A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Technology’ Category

Apple’s Diminishing Quality


Yesterday I was asked to recommend an Apple laptop (the laptop was going to somebody with a learning disability so the hurdle of transitioning them to a non-Apple platform was great and not a realistic option). As I was making my recommendation it really struck me just how far Apple’s laptops have fallen in the last few years.

In the past when somebody asked me if they should get AppleCare, I usually recommended against doing so. Apple’s laptops were pretty reliable and when they did fail, they could usually be repaired.

Apple’s current lineup has a significant problem. The new slim butterfly keyboards are notoriously fragile. A mere piece of debris getting under a keycap is enough to disable that key. This wouldn’t be a problem with a normal laptop keyboard because there is enough clearance to easily remove most debris that gets caught under a keycap. Moreover, even if the debris cannot be easily removed, the keycap usually can, which allows you to remove the offending debris. Getting a keycap off of a butterfly keyboard without wrecking the fragile butterfly mechanism isn’t easy. And if you do damage the mechanism, you’re stuck replacing the entire keyboard and that requires breaking a bunch of rivets that hold the keyboard to the top of the casing. This is why Apple replaces the entire top case when the keyboard needs to be replaced.

So you have a keyboard that cannot be serviced and has a high probability of failing. Strike one.

Strike two is the solid state drive (SSD). Apple no longer utilizes modular SSDs. Instead their SSDs are soldered to the mainboard. With SSDs failure is a matter of when, not if. This is because flash memory cells can only handle so many erase operations. SSD manufacturers attempt to prolong the life of their product with wear leveling but that only means that the time between failures is extended, it’s not eliminated. This isn’t a big deal with modular SSDs. If an SSD is modular and croaks, you replace the dead SSD with a new one. When an SSD that is soldered to the mainboard croaks, you end up having to replace the entire mainboard. Since the mainboard also has the processor and graphics card soldered to it, you necessarily end up replacing those pricey components as well. What used to be a relatively cheap unavoidable repair has become an extremely expensive unavoidable repair.

Recommending an Apple laptop has become an exercise in presenting the least bad option. An expensive repair is a matter of when, not if. The keyboard is likely to suffer a premature death because of its design and lack of repairability. If the keyboard survives, the SSD will eventually die, necessitating replacing the entire mainboard (and thus the processor and graphics card). Instead of recommending a computer that I know will likely leave the buyer happy for years to come, recommending an Apple laptop involves tagging on a great number of caveats and warnings so that when the buyer is looking at an absurd repair bill, they aren’t doing so unexpectedly.

Written by Christopher Burg

December 18th, 2018 at 10:00 am

Posted in Technology


Great Claims Request Great Evidence


A couple of months ago Bloomberg made big waves with an article that claimed China had inserted hardware bugs into the server architecture of many major American companies, including Amazon and Apple. Doubts were immediately raised by a few people because the Bloomberg reporters weren’t reporting on a bugged board that they had seen, they merely cited claims made by anonymous sources (always a red flag in a news article). But the hack described, although complicated in nature, wasn’t outside of the realm of possibility. Moreover, Bloomberg isn’t a tabloid, the organization has some journalistic readability, so the threat was treated seriously.

Since the threat was being taken seriously, actual investigations were being performed by the companies named in the article. This is where the credibility of the article started to falter. Apple and Amazon both announced that after investigating the matter they found no evidence that their systems were compromised. Finally the company specifically named as the manufacturer of the compromised servers announced that an independent audit found no evidence to support Bloomberg’s claims:

SAN FRANCISCO (Reuters) – Computer hardware maker Super Micro Computer Inc told customers on Tuesday that an outside investigations firm had found no evidence of any malicious hardware in its current or older-model motherboards.

In a letter to customers, the San Jose, California, company said it was not surprised by the result of the review it commissioned in October after a Bloomberg article reported that spies for the Chinese government had tainted Super Micro equipment to eavesdrop on its clients.

Could Apple, Amazon, and Super Micro all be lying about the findings of their investigations as some have insinuated? They certainly could be. But I subscribe to the idea that great claims require great evidence. Bloomberg has failed to produce any evidence to back its claims. If the hack described in its article was as pervasive as the article claimed, it should have been easy for the journalists to acquire or at least see one of these compromised boards. There is also the question of motivation.

