The Flowing Candy Bees

Spotted by the folks at HackADay.com, here’s a simple way to open locked doors without any lockpicking skills: use a length of gauge 6 copper wire to pull the handle from the other side.

What’s really interesting is the policy that makes the hack possible: businesses and public buildings are required to have accessible door latches by the Americans with Disabilities Act. This usually means handles in place of round door knobs; in general, you should be able to open a door with a closed fist, without fine manipulation. This also happens to produce a door interface that can be pulled by a crudely fashioned length of copper wire.

This is an excellent real-world (by which I mean non-computer) example of the interplay between security, accessibility and usability. You want a lock on the door, but you also want the door to be easy to open, and if you aren’t thinking about both goals simultaneously, one goal can clobber the other. This sort of design compartmentalization is common, difficult to avoid, and a big part of the reason why security is hard.

Of course, this isn’t a necessary trade-off, because accessibility does not preclude security. This hack simply means that few people think that much about both simultaneously. You can probably design an ADA-compliant door interface that can’t be easily pulled from the other side.

I’ll try this hack soon, because our department just got re-keyed. Some fool contractor lost a master key and everything had to be changed and updated. My office key used to open our reading room and copy room and dept office, but now each requires a separate key and I haven’t been able to collect ‘em all.

Apparently there will be a “Professional Bull Riding” event this weekend at the arena across the river.

This is a mere half mile from my house, which is only about a two hour walk if you have to shovel. Which brings me to the other interesting thing that just happened: the remaining 25% of winter. Whee, snow. Enough snow to close the University, by knocking out the power campus-wide. It was also enough winter to give me a cold.

In other news, the Underhanded C Contest has just begun. I decided to host it on my main site as a Wordpress blog. I have to say that Wordpress makes my life much easier. It’s not just for blogs: WP is really the quickest way for me to put up a web site about anything, with most of the features I usually need. This is especially true now that WordPress has pages and a page menu, and attributes that I can use to mark articles as hidden. I amended the WordPress theme code so that users can be served a completely different site, with hidden content etc, once they log in.

We’ll shall see, however, how well it does against a Slashdotting.

So far I’ve shoveled for four hours, cumulative: a half hour late last night, 2 hours this morning, 45 minutes at lunch, and 45 minutes in the afternoon. This is the first time I had to shovel the driveway so we could get out, and again in the afternoon so we could get back in.

It’s a lot of time and trouble to shovel because firstly, my entire back lot is paved. This house is divided into two apartments, and the whole backyard is off-street parking in anticipation of the big Binghamton population boom of 2159. So imagine shoveling out your entire backyard (if you live in Silicon Valley, imagine a lot about twice the size of your backyard.) Secondly, the driveway squeezes between two houses, so there’s no place to move the snow. I spent most of the time carrying the snow out of the alleyway one shovelful at a time.

I’m guessing maybe two more hours will be needed before tomorrow morning, when classes resume. Maybe then I’ll finally see the dude on the ATV. There’s this dude, see, and he has an ATV with a mini-plow, and he’ll clear your driveway in minutes for something like 10 bucks. Except he shows up only when you are done shoveling. I have no idea where he lives; he just materializes on the streets of town after the snow is down, like the spark in Qix. Maybe after a few levels he’ll get here faster.

I cleaned my apartment today, which means dealing with a mountain of junk mail—half of which presents a glaring opportunity for identity thieves.

If I didn’t know any better, I’d swear credit card companies were engineering their junk mail to break paper shredders: extra fat envelopes with a demo credit card in them, either plastic or cardboard, held with rubber cement. Just to let you know what a credit card might in theory look like if you had one. Coincidentally, this can’t be shredded without opening the envelope.

I got a shredder as a present, and I am always testing its limits by shredding credit card offers, even as I offer them partially digested by tearing them open. Today it gave up the ghost on a Citibank offer. KHAAAAAAAAAN!!!!! This sucker used to go all pro ice on a single envelope; it was ten ninjas and I was master Splinter, offering sage advice while it flipped out and killed people, its brandished steel smoking with bloody execution. Now it chokes to death on one extra-thick credit card offer on extra-heavy paper.

