Always strive to learn something useful. --Sophocles

I knew I read Cixin Liu's Three-Body Problem last year, but I couldn't find a record of it! What's worse, I couldn't find a copy of it on my computer! The reason why I was looking for it is that I'm reading the Hugo Finalists for the Worldcon voting and his third book in the series is nominated, unfortunately I haven't read the second, but I think there's a considerable time lapse between the subsequent books.

Fortunately I found email evidence of when I read it (9/26), so here's an abbreviated mention of it.

This book, the first of Cixin's Remembrance of Earth's Past trilogy, revolves around a strange and immersive video game that runs multiple generations resulting in total destruction of the game environment because of three suns have unpredictable and unstable orbits. It's actually a four-body problem because you also have the world that the game takes place upon: eleven other worlds in the system have been consumed by the suns. The culture survives incineration by dehydrating themselves and the husks being stored in deep underground vaults, waiting to be rehydrated some day when society has recovered.

It's a strange book that ties China's cultural revolution to modern times to extraterrestrial contact. Cixin Liu is an amazing writer with something on the order of eight Chinese Hugo awards to his credit. This and the third book of this series, Death's End, are translated by Ken Liu. The second book, The Dark Forest, was translated by Joel Martinsen. To cite Wikipedia, "The work was serialized in Science Fiction World in 2006, published as a book in 2008 and became one of the most popular science fiction novels in China. It received the Chinese Science Fiction Galaxy Award in 2006. A film adaptation of the same name is scheduled for release in 2017. ... It won the 2015 Hugo Award for Best Novel and was nominated for the 2014 Nebula Award for Best Novel."

And that brings my 2016 total to 48 books read recreationally.

Back in March, Brian Krebs posted an article titled Why I Always Tug On The ATM. It boils down to there being a limited number of ways that your credit card information can be stolen:

1. Financial institution is hacked
2. Malware is implanted on a merchant's network, possibly on point of sale (POS) card scanners
3. Hardware is covertly installed on or in POS card scanners

You can't do anything about #1. The first time my banking information was compromised was about seven years ago. I was at my parent's house in Phoenix, heading to Las Vegas to a convention when I saw a charge on my checking account for $80ish at a truck stop in North Carolina, a state where I hadn't been in five years. Turns out that a check processing company in Albuquerque had been hacked and they managed to create a bank card from that info. That hack never hit the news.

#2 is the classic Target hack, though that was an extreme example where the criminals managed complete subversion of their cash register system. They could have done what North Korea did to Sony over the release of The Interview. Arby's, Wendy's, CiCi's, you name it. And you can't do anything about this, either.

#3 is something that you can attempt a bit of defense with.

Skimming comes in two flavors, an overlay or an insert. The overlays are easy. The criminals somehow manufacture a flimsy plastic module containing electronics, generally a card reader for capturing card information, a camera for capturing PINs, and a Bluetooth radio for transmitting the info. The whole thing can be quickly slipped over a card reader at a cashier station. It's a two or three man job: distract the cashier, obscure the overhead security camera, slip the shell over the reader. The shell is precisely made for specific models of card readers and will only fit on those models. There are a few 'tells' that help identify an overlay. The colors will be slightly off. It will feel like thin plastic. The graphics won't look quite right. The dimensions will be slightly off. If you pay attention to the card terminals that you use, you might notice these.

But the best way to notice is to tug. Give the terminal a squeeze and a pull. It should feel solid and it should be solidly anchored to the pedestal that it's secured to.

Gas stations are a slightly different problem. These will sometimes have overlays, so a visual inspection and a tug test is good, but they also may have internal skimmers. These are tiny circuit boards that are actually slipped in to the card slot that read the inserted card and store the info. They don't collect as much information as an overlay, but it's still enough to cause you problems with card theft, and it's not easy to spot these.

Gas stations have taken some defensive measures. You'll notice there are security tape seals where the panels open on the pumps to show they haven't been tampered with, but let's face it, it wouldn't be hard to make fakes of those. But they've also improved the design of the pump faces to try and make it harder for skimmers to be installed, ATM makers have also tried defensive design with varying success.

Brian Krebs' suggestion is that the best defense is to never use a debit card at a terminal that you don't have absolute confidence in, only use a credit card. The reason for this is that credit cards have legal limits for fraud protection, debit cards do not. Your bank may limit your liability if your debit card is compromised, but they are not REQUIRED to by law. So you can trust your bank if you like, but you need to know that they don't have to back you.