Most reports indicated that China has had great success hacking systems the old-fashioned way. One of the advantages to remote software hacks is that they leave behind little in the way of hard evidence. The evidence that is left behind can usually be plausibly denied by the Chinese government (it can claim that Chinese hackers unaffiliated with the government performed a hack, for example). Why would China risk leaving behind physical evidence that is much harder to deny when it is having success with methods that are much easier to deny?

Unless Bloomberg can provide some evidence to support its claims, I think it’s fair to call bullshit on the article at this point.

Written by Christopher Burg

December 12th, 2018 at 10:30 am

Posted in Technology


Who Needs Copy and Paste Anyways


WordPress 5.0 was rolled out on Friday and with it came the new Gutenberg Editor. I’m not a curmudgeon who’s unwilling to give new features a chance. However, I found myself wanting to disable Gutenberg within seconds of trying to use it. Why? Because I couldn’t get the stupid thing to accept pasted text.

Most of my posts involve linking to a story and posting an excerpt of the part on which I want to comment. Needless to say copy and paste is pretty bloody important for what I do. Moreover, copy and paste are two of the most basic operations for an editor. It turns out that I’m not the only one unhappy with Gutenberg. During my quick search to find a way to revert to WordPress’s previous editor I came across a WordPress plugin called Disable Gutenberg. It has over 20,000 active installations and a five star rating, which indicates that it does its job well and the job it does is in high demand.

My setup isn’t anything special. I use Firefox with a few basic add-ons (HTTPS Everywhere, Privacy Badger, uBlock Origin, Multi-Account Containers, Auto Tab Discard, and Bitwarden). This setup worked well with the previous WordPress editor. This leads me to believe that WordPress’s developers didn’t thoroughly test Gutenberg before releasing it. Failing to perform thorough testing before releasing a major update isn’t unique to WordPress though, it has become the standard operating procedure for technology companies.

When I see a new update for any piece of software I use, I become a bit wary. When I see that the update includes new features, I become downright nervous. More often than not new features are released half baked. The weeks (or months) following the release of a new feature are usually spent making it work properly or at least provide the same functionality as the feature it replaced. This is annoying to say the least. I would much rather see the technology industry develop an attitude that saw reliability as a critical feature instead of an afterthought. But I doubt this will happen. Reliability is a difficult feature to sell to most consumers and the work needed to make a product reliable is boring.

Written by Christopher Burg

December 11th, 2018 at 10:00 am

This Neopuritan Internet Is Weird


Just days after Tumblr announced that it will be committing corporate seppuku, Facebook has announced that it too is joining the neopuritan revolution:

Facebook will now “restrict sexually explicit language”—because “some audiences within our global community may be sensitive to this type of content”—as well as talk about “partners who share sexual interests,” art featuring people posed provocatively, “sexualized slang,” and any “hints” or mentions of sexual “positions or fetish scenarios.”

[…]

The new Sexual Solicitation policy starts by stating that while Facebook wants to facilitate discussion “and draw attention to sexual violence and exploitation,” it “draw[s] the line…when content facilitates, encourages, or coordinates sexual encounters between adults.” Can we pause a moment to appreciate how weird it is that they lump those things together in the first place? Whatever the intent, it reads as if only content coding sex as exploitative, violent, and negative will be tolerated on the site, while even “encouraging” consensual adult sex is forbidden.

This is a rather odd attitude for a website that recently rolled out a dating service. Does Facebook seriously believe its dating service isn’t being used to facilitate, encourage, and coordinate sexual encounters between adults?

This neopuritan Internet is getting weird. Both Tumblr and Facebook have mechanisms that allow content to be walled off from the general public. These mechanisms serve as a good middle ground that allows users to post controversial content while protecting random passersby from seeing it. But instead of utilizing them, these two services are opting for a scorched earth policy. It seems like a waste of money to pay developers to create mechanisms to hide controversial content from the public and not utilize them.

Written by Christopher Burg

December 7th, 2018 at 10:30 am

Posted in Technology


Shooting Yourself in the Foot… with a Machine Gun


Tumblr has been known for two things: pornography and social justice blogs. After December 17th it will only be known for social justice blogs. The service announced that it was going to commit corporate suicide by removing all pornography from the site. But Tumblr isn’t taking the easy way out. Instead it has opted to prolong its misery, to commit corporate seppuku if you will, by using machine learning to remove pornography from its site:

For some reason, the blogging site hopes that people running porn blogs will continue to use the site after the December 17 ban but restrict their postings to the non-pornographic. As such, the company isn’t just banning or closing blogs that are currently used for porn; instead, it’s analyzing each image and marking those it deems to be pornographic as “explicit.” The display of explicit content will be suppressed, leaving behind a wasteland of effectively empty porn blogs.

