Archive for the ‘Historical and future use of technology’ Category

The number one rule for safely using a debit card: Don’t! But, if you have to use a debit card, here are some suggestions from two of Austin’s leading computer security experts.

Michael Gough and Brian Boettcher are co-creators of LOG-MD, a sophisticated analytical tool used by computer security professionals. I recently had a conversation with them about how to use credit cards and debit cards more safely.

They said: Limit debit card use to only one local grocery store chain, especially if it has gas stations and stays open 24 hours a day. That way you can get cash without using the card in an outside ATM. Of course, the risk of being robbed is also much higher at an ATM. If you always use the same grocery store, then if the number is stolen, you know where it happened.

They said: Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

(Brian Krebs, who writes the blog KrebsOnSecurity, talks about card skimmers in this series of articles. Krebs updates these articles on a regular basis and they are well worth reading. In fact, as I have mentioned before, his column is a great place to find out about security issues.)

They said: You may also be able to buy store gift cards with your debit card to use at their gas pumps without having to pay a fee to use them the way you do with MasterCard or Visa cards. And the cards may even be reloadable. The one drawback? If the card is lost or stolen, the money on it is not replaced the way it would be if you used a credit card.

They said: Do not use a debit card at a restaurant. You have no idea if the person is using a hand-held skimmer on your card. Someone may have placed a skimmer on the restaurant’s card terminal.

 (Restaurants are weak in security because the staff holds your cards out of your sight and out of your control. The authors of this blog each had fraudulent charges placed on their cards after two visits to the same restaurant in the same week. We usually take turns paying. We had different servers each night. We think that they had a little ring going.)

They said: Debit cards are less secure than credit cards because debit cards are directly hooked to a bank account or credit union account. If a debit card gets compromised, your account can be drained. It may take some time—even months—to get the money replaced in your account. And the money may not be replaced at all since it is not insured as it is with a credit card.

They said: Most banks and credit unions are helpful about getting a new debit card, but if a credit card gets compromised, usually a new card can be received in 2 or 3 days, maybe even faster if you can pick it up at your financial institution.

Here are their recommendations for safer credit-card use:

They said: Get a second card with a low limit. This card should be mainly used at less safe locations: public kiosk use (think train tickets or parking) and online shopping, as well as automatic payments. If you have to use self-service checkouts, use the second card. Avoiding self-service checkouts is the best strategy.

They said: That second card can be a handy back-up, in case your main credit card is lost or stolen.

They said: Look over your statements on a regular basis for transactions that you did not make.

They said: Patronize companies that use chip and signature (in the US) card terminals, which in most cases was supposed to be in place in the US by October 2015. Europe uses chip and pin. If a company still has not upgraded from magnetic stripe terminals, tell them why you do not want to shop there. (Or only use cash there.) Gas pump card terminals are required by major credit card brands to be updated to use chip and signature (in the US) by October 2017.

They said: Keep a list of automatic payments, and when they renew. Cancel automatic payments as soon as possible when you switch to another card.

One problem with automatic payments is that they may move to a new card even if you did not authorize it.

They said: Some cards (American Express is one example) will allow you to set a daily limit on spending. They usually alert you as soon as possible if spending goes over that limit.

They said: Replace your cards at least every two years.

They said: Put a credit freeze on your credit. The FTC explains the pros and cons of credit freezes here. There may be a small charge for freezing and unfreezing your credit file, but it is cheaper than credit monitoring, which will not tell you about a breach until after it has already happened.

Michael said: Using credit monitoring is like going to a dentist who only monitors your teeth, but does not fix any cavities found.

They said: Get a copy of your credit report from each of the three credit bureaus yearly. You can cycle them so you get one every four months.

They said: As soon as you hear about a mass data breach that could involve your accounts, call your bank or credit union and request a new card. Do not wait for a notification.

They said: Keep records of each card, the card numbers, the customer service phone numbers and addresses. (It is pretty easy these days to make blow-up copies of the fronts and backs of your cards.)

Michael Gough has worked in the IT and Information Security field for over 18 years. He has a wide variety of experience that includes positions as a security analyst for the State of Texas and the financial and health-care sectors, and security consulting with Hewlett Packard. Michael currently works in the health-care sector as a Blue Team Defender, incident responder, and malware fighter.