I guess it’s time to buy a stronger one, after which junk mail will include metal shims for some barely justifiable reason. I want one of those NSA shredders that just coughs up dust when you drop a calculus textbook into it. Or maybe a house with a fireplace. Either way, we will see spammers advance the state of the art in indestructable materials as a result of this arms race.

I just received a mass of spam comments that passed the Akismet filter. Most of them gave URLs for various seedy web sites, but then one of them was a comment that just read:

So much spam (

This was also spam, as multiple comments came from the same URL. It was a few minutes too early, arriving on my site just before the avalanche of spam from elsewhere. Otherwise it could have passed as meaningful commentary.

There is a class of spam comments that fake real comments (”cool site!”) with a URL to a link farm or some such. Right now they are relatively unsophisticated, but I think they could easily cross the gray line into meaningful content. For example, you can take a blog post’s text and feed it through ELIZA; post a comment to the effect of “How do you know you just received a mass of spam comments?”

And then one day, bam: you have SkyNet.

In the spirit of Ed Felten’s tech policy predictions on Freedom To Tinker, I offer my own smaller set of tech and tech policy predictions. Some of these are a bit tongue-in-cheek, and some are long shots, but we’ll find out one year from now, if this InterWebNet thing is still around. Click for more:
Read the rest of this entry »

I put this here just in case someone is Googling for it:

There is a simple way to upload music files from an iPod back to your Mac, and it doesn’t require any special utilities or software. You don’t need to download any utilities or install anything or pay for shareware. Just run a command from the Terminal.

Apple tries to discourage you from uploading songs from an iPod. Presumably they do this to placate record companies, who think you must be a criminal if you want to move data against the arrows. Not so: I had to restore music to my computer that was on my iPod, music from my own CDs that I purchased and ripped legitimately. These things happen.

Here are the two “security measures” they use to stop you from pulling music off an iPod:

1. Uploading simply isn’t implemented as a feature in iTunes.
2. The music files are on a hidden directory on the iPod drive, so you won’t see a folder in the user interface.

That’s it. We call this “speedbump DRM”: easily defeated, but it trips people up. It can be surprisingly effective. People are stopped from doing something, and often assume that it simply can’t be done. This is more effective than you might think, even in our modern age of Google and Wikipedia. Many people don’t even think to search for a remedy, because speedbump DRM is an act of misdirection. It fakes tough security, it fakes impossibility.

Anyway, here’s the remedy:

First make sure your iPod is enabled for disk use, and it is plugged in with the iPod icon on the desktop. Next, launch the Terminal (in Applications/Utilities) and run these commands:


$ cd; mkdir tunes
$ find /Volumes/MYiPOD/iPod_Control/Music -name "????.???" -exec cp {} ~/tunes \;


That second command should be all on one line. Replace MYiPOD with the actual name of your iPod. If you’re uncertain about the path to your iPod, just drag the iPod icon from the Desktop into your Terminal window. The pathname should appear. Or, begin the command “find /Volumes/” and hit the tab key.

Now, go to the tunes folder in your home directory, select all the music files, and drag them into iTunes. They should be imported and returned to their original state, complete with all track information.

Note, some of these files may be .m4p files. An “m4p” file is a protected AAC file, the kind you get when you buy music from the iTunes store. You can upload these from the iPod, but you can’t play them in iTunes without authenticating as the file’s owner. ITunes is happy to load them into your playlist, as long as you can provide the password when you want to play them.

So how do you “unprotect” an m4p file? Well, you log in as the rightful owner. M4p files are encrypted using AES, with the key stored in an encrypted block; you get the key for that block from Apple, when you provide the correct password for the iTunes account. That key will be stored in your computer and on your iPod, so they can play the music. If you have that key on your computer, JHymn may help you convert the m4p file to an m4a (unprotected) file.

If on the other hand you are trying to unprotect someone else’s m4p file, none of this will help you.

I rarely watch movies, but this weekend I rented two: The Bourne Identity (great) and 15 Minutes (godawful, tho DeNiro is always worth watching.) Both of them had scratches and froze halfway through. 15 minutes locked up the DVD player at 45 minutes. This happens fairly often with rental DVDs, and now it happened with both rentals.

So I ask the obvious dumb question: is DVD quality actually worse than VHS quality?

