Thursday 30 March 2017

More trojans

Date: Thu, 30 Mar 2017 13:43:20
Subject: uk_confirmation_ph134150011.pdf


Confirmation letter enclosed.  Please see attachment.
Actually, it isn't a pdf, it's a zip file containing a zip file that contains an exe file and a txt file requesting me to open the exe file. Well, even if I were running Windows, I'm not going to open the file.

I showed it to Virustotal, and 8 out of 59 products flagged it. It was first seen about an hour ago; that's why so many products don't flag it. But that's how things are these days.

What does it do? I don't know, and don't much care. An exe file pretending to be a pdf file is going to be malicious. My guess is that it's ransomware, because that's the way things are today. Or maybe it zombifies your computer. Or maybe it displays flags of all nations - I don't care enough to spend very many hours analysing the file.

When I send the exe file to VirusTotal, 11 out of 61 products flag it. That means that some products aren't scanning inside zip files (or at least, aren't scanning inside files that have been doubly zipped). That's bad.

If you're depending on an antivirus to protect you from the malware threat, you better make sure that your lucky horseshoe is nailed to your computer.

Wednesday 29 March 2017

Riding around Reed

I went out yesterday on the bike, for some 50 or so caches around Reed.

The biggest problem I had was with my database of caches. Somehow, I managed to include a few caches I've previously found on my map. So I don't have quite as many finds as I'd thought I had!

I did about 30 before lunch, got back to the car and did another run of about 20 after lunch. After that, I had time for another couple of dozen, but I was knackered and my back was hurting, so I went home.

A good day out.

Ransomware flood

According to the FBI, ransomware costs $1 billion per year. I'm guessing that's just in the USA, so the total must be several billion.

And according to the FBI, the average ransom demand is $679.  Which translates to 15 million ransoms paid in the US. So maybe 100 million worldwide?

That's a lot. What are the causes?

1. It's a really good business model. $679 is a small sum to pay for all your data; I know that because when we ran a recovery service getting data from dead drives, people were willing to pay much more than that. And because it's bitcoin, there's no risk of the ransom being traced back to the criminal.

2. Antivirus products are pretty much ineffective. According to this article, "Some traditional anti-virus vendors were caught out by ransomware’s sudden rise from obscurity, which caused blocking rates to drop.". That's nonsense, of course - ransomware is just a particular case of malware. AV products should block all malware. And if you show some malware-bearing emails to Virustotal, you'll see that 95% of products just don't flag them.

3. Email and malvertising means that the malware is delivered to the user before any AV company has a chance to update their product.

So what can you do? There's two cases; before you're hit, and after you're hit.

After you're hit, you can either pay the ransom and hope that the criminal is honest enough to give you the key. I suppose there are some honest criminals. Or you can not pay the ransom and wave goodbye to your data. Both routes aren't attractive. If you get lucky, then the ransom demand was a bluff, or maybe somone has cracked the encryption for that particular ransomware. It's worth checking this out, but don't hold your breath.

Before you're hit, you have lots of good options.

1. Block executables in attachments. If someone sends me a file with an executable attachment, it goes to a folder set aside for such things.

2. Disable macro execution in Word and Excel. Don't re-enable it just on the say-so of an incoming email.

3. Set javascript (.js) files to open in Notepad.

4. Install a javascript blocker, such as Noscript. And don't disable it just because a web site asks you to.

5. Install an advertising blocker, such as uBlock Origin. And don't disable it just because a web site asks you to.

6. Don't use Adobe Acrobat to read PDF files. Download and install an alternative.

 7. If you use Flash, update it each time a vulnerability is found. That will mean pretty much each month.

8. Take backups. Your backup system should be designed with the possibility in mind that you don't discover that all your files are encrypted until a week after it happened. In other words, taking a copy of your files each day, isn't good enough.

I know that blaming the victim of a crime is unpopular, but your best option is not to become a victim, which means taking some precautions.

Friday 24 March 2017

I beat Caesar!

I scored 4515 points on Civ 6, at Deity level, the highest. For comparison, Hammurabi checks in at half that, and even Julius Caesar only gets 2500! This was playing as Germany, on a large world with a mid-world large lake.