Michael has created or co-created several tools used in the security industry, such as LOG-MD, which is a logging tool, and the “Malware Management Framework,” which is used to discover and manage malware. In 2012, Michael discovered a type of malware called Winnti that continues to plague gaming and pharmaceutical companies.

 Brian Boettcher, co-creator of LOG-MD and co-host of Brakeing Down Security, has worked in the IT and Information Security fields for a number of years. Brian currently works as a senior security engineer and incident responder. He is a member of several security groups and presents regularly at security functions.Do not ever use a debit card at a self-service checkout, an ATM, or a gas pump. It is almost impossible to tell if the card reader has been compromised.

Beware; Honda Cares!

Posted: January 24, 2016 by IntentionalPrivacy in Historical and future use of technology

I have watched the YouTube video “United Breaks Guitars” several times, and while it makes me laugh every time I see it, I have come to understand that the issue is really bigger.

“United Breaks Guitars” is the story of a man who hands over his Taylor guitar to United baggage and watches from inside the plane, helpless to protect it while United baggage handlers deliberately break it.

Stories like this often start with “I shoulda …” as if it is somehow our fault that we unwittingly entrusted someone whom we paid—yes, PAID—to treat us and our belongings with respect. Instead when they abuse our trust—when they lie, do not deliver on their promises, or worse, deliberately break something that has been committed to their care—we are supposed to accept it and move on with our lives.

I watched this video again while I was writing this article. I was thinking of words to substitute for the song lyrics to fit my recent problem with my new 2015 Honda Accord, which I purchased in September. Unfortunately, most of the words I thought of were not printable.

While I have bought a couple of new cars, they were practical and did not have any extra features. The only thing that I have ever purchased that cost more was a house. I fell in love with this car. It had amazing technology. It was a beautiful Obsidian Blue Pearl. The doors close with a very solid thunk. It drives great and it is comfortable. It has many other features that I enjoy.

However, it has some features that I do not enjoy. One such feature is that you cannot unlock the passenger door from outside the car with the key fob if the car is parked and running. I was told that was a safety feature. That one is annoying, but I can live with it. Other features are not so acceptable.

I am stuck in traffic every day for a couple of hours. I download audio books to my phone, and I was very happy to discover that I could hook my phone into the car’s Bluetooth and listen to my current book on my long commute. Unfortunately, if I receive a text message while my phone is connected, the text message replays every time I use my right turn signal until I turn the car off.

Imagine: When I get in my car after leaving work, I text my husband to tell him I am on my way home. I’m driving down the road and he texts me back “ok.” There are at least five right-hand turns on my route home. Ok … ok … ok … ok … OK!

The first time it happened, I almost drove off the road. The next time, I pulled off the road and tried to figure out how I could fix it. I work in technology and there must be some option I could change, I thought. As I explored the options, I decided the user interface was terrible and counterintuitive. I got the manual out; it did not explain the options at all. The manual actually only refers to the iPhone, but it does not explain the options there either.

But no, none of the available options made a difference in the car’s behavior.

I was sure there was something I was missing in the settings or maybe the dealership could install an update that would fix the problem. I drove to the dealership. I took a service writer for a ride in my car and let him experience the text message problem. He told me that it was supposed to work like that. My choices were to turn off the right-hand camera or not attach the phone to the car.

Spending that much on a car and not being able to use the features I bought it for seemed ridiculous to me.

Next, I talked to his boss, who also dismissed my issue and me.

My phone is a Samsung Galaxy S5 and my carrier is Verizon. Yes, they are both on Honda’s list of approved phones and carriers.


Then we discovered that my husband’s iPhone 5 does not connect at all, even though it is also on Honda’s approved list.

I went home and wrote a letter to Honda America. A month later I heard from “Crystal,” who said she would contact the dealership and then call me back. That was in early November, and I have not heard from her since.

The car has pale gray velour seat covers. I drink coffee in the car and I knew what those seats would look like in six months without stain repellent. I purchased the Auto Butler interior stain repellent as well as the exterior coating to protect it from the Texas sun.

As I was driving to work one morning, my coffee tipped over. Instead of the coffee beading up the way the loan officer had shown us so I could pull over and wipe it up, it soaked right in. I was furious.

I called the dealership and asked to speak to the General Manager. The switchboard told me it wasn’t convenient for him to talk to me. I told her that it wasn’t convenient for me to have spilled coffee all over the inside of my car either. She switched me over to the Service Director.

I explained my problems with the car.

