Random Thoughts – Randosity!

Beware of Silicon Valley Clean Energy and energy slamming

Posted in botch, business, california by commorancy on September 19, 2017

If you live in California, you need to read this. This situation has scam written ALL OVER IT. Let’s explore.

State / City Mandated ‘Clean Energy’

Apparently, as a result of city voting, some cities (such as Cupertino) have decided to force residents in that city to change their power generation provider to a third party instead of PG&E. In my case, it ends up being the scam outfit Silicon Valley Clean Energy. Why are they a scam? Here’s what happened.

First, they enrolled my electrical generation service under SVCE’s generation service without my permission. Then, SVCE waited over 60 days to notify me of my enrollment into their power generation service. Because they offered opting out at less than 60 days for free, this means I am not only being assessed a $5 exit fee from SVCE, but I am also now being put under PG&E’s transitional rates (which are likely to be higher than normal PG&E for at least 6 months). Oh, it gets even better.

Second, because I was force exited from PG&E’s generation services, PG&E gets to assess a Power charge indifference adjustment (PCIA) charge (effectively it is an exit charge for leaving PG&E’s power generation services). This charge on my last bill was $25.60. If you add this charge together with SVCE’s power generation charges, the total generation fee becomes identical to PG&E’s generation charges. If you spread this fee out over 12 months, SVCE’s charges aren’t as low as they seem. Also, this PCIA seems to be assessed once a year (or as frequently as the CPUC allows PG&E to assess it). Basically, this is a charge that PG&E gets to assess to cover generation fees they lost because you moved to a competitor. And, they get to do it each year.

Third, SVCE’s crap web site would not accept my opt-out request. Their opt-out form is entirely broken. I ended up calling their phone and opting out there. Unfortunately, I have no idea if they really got my opt-out request because this fly-by-night outfit only has 9-5 call-center business hours. So, I have to wait until the following day and contact them.

Fourth, I was only notified of my ‘enrollment’ in this service because of a cheap card sent to me in the mail over 60 days after my enrollment.

Fifth, they make a lot of bold claims about using wind and solar energy for generation, but do not back up those claims anywhere. They could simply be buying PG&E generated power and reselling it.

Charges and electric slamming

Not only does PG&E get to assess random charges because the customer is now using a third party power generation company, the power generation company gets to assess random exit charges for leaving their service when I never voluntarily joined it in the first place.

This entire situation smells of CLASS ACTION LAWSUIT. So far, I will have been assessed around $35 in fees plus an unknown amount for rates (up to 6 months) simply because SVCE grabbed my service without notifying me in a timely manner. This is the exact thing that long distance phone companies were doing in the 90’s. It is called slamming. This scam type is just another form of state / city endorsed slamming, now with the electric service.

The Feds need to jump on board and stop this slamming activity quick and force the same payback charges on the company who slammed the customer. Here’s what long distance providers were forced to do if they slammed someone onto their service and the end user paid the bill:

If you have been slammed, but discover it after you HAVE paid the bill of the slamming company, the slamming company must pay your authorized company 150 percent of the charges you paid the slamming company. Out of this amount, your authorized company will reimburse you 50 percent of the charges you paid the slamming company. Or, you can ask your authorized company to recalculate and resend your bill using its rates instead of the slamming company’s rates.

Electric generation companies need to be held accountable for slamming in the same way as long distance providers. Companies like SVCE riding on the coattails of city votes shouldn’t get a pass to switch services without permission. Slamming is slamming whether it’s for telephone service or power generation. No matter what it is, it’s a rip off unless the change is by consumer permission. If there are fees involved, the customer MUST authorize the change in advance. Otherwise, it is slamming.

Is the iPhone X Innovative?

Posted in Apple, botch, california by commorancy on September 17, 2017

Clearly, Apple thinks so. I’m also quite sure some avid Apple fanboys think so. Let’s explore what innovation is and what it isn’t and compare that to the iPhone X. Let’s explore.

What is innovation?

Innovation effectively means offering something that hasn’t been seen before, either on other devices or, in fact, at all. I’ll give an example of this. If I create a transporter that can rearrange matter into energy and safely transmit it from point A to B and reassemble it into a whole, that’s innovation. Why? Because even though the concept has existed in the Star Trek universe, it has never existed in the real world. This is true innovation and would ultimately change transportation fundamentally as we know it. Though I won’t get into the exact ramifications of such an invention, suffice it to say this technology would be a world game changer. This example is just to show the difference between true innovation and pseudo innovation. Innovation should be a world game changer to be true innovation.

So then, what is pseudo innovation? This type of innovation, also known as incremental innovation, is to take an existing device and extend it with a natural progression that people expect or, perhaps, have even asked for or because other devices on the market have already added it. As an example, this would be taking a traditional blender and exchanging the blender bowl with a small single service container that can double as a cup. This is a natural progression from an existing blender to a more useful and functional device. This is the kind of change that doesn’t change the world, but solves a small problem for a much smaller subset of people.

iPhone X Design

Let’s dissect this design from top to bottom to better understand it and to understand why the iPhone X is not in any way truly innovative and only presents pseudo innovation.

  • OLED display — While this is new to the iPhone, it is in no way new to mobile devices. Samsung has been shipping tablets and phones with AMOLED displays for years now. In fact, I’ve personally owned the Samsung Galaxy Tab S for at least 4 years that has a Super AMOLED display. This display has been amazing and remains that way to this day. Apple is substantially late to this party for the iPhone. While it’s new to Apple’s devices, OLED is not in any way a new technology created by Apple. Worse, Apple hobbled their OLED display with the unusual design of that large black brow at the top. I still have no explanation for covering 10% of the display with an unsightly black bar. Worse, when videos play or other active content is viewed, 1/10 of that content is now being obscured by that black bar unless you change the settings. Such a questionable addition to an expensive phone.
  • Removal of Touch ID — This is actually negative innovation. Removal of useful features from a device serves only to leave more questions than answers. Touch ID is a relatively new addition to the iPhone. That Apple shipped the iPhone X without it is entirely unexpected. Apple should have postponed the release until they got this right. Touch ID is an intrinsic, non-intrusive technology that works in all conditions, secures the device using biometrics and offers a much safer alternative to login IDs and typing passwords (something entirely cumbersome on small phone devices).
  • Addition of Face ID — Face recognition on a phone, while new to the iPhone, isn’t a new technology, nor was it created by Apple. Cameras have been capable of recognizing faces when taking photos, but it does not necessarily take the step to identify the person. Apple takes it to the identification level with Face ID. In fact, it takes it to the next step to use it to identify the owner of the phone. However, this is an untested new technology when used on a phone. While computers with hefty internet connections have been capable of performing this type of fast facial recognition, a phone will require a cloud service to provide such an identification. This means that your facial information will need to transmit to a cloud service and attempt to determine that you are you. It also means that this picture information may be stored on Apple’s servers for this purpose. It also means there’s a huge privacy concern here if Face ID captures something it shouldn’t have. Touch ID is never susceptible to this privacy intrusion problem.
  • Wireless Charging — Again, Samsung devices have had wireless inductive charging for years. This addition, while new to Apple’s phones, is not in any way innovation. Wireless charging has previously existed on other non-Apple devices and, again, has not been created by Apple. Apple has embraced the Qi wireless charging standard up to a point. However, Apple has denied iPhone devices from using Qi fast charging, instead choosing to offer up Apple’s own standard sometime in 2018.
  • Fast Charging — This allows the phone to charge the battery perhaps 5x faster than the iPhone currently charges today. This is separate from Wireless Charging, but Wireless Charging can take advantage of it.
  • Edge to Edge Display — While Apple’s implementation of this screen seems edge to edge, it really isn’t. There is a small bezel around the display due to the way the case is designed. While it is probably the most edge to edge display we’ve seen in a phone to date, it isn’t the first. Samsung’s Galaxy Note 8 offered at least side to side edge to edge display and a reasonably small top and bottom bezel. Suffice it to say that what Apple has done is merely semantics. Now, if Apple hadn’t added that questionable brow covering 10% of the display, it might have been a small achievement.
  • Faster CPU, more RAM, faster overall performance — To be expected in any new release, though it will be outdated quickly.

In fact, none of what has been included on the iPhone X is in any way newly created ideas by Apple. Apple is firmly playing catchup with the Joneses (or in this case, Samsung). Samsung has already produced phones with every single one of the technological advances that Apple has put into the iPhone X.

Fanboys might claim that the iPhone X is all new. No, it’s all nuances. Apple is simply catching up with existing technologies and ideas to improve their new phones (and I use the word improve loosely). There is nothing actually innovative about the iPhone X. In fact, from a design perspective, it’s probably one of the ugliest phones Apple has yet produced. The brow seals that fate. If there were such Razzie awards for design, Apple would win it for 2017.

iPhone 8

This is one of those things that always irks me about Apple. That they’re releasing the iPhone 8 at all is a bit of a mystery. If you’re introducing a new phone, why keep this line of phones at all? Bet the bank on the new model or don’t do it. This is what Apple has always done in the past. That Apple is now hedging its bets on two different models seems a bit out of the ordinary for a company that has typically bet the bank on new ideas. I guess Apple is getting conservative in its old age.

Other than wireless and fast charging introduced into the iPhone X, nothing else has trickled its way into the iPhone 8. Effectively, the iPhone 8 is simply a faster iPhone 7 with Qi wireless and fast charging support.

Let’s talk about wireless and fast charging a little here. While the iPhone 8 is capable of both wireless and fast charging, it won’t come with it out of the box. In fact, Apple’s fast wireless charging pads won’t be released until sometime (probably late spring) 2018. While there are other Qi Wireless chargers you can buy now, these chargers won’t fast charge. Worse, the iPhone 8 still ships with the standard Lightning USB cable and standard speed charger. If you want fast charging, you’re going to need to invest in the extra accessories (cables and chargers) to get that faster charging performance. Until Apple releases its wireless charging pad, you can’t even get wireless and fast charging together. In addition to your phone’s cost, expect to dump an extra $100-200 on these accessories (several times if you want something now and then again when Apple releases its accessories).

Mac Computers

Just to reiterate the point of lack of innovation, I’ll bring up one more point. The MacBook and Mac line of computers has been so stagnant and so far behind the times, I’m not even sure Apple can catch up at this point. While every other non-Apple notebook on the market (even the cheapest, smallest model) now includes a touch display, Apple continues to ship its Mac computers without touch surfaces in defiance of that trend. There’s a point where you have to realize that touch surfaces actually are a necessity to computing. The ironic thing is, we have Apple to blame for this dependency by Apple introducing the original iPad.

Yet, Apple’s stubborn stance on introducing touch displays on the Mac has actually become a sore point with these devices. Apple, lose your stubbornness and finally release touch friendly MacBook computers at the very least. Though, I’d like to see touch screens on every Mac computer. You’ve had Spotlight on the MacOS X for years now (the first step towards touch displays), yet here we are with one computer that has a Touch Bar. The Touch Bar is such a non-innovation as to be a step backwards.

Let’s just get rid of the worthless Touch Bar and finally introduce Macs with touch displays, which is what we want anyway. Since we’re playing catchup, let’s finally catch the Mac line up to every other non-Apple notebook.

Apple’s Worms

It’s clear, Apple has lost its innovative ways. Apple is now relying entirely upon existing technologies and ideas, firmly throwing together half-assed ideas and calling them complete. The iPhone X idea should have been tossed before it ever saw the light of day. Had Jobs been alive to see it, the iPhone X idea would have been tossed out the window in lieu of a new idea.

Additionally, Apple’s technology ideas across its product lines are entirely fractured:

  • The iPhone ships with Lightning connectors, but no other device in Apple’s line up supports Lightning
  • The iPhone has removed the 3.5mm headphone jack for no other reason than, “just because”
  • New Macs now ship with USB-C, yet none of Apple’s mobile devices support this standard
  • USB-C Macs require dongles because none of Apple’s accessories support USB-C (other than the converter dongles)
  • The Apple Watch has no direct integration with the Mac. It only integrates with a single iPhone.
  • Apple ships Lightning head phones that can only be used with the iPhone line, not Macs
  • Macs still fail to support touch displays
  • Macs still ship with 3.5mm headphone jacks
  • Apple’s magsafe adapters were amazingly innovative to supply power to the system, yet have been tossed out in lieu of the inferior USB-C connector
  • The iPhone and Mac are only half-assed integrated with one another. The best we get is USB connections and Airdrop. The Universal clipboard only works about half the time and even then it’s not always useful depending on copied content. The single app that works quite well is iMessage. In fact, the entire reason this integration works at all is because of iCloud.

Innovation is about putting together ideas that we’ve never before seen and that take risks. It’s about offering risky ideas in creating devices that offer the potential of changing the game entirely. There’s absolutely nothing about the iPhone X that’s a game changer. Yes, I do want an iPhone with an OLED display because I want the super high contrast ratio and vibrant colors. If that had been available on the iPhone 8, I’d probably have upgraded. For now, there’s no reason to upgrade from any of Apple’s most recent products. Wireless charging just isn’t enough. A hobbled OLED display is just not worth it.


How to protect yourself from the Equifax breach

Posted in botch, business, security by commorancy on September 11, 2017

Every once in a while, I decide to venture into the personal financial security territory. This time, it’s for good reason. Unfortunately, here’s a topic that is fraught with peril all along the way. It also doesn’t help when financial linchpins in the industry lose incredibly sensitive data, and by extension, credibility. Let’s explore.

Target, Home Depot and Retailer Breaches

In the last few years, we’ve seen a number of data breaches including the likes of Target and Home Depot. While these breaches are severe problems for the companies, they’re less problematic for the consumer in terms of what to do. As a consumer, you have built-in protections against credit card fraud. If a thief absconds with your number, your liability is usually limited to around $50, but that also depends on the card… so read your fine print.

With the $50 you might have to pay, the inconvenience to you is asking your credit card company to issue you a new card number. This request will immediately invalidate your current card number and then you have to play the snail mail waiting game for a new card to arrive. That’s pretty much the extent of the damage with a retailer like Target or Home Depot.

No one wants to go through this, but it’s at least manageable in time… and you can get back on with your life. For breaches like Equifax, this is a whole different ball game, let’s even say, a game changer. Breaching Equifax is so much more than a simple credit card inconvenience.

Credit Reporting Agencies and Breaches

With Equifax breached, this is really where the government needs to step in with some oversight and regulations. What your social security number is to the government, your credit reporting file is to your personal financial health. This breach is a dangerous game… and worse, Equifax is basically taking it lightly, like it’s no big deal. This is such a big deal, you will absolutely need to take steps to make sure your data is secure (and even then, that only goes so far).

First, I’ll discuss what this breach means to you and how it might affect you. Second, I’ll discuss what you can do to protect yourself. Let’s start with some basic information.

There are 3 primary credit reporting agencies (aka credit bureaus):

  1. TransUnion
  2. Experian
  3. Equifax

Unless you’ve never had a credit card, you probably understand what these businesses do. I’ll explain for the uninitiated. These agencies collect and report on any outstanding credit card or revolving lines of credit you currently have. If you have a mortgage, these entities know about it. If you have a credit card (or many), they know. They also know lots of other data (i.e., previous and current address), what loans you’ve had in the past, what bank accounts you have, what balances are on your outstanding lines of credit, any collections activities and the list goes on and on. It also lists your birth date, social security number and full credit card numbers and account numbers.

Based on all of your credit lines, how well you pay and so on, these companies create a FICO credit score. This score determines how low of interest rates you’ll receive on new loans. These companies are not only a bane to actually exist, but they are your lifeline if you need new credit. Even just one blemish on your record can prevent you from getting that loan you need to buy your new house or new car. Without these linchpin companies, lenders wouldn’t be able to determine if you are a good or bad credit risk. Unfortunately, with these companies, consumers are at the mercy of these companies to produce accurate data to lenders (and to protect that data from theft)… a task that Equifax failed to do.

What did Equifax lose?

Equifax lost data for 143 million record holders. While that number may seem small, the damage done to each of those 143 million record holders will eclipse the damage produced by Target and Home Depot combined. Why? Because of how these credit reporting agencies actually work.

Equifax (and pretty much all of these credit reporting agencies) have flown under the radar in what they do. If you go to a car dealer, find a car you want and fill out loan paperwork, that dealership will pull a credit report from one or more of these agencies. Your credit report will contain a score and all loans currently outstanding. It also shows how well you pay your loans, any delinquencies in the past and other financial standing metrics. This credit report will be the basis of whether you get a loan from the car dealership and at what interest rate.

Hackers had access to this data between May and July of 2017. The hack was found on July 29th, but not reported to the public until September 8th. That’s over a month that Equifax sat on this news. It’s possible that they were requested by law enforcement to hold the announcement, we just don’t really know.

What was lost?

According to the Washington Post:

Hackers had access to Social Security numbers, birth dates, addresses, driver’s license numbers, credit card numbers and other information.

According to the New York Times:

In addition to the other material, hackers were also able to retrieve names, birth dates and addresses. Credit card numbers for 209,000 consumers were stolen, while documents with personal information used in disputes for 182,000 people were also taken.

Those dispute documents being PDFs of bills, receipts and other personally identifying information. I’ve also read, but have been unable to find the corresponding article, that the hackers may not have had access directly to the credit report database itself, but only to loose documents in a specific location. However, even with that said, do you really trust Equifax at this point? I certainly don’t.

Why is this such a big deal?

Because the credit reporting agencies have played it fast and loose for far too long. They make boat loads of money off of each credit report that’s pulled. If you pay $50 as part of the loan process to pull your credit report, the dealership will keep part of that money and the rest goes to Equifax. Because many loan applications are processed every day, some credit reporting agency is making money. Making money isn’t the problem, though.

These agencies will pull a report for anyone willing to spend money. This includes people with stolen credit cards. However, that only gets thieves so far before being caught. Instead, breaking into computers at the agency allows them to not only pull credit reports for anyone who has a record, they can get access to lots of sensitive information like:

  • Social Security Numbers
  • Birth Dates
  • Addresses
  • Places of employment
  • Home Addresses
  • Credit card numbers
  • Dispute Documents
  • Etc..

Basically, the thieves may now have access to everything that makes up your identity and could steal your identity and then attempt to divert bills away from your house, create new cards, and do other things that you may not be able to see. If they managed to get access to your credit report, they can open cards out the wazoo. They can charge crap up on those cards. And, they can perform all of this without your knowledge.

Credit Monitoring

You might be thinking, I’ll set up a credit monitoring service and have the credit reporting service report when activity happens. Even that, while only somewhat effective is still subject to being breached. If the thieves have access to all of your identity information, they can request the credit reporting service to do things like, reissue passwords to a new email address and send sensitive reports to a bogus address. These thieves can even undo security setups like a credit freeze and reassign all of that information to their own address. You won’t see or even know about this unless you regularly check your credit reports.

This problem just barely peeks into the can of worms and doesn’t even open it fully. There are so many things the thieves can do with your identity, that by the time you figure it out, it could be far, far too late. So, don’t think that signing up for credit monitoring is enough.

Sloppy Security Seconds

In fact, it wasn’t seconds, it was almost 2 months before the breach was known to the public. A move that not only shows complete disregard for 143 million people’s financial security from a company who should be known for it, Equifax doubled down by creating a lead generation tool in their (ahem) free TrustID tool. Keep in mind that that TrustID tool is only (ahem) free for one year, after that you pay. Though, protecting against new account creation is only half the problem. The other half to which TrustID can’t help is protecting your existing accounts. Because credit reports contain every account and every account number you own, if your data was compromised (and with 143 million accounts worth of data lost, it’s very possible), you need to do so much more.

Even the Security Checking Tool (which was questionably put up on a newly created domain???) seems to have been a sham and had its own share of SSL certificate problems leading to some browsers showing the site as a scam. Some Twitter users have entered bogus data… and, this checking tool seems to have stated this bogus data was included in the breach. The question is, does that tool even work or is it merely security theater? Yet another black eye among many for Equifax’s handling of this data breach. To wit…

and then this tweet…

To sign up for Equifax’s TrustID premium service, you have to enter even more personally identifying data into a form of a company that has clearly demonstrated they cannot be trusted with your data. Why would anyone do this? Seriously, signing up for a service with a company who just lost a bunch of information? No, I think not. Instead, Equifax should be required to pay victims for a monitoring service with either TransUnion or Experian (where breaches have not occurred.. yet).

On top of entering even more personal information, the service requires you waive your right to lawsuits against Equifax and, instead, requires binding arbitration. Yet another reason not to sign up.

It’s not as if their credit monitoring service is really going to do you a whole lot of good here. If you really do want a credit monitoring service, I’d suggest setting it up with Experian or TransUnion instead. Then, figure out a way to get Equifax to pay you back for that service.

Can’t I reissue credit card numbers?

While you can do this, it won’t protect you fully. The level of what the thieves can potentially do with your data from Equifax goes much deeper than that. Yes, changing the numbers will help protect your existing cards from access. However, it won’t stop thieves from opening up new accounts in your name (and this is one of the biggest problems). This is why you also need to set up a credit freeze.

Because the thieves can now officially pretend to be you, they can do such things as:

  • Pretend to be you on the phone
  • Call in and request new pin codes based on key identifying information (address, SS#, phone number, etc)
  • With your old address, they can then transfer your bills to a new address
  • They can reissue credit card numbers to that new address

You’re probably thinking, “What about the security measure my bank uses? Won’t that protect me?” That depends entirely upon how convincing the thief can be over the phone. If they can answer all of your identity information and find a representative who can bypass some of the bank’s security steps, they can get a foot into the door. That’s all it takes for them to basically take over your credit accounts… which is one step away from potentially hijacking your bank accounts. A foot in the door is enough in many institutions to get the ball rolling towards full hijacking.

How do I protect myself?

If your data was involved in the breach (unfortunately, the tool that Equifax provides is sketchy at best), the three bare minimum things you should do are:

  1. Contact one of the three credit bureaus and ask for a free 90 day fraud watch
  2. Contact all three and ask for a credit freeze on your records at each credit reporting agency
  3. Set up credit monitoring at TransUnion or Experian

The 90 day fraud watch means they will need to let you know when someone tries to do anything with your credit report. However, this watch is only good for 90 days and then expires. The good thing about requesting this watch is that you only have to do it at one bureau. All three will receive this watch request from your contact with one of them. The bad thing is, 90 days is not nearly long enough to monitor your credit. In fact, the thieves will expect the 90 day fraud watches, wait them out, then go after it hard and heavy after these begin expiring.

A freeze, on the other hand, lasts until you unfreeze. A freeze puts a pin code on your credit record and that pin is required each time a company needs to pull a copy of your credit report. This will last far, far longer than a 90 day watch and serves to stop the thieves in their tracks. To freeze your records, you will need to contact all three separately and perhaps pay a fee of $5-10 depending on where you live.

Setting up credit monitoring means you can be alerted to whenever anything changes on your credit report. But, credit monitoring won’t stop the changes from occurring. Meaning, you’ll be alerted if a new card is opened, but the monitoring service isn’t a preventative measure.

You can contact each bureau as follows to set up any of the above services, including a credit freeze (links below):

  1. Equifax or call 1-800-349-9960
  2. TransUnion or call 1-888-909-8872
  3. Experian or call 1-888-397-3742

Neither a fraud watch nor a credit freeze will impact your credit score. A freeze simply prevents any business from pulling your credit report without having your pin code. Companies for which you already do financial business or have loans established can still pull reports as needed. However, any new loans will be required to have your security pin code.  You can learn all about the details of a credit freeze at this FTC.gov web site.

Unfortunately, because the breach may have been more extensive than it appears, a thief can now contact the credit bureaus over the phone, pretend to be you and have any pin codes removed and/or reissued. Then, gain control over your credit records. This is why this breach is so treacherous for consumers. You need to be on your guard, vigilant and manually monitor your credit report for at least the next 12 months regularly. This is the part no big box media site is reporting. Yes, this is a very treacherous landslide indeed that is at work. Even if you do all of the protections I mention above, thieves can still subvert your financial records for personal gain by knowing your key personally identifying information.

How do I stop the thieves?

This is the fundamental problem. You can’t, at least not easily. To truly protect yourself, the scope of changes would include all of the following:

  1. Get a new social security number
  2. Reissue all of your credit card and debit card numbers
  3. Open new bank accounts, transfer your money into the new accounts
  4. Close the old bank accounts
  5. Reissue new checks
  6. Change your telephone number
  7. Move into a new address (or obtain a P.O. Box and send your bills there)
  8. Legally change your name
  9. Change all of your passwords
  10. Change all of your email addresses
  11. Set up multifactor authentication to every financial app / site you log into that supports this feature.

Unfortunately, even doing all of the above would still mean the credit bureaus will update your credit report with all of this new data, but your prior history would remain on the report… possibly up to and including all of the old account, name and address information. It is very, very difficult to expunge anything from a credit report.

In addition to the above, I’d also suggest closing any credit lines you don’t regularly use. If it’s not there, it can’t be exploited. None of this is a magic bullet. You just have to wait it out and shut the thieves down as things materialize. Being diligent in watching your credit report is the only way to ensure you nip things in the bud early.

Tidal Waves and Repercussions

The extent of their breach is still unknown, as is the extent to which each consumer may have to go to protect themselves from this deep gash in the financial industry. Not only does this gash now undermine each account holder’s personal financial well being, it undermines the credibility of the very industry holding up the world’s economy. This is some serious shit here.

If half of the US’s residents are now available to identity thieves, those organizations who help protect the small amounts of identity theft throughout a normal year cannot possibly withstand a financial tidal wave of identity theft paybacks which could seriously bankrupt many credit organizations. In fact, if this tidal wave is as big as I suspect it could become, we’re in for some seriously rough financial waters over the next 6-12 months. By the time the holidays roll around, it could be so bad, consumers cannot even buy the goods needed to support the holiday season. Meaning, this could become such a disruptive event in the US’s financial history, many businesses could tank as a side outcome of consumers not being able to properly spend money during the most critical season of the year.

This has the potential to become one of the most catastrophic financial events in US history. It could potentially become even more disruptive than the 1939 stock market crash. Yes, it has that much potential.

Since I have no reason to believe that Equifax has been totally honest about how much data has actually been lost, this is the reason for this level of alarm. I’d be totally happy if the amount of data lost was limited to what they have stated, but the reality is, nothing is ever as it seems. There’s always something deeper going on and we won’t find that out for months… possibly at the point where the economy is hit hard.

Equifax Aftermath

Because the US is so pro-business, Equifax will likely get a slap on the wrist and a warning. Instead, this company should be required to close its doors. If it is not providing adequate data security measures to protect its systems, then it needs to shut its doors and let other more capable folks handle this business. This sector is far too critical of a service and that data too risky if lost to allow flippant companies like Equifax to continue to exist in that market.


Console Review: Nintendo Switch

Posted in nintendo, technologies, video gaming by commorancy on August 17, 2017

Back in April, I wrote an article entitled Why I’ve Not Yet Bought A Nintendo Switch. It’s now August and I’ve decided to take the plunge and buy a Switch based on a comment I heard about The Legend of Zelda: Breath of the Wild. I hadn’t yet played this game (in part because I was disappointed with the last Zelda installment). However, someone told me that it is effectively Skyrim. That comment piqued my interest. The Elder Scrolls series is one of my two most favorite video game series, the other being Fallout 4. I’ve always liked Zelda, but didn’t want to play it on the Wii U. So, I decided it was time to give the Switch a try (assuming I could find one in stock). After turning the unit on, it became quickly obvious just how limited this tablet really is. However, I am looking forward to playing the Skyrim port on a portable. Let’s explore.

Best Buy

As luck would have it, when I arrived at Best Buy to pick up my pre-ordered copy of Agents of Mayhem for the PS4 (haven’t started playing it yet for reasons that will become obvious), I asked a floor person if they had any Nintendo Switch consoles in stock. To my surprise, they did. I picked one up on the spot, and with it a copy of The Legend of Zelda: Breath of the Wild. I also picked up a few Amiibo that I didn’t have and a Switch Pro Controller in hopes of avoiding the Joy-Con problem. I have heard the Joy-Cons can lose connectivity when operating wireless, dropping their connections mid-gaming. I had experienced this exact problem with the PS3 controller after its release and I definitely do not wish to revisit that problem on the Switch. Even the Best Buy floor representative confirmed the wireless disconnection problem with his own personal Switch.

Note, I also decided to pick up the Switch at this time because it’s still well before the holiday season when finding things in stock gets crazy impossible. I’m planning on playing Skyrim and wanted to have a Switch before Skyrim releases during the holidays (no release date as of this article). I would also like to see Bethesda port Fallout 4 over, but that’s probably a pipe dream. Let’s get right into the meat of this review.

Tablet Weight and Size

Starting with size, the one thing that I immediately noticed upon opening the box is how small this tablet actually is. My NVIDIA Shield, my iPad and my Galaxy Tab S are all actually much bigger than the Switch. Even the iPad mini is bigger than the Switch. Let’s just say that it’s much smaller than I had expected. In a portable, I guess that’s okay. Of course, after attaching the Joy-Cons, the tablet becomes much longer. As for setting it up, the tablet setup was easy and fast, unlike the Wii U which seemed overly complicated. The slowest part was setting up a Nintendo account (see below).

The weight of the tablet is average, not too light and not too heavy. After you attach the Joy-Cons, the weight becomes more substantial. I’ll probably leave the Joy-Cons attached most of the time because the Switch Pro Controller works spectacularly well even though it costs ~$70. Anyway, the screen is smaller than I expected, but it is still readable. However, the screen controls inside Breath of the Wild are far too small. In fact, this tabsole suffers from the same exact problem as did the PS Vita. The screen resolution is so high and the icons are drawn so small that it can be difficult to touch or read some of the text on the tablet screen. When played on a TV, this isn’t a problem. Though, the tablet screen is bigger than the PS Vita and the play area is quite nice, the tiny icon problem remains. Nintendo can fix this issue in later games, but for Breath of the Wild, it suffers a bit from the tiny icons when playing on the tablet screen.

Graphics and Game Performance

After playing Breath of the Wild for just 15 minutes, it is quite obvious: this tabsole is a workhorse fully capable of producing solid frame rates on both the tablet display and through the dock on a large screen TV. In fact, the ability to switch back and forth between the tablet display and the TV display is so seamless, it just works without thought. Simply slide the tablet into the dock and it’s on the TV. Hooking the dock up to the TV was a cinch.

What accessories does the Switch support?

  • microSDXC and microSDHC cards
  • 32 GB built in tablet memory
  • card slot for games (they’re card based)
  • Amiibo support (both on the controller and on the tablet)

Interestingly, there are tablety features missing such as:

  • No cameras (rear or front)
  • No microphone
  • No stylus (interesting because the 3DS was all about the stylus)

However, the Joy-Cons have a unique slide attach system. This means that in the future such devices as microphones and cameras may become available as slide-on accessories. It is unknown if the slide-on accessories can be stacked. Hopefully, Nintendo did design the slide-on accessories to be stackable. Even if they aren’t stackable, you can still use the Joy-Cons wirelessly when other accessories are connected.

Joy-Cons

I would be remiss if I didn’t discuss these controllers. These controllers (light gray – right, blue/red – top) slide onto the left and right side of the tablet (or the left and right side of the adapter). They’re nice enough and have a good joystick feel, but overall they’re only just okay. The buttons are too small for my liking. When you take the Joy-Cons off and attempt to use them separately or attached to the Joy-Con controller adapter (pictured right), they still don’t improve much. The real improvement is in using the Switch Pro Controller (pictured below). Interestingly, in addition to the Joy-Con adapter, there are two slide-ons included for each Joy-Con that attaches a wrist strap. I guess because of the Wii and people breaking things by throwing them at the TV, Nintendo has learned its lesson. Needless to say, these two wrist strap attachments do provide the Joy-Cons with a more polished, finished look and feel when attached. Interestingly, Nintendo did not include simple rounded end closures for the sides of the tablet itself to make the tablet also look finished when the Joy-Cons are detached. The unfinished tablet side ends just hang out to collect dust and dirt.

Switch as a Tablet

In this day and age with the likes of the Samsung Galaxy Tab and Apple’s ever larger and larger iPad versions, coupled with the iOS or Android, these modern tablets are both functional as productivity and browsing devices, but they can also be used for high intensity gaming… with controllers even. Clearly, only Apple tablets support iOS. However, many many tablets support Android. In fact, Android is likely to become the operating system of choice on tablets, far and above iOS or Windows in deployments. Why? Because it’s open source, it’s designed to work with tablets, it performs well and it’s well supported. It also means that there’s a crap ton of applications already available on this platform.

Unfortunately, here is where the Nintendo Switch completely falls down. Nintendo has opted to use its own proprietary operating system to drive the Switch. This has the obvious downside of not running any existing apps or games. This means that as a Switch owner, you are entirely at the mercy of Nintendo to provide every app you could ever want. And herein lies the biggest problem.

While the games run like a champ, the Switch cannot become a useful tablet itself because it does not benefit from inheriting existing games or apps from Android. This is entirely the problem with the Switch in a nutshell. When you power the Switch on, you’ll quickly notice that there are a very very limited number of games in the Nintendo eShop. In fact, there are so few, it’s probably not worth considering the Switch as anything other than a Nintendo gaming system.

Switch as a Game Console

Unlike the Wii U that offered a dual display (the Gamepad touch screen in addition to TV screen), the Switch can only display on the TV or the tablet one screen at a time. When docked, the tablet display is covered and disabled. With the Wii U, you could use the Gamepad screen for maps or inventory or other useful drag and drop features. With the Switch, that’s not possible. That Nintendo has dropped the two screen idea entirely is a bit unusual. I did like being able to perform certain gaming tasks (i.e., rearranging the inventory) on the second screen. Yes, it was of limited use, but having the second screen for certain gaming tasks made a lot of sense.

Nintendo never learns

By now, you would have thought that Nintendo would have learned its lesson from the failure of the Wii U. Yet, here we are… back in the same boat as the Wii U. This means that, yes, it’s a tablet but, no, you cannot use it for anything other than gaming. Nintendo, if you’re planning to design a device like this, you also need to understand the bigger picture. This is a tablet. As a tablet, in addition to gaming, it should be able to run standard apps that are found on both Android and iOS. Unfortunately, there is nothing available (not yet anyway). In fact, the Switch is currently missing the most basic of apps such as Netflix, Amazon, Facebook, Twitter, Instagram, a web browser or any other social networking app. While the OS may support sharing some content to some of these services, that’s as far as it goes. You cannot use the tablet as a general purpose device. Such a shame as this means that you will have to carry the Switch around with another tablet or device.

In fact, as a Nintendo device, it doesn’t yet even support Miiverse, not that that’s a big loss. It also doesn’t currently support StreetPass (and may never). That’s a bit odd for a portable gaming device produced by Nintendo. You would think that Nintendo could at least support its own social platforms out of the gate.

Nintendo Login

The bizarre choice to require a Nintendo website ID instead of the Nintendo Network ID to log into the eShop is completely unexpected. Like the Nintendo 3DS, I fully expected to type in my NNID login and password and be on my way. Nope, I had to run over and create a brand new login ID through the web site, then link it to my NNID, then use that new login and password to have the Switch login. Bizarre. Nintendo seems to make these arbitrary and haphazard changes with each new console iteration. I’m not yet even sure what benefit jumping through this hoop actually provides. Though, once you log into the Nintendo Web portal, you can link in your Facebook and Twitter accounts. So, perhaps it’s a way to link your social networks? *shrug*

The one thing that irks me is that you must type in your Nintendo Login password each time you want to enter the Nintendo eShop. Why it can’t remember your password for even a few minutes is frustrating. Better, give me the option of saving my password on the console so I don’t have to type it each time. If you want to add a security feature against accidental purchases, require a separate four (4) digit pin code which must be typed before each purchase. Typing in four (4) numbers is far easier than typing in a long password string. Figure it out Nintendo.

Nintendo Online

With the introduction of the Switch, Nintendo has created (or will create) an online service. This service, I’m guessing, is to be similar to Xbox Live or PlayStation Network. I’m assuming it will offer multiplayer gaming and other perks, but we’ll have to wait and see what it intends to provide. It doesn’t officially launch until 2018 and will sport a $19.99 a year price tag (though you can pay monthly). Whether or not that’s the final price tag remains to be seen. Considering that both PSN and Xbox Live are well more costly than that, I’d fully expect Nintendo to raise the price of this online service in short order. After all, it’s not inexpensive to build and maintain services in AWS or Google Cloud or even in your own data center.

Overall

The Switch is definitely great at gaming. However, because Nintendo has chosen for the Switch not to be a general purpose tablet or run an operating system with a boatload of existing software (i.e., Android), it will only ever be a single purpose gaming tablet. Personally, I think that’s a huge mistake on Nintendo’s part. Nintendo is gambling an awful lot on this limited tablet design. I personally believe this gamble will not pay off for Nintendo and may leave the Switch as dead as the Wii U. Thanks for thinking ahead there Nintendo. For playing Nintendo game franchises (Mario, Zelda, Pikmin, Pokemon, Splatoon, Metroid and so on), the Switch will do fine. Barring the upcoming Bethesda port of Skyrim to the Switch, I can’t foresee much in the way of non-Nintendo franchises or other blockbusters being developed or ported. In fact, Nintendo probably paid Bethesda a boatload to get Skyrim ported. However, I wouldn’t expect third party ports to continue much into the future. Nintendo will, once again, be forced to give up on that idea of wooing AAA titles to the Switch … which will ultimately limit the platform to Nintendo properties (the entire reason the Wii U failed).

The Switch will become just like the Wii U, the third most popular game console. It will sell to those parents who trust the family friendly nature of Nintendo’s games. However, for adult gaming or using this tablet as a replacement for the iPad, nope. It has a nice enough hardware design, but it just has too many shortcomings to be the end-all of tablets. Because it does not support general purpose tablet use, a parent cannot justify it as an educational tool or even a browsing tool, unlike an iPad or Samsung tablet at around the same price point. Sure, it supports Nintendo’s game franchises, but is that enough? No.

Personally, the Switch is just a little too weighty (and way too lacking of general tablet features) to carry it around all of the time. Instead, I’ll use it at home like a console when docked or use it as a portable around the house when I do laundry and such. If it had Android, could access the Google Play store, had access to an existing library of tablet games, supported a browser and included other general purpose computing features, I could much more easily justify carrying it with me all of the time. Unfortunately, that’s not going to happen with this version of the Switch. Perhaps Nintendo can make this right with an OS update, but certain things cannot be solved in software (i.e., lack of a camera or microphone). The lack of a microphone will seriously hinder multiplayer usage.

The final takeaway is, don’t go buy a Switch expecting anything more from this tablet than playing Nintendo game franchises. For the price of the Switch as a tablet, it’s way under-designed.



Hardware Build: 5 Stars
Hardware Features: 4 Stars (missing camera and microphone)
Software / OS: 1.5 Stars
Joy-Cons: 3 Stars
Pro Controller: 4 Stars
Overall: 3 Stars

Agree or disagree with this review? Please leave a comment below. I’d love to hear your thoughts about the Nintendo Switch.

 


Rant Time: Apple iPhone, MS Exchange and Security Policies

Posted in Apple, best practices, botch by commorancy on August 7, 2017

If you’re like me, you like to use your phone device as your catch all email reader, including for your company email. Many corporate email solutions choose MS Exchange and/or Office 365 for their mail services. This article is here to inform you exactly what can happen to your iPhone when connecting to Exchange to access your corporate email. Apple has slipped this feature set in under the radar and, worse, doesn’t inform the users or request consent. Let’s explore.

Overreaching Policies and Exchange

I’ve never been one to think that Apple isn’t transparent about its technologies, but in this case, I think I have to make an exception. Apple slipped this technology change in without so much as an eye-blink. What is this change, you’re now wondering? Well, I’ll tell you.

If you connect your iOS device (iPhone, iPad, iPod Touch, etc) to an Active Sync Exchange mail server, the systems administrator operating that Exchange server can muck about with settings on your entire device. What mucking about can they do? Well, here’s a short list:

  • They can wipe your entire device through a single exchange server request
  • They can change system settings on your device to prevent using certain functions on iOS, such as disabling the ability to turn off passcodes or modifying other settings on your operating system, possibly even up to disabling iCloud entirely.
  • They can deny connection to the service if your device is set with an insecure setup or jailbroken
  • There are many other security policies they can apply to your device without your knowledge or consent.

Now, I can hear the Exchange Admins all over the world groaning right now. Well, the jig is up. You’ve had your fun for far too long. Unless the company is paying not only for the device, but for the service on the device, these changes are WAY WAY overreaching for the simple act of reading email. The only thing Exchange should be able to do is wipe the mail data left over from that Exchange server. You should not be able to set or change security settings on the entire device. Additionally, users should be able to grant or deny such overreaching settings coming from Exchange. Operating systems have had this feature for years… requesting the root password to make such sweeping changes. The same should be available on the iPhone (or any mobile device).

Mail Service Connectors modifying OS settings?

This was my question… why is this possible?

That the Exchange Service can make these global operating system changes to an iPhone is a way overreaching and abusive use of mail services. Mail applications (or any app for that matter) should NEVER be able to muck about with operating system settings at that level any more than a browser can. This is not only a security risk in itself, it leaves iOS devices open to security vulnerabilities because the mail app could become compromised and used to nefariously mess up iOS. Worse, if there are two or more Exchange Server connections to the mail app, which one rules when policies are applied? They both can’t apply differing security settings and expect them both to work properly.

Of course, the biggest problem is wiping your device. There should be no possible way a mail application should be capable of instantiating a wipe command ever. This is an amazing intentionally introduced vulnerability that I’m surprised to find exists in this day and age. Mail applications should never have this level of access to any device. In fact, the only allowed wiping should be done by the user of the device through a service such as Find My iPhone behind the user’s iCloud login and password and in no other place. I’m sorry… if corporate admins want to be able to wipe lost devices, they should do it through another method… not through the Exchange mail service protocol. Mail services should be for mail services, not for pushing extraneous other functions. This was never the purpose of a mail server and this should never be possible through a mail server connection. It should also not be possible without the user’s prior knowledge or consent.

Devices and Settings

Apple needs to quickly obsolete and remove this capability from the mail app. This was an unnecessarily overreaching decision that has no place on iOS. If corporate admins wish to apply corporate policy to devices, then whatever protocol makes this change needs to inform the user of each and every policy change that will be applied to the device and let the iPhone user make the choice of whether or not to accept those policies changes. If the corporate admins want to make global policy changes to iOS, it should be through an entirely different application and system.

Perhaps Apple needs to roll out a separate application and service that allows corporate admins to make these sweeping changes to iOS. Changes that will inform the user, that the user can track through this new app and that the user can opt out of if they wish. Right now, the only way to remove the applied global settings is to remove the Exchange connector from iOS. Even then, some of the applied settings may remain set and may require a wipe and restore to clear.

Unfortunately today, Exchange can silently push policies to your device up to and including wiping your device. When I say, “wipe the device”, I mean wipe it entirely. Yes, that means data and settings lost in an unrecoverable way. The data lost does include your photos, notes and any other personal information. This means that by connecting Exchange to the built-in Mail app, you’ve given your corporate admins control over your device simply for the convenience of reading email.

How can I protect my iPhone?

Don’t use any Exchange servers with the built-in Mail app on iOS. Instead, if you need access to Exchange email, install the Outlook app which is available on the app store. The Outlook app does not have access to modify any system settings and cannot wipe your entire phone, just as it should be. However, the Exchange server can wipe email data from inside Outlook. I’m perfectly fine with that. As long as Exchange’s modifications remain contained inside the Outlook app alone, that’s perfectly acceptable.

No mail server connection should ever be able to modify an iPhone’s global system settings in such a blatant and sweeping way. Apple, you need to fix this issue pronto. If you want to allow policy changes over the entire phone, then design and build a policy application with an API. Then, like Facebook apps, request the user to approve access to this API for any application that needs to use it and require connection to the iCloud login and password to activate it. Also, allow the user to revoke access to the API and undo all policy changes at any time. Once connected, offer an app with a UI to allow the iPhone user to see what settings are being altered on the phone. Also through this app, allow the iPhone owner to make changes (when possible) to these policy grants on the device. If those changes are incompatible with a specific service’s policies, then notify the user that that service will be removed from the device if changes are made.

Few companies pay for phones today and instead leech off of employees who pay for their own phones and services. If the company is paying for the phone and service, then they can do whatever they want with it. If I’m paying for the phone and monthly service, then it’s my decision over what happens on the device. Granting access to email should never let any mail service take control over my device in such a vulnerable way, especially when I never consented to give that level of access.

Rant Time: Don’t ever wipe your network settings in iOS

Posted in Apple, best practices, botch by commorancy on July 15, 2017

I’ve been recently trying to solve a problem with T-Mobile which ended up a bust because of the absolute sheer uselessness of T-Mobile staff about the iPhone and Apple Watch features. I will write a separate rant about that entire disaster, but let me lead with this rant that’s a little more critical. Let’s explore.

Apple’s iCloud

What is this thing? It’s a way to store settings and various data in Apple’s network cloud storage. This seems like a great idea until you realize what Apple keeps ganging up into this storage area. Then, you might actually think twice about using this feature.

While you might realize that Apple’s iCloud service will back up your photos and other data stored on your iPhone, it also stores other things you might not realize, like your WiFi network passwords, your Safari logins and passwords and various other sensitive data. What that means is that if Apple’s iCloud is ever compromised, your passwords could be completely captured by a hacker. Depending on whether Apple has stored this data encrypted strongly or not (probably not), you may end up having to change every password you have ever typed and stored on your iPhone.

Now, while that is a security problem, that’s not the problem that this article is intended to address. Let’s continue.

Apple Geniuses Are Anything But

I was recently talking to an AppleCare staffer who, when trying to solve my T-Mobile problem, requested that I wipe my network settings on my iPhone. I explicitly asked this staffer if it would also wipe my iCloud passwords. She, of anyone on this planet, should have known the answer to this question working for Apple. Unfortunately, I have very quickly learned that Apple is now hiring the lowest grunts of the grunts who simply don’t give a shit nor do they even understand the technology they are hawking. Apple, train your staff. Which leads to …

Never, Ever EVER wipe your network settings on any iOS iCloud device

No matter how much anyone begs or pleads you to do this, tell them, “NO”. And, if anyone ever tries to do this to one of your devices sharing a single iCloud login, you need to grab the device back from them PRONTO and stop them.

The answer to my question I asked Apple is that wiping network settings on your phone does, in fact, indeed wipe all of your network settings in iCloud! Why is this important? If you have multiple devices sharing your iCloud ID and settings, after wiping a single device, all of your WiFi passwords are also wiped for ALL other iCloud devices. This means that every single iCloud device suddenly and explicitly drops its WiFi connection.

This also means you will need to go back to each device and manually re-type your WiFi password into each and every device. This is the only way for the device to log back into iCloud and relearn all of its knowledge of all newly recreated settings.

This is an absolute PAIN IN THE ASS, Apple! So, if anyone ever asks you to wipe your network settings on your iPhone or iPad participating in iCloud, don’t do it! Note that even signing out of iCloud and wiping may cause the same problem once you log it back in. So, I wouldn’t even try this knowing Apple’s crappy network designs. Simply tell the person asking, “Not only no, but hell no” and have them figure out another way to resolve whatever the problem is.

So, there you have it.

Rant Time: Password Bombing

Posted in best practices, business, security by commorancy on June 29, 2017

What is password bombing? This is a malicious activity by trolls on the Internet just to inflict chaos and to annoy legitimate account holders on the Internet. Like DDoS attacks affect Internet providers, password bombing affects individual Internet users. It works like this. You have an account somewhere, let’s say Apple. Apple institutes a policy that after 3 failed password attempts your account is locked. You must then jump through a bunch of hoops to unlock the account… typically answering ‘security questions’ in addition to entering your password. Sometimes these hoops are much more problematic, like bank logins. You might even be required to call in to have someone there verify your identity and unlock your account. You might also be required to reset your password. Some companies, depending on the lockout procedure, might even require that you re-register a brand new account. The hoops you are required to jump through can be minimal to numerous… all in the name of security. A password bomber takes advantage of these security practices and bombs your account to force this account lock inconvenience on you. Let’s explore.

Security and Logins

Yes, we all want our login IDs to remain safe, but not at the expense of being locked out of our account by a random schmoe on the Internet. After all, when they enter your account’s password incorrectly, there’s nothing that affects the malicious troll except a few failed attempts… at which point they can move on and try yet another account. All of the burden and inconvenience is firmly placed on the account holder to resolve the lockout. The malicious user gets to lock you out, you as account holder have to jump through the hoops to get the account reinstated. Depending on the organization’s security practices, you might be online in a few minutes, sometimes it can take days for the lockout to expire.

Overreaching Security Methodologies vs User Preferences

As more and more breaches occur, ever more organizations are making huge security knee-jerk reactions by, in most cases, silently instituting tougher and more problematic security measures for user accounts. After all, it’s my account and, in many cases, I’m paying to have that account (in one way or another).

This is one of those times where organizations think they know better than you. They think they can simply institute security procedures and everyone will just go along with them all happy like. It doesn’t work that way. If you’re an organization instituting security practices that will affect your user accounts, you need to not only inform your user base, you need to also offer ways to set preferences to control these security practices. If you’re planning on instituting a lockout policy, then you should offer ways to prevent lockouts (multi-factor authentication) or ways to remain informed of lockout attempts. For example, if you’re planning to lock an account due to bad data, send an email explaining WHY your system locked the account and the IP address that caused the lockout.

Locking out accounts may sound like a great security prevention practice, but it’s what happens after a lockout that makes this security measure useful or a fail. Making your users jump through a bunch of sometimes impossible hoops to reactivate their account is not cool. Simply because some random schmoe on the Internet decided to type in my account name with a bad password three or more times shouldn’t require me to spend 30 minutes or longer resolving this issue. It’s your system that allowed that schmoe to continue to enter the password multiple times. That had nothing to do with me.

Why not just block that IP address from your site after multiple bad attempts and then inform the actual account holder that someone attempted to gain access from that specific IP? Let the account holder determine how to handle this issue. That’s the better way to handle this. Let us know that people are attempting to access our accounts and tell us where they are from and what device they are using. Let us make the decision. Don’t just lock us out without a word, then assume we’re okay with spending 30 minutes jumping through your silly hoops to gain access again. Do you really want us to use your services?

Password Bombers

As we are forever required to have and own more and more accounts on the Internet, it’s becoming much more common for our usernames to clash with other people. This is especially true when we’re required to use our email addresses as our login IDs. I preferred the time when we could choose our user IDs so they could be unique. Instead, we are now forced to use our email addresses which can be easily confused with other users, particularly when using an email domain like @gmail.com, @yahoo.com, @outlook.com or similar common email services used by perhaps millions of other users.

Worse, though, is when malicious trolls decide to be contrary. When they can simply go out to Yahoo or Apple or Google and just plug in random data into the login screen simply to lock user accounts. Even though this vulnerability has been around for a long time, it’s now becoming more and more common. As we move forward, it will become even more common in retaliation to stupid things like Internet comments.

These password lockout practices need to be refined to not inconvenience legitimate account holders. But, instead, it should inconvenience the password bomber. Yes, inconvenience them. Make them pay for their stupidity of entering incorrect data multiple times. Instead of locking out our accounts, block that IP from your site for 24 hours after entering incorrect login data. Prevent them from locking any further accounts through their contrary actions. Make them contact your team to get the IP unblocked. Leave the accounts alone unless it’s absolutely necessary, like under a real breach. If your organization loses password data, then yes lock our accounts until we change passwords. If some random troll decides to password bomb as an activity, make them pay for this activity by blocking their IP from your login screen.
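The policy proposed above (block the offending IP for 24 hours, leave the account usable, and tell the account holder which IP and device tried), sketched as an added example that is not from the original post. The class name, the three-failure threshold, the 15-minute counting window and the sample addresses are assumptions; only the 24-hour block comes from the text.

```python
"""Added example: throttle the source IP instead of locking the account."""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES = 3               # failures allowed per IP in the window (assumed)
WINDOW_SECONDS = 15 * 60       # counting window (assumed)
BLOCK_SECONDS = 24 * 60 * 60   # 24-hour IP block, as the post proposes


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LoginThrottle:
    users: dict = field(default_factory=dict)          # username -> (salt, hash)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_until: dict = field(default_factory=dict)  # ip -> unblock time
    outbox: list = field(default_factory=list)         # queued notifications

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # block expired: forget the IP's history
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def login(self, username, password, ip, user_agent, now):
        """Return 'ok', 'bad_credentials' or 'ip_blocked'. Accounts never lock."""
        if self.is_blocked(ip, now):
            return "ip_blocked"          # refused before any password check
        # Unknown users are checked against a dummy record (never matches).
        salt, stored = self.users.get(username, (b"\x00" * 16, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            return "ok"

        # Failure is charged to the source IP, not to the targeted account.
        window = self.failures[ip]
        window.append((now, username, user_agent))
        while window and window[0][0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) < MAX_FAILURES:
            return "bad_credentials"

        # Threshold reached: block the IP and notify each real account it tried,
        # once per account, with the IP and device that made the attempts.
        self.blocked_until[ip] = now + BLOCK_SECONDS
        seen = set()
        for _, target, agent in window:
            if target in self.users and target not in seen:
                seen.add(target)
                self.outbox.append({"to": target, "event": "login_attempts_blocked",
                                    "ip": ip, "device": agent,
                                    "blocked_until": now + BLOCK_SECONDS})
        return "ip_blocked"


if __name__ == "__main__":
    # Constructed sample data: documentation-range IPs and made-up accounts.
    t = LoginThrottle()
    t.add_user("alice@example.com", "correct horse")
    for i, guess in enumerate(["a", "b", "c"]):
        print(t.login("alice@example.com", guess, "203.0.113.7", "curl/8", i * 10))
    print(t.login("alice@example.com", "correct horse", "198.51.100.20", "Firefox", 40))
    print(t.outbox)
```

Per-IP blocking does not stop attempts spread across many addresses and can also catch legitimate users who share an address behind NAT, so the threshold and block time are tunables rather than fixed values.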

If you have been password bombed by someone on the Internet, please leave a comment below with your story. If you like what you read here, please subscribe to the Randosity blog so you don’t miss my newest posts.


Rant Time: Xbox One and PS4 automatic downloads

Posted in botch, business, microsoft, Sony by commorancy on June 17, 2017

So, I have reasonably fast internet service. It’s not the top speed I can get, but it’s fast enough for most general purposes. I’ve clocked it on wireless at about 18-20 Mbps down and 6 Mbps up. If I connect a device wired, it will be somewhat faster. With wireless, it’s not the fastest, but it’s definitely sufficient. The wireless is obviously for convenience, but it works well the majority of the time. However, when the PS4 or Xbox One get going with their automatic downloads, it absolutely kills my network connectivity. And so starts my somewhat shorter than usual rant. Let’s explore.

Automatic Downloads

I always turn off automatic downloads whenever possible, no exception. When there is no ability to shut off automatic updates, then I unplug the device. There’s no need to have devices automatically downloading at the most inopportune times. In fact, several months back I explicitly disabled automatic update downloads on my Xbox One. Yet, just yesterday I find my Xbox One automatically downloading again. I’ve finally had enough of rogue network devices and out of sheer frustration, I’ve finally just unplugged it. I also unplugged my PS4 for the same reason. No more rogue network devices. If these systems cannot respect my wishes when I explicitly turn off automatic downloading, then they’re going to remain unplugged until I decide to use them. Worse, these devices would also decide to randomly begin downloading updates at random times (usually in the middle of the night, but it could be any time).

The primary problem is, neither the Xbox One nor the PS4 limits its download speeds. In fact, both try to download as much as possible, as fast as possible. If both of them get going at the same time, it’s a disaster on my network. Even just one of them downloading is enough to cause problems. If I try to ask Siri or Alexa a question, I get no response or I get the Echo’s dreaded Red Ring (no connectivity).

Rant

At least Apple respects disabling automatic downloads on its devices. These devices dutifully wait until you click update before beginning any downloads. Unfortunately, Microsoft does not honor its no auto updates setting. Instead, it just overrides that setting and dutifully starts downloading whatever it wants whenever it wants. I just can’t have rogue devices like that on my network. Rogue devices need to go away and Microsoft needs to understand that making rogue devices needs to stop. If your software can’t respect the owner’s wish not to download automatic updates, then you really don’t deserve a place in the home.

I haven’t yet determined if the PS4 overrides my no download wishes, but I recall that, at times, the PS4 will also do this for system updates. Updates which, again, should not automatically update unless I explicitly ask it to update.

Just say no to rogue network devices like the Xbox One. For now, the Xbox One and the PS4 will remain unplugged until I decide I need to use them. Though, in the last few months, there really has been a substantial lack of game titles on both platforms. I’m really finding the spring and summer to be a dead season with new game titles. Instead of overloading us with too many fall titles which we can’t play that fast, why not spread them out throughout the year and let us have adequate time to play each? This, however, is a whole separate rant topic in itself.

Movie Review: Alien Covenant

Posted in film, movies, reviews by commorancy on May 31, 2017

*SPOILER ALERT* stop reading now if you want to watch this film.

If you haven’t seen Prometheus, then you should probably skip this review. Also, if you want to see Alien Covenant, then I’d suggest you stop reading now as this will be chock full of spoilers. With that said, let’s explore.

Alien Covenant Story

This film begins as a sequel to Prometheus, basically where that film left off. However, it effectively tosses the Elizabeth Shaw character out before the film even begins. While we have seen this happen with the Newt character between Aliens and Alien 3, we’ve never seen it done to a main character. No, Newt wasn’t a main character. She was a supporting character and her loss was no big deal. However, I find it a huge problem to open this film and toss out the one redeeming character from Prometheus. A character that could have been as strong as Ripley. Instead, we’re left with a malfunctioning synth named David. I jump ahead a little bit here.

After a longish and unnecessary expository scene involving a very young Weyland and David, we proceed into the main film.

Colony Ship Covenant

The film starts out following a colonization vessel named Covenant with both crew, colonists in stasis and embryos. The mission is to land on an already vetted planet with a forgettable name to begin colonization. It will take about 7 years to get to that destination planet. However, the ship is rocked by a space anomaly and damaged along with the death of the captain. This ship damage premise actually starts out much like Passengers. This requires the newly assigned captain and crew to go out and fix the damage. While fixing the damage, one of the crew stumbles across a message in a bottle… or more specifically, a space transmission.

So now, the crew has to decide whether to follow the transmission or continue on with the mission. Here is the first of many stupid plot devices. If your mission is to land safely on an already existing planet that’s been vetted for the purposes of colonization, why would you make a diversion to some unknown and potentially hostile planet? It doesn’t make any sense. In Alien, the reason the Nostromo landed was in part due to Mother and Ash. They had orders from Weyland to find this alien and capture it. However, the colony ship had no such orders from Mother or Walter (the resident synthetic — artificial person).

Plus, that colony ship wasn’t equipped for that sort of reconnaissance type mission in the first place. Yet, here we go traipsing into the unknown because the naive new captain deems it so even though his second actively protests. Wouldn’t they have at least trained all seconds in command for these sorts of contingencies?

We also find that there is a synthetic on board this colony ship who is named Walter and looks surprisingly like David from Prometheus, except he doesn’t have the British accent.

Planetary Diversion / Alien Backstory

So the colony ship, which was clearly not built for exploration, decides to spend time gallivanting off to this unknown world to find this message in a bottle. What do they find? Spores that turn people into xenomorphs, the Engineer ship (with Shaw’s message), a bunch of dead engineers on the planet surface and, eventually, David. We also come to find that Elizabeth Shaw is dead. We also find that David apparently chest bursted her in one of his experiments.

As the story progresses, we find there are spore plants that can infect people and back burst aliens out of them. We also find that David has unnecessarily re-engineered the species to require an egg and a face hugger. The same egg and face hugger we find in Alien. So, we’ve come full circle. Now we know who created the egg and face hugger, but what was the point?

The spores which seemed quite abundant on the engineer home planet were actually a much more sophisticated and deadly delivery system. No need for alien queens or eggs or even face huggers. Instead, just drop the spores and let them do the work. What we find is that David’s work was actually superfluous. The original design by the engineers was sufficiently deadly enough and easily delivered without the need to complicate it with eggs and queens and hives and stuff.

I’m not exactly sure why Ridley felt the need to degrade the original Alien story by setting up this crude prequel that degrades the idea. Worse, it really doesn’t even get into the head of David sufficiently to understand his motivations. All we know is that this synthetic is somehow damaged, yet still able to function. I guess that’s the point. Since the original Alien didn’t get to take Ash to a more disturbing conclusion, Ridley seems to be doing it with David instead.

Body Count

After the bodies start piling up, first from the spore aliens and then later from David’s face hugged variety, the crew gets fewer and fewer. Of course, this is to be expected and is entirely predictable in an alien film. Because the colony ship used its one and only one landing vehicle to land on the planet (why are they only ever equipped with one?), effectively the crew is stranded because a spore alien makes its way onto the ship through an infected crew member and one of the crew lights the entire ship up with gunfire into explosive canisters.

Being stranded means David comes to the rescue and this is where things turn mostly sour. After a bunch of David vs Walter stuff and some other spore alien death romps, David reveals his big surprise on the naive captain, his prized face hugger alien. Seriously, David hasn’t given himself to be that trustworthy yet, yet this naive captain calmly puts his face right over the top of an open egg. Ah, the stupidity of movie characters.

Anyway, David shows himself to be mentally unstable and Walter and David have a fight. Yet, we don’t really know how it all ends because Ridley cleverly cuts away before the end. So then, the colony ship makes a daring rescue with some kind of ship not designed to land on a planet, an adult alien gets on board and lots of yelling, gunfire and stupidity ensues. Walter and several other crew make it back aboard the colony ship in space, yet we have one more alien to take care of. Now that that’s done, we settle into our cozy 7 year nap. Just as the last crew member is in her cryotube, she realizes Walter isn’t Walter at all. David has somehow taken over Walter.

David in Walter’s body

Here’s where the film jumps the shark. So, Walter is a much more sophisticated and newer synth model. I’m reasonably sure that Weyland did not give David schematics of himself. Yes, David knew what he was, but didn’t have any idea how he was made. So, how is it possible that David could have, in all of about 5 minutes he had after fighting Walter, transferred himself into Walter? Seriously, there was no equipment on that planet to perform such a data transfer. There had been nothing set up in the film at all to show that David had been working on anything like that. David’s experimentation was entirely with the aliens, not with his own physiology.

Expecting us viewers to suspend our disbelief that far is just insane. There is no way possible that David could have transferred his own programming into Walter that quickly. In fact, as sophisticated as those synthetics were, to believe Weyland didn’t put a fail safe to prevent such synth to synth transfers is also insane. Weyland was extremely paranoid and that idea certainly wouldn’t have slipped past him. Based on what I know about Weyland, it wouldn’t have been possible for David to transfer his programming into Walter. In fact, it’s likely that David’s programming wouldn’t have even worked in Walter considering how much newer the Walter model was.

At the end we see Walter/David burping up alien face hugger embryos. Wait… what? Since when do face huggers exist in small embryo formats like that? I thought they required eggs? I shake my head yet again. Between the embryo aliens and the David into Walter transfer, this whole movie ends up as one big unnecessary Deus Ex Machina.

Third Film

I don’t really even know if I want to see the third film. I already know what’s going to happen. Clearly, they’re going to land on their colony planet and become infested with Aliens with the help of David… unless Walter can somehow reemerge and stop it.

Alien Covenant is a below average film that tries too hard to fill in the details, but fails at pretty much everything it tries to offer. Worse, what it does offer only degrades the idea of Alien rather than enhancing it and it adds entirely nothing new to the franchise.

Stars: 4/10
Recommendation: Skip or rent if you must

Rant Time: YouTube, Copyrights and Content ID

Posted in botch, business, Google, youtube by commorancy on May 16, 2017

Unless you’ve been living in a cave, you probably know what YouTube is. It is a video sharing platform that allows anyone to post video content onto the Internet. YouTube offers the likes of travel videos, personal vlogs, how to guides, DIY projects, music to all types of random content. However, Hollywood has forced Google to employ more and more heavy handed techniques to video uploads to (ahem) protect big Hollywood copyright content. This system is severely flawed. Let’s explore.

YouTube Channel ownership

While it’s fun to run around on YouTube looking for all kinds of weird content, let’s look at what it’s like to be a channel owner and all the fun we’re not having. While I do like writing blog articles, I also have a gaming channel on YouTube. So, I have personal experience with this issue. I like to play games on my consoles and upload recorded game content to YouTube for others to share in my fun.

As a channel owner, you really don’t get many tools other than a content uploader and metadata tools to tweak a video’s description, tags, monetization settings, language, etc. As a channel owner, YouTube offers no tools to the owner to validate that your content is, in fact, your content. Meaning, for example, you might have taken a video of a day at the beach with wave sounds in the background. Then, you’ve uploaded it. Or, you’re playing Grand Theft Auto and you record your session (minus any copyrighted audio to not trigger YouTube’s audio content detection system) and upload. Here’s where things start to fall apart.

YouTube Content ID and content ownership

Besides being a channel owner or a viewer, there is also a third lesser known management meta user. This interface is intended to be used by Hollywood and the music industry. It was designed for the likes of EMI, Sony and other large music and movie conglomerate content creators (mostly by legal threats to Google). This system allows those content creators to submit their content to YouTube into the Content ID system. What is Content ID?

Content ID is a way for YouTube’s automated system to match a channel owner’s content against a copyright owner’s uploaded reference content. Seems like a legitimate thing. I mean, it allows artist’s representatives to make sure their content isn’t being placed onto YouTube unauthorized. Where’s the problem then?

YouTube is the problem

Here’s the rant. The problem is that ANYONE can create a meta content management account and begin uploading any content they wish against YouTube’s content ID matching system. YouTube requires no verification by any alleged content creator. They create a content meta account, get approved (which is apparently relatively easy), upload random content and begin matching against videos on people’s channels. In fact, I’ve even seen content management accounts grab original videos from other people’s channels, download them from YouTube, upload them into the content ID matching system and claim ownership over material that they stole from the original owner. Yes, you can even upload content you downloaded from another YouTube channel and claim ownership of that content in your channel… though, that’s called copyright infringement.

YouTube has taken its somewhat usable platform and turned it into a joke. YouTube is a disaster if you actually expect YouTube to help you protect your own original copyrighted content. Yes, it does allow someone to download a video you own, upload it and then claim ownership of it.

Let’s keep going. What happens when content ID matches a video uploaded through the meta content management account against a channel? YouTube does several things:

  1. It flags the video on the first channel owner as copyrighted content matched against another channel. Basically, the system tells one channel that another channel has claimed ownership over that content even if the claim is false (we’ll come back to false claims).
  2. It allows the alleged ownership claimant to monetize the video (even if they do not own the content).
  3. It allows the first channel owner to dispute the copyright claim, remove the video or leave it up (depending on how the content ID matcher is used).
  4. If the content owner claims exclusive content claims on the content, the content on the first channel can be taken down or deleted.

Disputes

Here’s where the entire system falls apart. While YouTube can match content fairly rapidly, filing a dispute can take days, weeks or sometimes months to resolve. All the while the content is in dispute, YouTube allows the claimant access to monetization over the content in question. Here’s the bigger rub (as if monetizing content you don’t own isn’t big enough).

False claimants are never at all verified by Google. YouTube’s content ID matching system assumes fair play by those approved to use it. That is, people who create meta content accounts are on their honor to upload content that they actually own. In fact, this isn’t happening. While legitimate usage of this system is happening by big content providers, many lesser channels have learned to game the system to claim ownership over content they don’t rightfully own and don’t have the rights to monetize. This is especially true for channels outside the US (i.e. Russia and Vietnam) where copyright rules don’t apply in the same way as in the US. This ridiculous YouTube help article which discusses setting up a meta content account states:

“Content ID acceptance is based on an evaluation of each applicant’s actual need for the tools. Applicants must be able to provide evidence of the copyrighted content for which they control exclusive rights.”

Yeah riiiiiight. Content evidence of what exactly? Copyrights, especially on YouTube are nebulous at best. What are you expected to show, the camera it was created on? How does that prove anything? There’s no way to know that any particular video was produced on any particular camera. YouTube doesn’t show camera EXIF information in the video’s metadata.

Copyright Basics

US Copyright law states that as soon as a work is created, you are automatically the owner of it and possess all worldwide copyright ownership to this work in perpetuity. This is considered an implicit copyright. You don’t have to do anything other than create the work to own it. This assumes some basics like, it must be produced entirely by you on your own equipment and on your own time. However, some countries, like China, don’t recognize implicit copyrights at all. Instead, to protect your copyrights in the countries that don’t recognize implicit copyrights, you are required to fill out forms, possibly pay a fee and likely submit your work as evidence. Only then will your work be explicitly acknowledged by the government to exist and that you own that work.

For example, when you’re using your own personal phone to take video of you playing games at an arcade, this work is now considered fully owned by you under US Copyright Law. The moment the video (and audio) is created, it’s yours. On the other hand, if you are hired as an employee of a production company, and that company owns the equipment and they have hired a camera crew to follow you around watching you play games, you won’t own that video content because the production company paid to create it. Of course, there are pesky things like contracts that can explicitly authorize or deny ownership of copyrights to any party involved in a production. So, if your content is created under a contract, you should read your ownership rights carefully. Just because you were involved in a production, doesn’t necessarily mean you have any copyrights to that material.

Evidence of Copyright Ownership?

In this day and age of immediate gratification, YouTube content owners rely on implicit copyright ownership protections to allow their channels to exist. That is, as soon as the content is created and edited (implicit copyright ownership), it’s uploaded to YouTube.

In the case of copyrights, how can anyone sufficiently provide ‘evidence’ over any content? What kind of evidence does YouTube expect to see? The camera it was shot on? The recording studio that it was recorded at? A bill of sale? Seriously, how can you possibly provide ‘evidence’ of ownership for copyrights?

The only way to provide even the smallest amount of evidence is to submit your work to the U.S. Copyright Office for registry. Let’s understand why this is not exactly feasible for most YouTube content. At the moment of this article…

  • It costs $35 to register a single work (one poem, one video, one work of art).
  • It costs $55 to submit multiple works together (a collection of poems, videos or songs).
  • Who knows how long it will take the copyright office to actually register them so that you have ‘proof’.

Sure, while you could do this to, ahem, protect your works, it’s expensive and what exactly does it do for you? The Government won’t stand up on your behalf. The copyright office is merely a registry, not a legal team. They won’t help you protect your content, that’s your responsibility to find a lawyer. It’s also not like Google will get involved in copyright disputes either. For the prices listed above, that would cost $35 for every single video you upload to YouTube and that only registers your work in the US, not necessarily in other countries. It doesn’t give you any specific legal protections other than someone can go look it up, like Google. You may be required to register your content in many different countries to protect your rights in those locales. You’re also responsible for hiring a lawyer to protect your content (regardless of whether it’s registered).

Google and Copyright Disputes

Google outright states they do not get involved in copyright disputes. Yet, by providing a content ID system, content matching and marking videos in YouTube as being claimed by another channel, this absolutely, most definitely is the very definition of getting involved.

If you don’t get involved in copyright disputes, you don’t create controls to help manage disputes. Meaning, it’s entirely disingenuous to create a copyright dispute system and then when someone disputes a claim (that your system sent us notification) state that you don’t get involved. You can’t claim that. You already ARE involved by providing the notification system.

Worse, once you begin the dispute process, Google’s YouTube team doesn’t care. They don’t actually attempt to review the content, the owners or anything related to the dispute at all. They just let the two parties fight it out even if the content isn’t owned by either of them.

Content ID System is Half-Assed Designed + False Claims

Google’s YouTube team got this content system just far enough to make Hollywood and the music industry happy because they can kill content on channels matching their own content catalog. Yet, Google never brought it far enough to actually prevent scammers from abusing it. Instead, Google lets random scammer channel owners run roughshod all over YouTube’s other channels without any consequences. I’ve seen scammer channels claim false copyrights over multiple legitimate channels (even my own) using content that they clearly do not hold copyrights over and yet those channels STILL exist on YouTube. Google does nothing about this. Why was this channel not closed? Clearly, these scammer channels have willfully violated copyright laws using YouTube’s woefully under designed crap of a content detection system to facilitate these false claim(s).

Claiming false copyright ownership over content is, in fact, copyright infringement and very much against copyright law. However, because most of these scammers are outside of the US, Google won’t do anything… not even close the scammer’s channel. Though, sometimes Google will close the legitimate channel and leave the scammer operating. That false claimant had to copy and upload that content to YouTube’s matching system which, in itself, is a violation of copyright laws. This means that Google’s content ID system facilitates false copyright claims and makes Google an accessory to copyright infringement. Google allowed the copyright infringement to take place and allowed the fraudulent claimant’s channel(s) to profit off of that infringement. This is a legal situation just waiting to happen.

Google, fix your shit. YouTube is quickly becoming an unusable mess of a video sharing platform and is now just one big lawsuit waiting to happen against Google. A lawsuit against Google for not only being an accessory to copyright infringement, but providing a service that actually enables copyright infringement in a system that’s supposed to prevent it. Ironic. Such a lawsuit, if won, might ultimately be the end of YouTube.

If you’re an IP lawyer reading this and you would like to have a discussion about this situation, please leave me a note on the Randosity About Page.
