realise that this is all just entertainment and will not take it seriously. Indeed it may increase the realisation that criminals with IT skills (and governments) can cause nasty things to happen; even if this show highlights the wrong kind of nasty things. 

Of course the knuckle-dragging neanderthals (with apologies to the real Neanderthals) who watch this show and pay attention (so perhaps there isn't much danger after all) will assume that everything this show demonstrates is for real. And start panicking any time someone whips out a copy of Metasploit.

I imagine I'll be saying: "It's just entertainment" many times over the years.

Jul 13 2015

No, of course it isn't. It's only mainstream media that is dumb enough to think so. 

Pluto is a dwarf planet whose orbit averages about 39 AU (i.e. about 39 times the distance between the Sun and the Earth) whereas the edge of the solar system is approximately 200 AU.

Apr 22 2015

This post is going to be quite long and a bit of a mishmash of different things – my own personal story, a description of what vaping is, politics and conspiracy theories. No great detail in here – it's pretty much an overview.

After approximately 10 months of vaping and not smoking (the "stinkies" being the vaper's term for cigarettes), I think I can reasonably claim that I am no longer a smoker. Like most ex-smokers, I made numerous attempts to give up varying from a few months to just a few hours. The last attempt to give up was assisted by having the right vaping equipment, but was surprisingly easy – either it was just at the right time, or vaping really does make it easier to quit.

Of course without a double-blind study to show it, we really are not supposed to say that vaping makes it easier to quit smoking, but anecdotally (and personally) it certainly seems to be the case.

But …

What Is Vaping?

To put it simply, vaping is the act of inhaling the vapour produced by heating an e-liquid so that it produces something close to steam.

There is no burning or smoke involved. The vapour that is produced contains nicotine, vegetable glycerine, propylene glycol, and various flavourings.

Really rather chemical-sounding, but it contains hundreds fewer chemicals than the smoke produced by a burning cigarette. And whilst (with the exception of nicotine) the chemicals used in vaping are not necessarily approved for inhaling, they are approved for human consumption.

The Gear

Cig-a-likes, clearomisers, tanks, mods, … the world of vaping equipment is a confusing mess. Some are more effective than others, and it isn't always easy to tell which is going to suit you, but the sound-bite :-

The more a device looks like a cigarette, the less effective it is.

(Although there is a separate rant about cig-a-likes)

All devices, whether they come as separate components or as an integrated device, can be split into two – the power source, and the atomiser. The atomiser is what turns e-liquids into vapour and is the key item (assuming a reasonably capable power source) for determining the quality of the vapour production. All of the different atomisers work in the same basic way – there is some form of e-liquid storage, some wicking material to move the e-liquid, and the electrical coil which heats up the e-liquid to produce the vapour.

The coil itself is pretty much like an old-fashioned electric fire, although a bit smaller. The coils vary in resistance from about 0.5 ohms to about 2 ohms; the lower the resistance the greater the strain on the power source. Varying the resistance makes a difference to the vaping experience that is too complex to go into here.

The different power sources themselves can be divided into two – regulated devices and unregulated devices. Unregulated devices are little more than a simple battery where the power supplied to the atomiser is whatever the battery can provide. Whilst there are advantages with unregulated devices, they can be unsafe with lower resistance coils and so should be avoided by beginners.

Regulated devices allow you to set the power sent to the coil and if the battery is capable of delivering that power, it will be delivered. Most also include safety features to prevent electrical accidents.

Device Safety

Having mentioned issues with device safety, let's go a bit further into that.

If you buy a cheap and nasty battery off a well-known online auction site, charge it from a cheap and nasty battery charger, use it on an unregulated power source with an unreasonably low resistance coil, then you may have issues :-

  1. Electrical fire when your charger blows up or forces more electricity into your battery than it wants to hold.
  2. Battery venting when the battery gets overloaded. When a battery vents, it heats up dramatically and leaks liquids and gasses.
  3. If a battery vents inside a device that doesn't allow for the gasses to escape, then the gas pressure will build up until something lets go – in extreme cases you can have pieces of a metal tube fragmenting and scattering at high speed. A pipe bomb in other words.

Now that I've scared you all, let me emphasise that this does not happen if you're sensible – sensible in your purchasing decisions and sensible in your vaping habits. A good charger will shut down if the cheap and nasty battery it is charging shows signs of blowing up. A regulated device will turn off when the battery starts behaving badly. And a sensible vaper will make sure all their vaping components are safe before trying sub-ohming.

Essentially when you hear of some kind of vaping accident (and you will – bad news travels faster than good news), you will know that you're hearing of an unlucky idiot.

Those Damn Cig-A-Likes

Cig-a-likes are exactly what they sound like – electronic cigarettes designed to look like "analog" cigarettes. Even down to a silly little LED that glows on the end when you take a puff.

They don't work. Or at least didn't work for me.

The batteries are too small to last more than an hour, and what is worse is they don't just stop but fade away.

The cartridges that plug into the batteries contain a tiny amount of e-liquid, and taste bad enough that they make bilge-water seem like a tasty drink.

As you might have guessed, I made several attempts to give up with the assistance of cig-a-likes, and failed every time. At best they were a crutch that kept me off the stinkies for a few days or hours, but they weren't satisfying, or enjoyable.  


I'm not entirely sure where the name comes from, but the liquid we use to generate the vapour is called "e-juice". 

It is flavoured, and may contain nicotine. Yes, you can get e-juice without the dreaded nicotine.

But what may come as a surprise is that most e-juice flavours have nothing at all to do with tobacco. Various fruits, spirits (whiskey, rum, etc.), baked goods, custards, and probably a whole lot more. And the relative unpopularity of tobacco flavours probably surprises the e-juice suppliers as much as you!