He told me to bring it in and they would make it right.

That was the week before Thanksgiving. They did clean the seat (although I swear I can still see coffee stains). When I picked up the car, the new, pale green bathmats I use as seat protectors were wadded up on the floor with great big, greasy footprints on them.

The Service Director (I’ll call him “George”) gave me a 2015 Honda Accord loaner. The loaner—with a different user interface—did not have the text message issue.

They kept my car for two weeks, claiming they put in updates and reset everything. When I got the car back, George sent me a link that explained how to reset Bluetooth on my phone to fix connection issues. I applied the Verizon update to my phone that had come out the day before. Even though I did not have a connection issue, I deleted the HandsFree link from my phone. I followed the directions for resetting Bluetooth. Then I reinstalled the phone in the car.

It did not help.

Instead, the car had a new problem. I was listening to the radio and the Bluetooth on the phone was turned off. I got a text message, the car turned on Bluetooth and played the message. I turned on the right turn signal and the message replayed.

George told me the Honda engineer said that problems with phones happen because the phone model they work with three years before the car comes out is not the same phone that hooks up to the car. While I can understand that phone models change, the phone uses Bluetooth 4.0, and it is supposed to be a common standard.

I called George and said I wanted it fixed. Fix the car, replace it, or give me my money back. I said if the loaner did not have the problem, my car should not have an issue either.

He sighed and told me to bring it in again.

They had it for a week when George called to say that Honda had agreed to replace the audio unit. He made it sound like it cost several thousand dollars to replace and they were doing me a big favor. He finally called me five days later to say it was fixed and I could pick it up any time.

So at noon on Thursday, I drove to the dealership to trade the loaner for my car. Instead of taking five minutes to turn in the keys, get a receipt, and pick up my car, I sat there for 45 minutes. When I was called to the desk finally, a different service writer tried to hand me a bill for $561. I politely handed it backed to him and said it was supposed to be warranty work. He handed it back to me. I said that he had better check unless he wanted me to call my lawyer right then. Another twenty minutes went by. Magically the charges had disappeared when they handed me the receipt the second time. I finally got my keys and my car, and hooked the phone back into the car.

Did they go for a test drive with me to show me it was fixed? No. I got in the car and had someone send me a text message. Problem still there.

In the meantime, my husband had taken our 2005 Honda into the same Austin, Texas, dealership to get it inspected because the power steering was making a noise. They resealed the power steering pump, and replaced the valve cover gasket and the cam plug. When he picked the car up and drove away, the engine light came on. He took it back and they charged him another $65 to tell him that an additional $670 was needed to replace the spark plugs and the induction coils. He went to an auto parts store and picked up four spark plugs for $52. When he pulled out the spark plugs, he found two springs under one of the spark plugs and none under one of the others.

Technology is supposed to make your life easier, better, and safer. I would argue that this car does not make my life easier, better, or safer: its problems are annoying and distracting. I should not have such issues with a brand-new car. I should not have such customer service issues with the dealership either.

The warranty package I bought with this car is called “Honda Cares.” It sounds great!

Honda, do you care? If you do, you will fix my car!

In fact, you should fix both our cars.



Part 1 explains why you might decide to use secure messaging.

If you decide you want to use a secure messaging app, here are some factors you might consider:

  • How secure is the program? Does it send your messages in plaintext or does it encrypt your communications?
  • How user friendly is it?
  • How many people overall use it? A good rule for security and privacy: do not be an early adapter! Let somebody else work the bugs out. The number of users should be at least several thousand.
  • What do users say about using it? Make sure you read both positive and negative comments. Test drive it before you trust it.
  • How many people do you know who use it? Could you persuade your family and friends to use it?
  • How much does it cost?
  • What happens to the message if the receiver is not using the same program as the sender?
    • Does it notify you first and offer other message delivery options or does the message encryption fail?
    • For those cases where the encryption fails, does the message not get sent or is it sent and stored unencrypted on the other end?
  • Will it work on other platforms besides yours? Android, iOS, Blackberry, Windows, etc.
  • Does the app include an anonymizer, such as Tor?
  • While the app itself may not cost, consider whether the messages will be sent using data or SMS? Will it cost you money from that standpoint?

The Electronic Freedom Foundation recently published an article called “The Secure Messaging Scorecard” that might help you find an app that meets your needs. Here are a few of the protocols used by the applications listed in the article:

I picked out a few apps that met all of their parameters, and put together some notes on cost, protocols, and platforms. While I have not used any of them, I am looking forward to testing them, and will let you know how it goes.


