I Want to Alter the Deal

The Witcher series of games has been phenomenally successful. In fact, its success has overshadowed the books it was based on. Unfortunately for the author, he made a bad deal and now wants to alter the deal:

“I was stupid enough to sell them rights to the whole bunch,” Sapkowski said at the time. “They offered me a percentage of their profits. I said, ‘No, there will be no profit at all — give me all my money right now! The whole amount.’ It was stupid. I was stupid enough to leave everything in their hands because I didn’t believe in their success. But who could foresee their success? I couldn’t.”

Sapkowski has now made a public demand for six percent of the profits obtained for the lifetime of the franchise, which adds up to more than $16 million for The Witcher 3: Wild Hunt alone.

I especially enjoy how he admits that he was initially offered a percentage of the profits and turned the offer down because he didn’t believe that the project would be successful. So even he’s admitting that his failure to capitalize on his novels was entirely his fault.

Higher risks generally come with greater rewards, which makes sense since there needs to be a justification for taking a risk. Sapkowski played it safe and took the low risk/low reward option. Generally speaking, if you can bear the brunt of losing out on a high risk/high reward situation, take it. Sapkowski had income from his books so he may have been able to bear the brunt of not receiving any money on the series if it flopped. If you ever find yourself in a similar position, give the high risk option some serious thought.

Making Security Illegal

A recent court ruling has potentially made secure devices and effective security services illegal:

The Canadian executive of a 10-year-old company that marketed its purportedly secure BlackBerry services to thousands of criminals (who paid at least $4,000 per year, per device) has pleaded guilty to a racketeering conspiracy charge, federal prosecutors in San Diego said Tuesday.

[…]

As the Department of Justice said in a Tuesday statement:

To keep the communications out of the reach of law enforcement, Ramos and others maintained Phantom Secure servers in Panama and Hong Kong, used virtual proxy servers to disguise the physical location of its servers, and remotely deleted or “wiped” devices seized by law enforcement. Ramos and his co-conspirators required a personal reference from an existing client to obtain a Phantom Secure device. And Ramos used digital currencies, including Bitcoin, to facilitate financial transactions for Phantom Secure to protect users’ anonymity and launder proceeds from Phantom Secure. Ramos admitted that at least 450 kilograms of cocaine were distributed using Phantom Secure devices.

[…]

At the time of his arrest, the Department of Justice said that the Ramos case was the “first time the U.S. government has targeted a company and its leaders for assisting a criminal organization by providing them with technology to ‘go dark,’ or evade law enforcement’s detection of their crimes.”

From what I could ascertain, the reason Vincent Ramos was arrested, charged, and declared guilty was because he offered a device and service that allowed his customers to actually remain anonymous. This is what most Virtual Private Network (VPN) providers, I2P, Tor, and other anonymity services offer, so will one of them be the next Department of Justice target?

I’m going to take this opportunity to go on a related tangent. Ramos was charged because his devices and service were being used by other people to facilitate illegal activities such as selling cocaine. Ramos himself wasn’t, as far as I can tell, performing those illegal activities. Since the illegal actions in this case weren’t performed by Ramos, why was he charged with anything? Because the illegal activities being performed with his devices and service were related to the drug war and the drug war has served as the United States government’s excuse to go after anybody it doesn’t like.

Anything that can be tacitly tied to the drug war can be punished. If an officer doesn’t like you, they can claim that the cash you have on hand is evidence that you are participating in drug crimes and use civil forfeiture to seize your stuff. If your roommate is dealing drugs without your knowledge, prosecutors can claim that you actually do have knowledge and charge you with a plethora of crimes. If you offer a product that anonymizes users, prosecutors can charge you for aiding drug dealers. All of the supposed civil rights you enjoy suddenly go out the window when the word “drugs” is involved.

All Data Is for Sale

What happens when a website that sells your personal information asks you to input your phone number to enable two-factor authentication? Your phone number is sold to advertisers:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

There really is no reason for a website to require a phone number to enable two-factor authentication. Short Message Service (SMS) is not a secure protocol, so utilizing it for two-factor authentication, which many websites sadly do, is not a good idea. Moreover, as this study has demonstrated, handing over your phone number just gives the service provider another piece of information about you to sell.

Instead of SMS-based two-factor authentication, websites should at a minimum offer two-factor authentication that utilizes apps implementing the Time-based One-time Password Algorithm (TOTP) or the HMAC-based One-time Password Algorithm (HOTP), such as Authy and Google Authenticator. Better yet, websites should offer two-factor authentication that utilizes hardware tokens like YubiKeys.

Want to Avoid Being Swatted? Sign Up for Our Anti-Swatting Service Today!