Another way to defend yourself, if you have a fairly recent smartphone with Near Field Communications (NFC) and your merchant supports it, is to use Apple Pay or Google Pay. Microsoft tried to set up a wallet system, but it never gained traction and has been relegated to the dustbin of history. BE WARNED: these payment systems take a little getting used to! I set up Apple Pay last week: I've used it four times, I've been successful ONCE. I know how I failed the first time, and I suspect how I failed the other two times, so I think I have it figured out, but still, be prepared for a learning curve.

Apple has an exhaustive explanation of how their system works, and it is really elegant. From what I understand, even if the POS terminal has malware installed, if you use Apple Pay the criminals will get nothing usable. The information is not just encrypted, it's done with a one-way encryption that cannot be reversed after it's transmitted, so no card information can be recovered by an intercepting criminal. The merchant identifier and transaction amount is appended, the packet is sent to your financial org, which authorizes it, and the bill is paid. Your information is never exposed.

I'm sure Google's system works in a similar fashion, but the info that I easily found didn't go in to nearly as much detail as what I found with a casual search for Apple's system.

And I have to tell you, the Apple method for registering a card was amazingly cool: take a picture of your credit card. I was sitting in my partially demolished computer area, in somewhat poor lighting, and it said to take a picture of your card. So I pulled out my personal debit card, and it read it perfectly. Done. Pulled out the debit card in my name for my wife's checking account. For some reason, within about a month of receiving it the gold paint on the letters is completely gone. There was no strong side lighting to provide contrast for the lettering, yet my iPhone 6S had no trouble reading the card! I was VERY impressed. The third card that I registered was my credit card, and that one also registered fine, except it got the expiration date wrong, and that was easy to correct.

You can also manually enter the card information.

You can also use Apple Wallet for concert tickets! I used them for Jethro Tull, which was convenient because I forgot to take the printouts. It looked to me like 75% of the people in line were using smart phones for their tickets.

iPhone 6 series and later, which includes the SE, have NFC. Apple Wallet can be configured to use a fingerprint to authorize rather than the phone's password, regardless of whether you use a password to unlock the phone. Androids that run version 4.4 of the OS or later should have NFC. I saw that sometimes Android updates can cause headaches for Wallet users.

Anyway, that's enough blathering. The best defense, of course, is to always pay in cash. But that brings up two problems: carrying large sums of cash, and do you get the cash from the bank, which may involve lots of inconvenience, or do you trust the ATM to not have been compromised?

It seems to be never-ending.

https://krebsonsecurity.com/2017/03/why-i-always-tug-on-the-atm/

First, Kmart has once again found malware in their store point of sale systems. This is not a first for Kmart, and apparently does not affect online sales or their stores of their partner, Sears. Kmart is my wife's pharmacy, so I expect we'll be getting new cards from our bank in a month or two, which will mean Amazon resets and all the joy that entails.

https://krebsonsecurity.com/2017/05/credit-card-breach-at-kmart-stores-again/


The OneLogin breech is bad. This is a password vault company where you can store logins and passwords for everybody that you do business with online, so with this one violation everyone that you have an online account with is potentially compromised. Bad news. Very bad news for a lot of people and companies.

https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/


Now, when it comes to knowing whether or not an online identity has been compromised, it's not easy to know. We use email addresses as logins to numerous web sites, but what gets compromised when a site gets hacked? The valuable information is the login identity and password information. While password information is frequently encrypted, sometimes it's not and it's stored as plain text. And a lot of people commonly use the same password on lots of sites. Thus, a password that was used on Site A might work on Site B.

Even if the password is encrypted, sometimes they don't use what is known as a salt value. In this case, something called a Rainbow Table can be run against the encrypted password list to try and decode passwords. A rainbow table is lists of dictionaries of known words, random words, words in Klingon, phrases from Shakespeare, etc. that are commonly used in passwords. If one of these words matches against an encrypted password, they now know what that password was and can try that matching email address against an Amazon account or bank or whatever.

Salting a password is adding a hidden value to it. For example, if I append the value '123' to your password, the encrypted value is much harder to match against a rainbow table, because the encrypted value of MyPassword vs MyPassword123 are different values. And if you use the password MyPassword, DON'T. It's a ridiculously easy password to hack. But I'm not going to talk about strong passwords right now.