There was a difficult time when the USA made a surprise helicopter attack on me, but I had lots of field guns (they're good for defence, which is necessary when playing at Deity level because the other civs are quite aggressive unless you outgun them), and was able to fend it off long enough for me to put together a bomber fleet. My bombers then broke up the attack, and went on to pulverise America's cities. It was touch and go for a while, but Germany prevailed and I was able to force Roosevelt to a humiliating surrender. After that, it was a matter of conquering the other eight civilisations one by one.

I found a few more bugs in Civ 6; the worst of these is (I think) a memory leak. This causes the game to slow down more and more, and eventually the program crashes. The workaround is, when you feel the system slowing, to exit Civ 6 and restart it.

More minor bugs - when you've achieved all of the civics, it keeps offering you the last two and you get those again and again. When you move an airplane from airfield to airfield, there's no distance limit on the transfer.

Weight check

I weighed myself this morning. But first, I combed my hair.

You might think that combing your hair would increase your weight. This is because  a combed barnet (Barnet Fair) is more ordered than uncombed, and therefore has less entropy. Less entropy means you can increase the entropy and thereby generate useful energy, and so combed hair has more potential emergy than uncombed. And e = mc squared; energy is mass.

But, by the second law of thermodynamics, you can't get something for nothing. To comb my hair, I expend energy. So combing my hair actually decreases my weight.

Not by much, of course.

Seventeen stone, four pounds.

Thursday 23 March 2017

Student politics

Are you on the left, or are you on the right?
Do you need trigger warnings or are you robust?
Is there a rape culture?

When I was at university, the questions were different.

Are you a bridge/chess/go player or a hockey/rugby/soccer player?
Does quantum mechanics make your brain hurt?
Why is there 20 times as many male student as female (and in maths, 400 to 2).

Times change.

Wednesday 22 March 2017

A car and a knife

The terrible events of today - five deaths and 40 injured - remind me of the days when I worked in London. Then the threat was the bombs of the IRA, and you can still see the transparent plastic rubbish bins that replaced the metal ones to make it harder to plant a bomb. And we occasionally heard a bomb going off.

But today there's a silver lining. The murderer (I don't actually know just yet whether he was a terrorist or just a nutcase) didn't use a bomb; probably had no notion of how to make one. All he could use was a car and a knife. Because anyone can get a car and a knife.

In America, pretty much anyone can buy a semi-automatic rifle, which can fire as quickly as you press the trigger. And, of course, any amount of ammunition that you like. If the murderer had had access to explosives and guns, the butcher's bill would have been much higher.

In America, some folks argue that you're killed just as dead with a knife as with a gun. They're missing the point. Access to guns increases the casualty count.

A dream

Last night, I dreamed a strange dream.

I had to write software for a satnav. My part of it was the core engine - not the user interface. So I had to work out the best route from A to B. So far, a rather ordinary dream.
But what made this a strange drean, is that I worked out an algorithm for doing it, and when I woke up, I remembered the algorithm, and it seems to me to be workable.

So here's the algorithm.

Suppose you want to go from Snodgrass Road, SW1, London to McMurray Street, Endinburgh.

I happen to know that to go from London to Edinburgh, you go up the A1. I know that, because I have a mental map in my head of the major cities in the UK, and I know, roughly, how to get from one to another. So the problem now reduces to: How to get from Snodgrass Road to the south end of the A1, and how to get from the north end of the A1 to McMurray Street. You see, I've now reduced one big problem to two smaller ones.

To get from Snodgrass Road to the south end of the A1, I'd go up the Edgware road (A5) then around the M25. Again, I've reduced that problem to two smaller ones. And you keep opn doing this until you've got the whole route worked out.

Then, if that calculation was fast and there was time to spare, you could try small variations on the route, to see if changes made it faster.

Here's what I don't know.

Is this a good algorithm? Is this how existing satnavs do it? And why on earth did I have this dream in the first place?

