01.02.08
Posted in Ranting at 9:14 pm by DMZ
Here’s the EULA for SyncBackSE, one of the candidates for “program I’d be using to back up remotely”. For ease of reading, I’ll bold the particularly horrible section:
SOFTWARE is provided as is without warranty of any kind. To the maximum extent permitted by applicable law, 2BrightSparks Pte Ltd its suppliers, its distributors, and its affiliates, or others who may offer SOFTWARE, will not be liable for any damages whatsoever, whether direct or indirect, special, incidental, consequential, or punitive of any kind (including but not limited to damages for: loss of profits, loss of confidential or other information, business interruption, personal injury, loss of privacy, failure to meet any duty - including of good faith or of reasonable care - negligence, and any other pecuniary or other loss whatsoever) arising out of, or in any way related to the use of, or inability to use our SOFTWARE or support services, or the provision of or failure to provide support services, or otherwise under, or in connection with SOFTWARE documentation, or any provision of these terms and conditions, even if 2BrightSparks Pte Ltd or any supplier, distributor, or its affiliates has been advised of the possibility of such damages.
Really? I don’t even get good faith? If someone files a bug and says “on alternate Tuesdays when I run SyncBackSE it deletes my files and then overwrites them with 0s and 7s repeatedly to eliminate any chance I might recover them” and they don’t fix it, ever, I can’t do anything?
Oh, and it gets better:
2BrightSparks Pte Ltd furthermore disclaims all warranties, including without limitation any implied warranties of merchantability, fitness for a particular purpose, and on infringement.
Even if you pierce all of that, you get your money back, and that’s it:
Any liability of the seller will be limited exclusively to product replacement or refund of purchase price.
Data destroyed because we totally sent all your backup files to a data haven in the Dutch Antilles? How about a copy of the next incremental version, in which we may or may not have fixed that bug. After all, it’s not as if we’re bound by even a requirement to make a good faith effort to solve it. Or, specifically:
2BrightSparks Pte Ltd is not obligated to provide support, maintenance, or updates for the SOFTWARE (either by email, phone, or otherwise).
WOW.
And yet on their product page:
SyncBackSE ensures your most valuable asset, data, remains protected
No it doesn’t. It fucking well does not. SyncBackSE explicitly does not ensure your most valuable asset, data, remains protected.
I looked it up ensure on M-W:
ensure
: to make sure, certain, or safe : guarantee
Argh. This stuff drives me nuts.
Permalink
Posted in Ranting at 8:19 pm by DMZ
I started messing around with backup implementations today. Now, the obvious question is: why not just get a service from Mozy or whoever? Isn’t that slightly more expensive but have the advantage of being entirely painless? I was going to rant about this, but someone already did it for me: check out this article on backup services disclaiming responsibility for being backup services.
As a long time techie, I’m used to having my software explicitly deny responsibility if it decides to burn my house down and raid my bank accounts if I use the help file too often. I mean, you’d think you’d be paying Microsoft for some kind of quality, but if you read those agreements, you’re really no better off than with a free open-source program — anyway, I think the service thing is entirely different:
“Hey, here’s a crescent wrench. I know it could be used for all kinds of things, like a paperweight or improvised blunt weapon, and that’s your business. You could even use it as a wrench. Whatever. Either way, you buy it, you break it, it’s up to you. $2.”
“Here at Bob’s Auto Club, we offer roadside assistance, 24/7/365, we’ll be there for your auto needs no matter where you are or what your problem is. You can rely on us. Except we may not show up, or offer assistance, no matter how close to our offices you are or how great your problem is, and we may even cause those problems, because it’s hilarious. $10/month.”
There’s just no way. It’d be like hiring a paper shredding service that reserved the right to not shred confidential documents, scan them, and sold them to competitors.
Plus, I’m uncomfortable not being able to encrypt myself — having one company control that and the storage itself spooks me. Especially when they’re not willing to say “I promise not to rustle through your stuff.”
Permalink
01.01.08
Posted in Ranting at 7:10 pm by DMZ
This weekend I looked into Jungledisk as part of my interest in Amazon’s S3 and related products. I’m fascinated by the potential to go serverless: to essentially rent out a box and storage as you need it, without having to pay hosting fees, and home use implications.
So anyway. Right now, S3’s prices are:
$0.15 per gig per month of storage
$0.10 per gig of data uploaded
$0.18 per gig of data downloaded
So I thought about this: what would it cost for me to backup a DVD’s worth of data?