You know police procedures are inadequate when convincing SWAT teams to storm random addresses happens so often that there’s a term for it. The Seattle Police Department (SPD) was recently caught up in a rather embarrassing swatting incident. Instead of taking responsibility for its inadequate procedures it has decided to put the burden on the citizenry:

On its official “swatting” resource site, the Seattle Police Department acknowledges how swatting works, along with the fact that citizens have requested a way to submit their own concerns or worries about being a potential victim. (Full disclosure: after having my own personally identifiable data distributed in a malicious manner, I asked SPD for this very thing… in 2015.)

“To our knowledge, no solution to this problem existed, so we engineered one,” SPD’s site reads. The site claims that swatting victims are “typically associated with the tech industry, video game industry, and/or the online broadcasting community.”

SPD’s process asks citizens to create a profile on a third-party data-management service called Rave Facility (run by the company Smart911). Though this service is advertised for public locations and businesses, it supports private residences as well, and SPD offers steps to input data and add a “swatting concerns” tab to your profile.

Want to avoid being swatted? Sign up for our anti-swatting service today! If you don’t sign up, then the department cannot be held responsible for murdering you when some random jackass on the Internet calls in a fake hostage situation.

What gets me is not just that swatting happens so often that there’s a term for it but that it happens so often that the SPD website has a page dedicated to it. If swatting happens so often that your department has to dedicate a page to it, then your procedures for responding to random hostage situation calls need some serious overhauling.

But He’ll Defend Our Gun Rights

Donald Trump paid lip service to the National Rifle Association (NRA) and gun rights, which was enough to convince many gun owners that he would protect gun rights. This shouldn’t come as a surprise to anybody with more than two brain cells to rub together, but he lied:

WASHINGTON (Reuters) – U.S. President Donald Trump said on Monday his administration is just a few weeks away from finalizing a regulation that would ban so-called bump stocks, devices that allow semi-automatic weapons to fire like machine guns.

“We’re knocking out bump stocks,” Trump said at a White House news conference. “We’re in the final two or three weeks, and I’ll be able to write out bump stocks.”

Now to sit back and wait for his apologists to claim that this is really just part of his 517-dimensional chess game to defend gun rights from those evil liberals.

If You’re Going to Go, Go All Out

White smoke signals that the gender has been revealed.

Black smoke signals that the gender has not been revealed.

An off-duty border patrol agent wanted an explosive gender reveal party for his family and friends, but he ended up igniting a wildfire that spread to Coronado National Forest in Arizona.

Dennis Dickey, 37, of Tucson, Arizona, has to pay more than $8 million in restitution, starting with a $100,000 initial payment and monthly payments thereafter, the Department of Justice said in a statement.

Properly Warning Users About Business Model Changes

I have an update from my previous article about how the developers of GPGTools botched their changeover from offering a free software suite to a paid software suite. It appears that they listened to those of us who criticized them for not properly notifying their users that the latest update would change the business model, because this is the new update notification:

That’s how you properly inform your users about business model changes.

Installing macOS Mojave on Unsupported Macs

I’m back, I’m married, and I’m behind the news cycle. Although being behind the news cycle should be treated as a state of bliss, it’s not a great place to be when you use news articles for blog material. It’s going to take me a day or two to catch up.

One project I did tackle over my extended vacation is getting macOS Mojave installed on my computers. Mojave dropped official support for several Macs, but just because Apple doesn’t officially support a platform doesn’t mean it can’t be used. I see no reason to throw away perfectly functional hardware, and I enjoy receiving security updates. Because of that, I ended up playing with dosdude1’s Mojave Patcher.

The patcher originally didn’t work for me because all of my computers have FileVault enabled and the version I first downloaded had a bug where it couldn’t mount FileVault containers. That was before I left for my wedding. Fortunately, by the time I got back, a new version that fixed that bug had been released.

I used the patcher to install Mojave on my 2010 Mac mini 4,1 and my 2010 MacBook Pro 5,4. Installation on my Mac mini was smooth. I haven’t had any major problems with it. Installation on my MacBook Pro was another matter. I should note beforehand that the MacBook Pro in question has a bad memory controller. One of the two memory banks has a 50/50 chance of working when I power the system on. If it doesn’t work, I only have access to half of my memory. That may be why I have to reset the NVRAM every time I power the system on in order to get it to boot (if I don’t reset the NVRAM, I get the dreaded no symbol when I start the computer).

If you’ve been happily running an older Mac and found out that Mojave won’t install, try dosdude1’s Mojave Patcher. It doesn’t work on every old Mac (a list of supported Macs can be found at the link), but it does work for most of the 64-bit Intel Macs.