App Name Cost Platforms Protocol Notes
ChatSecure + Orbot Free; open source; GitHub iOS, Android OTR, XMPP, Tor, SQLCipher
CryptoCat Free; open source; GitHub Firefox, Chrome, Safari, Opera, OS X, iPhone; Facebook Messsenger OTR – single conversations; XMPP – group conversations Group chat, file sharing; not anonymous
Off-The-Record Messaging for Windows (Pidgin) Free Windows, GNOME2, KDE 3, KDE 4 OTR, XMPP, file transfer protocols
Off-The-Record Messaging for Mac (Adium) Free Adium 1.5 or later runs on Mac OS X 10.6.8 or newer OTR, XMPP, file transfer protocols No recent code audit
Signal (iPhone) / RedPhone (Android) Free iPhone, Android, and the browser ZTRP
Silent Phone / Silent Text Desktop: Windows ZRTP, SCIMP Used for calling, texting, video chatting, or sending files
Telegram (secret chats) Free Android, iPhone / iPad, Windows Phone, Web- version, OS X (10.7 up), Windows/Mac/Linux Mproto Cloud-based; runs a cracking contest periodically
TextSecure Free Android Curve25519, AES-256, HMAC-SHA256.


The new movie, The Imitation Game, about Alan Turing and his romance with Joan Clarke, already has won rave reviews across Rotten Tomatoes, IMDB, Rolling Stone, and Roger Ebert.

The effort by Alan Turing and about 10,000 other people at Bletchley Park was cryptanalysis. A cryptanalyst breaks codes or ciphers.

The Enigma machine was a cryptographic device. Cryptography is the making and using of codes or ciphers. A cryptographer creates codes or ciphers.

The general study of making and breaking codes and ciphers is cryptology.

NSA Museum Front 1

The Museum of the National Security Agency is open to the public and sells memorabilia.

Encryption is putting a message into a code or cipher.

Decryption is the extraction of a message from its code or cipher. Decryption must be carried out by the intended receiver; but it might be done by anyone else who intercepts the message.


Above: Alberti cipher disk made by Louis Brion for Louis XV (Gessler collection Duke University Information Science and Information Studies)

A cipher (sometimes still spelled cypher) is an orderly substitution or rearrangement of characters. A=Z, B=Y, C=X, … is a substitution. Writing a long message out horizontally, then re-writing it vertically is a rearrangement. A cipher is an algorithm. It is easy to write a computer program that will take a message, encipher it, and print out the encrypted message.

A code is a pre-arranged system of signals that have no direct relationship to the symbols they map. In baseball, the catcher’s signs and the constant fidgeting of the third base coach are coded signals. A computer program to encode a message requires a look-up table.  A code cannot be reduced to a mathematical formula.  The “Little Orphan Annie Decoder Ring” of the classic Christmas Story was actually a cipher disk.

Leon Battista Alberti (1404-1472) was perhaps second only to Leonardo da Vinci in his range of achievements. For 500 years, the Alberti Cipher Disk was the essential cryptographic tool, capable of creating the Vigenere Cipher, a 26×26 polyalphabetic system.  If you put “cipher disk” into a browser for images, you can find antiques and moderns.  The NSA Museum store has sold replicas of the disks used by the Confederate States secret service.  Geocaching is a treasure hunt or scavenger hunt game that includes GPS tracking and figuring out clues at each location.  Geocachers often use cipher disks (even though there’s an app for that) just because the mechanisms are cool.


If you have a late model car, someone could disable the brakes, command the steering wheel, set the speed, open the doors, disable the airbags, or explode them, all from a Wi-Fi hotspot.

Perhaps the modern icon is the General Motors OnStar system. Everyone knows it; it shows up in movies and TV as commonly as orange juice or dogs. OnStar was launched in 1995 and went from analog to completely digital in 2006. (Wikipedia here.)  Now, such radio systems are a standard feature on common makes and models. The radios are called “transceivers” for “transmitter and receiver”, that is, a “walkie-talkie” or two-way radio, in other words, a cell phone that is always on. With that link someone can take control of your car.