This would be bad enough for Tumblr users if it were being done effectively, but naturally, it isn’t. No doubt using the wonderful power of machine learning—a thing companies often do to distance themselves from any responsibility for the actions taken by their algorithms—Tumblr is flagging non-adult content as adult content, and vice versa. Twitter is filling with complaints about the poor job the algorithm is doing.

Machine learning has become the go-to solution for companies that want to make it appear as though they’re “doing something” without taking on the responsibilities. We’re already seeing the benefits of this decision. A lot of non-porn material is being removed by whatever algorithms they’re using and when users complain Tumblr can say, “Don’t blame us! The machine screwed up!” Thus Tumblr absolves itself of responsibility. Of course the three people who post non-pornographic content to Tumblr are likely to flee after tiring of playing Russian roulette with the porn scanning algorithm but I’m fairly certain Verizon, which owns Tumblr now, just wants to shut down the service without listening to a bunch of people who still use the platform whine.

Written by Christopher Burg

December 6th, 2018 at 10:30 am

Unexpected Microsoft


Microsoft has been making all sorts of unexpected moves in the last few years. The company released Visual Studio Code, which is not only an excellent code editing environment but available under the open source MIT License. In addition to that, Microsoft also released an open source version of its .NET framework and Windows Subsystem for Linux. Needless to say, it’s becoming more difficult to hate the company lately.

Now to top it all off it sounds like Microsoft is going to abandon its custom HTML rendering engine and replace it with Chromium:

Because of this, I’m told that Microsoft is throwing in the towel with EdgeHTML and is instead building a new web browser powered by Chromium, which uses a similar rendering engine first popularized by Google’s Chrome browser. Codenamed “Anaheim,” this new browser for Windows 10 will replace Edge as the default browser on the platform, according to my sources, who wish to remain anonymous. It’s unknown at this time if Anaheim will use the Edge brand or a new brand, or if the user interface (UI) between Edge and Anaheim is different. One thing is for sure, however; EdgeHTML in Windows 10’s default browser is dead.

I have mixed feelings about this. On the one hand, it’s good to see Microsoft moving towards an open source rendering engine. On the other hand, I don’t enjoy seeing the rendering engine market turning into a duopoly (with the only major non-Chromium engine, Firefox’s, having a paltry percentage of market share).

Watching Microsoft do an about-face from being the satanic figure to the open source community has been fun. It probably is the greatest testament to the viability of open source software out there.

Written by Christopher Burg

December 4th, 2018 at 10:00 am

Bitwarden Completes Security Audit


In my opinion one of the easiest things an individual can do to improve their overall computer security is use a password manager. I had been using 1Password for years and have nothing but good things to say about it. However, when I decided to move from macOS to Linux, I decided that I needed a different option. 1Password’s support on Linux is only available through 1Password X, which is strictly a browser plugin. Moreover, in order to use 1Password X, you need to pay a subscription (I was using a one-time paid license for 1Password 7 on macOS as well as the one-time paid version for iOS), which I generally prefer to avoid.

Bitwarden bubbled to the top of my list because it’s both open source and can be self-hosted (which is what I ended up doing). While Bitwarden lacks several nice features that 1Password has, using it has been an overall pleasant experience. Besides missing some features that I’ve come to enjoy, another downside to Bitwarden has been the lack of a security audit. Two days ago the Bitwarden team announced that a third-party vendor has completed a code audit and the results were good:

In the interest of providing full disclosure, below you will find the technical report that was compiled from the team at Cure53 along with an internal report containing a summary of each issue, impact analysis, and the actions taken/planned by Bitwarden regarding the identified issues and vulnerabilities. Some issues are informational and no action is currently planned or necessary. We are happy to report that no major issues were identified during this audit and that all issues that had an immediate impact have already been resolved in recent Bitwarden application updates.

The full report can be read here [PDF].

With this announcement I’m of the opinion that Bitwarden should be given serious consideration if you’re looking for a password manager. It’s an especially good option if you want to go the self-hosted route and/or want support for Linux, macOS, and Windows.