And no, all these colourful flavours have nothing to do with hooking children; as a whole the vaping industry seems horrified at the thought of selling to children. Since starting vaping I've seen more "Are you over 18" pop-up messages from sites than in all the years before. It has much more to do with former smokers rediscovering their taste buds.

Is It Safe?

Oh boy! Is that a big can of worms. No.

I don't know, but it smells nicer.

There is no such thing as safety. All activities (including consumption of anything) necessitate taking risks. Including vaping. This section should of course include many links to the relevant scientific papers detailing studies done. Unfortunately I'm too lazy, but not everyone has been :-

The right two questions to ask are :-

What Risks Are Associated With Vaping?

The short answer to that is that nobody knows.

The longer answer is that apparently there is not a significantly higher amount of HPHCs (a technical word meaning "nasty stuff") in e-cigarette vapour than there is in ambient air, whereas cigarette smoke contains tons (well, to be more precise, milligrams, which is lots in this scenario). Of course I have ignored the results of studies done with poor methodology.

There are studies which have found nasty stuff (in particular formaldehyde) in e-cigarette vapour, but in many cases this is a result of poor experimental methodology. Any experienced vaper knows about "dry hits" or "burnt hits" where the power is too high and/or the wicking isn't sufficient to deliver enough e-liquid to the coil. What happens then is that the coil chars or burns the wicking material, which results in a vapour that is so acrid and nasty that nobody could breathe it in fully; in one recent posting it has been described as Satan's farts.

With an automated testing machine it is difficult to avoid these dry hits as there is no human in the loop to say "Yerk". Interestingly in one study, the published tweet claimed high levels of formaldehyde which caused the researchers some distress as they had deliberately tested beyond the safe limits to produce half of their results. Their full study actually showed that there was no formaldehyde when vaping normally and formaldehyde was only found at ridiculously high levels of power (for the atomiser they were using).

Lastly, there is some level of misunderstanding of study results going on. For example, there is the case where a study found high levels of metallic nanoparticles in the vapour produced. Which was instantly leaped upon by the anti-crowd, who neglected to point out that the levels found were below safe limits.

The long term effects of what appears to be non-toxic components of e-cigarette vapour are not well known, but it is widely accepted amongst reasonable people who have studied the question that vaping is much less risky than smoking. In fact it is entirely reasonable to suppose that walking alongside a busy road has a far higher risk (from internal combustion pollution) than vaping.

Or my old phrase summing up the situation :-

If you're a smoker, you'd be crazy not to try vaping. If you're a non-smoker, you would be crazy to start vaping.

Is probably a bit too cautious.

What Risks Does Vaping Impose On Bystanders?

This is even less well studied than vaping. But have you ever complained about the "smoke" machines at gigs or clubs? No? Well you've been ignoring a risk that is for all effective purposes just the same as an electronic cigarette; those "smoke" machines, although they pre-date e-cigarettes, are just big versions of a vaping device.

Admittedly the "e-liquid" they put into smoke machines lacks the nicotine and usually the flavourings that e-liquids contain, but the levels of nicotine reaching a bystander are zero or so low as to be negligible.

Probably the biggest risk is that the smell of some vapour is likely to make bystanders on a diet feel hungry.

Think Of The Children!

Actually, and just for once, let's not. Let's think of the smokers who will die if we daemonise vaping first.

Vaping isn't for children. And if children do "experiment" (which they already do with cigarettes) isn't it better they experiment with something that is less risky than smoking itself? If we eventually change the world so that smoking is almost non-existent and most ex-smokers vape instead, children will find it much harder to experiment with smoking and will have to resort to vaping.

And preliminary evidence shows that children who do experiment with vaping are less inclined to get addicted to it.

Conspiracy Theories and Politics

When it comes to moves to regulate electronic cigarettes, the online vaping community seems particularly subject to conspiracy theories :-

  • Big Pharma wants to daemonise vaping because it has invested billions (really?) in nicotine replacement therapy and wants to keep selling the nicotine patches, sprays, and pills. 
  • Big tobacco wants to daemonise vaping to maintain their revenue stream.
  • Politicians want to daemonise vaping to maintain their revenue stream (from taxes).
  • Anti-tobacco campaigners want to daemonise vaping to maintain their revenue stream (if vaping takes over from smoking there will be fewer anti-tobacco jobs).

I'll be the first to say that I cannot disprove any of these (you cannot disprove a negative), and there may be some truth in some of them.

But Occam's razor leads me to believe it is just ignorance and assumptions that lead to the opposition to vaping. Regulation is necessary, but sensible evidence-based regulation not reflex regulation. So we need to educate the politicians, and the politicians need to educate themselves.

Mar 10 2015

Today we learned that next Sunday's episode of Top Gear is not to be shown, and Jeremy Clarkson has been suspended pending an investigation. Apparently because of a "fracas" with a producer.

Which is all a bit mysterious, but it is interesting to see people assuming that Clarkson is in trouble because of his mouth. It would hardly be a big surprise if his mouth has gotten him into trouble again; his public persona is a bit of a loud-mouthed idiot so it is hardly surprising if he says something dumb, obnoxious, or even offensive at times.

When he goes too far, he usually apologises (here, here, here, and I dare say you can find plenty more).

But if this latest fracas has anything to do with the something stupid he has said, the BBC are being a bit two-faced about suspending him. The Top Gear show was a bit of a dreary bore before Clarkson's brand of idiocy spiced it up into something even car-haters can enjoy on occasion. If you employ an obnoxious idiot because he's an obnoxious idiot, it's wrong to suspend him for being an obnoxious idiot.

Of course we're all making assumptions about what went on today. And frankly a "fracas" sounds a bit more serious than just a few badly chosen phrases, so I think we should all wait and see how this develops.