Tuesday 21 March 2017

Flying hazards

I'm glad to say, I haven't flown for a couple of decades, and I hope I never do again. It isn't that I have a fear of flying - it's the awful discomfort, the intrusive searches and the terrible ennui.

And now I see a new rule. If you're going from any of a dozen middle-eastern airports, to the USA, you're not allowed to carry laptops, cameras, tablets and suchlike in the cabin.

When I used to travel, back in the early 1990s, my accompanying computer(s) was what kept me sane. But that's not the problem.

If there's a terrorist hazard in carrying such a device from a middle-eastern airport to the USA, how come there isn't the exact same hazard from any airport to any other? I mean, if Joe Badperson wants to blow up an airplane, and he knows about this ban, so he'll fly from London to Hamburg and blow that up instead.

Either this new rule is more security theater, or else it isn't wide enough and we should expect a similar ban to become universal.

Monday 20 March 2017

Fun with Barclays, part 2

After my call on Friday, I was told I'd be called back at 3pm today. Of course, that didn't happen. So at 3:30, I called them, and after being passed around twice, I got to talk to someone who could actually help. She sent me an email with my passcode, and I signed up for being able to see my statements online (I had done this before, but they changed their system so all their customers had to go through it again).

The email with my passcode was formatted for reading with a browser, of course. Most emails are. But some give a nod to the possibility that the email reader isn't a browser. This wasn't one of them.

Why don't I read emails in a browser? because that is so *obviously* insecure, I can't understand why anyone does it. The browser is a complex piece of software, so therefore liable to being hacked. My email reader (alpine) just shows me the text of the email - it cannot run java, javascript, flash, active content or whatever other compromisable elements they're putting into browsers this week.

That's why I see dozens of attacks via email each day.

So after the registration was done, I said I had two complaints, and I was transferred to the complaints department. And I complained about the formatting of the email. And about the failure to call me at the time I was told I'd be called.

She took down my complaints, and said I'd be sent £25 for the inconvenience.

And I have to wonder why Barclays have decided to reward anyone who complains about anything at all with a gift of £25. Don't they realise that they are incentivising complaints?

Maybe I should complain about that.

Friday 17 March 2017

Fun with Barclays

I wanted a copy of my credit card statement. Simple, huh?

So I logged on to the Barclaycard Business web site. It asked for my username and password, and three digits of the PIN. I gave them. No joy.

I tried again. No joy.

I tried the previous username and password. No joy.

I asked for a password reminder. It gave me nothing useful.

I asked for a password reset. It asked me things like "name of your first girlfriend" and I gave it the answers which are complete lies because I don't really want it to use the truth (which could be known by other people). No joy.

I tried using  Chrome instead of Firefox. No joy.

After half an hour of trying different things, I gave up and called them on 0800 008 008.
That got me, via an automated menu system, (after some security questions) to ... the wrong department. More security questions, and then I spoke to a person, who was able to tell me that it's another wrong department. And I was transferred again. At last, I was at the right department, and Catherine Lapaz spoke to me.

She explained that they've changed their system, so there's no way it could have worked. Hurrah, the problem wasn't that I'd misrecorded the details. She said they'd told me about this in a letter. Well, they do send me letters, pretty much every month, telling me stuff that I don't think many people care about, and I must have missed it.

So can she get me onto the right system? No. Not till Monday. Sigh.

So why did this obsolete web page still exist, allowing me to try and try and try to log in to it, which could never have worked? Why is that page, a trap for Barclaycard users, still there?

Apparently, only some people have been migrated; the Mastercard people like me. Visa users are still on the old system. Sigh.

So why can't it tell me, as soon as I try to log in, "You're a Mastercard user, you can't use this old system". I had wasted about an hour trying to make something work, that could never have worked.

I've raised an official complaint. And I asked Catherine, "What's my complaint reference number?" So that I can call back about it if necessary.

She couldn't give it to me. She can only raise the complaint after the call is over. It's almost as if she can't use her computer while she's using her phone.

I promise you, the people in charge of these systems have never tried to use them, it's never occurred to them that they ought to test them to see how they appear to their customers, and possibly they don't care.