Sure you have a far clearer picture, when it works; but you also have movies that catastrophically halt right in the middle. Even if not, the non-catastrophic failures in a DVD are very visible and distracting: VHS errors look like broadband static; DVD errors look like block artifacts, stuttering, freezing and dropped frames. VHS tapes gracefully degrade: DVDs go into the cinematic equivalent of cardiac arrest.

This is a huge difference when you consider the suspension of disbelief required to watch any movie. VHS noise is usually the type of distortion you can unconsciously correct unless it is very severe. DVD errors abruptly snap you out of it, even small ones, and ruin the whole experience.

Real-world quality is a matter of both the severity of the errors and how often they happen. It takes a lot of abuse to make VHS noise substantially distracting. Over the entire lifetime of VHS I remember two movies that were unplayable due to crappy quality. One was an in-flight movie. And I saw a lot more movies back then, before grad-student guilt made me reluctant to see or read anything recreational when I still had textbooks to go through.

In contrast, I have seen a lot of skippy DVDs. Sometimes it isn’t the DVD at all, but the player overheating or failing to keep up with the far more complex task of decoding DVD video. More than once I have seen the extended edition of Lord of the Rings completely exhaust a DVD player—but I assume that the march of technology will fix this.

So on average, I have to say VHS is better quality, at least for rental movies. DVD is a clearer picture in the error-free case, but so far the average quality has been much worse.

UCLA recently got hacked, exposing a whopping 800,000 identities of current and former students, staff and faculty. This includes SSNs and birth dates, and the intruder was apparently searching for SSNs.

It is worth comparing this to the AOL breach, both in terms of the actual harm and the possible level of public outrage.

First, the security side: the exposed UCLA data is obviously more substantial, more useful for fraud and identity theft. The AOL search data was very personal, but contained few SSNs and other security-sensitive pieces of information. Furthermore, the UCLA data wasn’t leaked by mistake but exposed by a direct attack; someone wanted in for whatever reason. I would say that the UCLA leak provides more substantial harm.

On the outrage side, there are different factors to consider. Which is more scandalous, the AOL leak or the UCLA leak? Will it anger or scare or bother people? Here’s a head-to-head comparison on some major “outrage factors”:

• Lots of people go to college. One outrage factor is the possibility that the disaster could happen to me next. There are two sub-factors: one, the perceived risk, and two, my ability to empathize with disaster victims and understand the scope of the disaster—easier if I am in the same situation.
• AOL’s public image, before the disaster, makes it a better candidate for public outrage than a university. AOL is an overcat, a big fat media conglomerate, with a history of bad PR online (there is an alt.aol-sucks, for example, which is one of the first “hyphen-sucks” groups on Usenet.)
• The AOL data was genuinely leaked, and people have already copied it, and sifted through it.
  It matters if the disaster can be concretely framed, if we know for sure that it has happened.

  There is a complementary outrage factor caused by uncertainty, for example the dreadful thought that a food additive might put you at risk for cancer, and you don’t know. But to outrage people, you need at least enough certainty to be aware that a disaster has occurred.

• The press could extract personal stories from the AOL data. This brings home the human side of the leak, and the concrete nature of what just happened.
• The UCLA data, while sensitive, is not embarrassing personal information. I bet a lot of people would rather expose their birthdates than their search history.

So we have a few “outrage factors” here: one, how real/concrete/visible the disaster is; two, how visceral our reaction is to the leak; three, how much we can empathize, or imagine that it could happen to us tomorrow. Also, we have PR matters such as the company’s reputation and the general newsworthiness and coverage of the disaster.

All in all, I suspect that AOL will beat UCLA in the outrage department, even though the UCLA leak is a more substantial security disaster. Note that I have been saying “substantial” rather than “large.” Which is a bigger privacy invasion, someone stealing your bank account number or someone peeping in your window at night? You can’t answer this question so easily, but we can at least quantify the harm caused in the bank account case. That’s what I mean by “substantial” — it can lead to substantial harm in terms of fraud.

I saw this at a craft show here in Binghamton:

Actually, I saw the right-handed version. The potter made a left-handed version for me. Your non-dominant (right) hand slides into the half-twisted handle, so you can stir with your left. You have to imagine someone standing to the left of it.

Of course, I bought it because it is topologically nonorientable, like a Möbius strip:

The bowl is made Diane Lia, a local potter. Some of her other work is sold at La Taza on South Washington.