thebaldgeek

A few days back, I ranted about the Raspberry Pi Zero.
You can read about it here.

The central part of my rant was that there was zero connectivity on the Zero.
And on cue, we have this……

http://www.hackerspace-ffm.de/wiki/index.php?title=Datei:Raspi_edimax_hack_2.jpg

Please check out the photo. Pretty please.
Ugly isent it.
The thing is, it is not the guys fault, his work and soldering is really spot on… No, this is 100 percent the Raspberry Pi foundation’s fault. They built a computer with zero connectivity.

Computers these days NEED to be connected (Gary’s pie in the sky dreams aside).
They just do.

If the Pi people had just put a full size USB connector on the board along with the micro USB port, there would be a glint of hope, but they did not even do that.
So, we have to buy these;
http://www.amazon.com/gp/product/B015GZOHKW

Glad they come in a 5 pack.

So yeah, I still have no idea why they gave the Zero zero.
But I told you so.
Computers need to be connected.
They just do.
Oh, and I told you so.

This is so sad… A guy that loves drones, just having a quick flight out the front of his house, clips a tree, the drone comes down and hits his neighbour…. In this case a small child. The still spinning blades cuts his eye to the point where he loses it.

http://arstechnica.com/tech-policy/2015/11/toddler-loses-eyeball-after-errant-drone-slices-it-in-half/

Evans has reportedly been forgiven by the family for the “awful accident” and said he has not flown another drone since: “I look at the drones in the garage and I feel physically sick.”

I would love to get back to flying RC, but honestly, all these drone stories are part of what keeps me out of it.
I plan to get a very small one to fly inside. In fact, I plan to pay for Trevor to send his damaged drones down to me and I am going to see if I can get 1 working from the three dead ones he has….. All part of the fix rather than buy new.

My names Ben and I void warranties.
I even have the shirt to prove it.

http://motherboard.vice.com/read/how-to-fix-everything

I just want to block quote this whole thing, but I am the target audience and so will try and refrain from gushing too much about this whole article.
(Bottom line, if you know how to use, or own a screwdriver, you need to read the whole thing).

If you’ve tried to open any iDevice—iPad, iPhone, iMac, any of them—within the last four years, you’ve come face-to-face with Apple’s very small, five-pointed Do Not Enter sign. It’s an overt declaration that your phone, or your computer, or your tablet is not really yours to tamper with, a public statement that you are not qualified to fix your own things.

The whole article focuses a little too much on Apple, but he does make the point that they are not the only ones doing this, they are just the most well known and most of their devices are well known.

“For a lot of these newer devices, manufacturers want to say ‘We want to be the only ones to repair it’ because they make more profits off the repairs. They’ve found lots and lots of way to do this. Intellectual property law, contracts, end user license agreements, lots and lots of ways to try to make sure you can’t do what you want with your stuff.”

So, Apple has lots of ways to keep you out of your devices. But the screw is a good place to start.

This is pretty much the guts of the whole thing. Manufactures do not want us to open their goods. They do not want us repairing or modifying them.

“Your competition is not each other,” Wiens tells the 100-or-so repairmen and women (though it’s mostly middle-aged white men) who showed up to his introductory talk at the conference in New Orleans. “We’re competing with the garbage dump.”

This is the bit that is near and dear to my heart, throwing out ‘perfectly’ good but broken tech.
I really miss the days of getting stuff from around Ballarat and fixing it.
If I recall correctly it was one of the things that ended up getting Gary and I in the same loop… Somehow he found out that I was replacing caps on computer motherboards and ended up doing a bunch of them for him.
One of my best memories is replacing a bunch of caps in one board well after sunset for one of his customers because a repair was going to be much quicker and cheaper than a full rebuild. Our late night repair session made a difference, to Gary, to his customer, to their customers.
The point is this, repaired electronics can have a long life. I am still using one of the laptops I got off Gary over 8 years ago!!

Make no mistake, repairing electronics is big money….

This is by design. Americans spent more than $23.5 billion repairing and replacing broken smartphones between 2007 and 2014. In 2013, an analyst reported that Apple hoped to save $1 billion by repairing broken iPhones instead of replacing them, which gives you an idea of just how big the repair market is for the world’s most popular phone. Apple wants as large a share of that as possible. Because it controls the hardware, it’s also trying as best as it can to control the parts market.