USA health

One important indicator of human health, is life expectancy. We all want to live longer, I think, and it's a measure that's easy to define and difficult to fudge. And this is still rising in western democracies; over 80 and counting. Except in the USA, where it's 79.

It is rising in the USA, but a lot more slowly than in the other countries. Why is this? I'm guessing it's because the USA is the only country that doesn't have a universal healthcare system.

I don't know how good these statistics presented below are; it's difficult to get good comparative statistics, and some people just make up their own facts. But if the figures below are true, that would help explain why so many people would rather live in Europe.

Why doesn't the USA have a universal healthcare system? It's hard to understand. The USA is a particularly religious country, so you'd expect that the people would want for the richer to help the poorer, the healthy to subsidise the sick. But it would seem that's not so.
US healthcare would seem to be expensive and ineffective.

Economic theory helps to explain this. In a country like the UK, healthcare comes from a single provider, who therefore has huge market power and is able to get good deals on drugs and services. In the USA, no one healthcare provider has any leverage with the drug companies or medical service providers, and that would tend to push up prices. In addition, because healthcare is usually via insurance, the insurance companies take a slice of revenue from the healthcare spend.

The Affordable Care Act (Obamacare) was a move in the right direction, but even that is now being reversed, and replaced by ... we don't know what, but I suspect healthcare is about to get a lot worse for the middle and working classes when the American Care Act (Trumpcare) gets passed. 

Thursday 16 March 2017

Furze and Top Gear

Colin Furze (check out his youtube channel, it's brilliant) has been invited to help out dear old Auntie Beeb with their Top Gear problems.

As you may have heard, they had to fire their presenting team after one of them punched a producer. And it's sad, but they were right to axe the puncher, because if you don't, you're not doing what's right. So they hired a new team, and it wasn't as good, according to audience figures.

Colin Furze, on the other hand, has over four million subscribers, so that's a possibe four million to add to Top Gear viewing figures when this gets aired.

Colin (who was a plumber until he remade himself into a Youtube star) has got hold of an old dodgem car. He's stripped off the heavy chassis and put in a new lightweight one, and he's put a 100 horsepower motorbike engine into it. And The Stig will drive it.

I, for one, will watch this Top Gear episode, which gives the Beeb a chance to show me how much better they've made it.

Wednesday 15 March 2017


Transmetropolitan is a series of 60 comics by Warren Ellis (one of my favourite comic authors, the other being Garth Ennis) about journalist Spider Jerusalem. It covers the period from the presidency of The Beast, through the election, to the presidency (and eventual impeachment) of The Smiler (Gary Callahan).

It was written from 1997 to 2002, but there are so many resonances with the events of the last couple of years.

You can get it from Amazon.

It's worth reading.

Sunday 12 March 2017

Some thoughts about Civilisation VI at Deity level

I was given Civ 6 as my birthday present last November, and I've put in many hours on it since then. Currently, I'm only playing at the Deity level (which is the hardest).

Here's my thoughts about how to do well at this.

First, choose a good civilization. Germany is my favourite, because the Hansa (industrial district) is much cheaper, and you get u-boats (other civs only get submarines). And an extra military policy slot.

A six-armed snowflake or 4-armed star is good, because the give you a chance to develop your civ before you get attacked. Because you *will* get attacked; at this level, the other civs are very aggressive.

The way to deal with this, is to have a strong military; that deters attacks, because if you do get attacked, you're very likely to lose. But, of course, expenditure on military reduces all other expenditure. It's a balancing act.

Get crossbows as soon as you can, and then go for field artillery. Put a wall around the city that's nearest to the other civs, because for the first part of the game, you're going to be entirely on the defensive. But you will want to colonise as much territory as you can defend, because you'll need the aluminium resource later.

After getting field artillery, you want to go for electricity, because that lets you build power stations, which means the best production capacity. You also want campuses, to speed your research.