Written by Christopher Burg

November 14th, 2018 at 10:00 am

Posted in Technology


Lockdown


I’ve always treated mobile devices differently than desktops and laptops. Part of this is because mobile devices tend to be restrictive. Most mobile devices are closed platforms that don’t allow you to load a different operating system. And while you can load custom firmware on a few mobile devices, it often requires some hackery. It appears as though I jumped ship at the proper time though because Apple is bringing the restrictive nature of iOS to its desktops and laptops:

Apple’s MacBook Pro laptops have become increasingly unfriendly with Linux in recent years while their Mac Mini computers have generally continued working out okay with most Linux distributions due to not having to worry about multiple GPUs, keyboards/touchpads, and other Apple hardware that often proves problematic with the Linux kernel. But now with the latest Mac Mini systems employing Apple’s T2 security chip, they too are likely to crush any Linux dreams.

[…]

Update 2: It looks like even if disabling the Secure Boot functionality, the T2 chip is reportedly still blocking operating systems aside from macOS and Windows 10.

I know a lot of people have expressed the feeling that buying an Apple computer and installing Linux on it is rather foolish. After all, you can buy a computer for far less that is fully supported by Linux (Linux support on Apple computers has always been a bit hit or miss). I mostly agree with that attitude. However, there comes a time in every Mac’s life where Apple drops support for it in macOS. While it’s possible to coax macOS onto a lot of unsupported Macs, there are also quite a few older Macs where installing a modern version of macOS is impossible. In such cases Linux offers an option to continue using the hardware with an operating system that has current security updates.

I prefer to repurpose old computers rather than throw them away. Having the option to install Linux on older Macs has always been a desirable option to me. For me losing that ability severely limits the functional lifetime of a Mac. Moreover, I worry that the limitations put into place by the T2 chip will make installing future versions of macOS on these machines impossible when they fall out of support.

Secure Boot functionality is a good security measure. However, Secure Boot on a vast majority of PCs can be disabled (in fact Microsoft requires that Secure Boot can be disabled for logo certification). Even if you don’t disable it, many Linux distributions have signed bootloaders that work with Secure Boot (unfortunately, even these signed bootloaders don’t work on Apple computers with a T2 chip). So it is possible to provide boot-time security while supporting third-party operating systems. Apple is simply choosing not to do so.

Written by Christopher Burg

November 7th, 2018 at 10:30 am

Posted in Technology


Meet the Modern Military


The United States military has a problem. OK, it has a lot of problems, but the problem I’m specifically referring to is the trend as of late of acquiring unfinished or flawed technology. From a $1 trillion jet that doesn’t seem capable of doing anything well to stealthy destroyers with flawed engines to fancy new aircraft carriers with nonfunctional munition elevators:

The $13 billion Gerald R. Ford aircraft carrier, the U.S. Navy’s costliest warship, was delivered last year without elevators needed to lift bombs from below deck magazines for loading on fighter jets.

Previously undisclosed problems with the 11 elevators for the ship built by Huntington Ingalls Industries Inc. add to long-standing reliability and technical problems with two other core systems — the electromagnetic system to launch planes and the arresting gear to catch them when they land.

The Advanced Weapons Elevators, which are moved by magnets rather than cables, were supposed to be installed by the vessel’s original delivery date in May 2017. Instead, final installation was delayed by problems including four instances of unsafe “uncommanded movements” since 2015, according to the Navy.

I guess when the deck is used to launch $1 trillion jets that don’t function reliably, getting munitions to the deck isn’t terribly important.

The modern United States military is addicted to high-tech bells and whistles. While those bells and whistles look great on paper, they are often plagued with problems in real world testing and on the battlefield.

At the rate things are going the United States’ military will win the war for its enemies.

Written by Christopher Burg

November 7th, 2018 at 10:00 am

Security for Me, Not for Thee


Google has announced several security changes. However, it’s evident that those changes are for its security, not the security of its users:

According to Google’s Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password.

In the coming future, Skelker says that Google won’t allow users to sign into accounts if they disabled JavaScript in their browser.

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

Conveniently JavaScript is also used to run a great deal of Google’s tracking software.

Disabling JavaScript is a great way to improve your browser’s security. Most browser-based malware and a lot of surveillance capabilities rely on JavaScript. With that said, disabling JavaScript entirely also makes much of the web unusable because web developers love to use JavaScript for everything, even loading text. But many sites will provide at least a hobbled experience if you choose to disable JavaScript.

Mind you, I understand why Google would want to improve its security and why it would require JavaScript if it believed that doing so would improve its overall security. But it’s important to note what is meant by improving security here and what potential consequences it has for users.

Written by Christopher Burg

November 2nd, 2018 at 10:30 am

Posted in Technology