Computers in cars go back to the 1978 Cadillac Seville. The chip was a Motorola 6800, used also in early personal computers. It ran the car’s onboard display that provided eleven outputs such as fuel economy, estimated time of arrival, and engine speed. By the turn of the Millennium, upscale BMWs and Mercedes boasted 100 processors. Even the low-tech Volvo now has 50. (Automotive Mileposts website here and Embedded website here. Note that “embedded” systems are computer controllers that built into other machines for control or diagnostics. Embedded systems is a branch of computing.)

However, the older your car, the safer you are. A vehicle from the 1980s or 1990s will have electronic controls, but they will be less open to attack from the outside.  Without a radio link such as OnStar, there is no way to control the car from the outside. Also, the older processors were more often dedicated to reporting things such as gas mileage or fuel economy. Electronic fuel ignition replaced carburetors, but, again, was a simple, stand-alone controller that could not be compromised from the outside.

Over the past few years, two different security projects have been reported in which “white hat hackers” (good guys) investigated ways to take control of different models of automobile.


The little antenna on the Prius is not just for the FM radio.

 In 2011, Car and Driver told about the work of the Center for Automotive Embedded Systems Security, a collaboration between academics from the University of Washington and California State University at San Diego. First, they plugged their own device under the dashboard to compromise the on-board diagnostic computer. (Anyone who can get to your car could do that the next time you take in for an oil change or other routine service.) In the second phase, they figured out how to do that remotely.

According to Car and Driver: “Such breaches are possible because the dozens of  independently operating computers on modern vehicles are all connected through an in-car communications network known as a controller-area-network bus, or CAN bus.  Even though vital systems such as the throttle, brakes, and steering are on a separate part of the network that’s not directly connected to less secure infotainment and diagnostic systems, the two networks are so entwined that an entire car can be hacked if any single component is breached.”  (“Hack to the Future” Car and Driver July 2011 by Keith Barry here.)  The original research from the academics is posted online as PDFs.  (See below).

In the words of the researchers:  “We demonstrate that an attacker who is able to infiltrate virtually any Electronic Control Unit (ECU) can leverage this ability to completely circumvent a broad array of safety-critical systems. Over a range of experiments, both in the lab and in road tests, we demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input—including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on.”  (Published as “Experimental Security Analysis of a Modern Automobile” by

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage.
 IEEE Symposium on Security andPrivacy, Oakland, CA, May 16–19, 2010. Available as a PDF from the authors here.)

Then, having figured out how to install their own controller into a car under the dashboard, they turned to the problem of remote control.

“Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model—requiring prior physical access—has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.”  (Published as “Comprehensive Experimental Analyses of Automotive Attack Surfaces” by Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, and Stefan Savage (University of California, San Diego) and Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno (University of Washington). Available as a PDF from the authors here.)

Two years later, Andy Greenberg, who reports on technology for Forbes, filed a story about Charlie Miller and Chris Valasek who carried out their own car hacking research with a government grant.

“Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles.” (Forbes, August 12, 2013 here. This story includes a video of the event. They took Greenberg for a ride that ended in a crash despite everything he could do to fight for control of the car. The 5 mph roll out finally stopped in some high grass. )



B-Sides Austin March 21-22, 2013, kicked off the night before with Jeremy Zerechak’s 82-minute documentary about the origins and present reality of computer privacy issues.

Code 2600 introduces modern cyber security via Sputnik and the Cold War which brought about the Defense Advanced Research Projects and the first computer network. The film also weaves in the threads of telephone systems and phone phreaking, and the transmutation of the computer from the behemoths of corporations and governments to the homebrew hacks that birthed the Apple computer. The result was an assault on your privacy which is magnified today by government agencies and private companies that compete for the control of the information that you create about yourself.
More subtly, in the Cold War, we could see our attackers. We would know who launched the missiles. Today, the clues left by a cyber-attack are harder to trace. The war is going on right now with the governments of the USA and China hacking each other, as well as Britain hacking Norway. And corporations are really the leading edge players: everyone – civilian or military, government or corporation – uses the same operating systems and applications programs. The military is no longer the leading edge of technology: they buy it from the same places that you do.

The success of AOL was a milestone. When the computer information service bought Time-Warner it heralded the blossoming of the information age. But we are still in the middle of the story. We will not know for 50 years how this plays out.

“What should we be teaching young people about computers?” is the wrong question. Young people should be teaching us about how they use their devices, apps, and media, because that is the future.

Official Movie Trailer on YouTube here.