The next target is to build up your treasury via trade, and building commercial buildings.
Another good way is by selling stuff to other civs. You can use trial and error to find out the very most they're willing to pay for your luxuries (or strategic goods). And there's what looks like a bug, whereby the other civ will pay you what they promised double or even treble. I feel sure that the programming team must know about this by now, so I expect that will be fixed. Meanwhile, you're defending (using field artillery), but you will want a few knights, which will be used in your aggressive war later.

After electricity, go for advanced flight (that's why you need aluminium), because that gives you bombers. As soon as you have bombers, use the cash you've accumulated to buy as many of those as you can afford; at least four and maybe eight. And with this, you can go on the offensive. Bomb the target city until it's dead, then send in a knight to occupy it.

Artillery is pretty useless; you'll only want it if you haven't got aluminium to make bombers, and even then you'll only want artillery until you can make bombers. The problem with artillery is the short range (two hexes, or three if you use a balloon spotter) and slow movement (two hexes). Bombers have a range of ten hexes, and you can move them from anywhere to anywhere (another bug, I think - you're probably only supposed to move them 20 hexes).

With only one aluminium resource, you can make as many bombers as you want. I suspect that's another bug - if it is a bug, it's a very important one that really makes the game very different from what I suspect was the intention.

First attack your weakest opponent. If they offer to surrender most of their cities (i.e., all except their capital), accept that, and make peace. Then attack another weak opponent - you can come back to the first civ and polish them off later.

Religion is irrelevant; I can't see how you can ever win using that. Culture doesn't do too much either; your best bet is World Domination, meaning "wipe out everyone else".

Once your offensive is launched, stay on the defensive against the other civs, and direct your research towards Stealth, because that gives your bomber fleet a big boost in power and range. And attack the other civs one by one, until you achieve --- World Domination!

Lambing and cake

An unusual event; it's lambing time, and we celebrate with cake. I saw some newborn lambs, and ate plenty of cake. Here's the finest confection presented.

Long complex passwords

 ... are a good idea.

But some web sites block you from using cut-and-paste to fill in your password, so you're reduced to typing "fjeE82%h34kLLks83" character by character. Or else you're tempted to use a shorter simpler password, like "Popeye24". Phooey.

Here's how you can get round that.

Sunday 5 March 2017

I got swindled

I blew up my bike headlight by giving it 50 volts. It expected 8. There was a bright flash, and then nothing. Silly me.

I needed to replace it, so off to Ebay I trotted. There, I found a triple light (the old one was a double) for a very good price - £2.99. A very good price. Too good to be true! So I bought it.

A couple of days later, I realised that the usual email telling me that it had been dispatched, had not arrived. I waited a couple more days, then checked again, and it was at that point that I noticed that the seller had never sold anything on Ebay before. Uh-oh.

So I emailed the seller. No reply. I waited a couple more days until the last date of arrival had passed, then I raised a case with Ebay.

More nothing happened. A week went by.

So I asked Ebay to take action. Within a few hours, I got a full refund.

And that's why I buy things via Ebay.

So then I bought my light, it cost £5.89 and it arrived from China within a week. I've put a different connector on it, so in future, I won't make the same mistake.

Thursday 2 March 2017

The elephant in the room

How do you know when you've got an elephant in your living room?
 - You can see a large grey animal taking up most of the space.

How do you know when you've got an elephant in your living room if you're blind?
- There's a terrible smell from the large volume of elephant dung.

The elephant in the malware room, is that AV products don't seem to be able to detect most of the malware that arrives in my in-box. But is there also a terrible smell? Yes, there is.

The terrible smell is ransomware. If antivirus software was effective, we wouldn't be seeing all those reports of ransomware attacks.

I'm sure that any decent AV will be able to detect all the viruses that are in the wild. I'm sure about this, because there aren't any viruses in the wild, or at least there's vanishingly rare. Because all the vectors by which viruses used to spread, no longer exist. When was the last time you saw a floppy disk?

Viruse are a problem of the 1990s. Today's problem, isn't viruses.

The problem today, is maybe 90% emails with nasty contents, so that when you click on the attachment, it access a remote site and downloads the malware of the day, which is often ransomware. The other 10% is malvertising.

And the sad thing is, I've already blogged about how all this can be prevented.