
Tuesday, April 21, 2020

Notes on Goodbye My Friend

Writing and production history

This song was written in May, 2019 as a farewell to Tom Hedges who died in November of 2007. I worked with him for 30 years and we became business partners at Fractal Design, where we created Painter, ImageStudio, ColorStudio, and other great products. The song is all guitars, bass, and drums (aside from vocals). Tom was a Beatles fan, and he liked John Lennon. Lennon mainly respected rock songs that used the traditional rock instruments, so that's why I arranged the song this way. I also altered my voice like Lennon, who always wanted something different. The song chronicles many memories, and tries hard to show how much he influenced me.

It starts with a chorus, with the drum setting the tempo and an iconic guitar riff, subtly fuzzed. In the background are some descending chromatic vocals. Slow arpeggiations on a clean guitar trace out the harmony in a wistful way while the drum fills get your attention.

The first verse sets the scene. He was, at first, my mentor, but eventually I took over as lead coder. Apps took over in importance and salability. The B-section of the first verse chronicles our relationship - we fought over lots of things but always somehow remembered to be friends the next day.

The second verse talks about how we were the progenitors of our software Apps. But we didn’t write them all — others helped write them like John Derry (UI and brushes), Bob Lansdon (watercolors), Priscilla Shih (general coding), Shelby Moore (PC version, multi-point color fills), Glenn Reid (R&D Management), Christina Hall (general coding), Vahe Avedissian (general coding), Scott Cooper (general coding), Erik Johnson (general coding), and our Ray Dream friends, Damien Saint-Macary (web features), François Huet (web features), and Nicholas Barry (Web features). These were the people that actually touched the code (and there were a few more I can’t recall). These were “our loyal crew”. And they were awesome!

But our loyal crew also consisted of a few more people who were instrumental to the development of the complex software base. For instance, Michael Cinque, who headed QA and Steve Rathmann, an early hire that always adapted to the task.

In the B-section of the second verse, the tale of difficulties competing against the software giant Adobe gets told. We fought the Painter fight ten years. All through the time, Tom’s health got worse and worse. He was diagnosed with Non-Hodgkin’s lymphoma in 1989, went into remission, had it flare up in 1995, and went into remission again. However, his radiation therapy treatments ended up creating a spreading neuropathy that started with his hands, and eventually affected his lower arms, and then his whole arms (by 2005) and finally his lungs.

We believe what caused this was his brief tenure as KSJO’s chief engineer. He spent a lot of time in the Optimod room up near the peak of Mt. Hamilton, where their radio antennas and microwave transmitters resided. I went in there once (but only once). You could literally feel the radiation.

He also had a spectacular lack of good luck with the women in his life. And I’ll say no more about that (for now).

Reprise references

The reprise from this song contains a dozen references to arcana from Tom’s life and the time we shared. Here, I’ll pick it apart, line by line.

Remember the days in Boston town

Tom and I were Fractal Software, a partnership, in 1986-1989, with Letraset as our marketers. We often traveled to Boston for the MacWorld East show, to show our product. Letraset had demo artists and a medium-sized booth. Later on, Fractal Design, the company that Tom and I had a hand in founding (along with Steve Manousos, Lee Lorenzen, and Steve Thomas), had a much larger booth presence. Tom and I would arrive in August in Boston, set up shop in a nice hotel, hit the bar, and wait for the other people showing products to arrive. It became a growth period for both of us.

Remember the day we lost our friend

Bob Lansdon was our odd friend from academia. He was constantly in search of a PhD in math. There was no doubt he was smart. Bob introduced me to Fourier transforms, and taught me how to vary the phase of the frequency signal, an incredibly useful trick. He and I dreamt of laser interferometry for measuring paper surface texture. Bob wrote the first watercolor capability in Painter. One day in 1994, Bob came into the Fractal Design office on Spreckels Drive in Aptos, and into the suite where Tom, John Derry, and I had our desks, and we talked for a bit. He had completed his PhD, finally after all these years (his thesis advisor was Ralph Abraham). We were a busy group and he left. A few days later we learned of his suicide. When I announced it to the new at Fractal, that was one of the few times I actually cried in front of the company I ran.

Remember how Water Tank went down

In the early 1990s, Tom was married to Joanne Etheridge (née Stoner) and they became a couple. They had two kids, Colin and Broghan. By the late 1990s, the relationship between Tom and Joanne was strained for a reason I never knew. It might have been Tom’s personality, which was a wee bit crude for many people’s taste. I don’t know. But there was a point where Joanne hired her parents, both real estate agents, to get them a second home. They bought a house on Water Tank Road in La Selva. To me as an observer, I felt that their strained relations, compounded with the fact that Joanne was literally creating a bachelor pad for Tom, meant that they were headed for divorce. But somehow Tom never saw it.

Remember the goldfish bowl and then

When I first met Tom Hedges at Calma Company in 1974, he was an RA at Stanford with his first wife, Rabbit (I never learned her name). So he came in late because those were his remaining working hours. I had been hired at Calma (at 4 bucks an hour, by Art Collmeyer) as an applications programmer for a new APL-based language (called GPL) that Carl Smith was creating. I needed a real workstation to do the work I was doing (which usually involved not doing what I was supposed to do). I was working on a demo of a rotating dodecahedron with hidden lines suppressed that ran on a Tektronix storage scope. One night Tom and Bruce Holloway, high as a kite, entered the demo area at Calma, which was surrounded by glass, and hence its name “the goldfish bowl”. They hopped on to the wheeled chairs and scooted themselves across the demo space, very close to me, and said “boo!”. I barely looked up from my code, which irked them a tiny bit. But they just kept abusing the 5-wheeled chairs, skating to and fro. It was a funny time for me, to be sure.

Remember the wall-sized plots we made

Tom introduced me to Bob Lansdon as a one time co-resident of Ruddock house in their days at Caltech. I myself was a Page house resident, but a few years later on. Bob was a shy nerd who rarely spoke. But he knew his math. At Calma one night, with access to a brand new Versatec raster printer, with four-foot-wide rolls of paper, they decided to make a plot. Tom suggested that the plot be of a nice mathematical function. Bob suggested a Fourier transform of a set of points on the unit circle (I think it was 9-point). A gigantic plot was produced and it hung on the walls for a time. I've recreated the plot here.

The end of your set you played that song

Tom worked for KZSU, the Stanford radio station as a DJ for a while in the 1970s. He divorced his first wife Rabbit (she was unfaithful to him I heard) and married Carolyn Foster. At the end of his DJ set at KZSU, Tom always played a song “Sweet Caroline” by Neil Diamond as a tribute to her.

Remember how partner’s draw was great

Tom and I were partners in Fractal Software from 1985 to 1990. When we got Letraset as a marketer was when we met Marla Milne, a product manager from Soho in New York. She spotted my demo of Gray Paint at a party thrown by Marc Canter. Once we built our first image editing App, ImageStudio, the royalty checks started coming in once a quarter. When they arrived, we deposited the check and then each drew out half of the check in “partner’s draw”. We bought houses on those checks and bought our first BMWs.

Remember how Cheshire cowed your dog

Tom and Caroline had a large German Shepherd mix, Pokey. It was a huge dog. One day they came to visit me and Ruth Zimmer (née Rasmussen), my second wife at our house in Evergreen. Ruth’s old black cat was named Cheshire and it was, let’s say, a bit strong-willed. Once Pokey came through the door, Cheshire pounced! Cheshire, with one tenth the body mass of Pokey, soon had Pokey literally cowering in the corner by the door. Poor dog!

Remember the Gershwin rhapsody

Tom’s dad, who had passed by the time we became partners in Fractal Software, was an avid pianist. He often played the Gershwin Rhapsody in Blue. When Tom and I met Ed Bogas (Steve Capps introduced us, I think) and his crew of musicians and programmers in the mid-1980s (including Neil Cormia and Ty Roberts), we both got interested in the possibilities of music and computers. We were tasked to sample a piano, so we did exactly that and produced an 88-key set of sound samples. I had created a program that could play MIDI format, triggering sound samples, and mimicking the sustain pedal and Tom laboriously keyed in the Gershwin Rhapsody so we could play it back. He also keyed in Wasted on the Way by Crosby, Stills, and Nash. With the Rhapsody, I think Tom was literally constructing a tribute to his Dad.

Remember when Painter saved the day

Tom and I had both profited from ImageStudio and ColorStudio, both Letraset-branded products, because we received royalties from their international sales. One day in 1990, we got a call from Letraset’s General Manager Jack Forbes who told us they were getting out of the software business in North America. I had been working on Painter for 11 months at my home (in secret). I chose that day to introduce it to Tom. He and I both thought it had definite possibilities, so we contacted some friends and started Fractal Design.

Remember the exit strategy

Tom, John, and I worked on Painter for nearly ten years. The board of directors had hired me back as CEO (of MetaCreations) and ordered me to sell off the software. Which I proceeded to do. It was an unpleasant time for me. But as it happened, we sold Painter and associated products to Corel and set up a consulting gig with them for the three of us. That was our exit strategy. It wasn’t planned.

Remember neuropathy’s dismay

All through our time when Fractal Design was in Scotts Valley, Tom Hedges began experiencing neuropathy in his hands. This was a result of his radiation therapy in 1989 for Non-Hodgkin’s lymphoma, an aggressive cancer. Unfortunately his radiation therapy had to be concentrated on his lymph nodes in his neck. At first he had problems typing. Now, Tom was always a two-finger typist to begin with. Eventually it cost him his productivity. Later on, it cost him the use of his arms.

Remember the picture Marla made

In 1985, we built ImageStudio, to be distributed by Letraset. Marla Milne was our product manager. Tom had a picture of his family. Tom also had a chipped tooth. Marla, as a joke, scanned that image and applied Tom’s chipped tooth to all his other family members. When I saw it, I had a laugh for about an hour. What a crazy, disrespectful idea. After I had my laugh, I said “Bummer, man” to Tom and resumed my coding. It was a thing we did. The funny thing was that Tom had that chipped tooth fixed within a week.

Remember the sadness near the end

On Tom’s 57th birthday, he had a small gathering in his local pub, CB Hannigan’s. Tom’s arms hung limp at his sides because of his neuropathy. He and I spoke for fifteen minutes or so. His situation was not good since his lungs’ function was finally being impaired by his neuropathy. I listened to his situation and gave my final “Bummer, man” to him. He smiled (the only time that day I saw a smile from Tom) and we drank our beers. Mine was from a mug. His was from a tall glass with a long straw. It was a sad moment.

Remember the time you were betrayed

Really it was the “times” he was betrayed. But this line is referring to his months-long relationship with a woman known as “Yolanda”. She wasn’t straight with him. He took her to Tahiti on one vacation I remember, and lavished her with jewels and such. But as it turned out, she had never left her relationship with her previous boyfriend and actually brought him with them on the pretext of scuba training (for her). Later, when he wised up, he had a detective discover that she was still seeing him, with pictures and all. And that was it.

Remember I’ll always be your friend

Goodbye old friend.


Goodbye My Friend

Goodbye my friend
I said goodbye my friend

Though your time is gone
I look back upon
All those years we spent together
Working on and on

You were outta sight
And you taught me right
When you handed me the reins
I drove on through the night

Day by day
We learned to get along
Along the way
We remained strong

We both wrote the song
Others sang along
You know, even when the earth moved
We kept on keepin’ on

We worked to create
And our stuff was great
Yes our loyal crew was awesome
When they stepped up to the plate

Year by year
We fought the hardest fights
Have no fear
Soon comes the night

Goodbye my friend
Goodbye my friend
Goodbye my friend
I said goodbye my friend

Too much time in the radio station
Took its toll out on you
And even so it never made you blue

Too much trust in the ladies that found you
Left a few scars on you
Too bad that none of them could be true

Goodbye my friend
Goodbye my friend
Goodbye my friend
I said goodbye my friend


Remember the days in Boston town
Remember the day we lost our friend
Remember how Water Tank went down
Remember the goldfish bowl and then

Remember the wall-sized plots we made
The end of your set you played that song
Remember how partner’s draw was great
Remember how Cheshire cowed your dog

Remember the Gershwin rhapsody
Remember when Painter saved the day
Remember the exit strategy
Remember neuropathy’s dismay

Remember the picture Marla made
Remember the sadness near the end
Remember the time you were betrayed
Remember I’ll always be your friend

Tuesday, January 10, 2017

On WikiLeaks Methods and Motivations

Recently, the WikiLeaks Task Force tweeted something quite inflammatory:

We are thinking of making an online database with all "verified" twitter accounts & their family/job/financial/housing relationships.

In other words, that it was determined to create and publish a database of personal interconnections between verified Twitter users. This database would include information about finances, family connections, cohabitation, jobs and so forth.

This statement has, at the very least, sparked outrage.

Let's look at this statement from two points of view: (1) that WikiLeaks made the statement, and (2) that someone else made the statement and wants us to think WikiLeaks said it.

(1) WikiLeaks made the statement

That, on the face of it, would be galling.

I ask you here, honestly: does everything have to be public?

I can understand Facebook and why they would want to collect their user graph. They protect their users' privacy (although that's far more nebulous, even given their periodic missives, famous missteps, and explanations of policy).

But let's look at the author of the tweet: WikiLeaks. This sounds more like a sinister plot to me. Let's address the main reason for this.

What's all this about WikiLeaks working with the Russians?

Though WikiLeaks may never have dealt directly with the Russian intelligence services, they certainly had to know that release of the data played right into the Russians' hands. It seems pretty clear, given the timing of the release of the Podesta emails, that WikiLeaks understands perfectly the consequences of their actions.

In fact, WikiLeaks' sensitive data releases almost always damage the west and leave Russia unscathed. A visit to the torrent repository shows us specifically who they target. There are very few Russia-related information troves.

If they released a trove of data on the Russians, it seems clear to me that Assange and many others at WikiLeaks would find themselves sipping Polonium-210-laced tea like that ill-fated ex-KGB whistleblower Alexander Litvinenko. Bad press for the Kremlin (in his case, looking into the assassination of Russian journalist Anna Politkovskaya) is generally punished by death in Russia. Dig too deeply and you'll discover, much to your chagrin, that it's your own grave you have dug.

WikiLeaks denies they received the leaked emails from the Russians. The US claims they know the go-betweens that prove Putin ordered the operation.

Let's just say for a moment that WikiLeaks are enemies of the west. Then this is completely consistent with publishing a database of who is related to who, what their jobs are, how much they make, and where they live. This process, called doxing, enables people and organizations with malicious intent to get handles on people they want to attack. If this were true, the database WikiLeaks apparently would want to publish is, in fact, an analog of the human flesh search engine.

This kind of data would be of immense use to the Russian intelligence services, such as the FSB. So it certainly seems plausible to me that WikiLeaks was behind the tweet. But what about the other possibility?

(2) Someone else made the statement and wants us to think WikiLeaks said it

Did they even say it? It was tweeted by the WikiLeaksTaskForce, the Official WikiLeaks support account. It is explicitly intended to "correct misinformation about WikiLeaks".

Very soon after the original tweet, which has since been deleted, WikiLeaks itself tweeted the following:

Media note: is the only official account of WikiLeaks. No other accounts are authorized to make statements on behalf.

So the narrative might be that some troll joined (or hacked into) WikiLeaksTaskForce and posted the tweet to spread false information.

It's not unlikely at all that someone would want to discredit WikiLeaks. After all, their business is to enable whistleblowers by providing foolproof ways to release sensitive information. So anyone that has been damaged (or may be damaged) certainly has the motivation to discredit WikiLeaks. This is a big list of people, like John Kerry, Hillary Clinton, and organizations, like Bank of America, the American Intelligence community, and so on.

To properly discredit WikiLeaks, they would plausibly possess the means to accomplish the database in question. To assess that, we must first know exactly how WikiLeaks works.

How does WikiLeaks work?

Their primary modus operandi, I believe, must generally be given by the following steps:

  • accept large corpora of whistleblower information
  • put it onto an air-gapped network
  • strip it of all attribution, which entails editing it
  • separate it into bins of sensitivity
  • encrypt and encapsulate (using BitTorrent) the bins for transport
  • upload the information on
  • get other sites to mirror the information
  • periodically release keys for the purpose of disseminating the information a bit at a time

They would use an air-gapped network to prevent anyone from hacking into them, which is definitely possible. They would want to isolate the sensitive data to completely control what is done with it and where it goes.

The stripping of all attribution information, including email headers and telltale references is done to protect their sources. This may involve redaction of information that can hurt innocent parties. But also look at this on the face of it: they are intimately acquainted with the forensics of data present in email headers.

They have admitted that they separate the data into bins of sensitivity so they can control the impact of the releases. After all, the idea that some information is more sensitive than others is a natural consequence of the information itself. But they might also want to keep the most inflammatory information as a deadman switch. Such information can be released if Assange is killed, for instance. This was demonstrated recently when, in October 2016, Ecuador cut off Julian Assange's Internet access. Soon thereafter, WikiLeaks tweeted hashes to various troves of information, aimed at John Kerry, Ecuador, and the UK FCO. So it's a virtual certainty that Assange has deadman switches.

Their favorite method of leak data storage is by encrypted, encapsulated databases, posted as a single file. This is so they can withhold the release of the data, processed using AES 256-bit encryption, until a later date, without withholding the data itself. Often, the files are hundreds of gigabytes in size, so they use BitTorrent as their transport. The file names often contain the word "insurance". This also corroborates the theory that the files constitute a deadman switch: if Assange or another key-holding WikiLeaks person is killed, then keys may be released by the others in retribution.

After the data is packaged, it is then uploaded to, a storage site run by WikiLeaks that promotes mirroring. Unfortunately, from time to time, this data has often included malware which gets cleaned up, generally as soon as it is discovered.

Once there, any number of sites mirror the WikiLeaks databases. This includes CableDrum, and many other sites. This measure of redundancy prevents any single site from simply being destroyed to prevent the sensitive information from being released.

When WikiLeaks releases a trove of information, they simply need to release the AES 256-bit (64 hex digit) key. This allows anybody having access to any of the mirror sites to decrypt the information and begin the process of data mining it. Usually this means the press.
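The release model described above depends on two checks a recipient can make: that a mirrored copy is the same file whose hash was published in advance, and that a released key really is 256 bits (64 hex digits). A sketch of both follows; it is an added example, not code from the original post or from WikiLeaks, and the mirror host names and archive bytes are constructed.

```python
import hashlib
import hmac
import io
import re

CHUNK_SIZE = 64 * 1024                       # read in blocks; real archives are far larger than RAM
KEY_RE = re.compile(r"[0-9a-fA-F]{64}")      # 64 hex digits == 256 bits


def digest_stream(stream):
    """Return (sha256 hex digest, byte count) of a file-like object, read in chunks."""
    hasher = hashlib.sha256()
    size = 0
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        hasher.update(block)
        size += len(block)
    return hasher.hexdigest(), size


def audit_mirrors(published_digest, published_size, mirrors):
    """Classify each mirror copy against the digest and size announced by the publisher.

    'ok'            -> byte-for-byte identical to the announced file
    'size mismatch' -> truncated or padded copy (often an incomplete download)
    'modified'      -> same length but different content (substitution or corruption)
    """
    report = {}
    expected = published_digest.lower()
    for name, stream in mirrors.items():
        digest, size = digest_stream(stream)
        if hmac.compare_digest(digest, expected):
            report[name] = "ok"
        elif size != published_size:
            report[name] = "size mismatch"
        else:
            report[name] = "modified"
    return report


def parse_released_key(text):
    """Turn a released key string into 32 raw bytes, rejecting anything but 64 hex digits."""
    candidate = text.strip()
    if not KEY_RE.fullmatch(candidate):
        raise ValueError("expected exactly 64 hex digits (256 bits)")
    return bytes.fromhex(candidate)


def build_sample():
    """Constructed sample: a 256 KiB stand-in for the encrypted archive and three mirror copies."""
    archive = bytes(range(256)) * 1024
    digest, size = digest_stream(io.BytesIO(archive))
    tampered = bytearray(archive)
    tampered[1000] ^= 0x01                   # flip one bit, length unchanged
    mirrors = {
        "mirror-a.example": io.BytesIO(archive),
        "mirror-b.example": io.BytesIO(archive[:-4096]),   # truncated copy
        "mirror-c.example": io.BytesIO(bytes(tampered)),
    }
    return digest, size, mirrors


if __name__ == "__main__":
    digest, size, mirrors = build_sample()
    for name, status in audit_mirrors(digest, size, mirrors).items():
        print(f"{name}: {status}")
    print(len(parse_released_key("ab" * 32)), "key bytes")
```

Because the digest is announced before the key, a copy that fails the audit can be discarded without ever being decrypted or opened.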

How does WikiLeaks modus operandi make the tweet more plausible, specifically?

First, because WikiLeaks is known to accept large corpora of hacked data, who says they haven't been able to get ahold of the verified Twitter database? If it's not plausible, then this tweet is a call to arms for the many hackers out there who need the cred that would stem from such a successful attack.

Second, because WikiLeaks is adept at stripping attribution information from email, metadata from photographs, wrappers from tweets, and other media, they are the perfect institution to be able to make use of that attribution information, symmetrically, to work against the "system".

Third, knowledge of encryption and the limits of its usefulness means they must also be knowledgeable about decrypting and cracking such information. They have a milieu of hackers that they are in regular contact with, certainly. They are trusted by hackers because it is WikiLeaks' specific mission to protect them. They need to know what can and can't be cracked so they can keep their publicly available information troves secret from the most capable intelligence agencies in the world.

How does the tweet discredit WikiLeaks, specifically?

The ghastly specter of Big Brother looms over the tweet, that some clandestine organization is gathering information on all of us. This makes WikiLeaks the new NSA, the new GCHQ. Which makes those two organizations the ones most likely to discredit Assange.

Do they really need discrediting?

Currently their leader Julian Assange has been holed up in the Ecuadorean Embassy in London for 4 years and 7 months. This is because he has been granted asylum by Ecuador. Assange suspects that he will be extradited to the US to face charges under the Espionage Act of 1917. This could net him 45 years in a supermax prison, and potentially the death penalty.

Assange is also wanted for "lesser degree rape" in Sweden, a charge that will not expire until 2020.

The NSA has labelled WikiLeaks as a "malicious foreign actor".

Saturday, December 17, 2016

Profit Angle

I have read that Android's success is a direct result of Apple's iOS being a walled garden. Let's look at this statement now from two different angles. First, is the walled garden really bad? Second, is this the real reason that Google and Microsoft are actively developing their own hardware?

Is the walled garden really bad?

Apple curates the apps that are allowed into the App Store. This has demonstrably reduced malware compared with Android. Recently, a form of malware, called Gooligan, was found to be present in about 100 apps. It is present in about one million phones in the wild, and increasing at a staggering rate of about 13,000 smartphones per day. I would actually say curation is a plus. So, what is it that people prefer about the Android operating system?

Let's look at what makes Google's Android shine over Apple's iOS.

This article points to three main reasons: Android...
  1. can be rooted
  2. uses non-proprietary software formats
  3. interface can be customized

Talk about dubious value. Being able to root Android means (in hacker parlance) the phone can be rootkit'd. In plain English, it means that apps can enter superuser mode and obtain administrative privileges on your smartphone. Once that happens, they can reconfigure your device, redirect its output, and install their own choice of apps. In other words, you are exposed to malware that can steal your passwords, the money in your bank accounts, access your email, snapchat photos, microphone, track your location, keep logs of your text messages, listen in on your phone calls, and essentially every bad thing you can imagine. Malware on Android is a critical problem right now.

Your average consumer should never, ever root their phone. It's only for hackers, spies, and criminals to take advantage of you. What this represents is Google not looking out for you.

Now let's look at how pleasant rooting is on Android. Why should you root your phone? This article spells it out perfectly (while detailing how complicated, dangerous, and potentially undesirable the rooting process can be). The main reason that people want to root their phones is to get rid of the bloatware that's typically installed by the manufacturer (Samsung, for instance). Welcome to the same problem we had in the last millennium with PCs: shovelware. This is how they differentiate their phones from each other in the Android ecosystem -- the same way vendors used to differentiate their PCs in the Wintel ecosystem. But, in comparison, it's a fact that Apple now allows you to delete the pre-installed apps you don't want on iOS 10, without rooting your phone.

Many users want to bypass the complexity of using Terminal to obtain superuser mode on the phone's Linux kernel to change various privileges. Hey: what consumer would want to do that? So they buy rooting software to do it. Can you trust that software? No. In July 2016, rooting software was reported to have installed malware on 10 million Android handsets.

And, by the way, each manufacturer's phone has a different rooting process due to the security bloatware they've installed. Joy.

Non-proprietary software formats

This means that, unlike iOS apps, which are available only through Apple's own App Store, Android apps are available from several sources. The Google Play Store is not the only place you can buy and install Android apps. There are many alternatives, including Amazon Appstore for Android, SlideME, 1Mobile Market, Samsung Galaxy Apps, Mobile9, Opera Mobile Store, etc.

Is this a good thing? It does open up multiple sources for Android apps that run on various smartphones.

But what are the downsides of multiple app stores?

The first problem is fragmentation. Each Android smartphone has a different hardware configuration, which turns out to make the app developer's life hell. Each smartphone has a different screen configuration, for instance. Before buying an app with a specialized purpose, like using the GPS, or a game app with high demands, it's important to decide if that app will run properly on your phone. This is precisely why smartphone manufacturers have been building their own app stores -- not all apps in the Android ecosystem run on every phone.

The second problem is trust. Can you trust the app you download to be free of malware? You would like to know that the App Store you are using is checking for malware. Fundamentally, if they do not have access to the app's code, app stores cannot protect you from malware. What happens is this: you download an app, and as it runs, it loads and installs malware from some server somewhere. This installs Gooligan.

Now you find new apps simply appearing on your phone. This happens because ratings are actually steered by app companies through the use of the Gooligan software. Gooligan installs itself, initially, for the purpose of buying apps it wants you to buy, forging your approval to buy them (and possibly spend money on them) and then rating them highly. These apps can be installed because Gooligan can obtain system privileges. Usually this happens because you enter the admin password for your machine. Perhaps it's to give the app privileges to install some fontware or customization feature. These new apps it installs potentially contain the real malware, because you do not have a choice nor can you control where they come from.

Customizable interface

Really? Can't you customize the interface of an iPhone? You can customize the wallpaper and the lock screen photo. If you want to go further, you can use customization apps like Pimp Your Screen, Call Screen Maker, iCandy Shelves & Skins, Pimp Your Keyboard, and so forth.

On Android, you should ask yourself how much you want customization. After all, it might come with malware.

Oh, cost!

One of the main reasons that people prefer Android is the cost of the phone. Which really has nothing to do with Android. Actually, cost is normalizing because deals with carriers are being made that pay for the phone up front, in exchange for locking you into the carrier for two years (usually). But this applies to all phones now. So, cost is not as much a reason as it used to be. But the plain fact is that, without a carrier deal, Apple's iPhones do cost more.

Why Google and Microsoft are developing their own hardware

Second, is that even the reason that Google and Microsoft are developing their own hardware? No, it isn't. The real reason is profit envy. The price of software has been dropping quickly since the App Store was created. This means it's harder for software-only companies to keep operating margins high. Think Microsoft, who has gone to subscription software to guarantee upgrade revenues, amidst unpopular OS upgrades, like Vista. The profitable niche, mobile devices, must look pretty good to them. Should they merely license OS to hardware manufacturers, like Windows? Will that work? No. Google gives Android away for free: upgrades don't cost anything. So nobody will buy Windows Phone if it costs money. Also, hardware and software both need to be upgraded.

The real reason is that, given that software is becoming essentially free, to make the profit you must make your own hardware. Also to make the hardware work best, you must develop custom software. In fact, the best features require both hardware and software to make them work.

This tight vertical integration is why Apple reaps well over 90% of the profits in the smartphone industry year after year. They sell their own hardware. That, and their profit margin is about 40%.

Value proposition

So, why are people willing to pay a premium price for iPhones?

As always, the price is paid based on the value perceived. The value of better user experience on iOS, easier installs, significantly better privacy and security, and great design is huge. It leads to unprecedented user satisfaction ratings and loyalty. People pay for this, and enjoy the rewards.

Apple devices, on the whole, are more up to date than Android devices. Here is a chart of Android OS versions as of September 13, 2016 and their share on smartphones. It clearly shows the latest version, Marshmallow, at 18.7% installs. And on iOS? As of November 27, 2016, 63% of iOS devices have upgraded to iOS 10, 29% are running iOS 9, and 8% are running earlier versions. Get the latest stats on Apple's App Store page.

Clearly Apple's customer base upgrades significantly faster.

General comparison

Consider this article on iPhone vs. Android as a near-complete analysis of the subject.

Tuesday, November 8, 2016

Analysts: What Are These?

Analysts are not always a savvy breed. In fact, sometimes they are downright stupid. Their general types of stupidity can be broken down into classes. I'll just name a few.

The first class, show offs, often throw around terms like disruption, logistics, zero-inventory and so forth without actually knowing their implications. Showing off is a pointless pretense of prowess, unless it shows valuable insight. Usually this class misses the forest for the trees.

The complainers just have axes to grind about their specific issues. They consider their beefs to be of paramount importance while ignoring the majority of users. A specific kind of complainer is the port complainer. They have whined about their disappearing serial port, FireWire port, headphone jack, and old-style USB port. But, hey, things change. It's disruption in action. Old media becomes obsolete, like vinyl records, cassette tapes, and CDs: this is because media is now delivered online. Cords disappear and wireless connections dominate: this is because virtually all updates are now accomplished over-the-air (OTA).

Then there are trolls. They know that the generation of disinformation creates knee-jerk reactions that budge stock price. Close your eyes and imagine for a minute that many of them are simply Russians from the St. Petersburg Troll Factory and you will be just about right!

The feature creatures are typically Windows people who just care about feature lists and spec bullet points. They count ports, processors, gigahertz, and keys on the keyboard. They are the ones that think shovelware makes for good workflow. If they actually used the features that they write about, they would know better. It's the user experience that leads to user satisfaction and commands user loyalty.

I don't want to forget the price people. To them price is everything. Forget about surprise and delight, user experience, or even quality! I can't tell you how annoying these people are. Their inevitable assertion is that the cheapest product always wins, which as we know already is totally wrong. Even if you're selling refrigerators! It's the product that gives the best value that wins. If you get into a price war, you've already lost.

The market share obsessors are yet another class of flawed analysts. To them, it's only about units, no matter if these units are only used for limited purposes, left in a drawer, or even if they are catching fire. They totally avoid the issue of who is actually profiting and thus who will see the consistent growth. For instance, Apple has 12.1% of the smartphone market yet makes 104% of the profit. Yet Android has 87.5% market share. How can this be? The Android hardware makers' profit is largely negative. Yep - they are losing money.

The software profiteers subscribe to the 90s Microsoft model: just build the software and let other idiots kill each other making cheaper and cheaper hardware; there's no profit in hardware, right? Wrong! If there's no profit in hardware then who is going to make it? By the way, the hardware makers often want their own unique look, defeating the standardized software. Also consider that software prices are plummeting. With the introduction of the App Store, Apple has turned software into a $2 commodity. This has forced the software profiteer into the subscription model.

Finally I give you the walled garden haters. These are descended from the people who like to build their own computers and hack them. They want freedom from carriers, authoritarian systems, and so forth. They want to pwn their hardware. In their minds all software is free, regardless of the time and effort expended by software developers. This class doesn't fundamentally grok the concept of an ecosystem, along with why ecosystems are essential to the survival of modern hardware. The hubris of these haters is in ignoring that hacking, device security, and identity theft have become the defining crucial problem of our time. All this for one reason: walled gardens are inherently more secure. IT people have long ago figured this out.

It's disappointing to find that so many analysts are last-millennium-thinkers, and they have themselves become disrupted. They're still betting on Microsoft for God's sake! Don't let their investment firms get ahold of your portfolio!

Sunday, September 25, 2016

Security Researcher Hit

While we were being distracted by the Yahoo half-billion-user data breach, within the last few days, Krebs On Security, a blog which I often reference here, was slammed with a distributed denial-of-service (DDoS) attack of gargantuan proportions, literally silencing the blog. This was after the venerable Brian Krebs published papers on the vDOS owners. vDOS is an attack-for-hire service hosted in Israel.

Hey, what a surprise, after Krebs, a well-known security blogger (and researcher) made the people behind the attack-for-hire service also well-known, he was himself targeted by the world's largest DDoS attack! These are rich teenagers - they earned more than $600,000 (well, in Bitcoin!) in two years. Apparently their service is in great demand.

How do we know this? Oh it figures - vDOS got hacked and their client base was fully extracted and published (this is known as being "doxed", a term which I sometimes use). And Krebs obtained the information in July. This, and the fact that the FBI took notice, is why those cyber-criminal-teenagers Itay Huri and Yarden Bidani (known as AppleJ4ck) were arrested in Israel.

It's possible that these teenagers, after being arrested in Israel, were simply drafted into the Israeli Defense Forces (IDF), because they are both 18 years old (my speculation). Now they can't use the internet for 30 days.

Wow! I was sure it was just going to be a slap on the hand for these two.

Seriously, I hope they can be extradited to the US for prosecution.

The curious thing is that the documents Krebs found indicated that vDOS was literally responsible for the majority of the DDoS attacks on the web, and that the number of packets and data sent might indeed have been Internet-crippling. Apparently DDoS attackers are now taking over personal home routers and using them to accomplish their attacks, which can result in a MUCH larger number of packets being sent because literally anybody can be sending them.

When a security blog gets hit and you are temporarily in the dark about a current threat, you will need to refer to some other security blogs. Here is a decent list.

If you get hacked, you can find out if your data was included in a recent massive breach at

If you have more serious concerns, there is a company,, that can persistently search the dark web for your personal info. The info you enter is encrypted on the client side (on your computer) so even they don't know what you are searching for. This is particularly useful for corporate customers, when they're breached, and also for companies monitoring their information security (infoSec).

Monday, August 15, 2016

Data Compromise: The Next Chapter

Updated: The Equation Group hack has been verified.

It seems the Oracle MICROS malware insertion hack went a bit deeper and had a suspicious purpose. Several hotels in the US, run by HEI hotels and resorts, that run the MICROS points-of-sale and hospitality software, have been breached. This means the credit card info for lots of people has been compromised. The list of dates affected by the breach indicates that the MICROS hack went in as early as March, 2015!

It is curious that the Westin City Center in Washington D.C. was included in the list, and was compromised for more than 9 months following September, 2015. This amounts to total operational awareness for whoever is running the breach. Let's admit it: if you wanted to know what is happening in US politics, what better way than to own the comings and goings in Washington D.C.? I suspect FSB, the entity that has replaced the infamous Russian KGB.

I doubt we have seen a complete list of breaches with MICROS. If you are an IT person, visit Krebs on Security for a good list of IOCs (indicators of compromise). If you use MICROS, then change your passwords immediately.

Recently we saw the DCCC hack and the dox'ing of a huge part of Congress, on Guccifer 2.0's site.

This, once again, speaks of a state actor attempting to disrupt American politics.

But there are still a few hacks that can't be assigned easily to state actors. The recent data breach of Sage software, based in the UK, used for accounts and payroll processing, indicates that hackers are still largely following the money.

My sense is that data compromise is perpetrated on an agenda rather than simply because "people have the right to know", the tired axiom used by the media to depict crusading whistleblowers.

More often than not we are seeing criminals looking for ways to pry money out of rich people. Or directly from banking systems. But that might simply be a cover for state actors, who are building a database much deeper than Google's. And for much darker purposes.

And Now For Something Completely Disastrous

In today's news is another story that strongly correlates to the awful scenario in which the NSA's reputed-to-exist Equation Group has been hacked. This group is responsible for Stuxnet, Duqu, Gauss, and other famous modular virus architectures used to hack, among other victims, the Iranian uranium centrifuges.

This story is developing as I write, but an analysis by Matt Suiche of the example data provided by the hackers, the Shadow Brokers, appears to confirm the hack. Just read that source to see how desperate the situation is.

Here is an example of a state actor being hacked. My fears for the Gauss modular virus architecture used to be that it would get reverse engineered and modified by less scrupulous hackers. Now my fears are that essentially every hacker will possess this toolkit. Some eastern European hacking consortium will productize it, make it easy to use, and disseminate it for bitcoins. It's a virtual Pandora's Box.

Update: The Equation Group hack appears to heavily utilize RC5 and RC6 encryption. Comparison of the code by Kaspersky's GReAT team shows it matches the Equation Group's signature. It's all wrapped up in the magical P and Q constants used by Rivest's RC5/6.
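Where those P and Q constants come from, and how an analyst can look for them in a binary, shown as an added example (not code from this post or from Kaspersky's analysis). The function names and the sample bytes are made up for illustration; the constants themselves follow Rivest's published definitions.

```python
import struct
from decimal import Decimal, getcontext

getcontext().prec = 60  # enough digits to get the 64-bit constants exactly

def odd(x):
    """Rivest's Odd(): the odd integer nearest to a positive x."""
    return int(x) | 1

def magic_constants(w):
    """Return (P_w, Q_w) = (Odd((e-2)*2^w), Odd((phi-1)*2^w))."""
    e = Decimal(1).exp()
    phi = (1 + Decimal(5).sqrt()) / 2
    return odd((e - 2) * 2**w), odd((phi - 1) * 2**w)

def initial_table(w, t):
    """First step of the RC5/RC6 key schedule: S[0]=P, S[i]=S[i-1]+Q mod 2^w."""
    p, q = magic_constants(w)
    table = [p]
    for _ in range(t - 1):
        table.append((table[-1] + q) % (1 << w))
    return table

def scan_for_constants(blob):
    """Map constant name -> offsets of its little-endian 32-bit form in blob."""
    p, q = magic_constants(32)
    # Adding Q mod 2^32 equals subtracting its two's complement, so code may
    # carry the negated value instead of Q itself; look for both.
    wanted = {"P32": p, "Q32": q, "-Q32": (-q) % (1 << 32)}
    hits = {}
    for name, value in wanted.items():
        needle = struct.pack("<I", value)
        offsets, pos = [], blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample bytes (not from any real binary): padding, P32, padding,
# the negated Q32, padding.
SAMPLE = (b"\x90" * 4 + struct.pack("<I", 0xB7E15163) + b"\x00" * 3
          + struct.pack("<I", 0x61C88647) + b"\xcc" * 5)

if __name__ == "__main__":
    print([hex(v) for v in magic_constants(32)])
    print([hex(v) for v in initial_table(32, 3)])
    print(scan_for_constants(SAMPLE))
```

A lone Q32 hit is weak evidence, since the same golden-ratio value is the TEA delta and shows up in hash functions; P32 together with Q32 or its negation points much more strongly at an RC5/RC6 key schedule.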

Tuesday, August 9, 2016

Big Time Infosec Issue!

Updated: five more point-of-sale systems breached. More info on how long the breach existed. And yet more info on where the compromises might have hit you. More identity information for Carbanak.

Did you ever get a message in an email that says: "We're letting you know your card may have been part of a compromise at an undisclosed merchant."? And not to worry because "We're Issuing You a New Card To Help Keep Your Information Safe". In title case, no less (thanks, Daring Fireball, for that link).

Apparently the time has come when data compromise becomes huge. Anybody who watches Mr. Robot probably knows that credit card hacking is a serious issue, and can get much more serious. We keep closing insecure points as they are discovered, of course. But, it seems, there are still plenty of ways to get into our credit card data stream.

One such way is through the Oracle MICROS system that handles point-of-sale transactions with credit cards (specifically at restaurants, delis, and hospitality points of sale). Apparently it is possible to rootkit these transaction processors, take control of them, and capture your name, credit card number, and secret code as it goes by. And, of course, send that data to the identity thieves.

Update: five more systems are reported by Forbes to be hacked, possibly by the same Russian cybercrime gang. These are UK-based Cin7, ECRS, Bankcard Services' Navy Zebra, PAR Technology, and Uniwell.

What Happened?

According to Krebs on Security, malware was placed on some internal Oracle server at their retail division. They thought it was just a small number of systems until they upgraded their security software to a new version. And at that point, they realized more than 700 systems were compromised! From there, it spread into the MICROS point-of-sale processors that accept your credit card and verify little things like that little gold chip on it. That was supposed to make the credit card SO much more secure.

The bottom line for us, the customers, is that the breach was detected only on July 25, 2016. And here's the catch: they don't really know how long it's even been active. Could be months.

Update: Bad news! There is info from HEI hotels that the breach might have existed since March, 2015.

Who Did It?

This is a very sophisticated hack. This was no script kiddie.

Apparently the Carbanak cybergang is responsible. According to Kaspersky, they stole $1B by attacking bank system intranets in an advanced persistent threat (APT) campaign culminating last February. This gang is a big time threat, and we have stumbled onto one more page in their playbook.

It gets even more interesting. Carbanak is connected to a Mr. Tverinov, as reported by Krebs, and supported by the sleuthing of Ron Guilmette. Artim Tverinov is CEO of InfoKube, a Russian security firm, that builds the LioN anti-virus application. A Trojan horse?

It's not rocket science - Krebs, while communicating with the shadowy Mr. Tverinov through the Vkontakte Russian social-media site, literally eye-witnessed Tverinov's Vkontakte page get deleted! This was followed by a direct-email denial of any and all wrongdoing.

Supposedly Russia arrested 50 alleged members of the Carbanak cybercrime gang on June 1, 2016. Kaspersky Lab helped to identify the hackers charged, but Tverinov wasn't among them.

It also seems that Carbanak was using a C&C server that is tied to the FSB (the successor of the KGB). This according to Security Affairs.

Update: Carbanak is sometimes also known as Anunak.

Where Was I Most Likely Compromised?

This would have occurred at a chain restaurant, or perhaps a modern restaurant that is taking advantage of modern technology. And you would have used your credit card to pay. Unfortunately, this is not too unlikely a scenario, is it?

You might have seen a colorful point-of-sale display on a tablet or monitor (like this one) at a restaurant, hotel, deli, charcuterie, or even a burger chain.

Update: Forbes, in the same article as the above update, reports that your credit card might have been compromised at Donald Trump's Hotel group, Hyatt, Kimpton, or one of 1000 Wendy's restaurants. Also consult the list of hotels in the HEI list.

The Big Android Hack

Qualcomm GPUs and kernel modules are vulnerable to being rootkit'ed. This involves a huge number (900 million) of Android devices. They are called the QuadRooter vulnerabilities, as explained by security researcher Adam Donenfeld in his blog post. This affects the Samsung Galaxy 7, the most popular Android device.

On another note, the Blackberry DTEK 50, "the most secure smartphone in the world" utilizes a Qualcomm 8992 Snapdragon 808 Hexa-Core, 64 bit with Adreno 418, 600MHz GPU. And so it is also vulnerable to four of the flaws.