
Thorfinn - Recent Entries

2037-01-18 Sunday

00:00 - Social Networky

Here is where I exist on various social networks:

I do not auto gateway any stuff between the various social networky places, since I am using them for quite different purposes.

Posted at http://thorfinn.dreamwidth.org/55629.html. Please read DW OpenID Help and comment there. (If post is locked let me know and I'll add your OpenID.)


2014-04-10 Thursday

09:31 - PSA: Heartbleed Secure Web Vulnerability

Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds, of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publicly announced on the 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc

Posted at http://thorfinn.dreamwidth.org/56833.html. Please read DW OpenID Help and comment there. (If post is locked let me know and I'll add your OpenID.)

2012-12-18 Tuesday

15:48 - O Noes, the Instagram Sky Is Falling...


So, the latest buzz about the traps is that Instagram is about to add this (text from the iOS app) to its Terms of Service:

"Some or all of the Service may be supported by advertising revenue. To help us deliver interesting paid or sponsored content or promotions, you agree that a business or other entity may pay us to display your username, likeness, photos (along with any associated metadata), and/or actions you take, in connection with paid or sponsored content or promotions, without any compensation to you."

Note that photos (especially ones taken on smartphones) usually have geographic location metadata attached, by the way. This is essentially the same thing that happens on Facebook with "So and So likes Company Page X", etc. If you use Instagram, you may or may not be concerned by this change of Terms. I already wasn't and still won't be uploading anything to Instagram that isn't intended for public usage, and mostly only have a username because I like to grab usernames, so it doesn't bug me specifically.

The whole situation boils down to this: if you are not paying for the service, you are not the customer. Whoever is paying for the service is the customer - in the case of Facebook, Instagram, Twitter, Google, Youtube, that's the advertisers. Don't expect the service provider to do things that are in your interest. They will do whatever is necessary to keep you interested so that they can serve their customer (the advertisers) - this is not the same thing as doing things that are in your interest.

And if anyone is still wondering why Facebook paid USD1billion to buy Instagram, this is precisely why - one of the biggest features that keeps users on Facebook is photos, and Instagram was the only service so far that actually successfully took users away from FB. That's a cheap price to pay for a defensive manoeuvre that removes your only competitor. (And no, G+ isn't a competitor. It has some different features that some people like, but nothing that actually really competes with FB head on and wins.)

So what?

It's all about the Business Models, IMO: User Pays > Freemium > Open Source Self Supported > Ad Supported.

So, nothing too significant, really. Just something to bear in mind whenever using an Ad Supported service (and note that this includes free-to-air television, news sites, etc): you are not the customer, and have only a small ability to influence the service to provide what you truly want.

In the case of Freemium services, you are still the customer, in that what you're getting is a loss-leader to try and get you or others like you to pay for the more expensive parts of the service. And if you do choose to pay, you have more influence.

The other "free" alternative kicking around is "open source" software (e.g. roll your own wordpress installation on a web hosting service), but the general caveats with "open source" type services are that: firstly, there's a lot of self-support involved; secondly, the "paying customers" are the developer(s), whose interests often do not align with those of non-technical humans. In some cases you find that there's a mix between Freemium and Open Source, this can be a good way to go for everyone.

Posted at http://thorfinn.dreamwidth.org/56751.html. Please read DW OpenID Help and comment there. (If post is locked let me know and I'll add your OpenID.)


2012-11-07 Wednesday

17:47 - iPhone 5 (and other iOS devices) FAQ - 2012

So, I finally got around to picking up the iPhone 5, and my iPhone related posts, whilst still relevant (a surprising number of apps are still existent and updated, and the security tips are still good), need a bit of updating. This is pretty much just going to be a random collection of new stuff that I happen to have opinions about. Some of it is not specifically iPhone 5 related, it's more iOS 6 related, so applies to all devices.

Also, if any of this post is confusing, tell me about it? I'm hoping that this is readable for non-geeks. :-) If there's something you don't understand, it's me, not you, please let me know so I can work out how to explain it better!



Apple discovered that mapping is hard. Buying access to good map data is a massively hard problem, and Apple don't have their own cars driving around. :-) Some research and my own experience seems to indicate that Apple Maps refuses to return "near enough" results if it can't find an exact match (which can result in giving you no results or "middle of the street" results if it can't find the street number), whereas the Google maps searches try hard to return something, even if the something is wrong (usually it's near enough, but sometimes it can be way off too). The data will improve as more people use it, no doubt, but Google maps has a several year head start. I've been using Metroview GPS Navigation for turn by turn navigation a few years now, and it's quite good for the rather low price. If you particularly need or want google map data, you can install the Google Maps app. Nokia Here Maps is also a pretty good alternative if you want to try it out. Personally I've been happy using Apple Maps, have had no significant issues, and found the Siri integration quite useful.

Games are slowly catching on to just using GameCenter. My GameCenter ID is thorfi if you happen to want to add me.

Facebook/Twitter integration

Surprisingly nice - I particularly like the FB Calendar integration into the Calendar app.

Privacy Settings

Privacy settings are improved lots - you now get prompts when apps want to access your contacts, calendars, reminders, photos, bluetooth sharing, twitter and facebook. Location services privacy protection is still there, of course. Hit Settings - Privacy to go and tweak settings later if you want to. Sneakily, you probably want to go to: Settings - General - About - (scroll down) Advertising - Limit Ad Tracking and turn that on.

iPhone 5

Lightning (very very frightening)

The new plug adaptor - it's nice. I hated having to fiddle around and work out which way was up with the old dock connector, especially in the dark. Sure, I'm now going to have to live with having just one expensive old connector to Lightning adaptor for a bit until cheaper cables come out, but such is life.

Tall/Wide screen!

This thing is tall/wide. I like that I can still reach the whole screen with my thumb one handed, and watching video in widescreen on it in bed is awesome. Looking at my old iPhone 4, it seems short and squat. And now I can fit a zillion more apps in folders on my front screen. 4 more per folder x currently 20 folders = +80, woot! Yes, I have a lot of apps. No, I'm not going to list them all.

As usual, they bumped the camera specs, and the much faster CPU means much quicker image processing as well, hence the new built-in Panorama feature.

Magic Headphones

The new in ear headphones are probably the best in ear headphones I've owned. They fit in my ear canals very happily, don't jostle loose at all, sound quality is definitely better, and I can still hear environmental noise through them. As a side note, the new plug position on the bottom next to the Lightning connector means that you don't have things sticking out two sides, which is nice. They're no doubt not a replacement for decent over-the-ear headphones if you're an audiophile, but that's not my main use case.



I use Air Video to view videos stored on my home computer. Air Server is the go if you happen to have a computer that you want to have pretend to be (one or several!) Apple TV(s) so you can send Airplay Mirroring to it. Also ABC iView and SBS On Demand now have apps.

iCloud has fully replaced the aged MobileMe, and is rather good. If you want to, you can send your device's backup to iCloud, instead of backing up to iTunes (over WiFi or wired). I'm quite happy keeping my backups local, but iCloud backups are more convenient. Find My Friends is rather nice - although the only person I trust enough to permanently have as a "friend" via that is my wife. Temporary events are very nice, though, allowing you to share your location for the duration of an event.

Posted at http://thorfinn.dreamwidth.org/56142.html. Please read DW OpenID Help and comment there. (If post is locked let me know and I'll add your OpenID.)


2012-01-04 Wednesday

16:59 - Swing Dancing: Jedi Edition II - Force Touch

So, last time I posted about Jedi swing dancing it was blindfolded couples...

This time, the final two couples at Lindy Focus X do some swing dancing without physical touch ( http://www.youtube.com/watch?v=qm-amalwIX8 )

I am amazed by the winners' abilities - both by the lead's ability to body lead without actually touching ... and by the follow's even more amazing ability to follow those body leads without physically feeling them. There is "shared vocabulary" trickery going on, but I suspect less than you would think.

Mad skills. If anyone knows the names of the competitors, let me know, the Lindy Focus website doesn't have winners lists up yet. :-)

See http://thorfinn.dreamwidth.org/55341.html. Please read DW OpenID Help if you want to comment there.


2011-10-31 Monday

13:24 - Wot I Did On The Weekend - by thorfi, age mumblety something

Just a super quick drop in - I'll make a more substantial post in the next few days I suspect. :-)

In the meantime, here's a link to one of the two Swing dancing routines I performed on the weekend:

Swing Patrol North Melbourne Level 3 Performance Ball 2011

Not a perfect performance, but I'm dancing partnered with a teacher I've been learning from since I first started this thing nearly six years ago, and managed to avoid being blown off the stage by her sheer awesomeness, so I'm happy with that. :-)

I've definitely come a long way since the first time I performed this routine - four years ago with St Kilda for the same annual Performance Ball...

ETA: Also, [personal profile] seedy_girl is the lead in the green vest, white sleeves and red tie starting at the top right.

See http://thorfinn.dreamwidth.org/55289.html. Please read DW OpenID Help if you want to comment there.


2011-09-01 Thursday

13:11 - Open Letter: Asylum Seekers - Let them arrive, instead of treating them like criminals.

Apropos of:

I wrote the following to my MP and the Minister for Immigration:

Subject: Asylum Seekers - Let them arrive and be processed humanely, instead of treating them like criminals.

Dear Martin Ferguson (my local member of parliament) and Chris Bowen (Minister for Immigration),

I arrived in Australia aged 7 as an immigrant, having been brought here by my parents under the skilled migration scheme in 1982, and we all became Australian Citizens some years later, and have been ever since.

I know that my parents chose to emigrate to Australia because they felt that their country of origin (Malaysia) was bereft of opportunities for their children, and that they were under significant levels of ethnic discrimination from the Malaysian government.

If that discrimination had been worse (for example, threats of death, rather than merely restrictions in employment opportunities), and my parents had not been so fortunate as to fit within the skilled migration scheme, I have no doubt that they would have chosen to flee the country as asylum seekers, climbing on a leaky boat if that was the only means available.

I would hope that Australia would have welcomed them with open arms, as is our responsibility under the UNHCR conventions, rather than shipping them off to a deserted island, imprisoning them and their children in a stark prison, placing them in isolation for having the temerity to complain, and other such unpleasant treatments that we normally reserve purely for individuals who have been proven criminals in a court of law.

Seeking Asylum is not a crime, and does not deserve criminal punishment. There are several means by which asylum seekers could be given humane treatment and processing within Australia whilst we still retain protection from those rare asylum seekers that turn out not to be actual refugees. Please consider them, rather than simply maintaining the stance that seeking asylum deserves criminal punishment.

The second verse of the Australian National Anthem contains the words

/ For those who've come across the seas,
/ We've boundless plains to share,
/ With courage let us all combine,
/ To Advance Australia Fair.

My family and myself came here across the seas to Advance Australia Fair, and these asylum seekers merely look to do the same, regardless of how they arrive here.

Please end the unjust policies of your government (and the previous Howard government), and allow asylum seekers to be processed within Australia.

Yours Sincerely,


Edited To Add: On a more indirect note that I didn't mention in the letter, all four of my grandparents were taken to Malaya in the 1920s/30s as children by their own parents because they were fleeing oppression and famine in pre-communist China. Rough times, and I hope to never undergo such trials.

See http://thorfinn.dreamwidth.org/54938.html. Please read DW OpenID Help if you want to comment there.


2011-08-18 Thursday

14:11 - Quick Hit: Privacy Helpers

Presented without much comment:

See http://thorfinn.dreamwidth.org/54732.html. Please read DW OpenID Help if you want to comment there.


2011-06-01 Wednesday

00:00 - Migrating from LJ to DW

Migrating from Livejournal.com to Dreamwidth.org (if you want to)

Why you might want to migrate (an incomplete list of possible reasons)
How to migrate (if you want to)
  1. Obtain an invite code (either by asking me or going to Dreamwidth.org: codesharing) OR Dreamwidth.org: Buy a new account (a simple USD3.00 for 1 month paid time will get you in).
  2. Create your dreamwidth.org account
  3. Dreamwidth.org FAQ: Import your LiveJournal (content, comments, even access controls for people from LJ if you want)
  4. Optionally change LJ privacy settings to turn off search inclusion, and possibly Turn off comments on your LJ account (especially if you are worried about the FB Connect issue and have imported comments)
  5. Set up Dreamwidth.org FAQ: Crossposting to LiveJournal
  6. Check Dreamwidth FAQ: Tags and Markup for some new markup you may want to use
  7. Just go ahead and start posting on Dreamwidth
  8. More details to check out if you're coming from LJ: Dreamwidth.org FAQ: A guide to Dreamwidth for LiveJournal users
  9. Optionally even more bits to look at if you want to: Collection of things to help people new to Dreamwidth (by [personal profile] kate)

See http://thorfinn.dreamwidth.org/45734.html. Please read DW OpenID Help if you want to comment there.


2011-03-02 Wednesday

13:34 - Why Anonymous Electronic Voting has Security Issues

In Australian Greens MP Adam Bandt's post "Do you think should people be able to enrol to vote online?", a number of people in the post also wanted to actually vote online (or electronically).

My response to that is that electronic voting is currently not possible to secure because of the requirement to preserve anonymity of voting.

With most electoral voting systems today, an essential part of the system is that the vote cannot be linked with the original voter. If votes can be linked to voters, then you open the likelihood that people may not vote honestly, because they can be targeted due to the nature of their vote.

The difficulty is that all electronic data is essentially trivially copiable, and an edited version is usually indistinguishable from an original. For example, your computer copies the digital original every single time you look at something online - that's how it gets from the server to your computer so that your computer can even display it to you.

This text you are reading now has been copied in that way lots of times, and you could trivially make more copies of it, edit it however you like, and release a digital text which has been modified but is in exactly the same format as the original text, and nobody can truly verify which one was the real original.

There is only one kind of electronic data that is not editable in that way - that is electronic data which has been securely digitally signed in a non anonymous fashion. That means that if the data is edited, the digital signature will no longer match. For example, digital signatures are used by online banking systems to verify to your web browser that the online website you are talking to is actually the bank you think it is, not someone else pretending to be the bank.

The problem is, digital votes that are secure and verifiable must remain attached to their original digital signature - which fully identifies the voter. Once you detach the digital vote from the digital signature, they can immediately be trivially copied and faked (just like this unsigned digital text you are reading), and cannot be verified using any means.

No matter how much auditing you do on the software and hardware, at any point between the detachment of the digital signature and the final vote count there is the possibility of digital vote fraud that is trivial to carry out and currently impossible to check for or verify against.

Paper votes are physical objects which are much much harder to create copies and fakes of. Once the voter is identified, they can be given a blank voting paper, and the physical vote can then be passed around and verified without having any link to the voter any more.
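The trade-off described above, as an added example that is not part of the original post: a ballot signed with a per-voter key (here a constructed Ed25519 key, hypothetical voter names and candidates) is tamper-evident only while its signature and the voter's public key stay attached, and once detached for anonymity the remaining bytes can be altered or duplicated with nothing left for the count to check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedBallot is a vote still attached to its signature. Checking the
// signature needs the voter's public key, which identifies the voter.
type SignedBallot struct {
	VoterPub ed25519.PublicKey
	Ballot   []byte
	Sig      []byte
}

// NewVoter creates a fresh signing key for one hypothetical enrolled voter.
func NewVoter() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign produces a ballot that is tamper-evident but not anonymous.
func Sign(priv ed25519.PrivateKey, ballot string) SignedBallot {
	return SignedBallot{
		VoterPub: priv.Public().(ed25519.PublicKey),
		Ballot:   []byte(ballot),
		Sig:      ed25519.Sign(priv, []byte(ballot)),
	}
}

// Verify reports whether the ballot is unchanged since the identified voter signed it.
func Verify(b SignedBallot) bool {
	return ed25519.Verify(b.VoterPub, b.Ballot, b.Sig)
}

// Detach strips the signature and voter identity so the vote becomes anonymous.
// What remains is plain bytes that anyone can copy or edit.
func Detach(b SignedBallot) []byte {
	return append([]byte(nil), b.Ballot...)
}

// Tally counts anonymous ballots. With no signature left to check, it accepts
// altered and duplicated ballots exactly like genuine ones.
func Tally(ballots [][]byte) map[string]int {
	counts := make(map[string]int)
	for _, b := range ballots {
		counts[string(b)]++
	}
	return counts
}

func main() {
	voter := NewVoter()
	signed := Sign(voter, "candidate A")
	fmt.Println("genuine signed ballot verifies:", Verify(signed)) // true

	edited := signed
	edited.Ballot = []byte("candidate B")
	fmt.Println("edited signed ballot verifies:", Verify(edited)) // false

	anon := Detach(signed)
	forged := []byte("candidate B") // indistinguishable from a real anonymous ballot
	fmt.Println(Tally([][]byte{anon, forged, forged}))
}
```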

As regards the original question posed, enrolling to vote online is actually fine, just like Internet banking and similar systems: the point there is to be identified, to prove that you are you. It could even tie in well to the electoral system at booths - secure identification that ties in with your digital enrolment at the tick-off point in order to receive the physical voting papers would actually improve voting security, not decrease it.

In short: Online voter registration, no worries. Online voting, just no.

See http://thorfinn.dreamwidth.org/54451.html. Please read DW OpenID Help if you want to comment there.

