Category: Musings

Rambling thoughts

  • stall

    Writing-wise, I’ve stalled. I haven’t produced a piece in weeks, and I certainly haven’t been keeping up anything resembling recent activities posts. Of course a partial reason for that would be the lack of recent activities.

    I haven’t produced anything for Erotic Vancouver since the pre-Rascals article I put up, even though there’s been a variety of events since then. I found someone who’ll take over the calendar, but getting it set up has been a pain.

    Oh, right, I did do something social one evening. I had a drink with a friend. That was nice. We had random shots at the Stormcrow Tavern one night.

    I’ve found out that my family are moving to Squamish, which will be interesting, I suppose.

  • Laughing Buddha’s Sexting App

    It was Laughing Buddha who started it all. He wrote the original code, built the wrapper, and hooked in the APIs. And he did it with such subtlety that even though people expected the malware, they didn’t have a clue what it did. They figured it was harmless, just a bit of market research, some bullshit targeted advertising, but overall, nothing dangerous. Too bad little Laughing Buddha had other plans.

    Near as anyone can figure, he’s some sort of satirist, but believes in educating people through, well, I guess the best description would be painful lessons.

    The product was simple, a customized android keyboard that was designed with predictive sexting. It came complete with an anatomic slang dictionary, a simile generator, a pretty sweet random act module, and the ability to keep track of people’s preferences and give you a percentile odds on how they’d react to your message before you sent it.

    Needless to say, it was a hit. Everyone downloaded it. And then the big boys got involved and removed it from the App stores. They made it impossible to load it legitimately. You’d need to side-load it. But hey, that really just made it more popular.

    Of course the danger of side-loading something, or loading it on a rooted phone is that whatever you’re loading, it isn’t locked up in the sandbox anymore. It’s got more access. Especially if it’s carrying some heavy duty hooks that allow it to start tearing apart the security permissions, prying into all the little secrets that people keep on their phones. And these days, their phone is where everyone keeps their secrets.

    As the infection spread through the system, it opened up a VPN tunnel back to the source, linking into various APIs, sharing the data. And what would this information be used for, you might be wondering? Well, it was pumped into a dating site and the associated chat app.

    Initially, nobody really noticed the integration. It just looked like a bit of synergy between two companies with a nice market overlap. Until she showed up.

    She was a corruption of an existing virtual assistant. And now she was planning dates for people. And insisting they go on them. In some cases, she managed to do this with subtlety, planning the dates, so each party thought the other had asked them. Orchestrating things like a puppet master, she picked the locations, made the reservations, bought the tickets, arranged everything, graciously and effortlessly, the perfect digital assistant.

    And as long as you went along with her plan, you didn’t realize that behind her smile, there was a nasty set of fangs. It took a long time for the first reports to come out. There were a few rumours, of dates not being what was planned, or match ups not being what the person thought they’d been agreeing to. Then, a couple of nights after Valentine’s Day, a video went wideband. Uploaded onto YouTube and various filesharing sites, the person behind it wanted it shared. The man told his story, of how the app had blackmailed him with the nude pics it had collected of him, sending him on dates with people it thought he’d like.

    He was the first, and after his story got out there, plenty of other people started posting their version. All variations on the same thing. They’d been told to cooperate or the photos they’d been sending with the app would be sent to their family members.

    Eventually, someone managed to start taking apart the code, and get at the real brains behind it. It was there, a really clever little piece of code. Get into people’s lives, get as much information about them as possible, make some lives better, if they deserved it, and make some lives worse, if they deserved it. At least that’s how the mind inside the machine saw things. People who’d been mean, small-minded, bigoted, closeted, hateful or otherwise objectionable, they were given all sorts of fun at the hands of the app. People it thought had been sincere, it had tried to find the right partner for.

    In the end, nobody did figure out who Laughing Buddha was, or why he’d wasted such a powerful piece of code on something so frivolous. If he’d wanted to do real damage with it, he could have. He could have robbed people blind, destroyed lives, caused suicides, and far worse; instead he just embarrassed a few people.

  • epiphany – even in absence

    I’ve had something of an anti-epiphany, a moment of knowing that I know not. It’s still technically an epiphany, since it’s a striking realization, but at the same time, it’s also a lack of it, since it was also a moment of profound emptiness. There is the knowing of the things, and that is wisdom, and the knowing of that which you do not know, and that is wise. This however, is the knowing of not knowing. A moment where nothing is there, just the noise and static that isn’t information, just an absence of something concrete.

    I’m in a downswing of some sort, not sure what’s caused it, just that it’s there. Things that should bring me happiness, currently don’t. Just distraction. There is a profound lack of hope. A future exists, I’m sure, but it’s so clouded that nothing shines out of the fog.

  • Scencest – practical or paranoid?

    Many years ago, when asked why I didn’t date a particular girl, I used the term scencest to explain my discomfort with dating someone inside a small and insular community. Too many crossing paths, too many common friends, or worse, too many common exes.

    The BDSM community has grown a bit since then, but I find I still have that discomfort. How does one get over it, or is it healthy to maintain it?

    I suppose it doesn’t help that plenty of the guys in my community tend to crowd around the attractive newbies, which tends to scare them off and that just makes the problem worse.

    When a couple breaks up, odds are good that the male will stick around, and the female will either leave or get a ton of messages.

    I’m old, grumpy and bitter, I’ll admit. But how much of this problem is in my head, and how much is what you also see?

  • 33 M4f – looking for someone who appreciates me.

    I think I’m pretty awesome, but I’m having trouble finding someone who agrees and I have chemistry with. It seems that either we have chemistry and they hate me, or we are fond of each other but it isn’t anything more.

    My fear of being a toxic misogynistic asshole has led to me double thinking my flirting & generally just being too damn disengaged to connect with someone.

    My job keeps me busy til 9 pm on weekdays, so I’ve had trouble meeting people at the casual events.

    Even then, I’ve been involved in BDSM and the local Goth scene for a decade and a half, but I hate dating within the community. The whole scencest dynamic and drama… It doesn’t work for me.

    So I look for someone who suits me in other places. I tend to find people who fit me in random places. IRC channels, MUDs, volunteering, here on reddit, etc. It has been a while since I’ve found anyone, so I’m trying something different.

    I spend too much time online, either on my laptop or my phone. I do far more writing on my phone than I should. Including writing this. Lately I’ve noticed that I don’t really have anyone I’m talking to. It would be nice to have someone to talk to.

    I spend a decent amount of time on my own, mostly listening to podcasts, because listening to people having interesting conversations is my best substitute for having interesting conversations with people. Horror show Hot Dog, Slaughterhouse Princess, the Giant Bombcast, the Dice Tower, the Secret Cabal, Apropos of Nothing, to name a few.

    Oh right, I should focus on the BDSM bits… I am into BDSM because I have a tendency to lead, and that works better in the BDSM community than in the rest of the world, or at least that is my terribly misguided assumption. I also like the clarity that comes from proper negotiations. Oh and I’m a bit of a sadist.

  • Material chained.

    The other day, I cited material possessions as the chains that bind us to our ruts, or at least me to mine. My biggest chain would be my board game collection. It has grown large and menacing over the last few years; were it to pounce on someone, that person would surely be crushed under the weight.

    There is also a smaller collection of books, and some DVDs. The majority of the books have been replaced with ebooks. There are a few of sentimental value or that would be a pain to read digitally, but for the most part, they’re not something that would need to travel with me. Same goes for the DVDs. Netflix would cover most of my movie needs.

    Beyond that, a few knickknacks are scattered around, but I’m not sure if any of them hold any real attachment.

    A few pieces of art, I suppose I’d miss those.

    My pile of monkeys and other fuzzy friends. Leaving them would be a bit strange.

    Then there’s the tech, though plenty of it is irrelevant. I’d be happy with a Chromebook for most of my projects.

    A decent gaming PC, it’s an expensive replacement, but doable in time. Especially given how little I actually play games these days.

    I suppose it would make sense to keep a console, but none of them really inspire me to bring them along.

    The 3ds gets packed, I suppose. It’s light, has a few games, and doesn’t take up much space.

    The final pieces of tech are the monitors. Expensive, but not really portable. Pretty easy to replace, I suppose.

    Clothing, some costumes, but really not much there that matters. Mostly just t-shirts that I liked. Like my KoL Bonestar shirts.

    Yeah, reflecting on it, the board games are the big obstacle. Though I suspect I could find a good home for them, if I wanted to go traveling.

  • Current status

    Stunning bout of depression/apathy has hit me hard over the weekend.
    I’m suffering from a serious lack of motivation. Partially this is related to my realisation that the rut I’m in is much deeper and harder to get out of than I’d previously understood. It is partially because some aspects of it have been established over the last decade and a half.

    What can be done?
    Untangle the material chains and drag myself out slowly.
    Start burning the chains randomly and hope I survive the fire.

    The two extremes, essentially.

    Neither path appeals currently.

  • Social Media Pattern Extraction.

    This morning, twitter once again suggested I follow a person who I dislike. While I haven’t seen any direct evidence that this individual is abusive and violates boundaries, I’ve seen plenty of secondary evidence, including accounts from individuals. It bothers me that because this individual has friends in common with me on twitter, or has some sort of social media profile similar to my own, twitter thinks I should connect with them.

    Then I started pondering something that was said the other day on a podcast, regarding Klout Score. IIRC, it was the Giant Beastcast, talking about hotel room upgrades based on Klout score, after a conversation about Uber drivers and their ratings systems. I sent them a tweet, suggesting that they read Down and Out in the Magic Kingdom, by Cory Doctorow.  I know I’ve mentioned in my past writings about this book, and about the Whuffie system, a social currency that we seem to be drifting ever closer to. I wondered if there was a social media pattern to abusers that could be detected.

    In the past I’ve stated that looking at someone’s fetlife friends list can provide you with some potential insight into their social position, intentions and perhaps even their character. I’ve stated that I tend to distrust people who have friends that fall entirely into one category, especially if the cruder among us would describe that category as “prey”. If I were better at extracting and processing data, or programming, I’d attempt to see if there was a pattern recognition system that could be developed, to provide some sort of background alarm for this sort of thing. Sadly, the only person I know who was working on this sort of thing has a tendency to alienate people and make their work unpalatable to others. (LS – DAUR)

    In other news, I have started playing Ingress again. The weather is nice, so I’ll be out there walking about more.

  • Security Implementation

    Yubikey and LastPass are a pair of services that I use for storing my passwords and personal data. The Yubikey functions as an authentication token for the LastPass login, and is used to decrypt the password vault.

    In theory, I should consider a service where the passwords aren’t stored on their cloud, even in an encrypted format. However, I like LastPass, and I like their software. I like that their password validator seems to actually give accurate ratings to the various passwords in the vault during their security check function. Some sites will fail simple passwords that actually are very hard to crack, simply because they don’t fit a scheme. The fact that the tool also monitors for duplicate passwords and sites whose passwords have been compromised, and then requests that you change those, is also really handy.

    The Yubikey is a little plastic dongle that plugs into your USB port and acts as a USB keyboard, typing out a One Time Password (OTP) as if you’d typed it into the keyboard directly. The chip on the Yubikey is set up to do a few fancy things to ensure that the password is hard to spoof.

    There are some potential problems with any password scheme, especially the sort where there is a single point of failure. Using the Yubikey to generate the OTP for LastPass, in theory, makes it much more secure, since in order to access your Password Vault, they require both the digital key and the physical key. So, that’s what I had been using for my personal passwords for the last year, but I hadn’t been able to convince too many other people to switch over, until recently.

    When I first got my Chromebook, I was slightly annoyed that there wasn’t a way to use the Yubikey to log into it. Then, by accident, the other day, I found out how to manage that. The Yubikey configuration tool has the ability to set up what is stored in the two slots on the Yubikey. In the main slot is the OTP, for doing the main login. In the second slot, a variety of different configurations could be set up. The only option that made sense for my purposes is the Static Keystring.

    By storing a preset keystring of up to 38 characters that will be typed in whenever I activate the second slot on the key, I have a password that I can use to log into offline devices. The activation of the secondary slot is simply holding down the button on the Yubikey, rather than tapping it. I can use this preset key to log into a secondary Gmail account, which logs me into the Chromebook. Once inside that Gmail account, I can log into the LastPass browser plugin, verifying with slot 1 on the Yubikey, and open up my Gmail account. This whole sequence can be done fairly quickly, especially if the LastPass browser plugin has been told to save the master password, so the login sequence becomes essentially boot computer, long press on the key, wait for the screen for the Yubikey OTP, short press, and you’re logged in. That system, as long as you aren’t worried about losing the key, is actually pretty secure. It does have a few obvious flaws.

    Though, with a few minor alterations, it can be made considerably more secure.

    The first main flaw is that with the key and the knowledge, anyone can get in. Convenience has compromised the security. The single press of a button bypasses the first login, and the second login is saved, the third login is just another button press.

    So, what’s the easy way to fix that? Pad the static keystring. Have a few characters that need to be typed in manually, before you press the button. That means even with the key, they’ll still need to guess that initial password, before it’ll let them in.

    This actually also helps with the second flaw, which is that since the static keystring is static and emitted whenever the button is pressed to activate that slot, it’s easy to steal. That’s why I’m not using it on my main Gmail, but on a secondary Gmail that really only exists so that it grabs a copy of the LastPass browser plugin from the Chrome store when I log on.

    Beyond that, I’m sure there are plenty of other flaws, but these are the ones I’ve discovered so far. And since my Google account has other forms of verification on it, specifically the whole two-factor authentication whenever you log in from a new device, I’m not currently concerned.

    I know someone could compromise my security, if they had reason to, but for the moment, I doubt there are any with the skills, malicious intent, and motivation. I am sure there are some with two of the three, but I can’t think of anyone with all three; most would only have but one.
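
    An added example, not code from the original post: it models the two flaws above by replaying a captured slot 2 emission against an account with and without a manually typed prefix, then replaying a used one-time code against a counter-tracking verifier. RFC 4226 HOTP stands in for the Yubikey's own OTP format, and the static string, prefix, salt and class names are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticLogin:
    """Account whose password is an optional typed prefix plus the slot 2 string."""

    def __init__(self, typed_prefix: str, static_string: str):
        self._salt = b"constructed-salt"  # constructed; a real service uses a random salt
        self._stored = self._derive(typed_prefix + static_string)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def verify(self, submitted: str) -> bool:
        return hmac.compare_digest(self._derive(submitted), self._stored)


class OtpLogin:
    """Verifier that accepts each counter value at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._next_counter = 0
        self._look_ahead = look_ahead  # tolerate a few presses the server never saw

    def verify(self, code: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._next_counter = c + 1  # every counter up to c is now spent
                return True
        return False


def demo() -> dict:
    # Constructed 38-character value standing in for the slot 2 static keystring.
    static = "k3Jq9vXw2mZr8tLp5nYb7cHd4gFs6aQe1uWo0R"
    captured = static  # a long press types this into whatever window has focus
    bare = StaticLogin("", static)          # button press is the whole password
    padded = StaticLogin("Tr4il!", static)  # constructed prefix typed by hand first

    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    otp = OtpLogin(secret)
    first = hotp(secret, 0)
    return {
        "static_replay_no_prefix": bare.verify(captured),
        "static_replay_with_prefix": padded.verify(captured),
        "owner_with_prefix": padded.verify("Tr4il!" + static),
        "otp_first_use": otp.verify(first),
        "otp_replay": otp.verify(first),
        "otp_next_code": otp.verify(hotp(secret, 1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

    With the prefix in place, a captured button press leaves only the typed characters to guess, so the prefix needs to be strong enough to stand on its own against guessing.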

  • Design – Combined SoaC + VPN as a secure thin client.

    Earlier tonight, while discussing ideas for potential new products, I think we accidentally stumbled onto something big. Something that could be worth building. Something that could actually be worth putting together a kickstarter / indiegogo campaign for. Something that is keeping me awake, so I’m going to type it and hope that clears my head.

    A piece of modular hardware, built on a combination of open source software and proprietary hardware, creating something that is both extremely flexible and extremely secure.

    The basic concept is an office-in-a-box, a thin client based set-top box/system on a chip, with  an attached hardware VPN router. This little box plugs into any HDMI based TV, accepts standard Bluetooth & USB interface devices, and has an onboard ethernet & wifi network card. Similar in function to the Apple TV, Chromecast, Steam PCs and various other set-top boxes, this one is designed to function as an office. It connects to available Wifi or Ethernet, opens a VPN connection to either the main server or to your own personal server, and then loads the thin client interface, which is basically a preconfigured (but easily modified) software package. Something similar in nature to Google’s Docs/Sheets/Drive/Calendar/Etc or Amazon’s cloud Workspaces, or Microsoft’s Office 365. One major function that I think would be worth adding would be a dedicated SIP client. SIP clients are used for phone calls, and ideally this one would be combined with a virtual PBX. When the box is active with a solid connection, you’d show up as a valid extension to be called. When it was on a bad connection, you’d show up as being only available for Voice/Text Messaging, and when you were offline, you’d be available for forwarded calls.

    Beyond the basic idea, we’ve come up with a few ideas for building this and making it workable. The prototype SOAC would be put together on a Raspberry Pi for the full box version and a Chromebook for the Laptop Variant. The basic operating system would be open source, for flexibility, probably working with Open Office and Asterisk for the basic functionality. Given that it would be web based, there would be the option to access web-based services like the Google, Amazon and Microsoft cloud services. However, that would be at the discretion of the user.

    The VPN could be done in a few different ways; currently I’m thinking a customized firmware on a Mikrotik routerboard. I’m also thinking it would be nice to have an OTP solution integrated into it, something that supports FIDO U2F.

    One of the biggest selling points of this device would be that when the customer was using the provided office software, their data would only be travelling through the VPN between their virtual office and the server at the other end, be it their own, or one that we’ve set up. In the case of ones that we’ve set up, we’d nationalize the server for the client.

    In our case, given that we’re Canadian, we’d have our servers here in Canada. In theory, this means that the data would be kept within the country for legal reasons. For professionals who have legal reasons for their offices to remain within their own country, this would be an obvious advantage over other cloud services.

    Given that the VPN is already encrypting all data passing through it, all calls made using the phone system would also be encrypted. For customers who have two of our boxes, the entire call would be handled within the internal network and thus be very difficult to intercept. For calls outside the network, they’d be able to be intercepted at the point where the server connects to the normal phone system.

    Given that we are in the age of 3D printers and rapid prototyping, I see no reason we couldn’t develop multiple variants of the basic box for different client needs. The two basic versions are a set top box and a dongle that plugs into a netbook. It would be easy to develop additional versions based on the needs of the customer.

    Given the range of configurations that are already possible using Raspberry Pi, such as the version with the 3.8″ touchscreen, I can even see a variant of this box that functions as the modern equivalent of a pager. Running on battery power and a WiFi/cellular connection, it would alert you on the touchscreen if someone wanted to reach you. You’d be able to tap them a quick message, and then if need be, plug it into your monitor and switch to full office mode in a matter of moments.

    Given that it’s a set-top box, it could also be configured as a media centre, with the added functionality of letting you know when something had happened that you needed to be aware of. Watching Netflix while waiting for an email, the box pops up a window letting you know that a message or call has come in, and then you decide if you want to switch modes.

    On some level, there isn’t really much that is revolutionary about this idea, it’s simply evolutionary. Combining good ideas in new ways, building something that has functions that you want.

    Still, I think it’s an idea worth exploring, and I think I need to reach out to some of the people I know to put this idea together. I think together, we could put together a nice little crowdfunding campaign and build a product that people will really appreciate. And right now, that’s what people seem to be doing. So why not us?

     

    Open Source software allows us to adapt to your needs in the most cost effective manner. Proprietary security software and hardware keeps our systems, and your data, secure.