For normal 4.7GB disks, it turns out to be $1.18 to upload and store it for a month and then $.71 for every month I leave it up there.
With the price of blank media, I’m better off burning it to media and storing it. Or use a hard drive.
But here’s where this gets interesting. I’m entirely paranoid about backups, but I’m really bad about actually doing them. I try to do a whole rotation, keeping incremental/full backups on a rotation and what not, but I don’t in practice do a good job. So what I do in addition is run two drives in RAID-1.
The only think I’m really paranoid about, though, is the writing. My whole backup paranoia comes from college, when I got lazy and lost about four months of stuff, and restores failed. And that’s only a fraction of my stuff.
And there’s where this potentially shines: incremental backups.
1) Sign up for the storage
2) Map it to a drive
3) Pick your favorite backup utility and set it to go at the one directory I care about on a schedule
Then each day or so, it goes through, sees what documents have changed, and updates them. I get charged some tiny amount for the bandwith burned that day, and at the end of the month, I have to cough up a couple of pennies, because the actual amount of data that changes day to day is tiny.
No having to stash some DVDs at work in case the house burns down. No rotation schedule.
That’s ridiculously cool and convenient.
Linus Torvalds once said “Real men don’t use backups. They just submit their work to a public FTP.”
That’s almost exactly what we’re talking about.
The really interesting thing, I think, is extrapolating out — what happens as encrypted, secure online data storage is nearly free and you can set up your own virtual server to do things with it?
Permalink
11.15.07
Posted in Ranting at 8:30 am by DMZ
It’s 4:25 and when I looked outside a couple minutes ago, it was dark.
Sunrise: 7:18 AM
Sunset: 4:12 PM
That’s a 8h 54m day. At its highest, the sun got 20′ off the horizon (making walking south really hard).
A few weeks from now you’ll be able to work an eight hour shift and not see the sun unless you go outside for lunch. For all my complaints about Seattle, that’s a full half hour worse than we get.
Of course, we get overcast skies and rain, and it’s been cold, clear, and sunny here.
Permalink
11.10.07
Posted in Ranting at 10:09 am by DMZ
I happened across the Lord Mayor parade today, where a ton of (to my American eyes) random groups drove/marched/etc through the streets of London: scouts, unions, trade groups, charities, and so on, and so forth… and a lot of the UK military. Marching around in camo with assault rifles behind the British equivalents of the Girl Scouts. Some of the UK military groups were, say, the fueling group, or the medics, but there were a lot of them like the arctic commandos who went through the parade in a Zodiac, guns pointing out…
And here’s the thing: I saw Children of Men not that long ago. It made it being in that close proximity quite unnerving. When I mentioned this, the lovely and talented Mrs. Zumsteg said “Maybe you shouldn’t watch movies like Children of Men…”
She might have a point. But I don’t think I can.
Permalink
11.09.07
Posted in Ranting at 3:50 am by DMZ
You have chosen — or been chosen… — Breen
Following up on yesterday’s gaming post — I don’t want to live in a country where you can’t take pictures of things on trains.
And so, whether you are here to stay, or passing through to parts unknown, welcome, to City 17. It’s safer here.
Permalink
10.28.07
Posted in Ranting at 8:03 pm by DMZ
Some of this is going to be US-centric.
Relative powerlessness to do anything about all other items on this list
Global warming (expandable!)
Iraq War
I’m a citizen of a country that tortures people and makes them disappear
We’re all “good Germans” (see above two, several from below)
Erosion of civil rights (see: war on drugs, war on terror)
Non-global warming environmental issues
We’re not going to get onto clean energy sources before we can’t use dirty ones/there aren’t dirty ones left so the last two humans face off with clubs over a preserved bottle of Penzoil in a couple decades.
Media consolidation and lack of discussion of topics on this list
Corruption
Politicization/Evangelism of military
Politicization of other government services (TSA)
Quality of educational system (particularly race/class discrimination)
Societal inability to find reasonable compromises (see: war on drugs, erosion of civil rights, also: health care/copyright laws)
Wealth concentration
… and so on
I don’t know, looking that over, none of it seems particularly unreasonable to be anxious about.