For those of us that open things up, that fix the broken, it is not just about the money.

This isn’t all about pushing back against Apple or any other company. It’s not all about saving the environment, either. Fixing things feels good.

That right there is why I have the shirt, that right there is why I miss my mates. We all had the same culture, the same mindset. We all got a kick out of helping each other fix stuff.

My names Ben and I void warranties.

What a mess.
I did not blog about it, but you may of heard of a computer breach that leaked a lot of personal information on the web, Ashley Madison.
It was an online dating website and a few million people got caught up in it. Some even killed themselves when they were found to be using the site.
Sad and unnecessary, but everyone involved were adults.

Over the past few days another computer system breach has come to light.
This time it is scary because it involves kids….. Like, under the age of 12 kids…..

http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html

The guy starts out by making a pretty good point;

I suspect we’re all getting a little bit too conditioned to data breaches lately. They’re in the mainstream news on what seems like a daily basis to the point where this is the new normal. Certainly the Ashley Madison debacle took that to a whole new level, but when it comes to our identities being leaked all over the place, it’s just another day on the web.

Socity, as a whole, is becoming conditioned to data breaches. Why and what implications that conditioning has remains to be seen. I know, for example, that I am a ticking clock. It is only a matter of time before one or more of the sites that I use (like Amazon where I buy (a lot of) things for example) is breached and my email, password (unique), credit card details and home address are in the hands of people I would rather not have all that information.
But again, I am an adult (well, Ok, in age if not behavior). I should be able to take steps to manage such a breach.

When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.

This is the background on how this little device and other online assets created by VTech requested deeply personal info from parents about their families which they then lost in a massive data breach:

The device is a type of child’s iPad. It is a robust touch computer with games and such on it.
To use it, the parents need to make an account on it so that they can manage it for the child.
(Well, that was the intent).

Here is what is in the breach from VTech.

4,862,625 rows and column headings as follows:

id
email
encrypted_password
first_name
last_name
password_hint
secret_question
secret_answer
email_promotion
active
first_login
last_login
login_count
free_order_count
pay_order_count
client_ip
client_location
registration_url
country
address
city
state
zip
updated_datetime

Phew. 4.8 million kids with those sorts of details.
If you are not chilled to the bone about this, drop me an email, I would love to chat for a bit.

Sadly, we are not done with the ahhhh, slackness…..

The next thing I checked was the passwords and whilst the column heading implies they’re encrypted, they’re not. The easiest way to check what’s going on with password storage is just to Google a few of the values stored in the database. For example, let’s take the very first one in the dump: 835af17f41292ba8ea3270f6859757ab

Their password is “welcome81”, it’s that simple. It’s just a straight MD5 hash, not even an attempt at salting or using a decent hashing algorithm. The vast majority of these passwords would be cracked in next to no time; it’s about the next worst thing you do next to no cryptographic protection at all. Speaking of which…

All secret questions and answers are in plain text. The questions are typical (albeit poor) examples such as your favourite colour, where you were born and your first school.

VTech did nothing to encrypt the information.
Anyone with a text editor can view it.

For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.

Ok, I think that’s enough for you to get the point.
Read the source article if you are interested in some of the tech details.
(The technical details are worth a read regardless of your role in computers – this kind of breach is staggering in its laxness and is really well written up).

I guess the point is that more and more of our lives and our kids lives are on line.
They (we) are in the hands of companies that we just assume is doing the right thing by our information. We can rarely check with them and ask them. I know that I would struggle to ask the right questions and even I don’t have time to try and crack, or hack at every company I give my details to see if they are secure.
My kids are (supposedly) grown up. Terry and I have had a vague conversation about passwords, he has switched to a longer one. I figured that since he majoring in computer programming that he would have a clue….. Probably a mistake to assume that.
Amy and I have never had the chance to talk about her online security. I shudder to think her password manager system.

Please take a moment to think about your passwords.
Make them long, make them unique for each web site.
Most of all, please look after your kids online.

EDIT: 6 Hours latter.
This getting worse, kids photos and chat logs are now part of the breach.
http://www.engadget.com/2015/12/01/vtech-breach-kids-photos-chat-logs/