Permalink
10.18.07
Posted in Ranting at 6:51 pm by DMZ
I made my first presidential campaign contribution of the cycle, and I never would have expected it when this thing started up. As any reader of HLWT knows, I’m greatly upset about the erosion of constitutional rights, and lately, particularly by the failure of Obama or Clinton, who are in the Senate, to do anything, or take a leadership position on any of that, or Iraq, or anything… so obviously, Dodd’s “restore the Constitution” platform’s appealing, but I didn’t care enough.
Anyway, I watched this latest bill with dismay, unable to understand why you’d want to give blanket immunity to people who violated (at least) the privacy of their customers, and almost certainly their civil rights. That no one did anything to stop it made me wonder why I even cared about this stuff.
And today, Dodd threw a big wrench into the process, and at the very least, he’s prepared to pay a price for his opposition to this horrible legislation… and I realized that I need to support that. So I did.
Dodd 08.
Permalink
09.22.07
Posted in Ranting at 6:55 pm by DMZ
DirecTV called. They were eager to let me know about all kinds of exciting offers — but they couldn’t, so I should contact them and take myself off their do-not-call list.
Permalink
09.12.07
Posted in Ranting at 6:57 pm by DMZ
A ramble.
All credit cards numbers have to meet a certain check (mod-10) in order be be valid. I just wrote a little checker to make sure of this, but 10% of all randomly generated 16-digit numbers will pass a mod-10 check (funny how that works out, huh). I’ll probably find out I messed up.
Okay, so there are 16 digits in a credit card, 10 possibilities per, so 10^16 possible numbers. But if only 10% are valid, and you can know that in advance, a list of all possible, valid credit card numbers would contain 10^15. That’s a petabyte of storage, and would cost you a fair (but not astronomical) amount of money to put together. Back when I started working on credit cards and fraud stuff, it was essentially impractical for someone operating on their own to pull that off.
The actual number, though, isn’t even 10^15. It’s much, much smaller, because the first digit or two are card identifiers, then you’ve got four digits of your card identify the issuing bank and whatnot. So the first six digits aren’t actually random at all, and that dramatically contains the number space you’re working with. It’s a whole ANSI standard and everything.
So it’s actually…. 4*some limited number I could work out if I had enough time*10^10. Now we’re getting down to something you can pretty easily stash.
Anyway, there are two things I’m going to gloss over: encryption and hashing. Encryption, you use a key to take a piece of text and turn it into something you can bring back using the same key. In hashing, you put a chunk of whatever through a mathematical function and out the back end comes some crazy number. You can’t derive the original from that number, even knowing the function. (standard caveats apply)
This is used for all kinds of cool stuff, like signatures for files. If I publish an document along with the hash you can verify, and as long as I use a decent method, it’s essentially impossible for someone else to modify that document and get the same hash number to come out the end.
But let’s say you get a list of hashed passwords. You know that all passwords are eight letters long, lowercase. You can generate all 8^26 possibilities, run that same mathematical function on them, and then compare the results to what you have. Tada! You have everyone’s password.
Which is a great argument for long, complicated passwords (I’ve ranted about that before, though) — you should make your password as complicated as you can at every place that requires one.
I know you won’t. It’s okay.
Ah, so anyway, here’s the thing — what if, for whatever reason, someone uses your credit card number for verification purposes? And they store… a hash to do the compare with?
Unless they’re doing something called salting (and the attacker doesn’t figure that out), you’re toast. Same attack: the guy with the huge list of valid numbers can go through and say “for each of these potentially valid numbers, run them through a function and go see if there are any matches in this list I’ve got here.”
Whirr…. running that hash function on 10^15 (or whatever the actual number turns out to be) takes a while, but not as long as you might think, and then… tada! All the credit card numbers.
And after you’ve got those, it’s open season.
Now, this is still a pretty tough attack to make, and it’s almost certain that if an attacker can get that far, there will be more lucrative means of getting card numbers. And it’s also true that an attacker sophisticated enough to make this attack is almost certainly going to have many, many more lucrative targets that aren’t as secure.
But I kept thinking about this today: how many companies can look up your payment or account history based on your credit card number? Either they’re storing the number unencrypted to do lookups, they’re doing something clever, or… they’re using hashes. And if they’re using hashes, it might be clever, or pretty much as good as plaintext.
If you’re a customer of the companies I’ve worked at, you will be happy to know that they’ve all been clever.
If you’ve worked at a large company, where all kinds of ridiculous and bizarre decisions get made, decisions that are indefensible almost at once, how unlikely does it seem that there’s someone out there doing this?
Permalink
« Previous entries · Next entries »