When a web site is compromised, such as OneLogin, frequently the accounts will appear on a web site as a 'dump file'. There are characteristics that let security analysts trace back a dump file to know that File X was taken from Site Y. And there's a web site that will tell you if your email address has ever appeared in a dump - https://haveibeenpwned.com/.

The operator of Have I Been Pwned took it upon himself to collect dumps and suck them in to a cloud-based edition of SQL Server. He doesn't store any passwords, just an email address and information on what dump that address has appeared in. You go to the web site, enter your email address, and you'll learn where your address may have been compromised. It's not a bad idea to check occasionally.

Myself, I have two primary email addresses. My main one has been compromised a number of times, and I don't really care because it's used mainly for email. My more sensitive account has only been compromised once, and that was an Adobe hack. My Paypal email account has never been found in a dump, which is nice. But what I found interesting was that my main email address has been found in lists that "was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password." I'm not concerned because I never reuse passwords on systems where I have credit cards tied. I do reuse passwords on low-value systems OCCASIONALLY, like some message boards that I don't often revisit, but that's slowly coming to an end.

Anyway, you might want to check out this site, it's interesting.

https://haveibeenpwned.com/

We drove up to Albuquerque yesterday for the show, leaving home at 2pm and getting home about 3am! A long day and lots of driving, but well worth it. We both hate casinos because we both have bad lungs and asthma. The poodle was with us, so Russet gave him a stroll while I went in to the casino and found the theater so we could get to it as rapidly as possible, and that worked well.

Here's the set list: Living in the Past Nothing is Easy Heavy Horses Thick as a Brick Jack-in-the-Green Bourrée Farm on the Freeway Songs from the Wood Pastime with Good Company/Henry VIII Sweet Dream Dharma For One A New Day Yesterday Toccata and Fugue in D Minor ? Aqualung Locomotive Breath

The opening was both awesome and sad: for some reason they pointed Ian's microphone too high, and he was having problems singing in to it, making it sound like he had almost no voice. So that song was almost wasted. But let's face it, much of Tull's music is a third vocals and two thirds instruments. While they were playing Nothing Is Easy, you'd see Ian playing, then on the projection screen behind them, they'd show Ian from the '70s playing the same piece! It was very interesting, seeing the massively shaggy hair, compared to the almost 70 year old almost bald Ian. Same process for Florian, the lead guitarist. Very cool effect.

When they performed Heavy Horses, they synced a projected video performance with Icelander Unnur Birna Björnsdóttir(?), singer and violinist, which was really cool - that's one way to make up for a small stage! Very good use of back projection throughout the show.

Dharma For One was a very funny intro. Ian was talking about how (IIRC) Clive Bunker would go in to this ridiculously long drum solos that would last hours, days, weeks! He then says something about respectfully dedicating this next song to Clive, respectful clapping follows. Ian then says "Oh, he's not dead! He was quite well the last I spoke with him on the phone!" They then go in to play Dharma to give their touring drummer, Scott Hammond, a solo. And he did a very good solo. Which gave the rest of the band five minutes to nip off the stage for a drink and a sit.

Throughout the show, aside from the flute, Ian also played guitar and harmonica. And gamboled around the stage with his left leg bent and keeping time.

Here's what I don't understand. People paid probably $100 or more for a pair of tickets, came in late, and left early. One couple ahead of us the girl wouldn't stop yapping at her man for a song or two. A couple arrived late for the seats next to ours, the guy clearly already drunk and stinking of beer, yelling what an honor it was to see Ian Anderson. Gee, what a respectful way to be honored: showing up late, drunk, and leaving early. Why would you pay $100 to hear five or six songs then leave? I just don't get it. Is it just to be able to say "I saw Tull, dude!"

This is the banner for the tour. It'll probably break eventually as I'm linking it directly from what I thought was the Tull web site, but it's something else.

Left to right that's John O'Hara on keyboards, Scott Hammond on drums, Ian Anderson who plays the flute or something, Florian Ophale on lead guitar, and David Goodier on bass.


In other Ian Anderson news, he has a new album which released in March called Jethro Tull - The String Quartets. He got together with the Carducci String Quartet, conducted by John O'Hara, his keyboardist. It released complete with a factory defect! For some reason on the first pressing the track list on the back of the box does not match what is on the disc, so they slapped a sticker on top of the shrinkwrap, which doesn't do you much good after you remove the shrinkwrap! But once you rip it to MP3 or whatever, you're OK.

The album is quite good, but one track strikes me as kind of odd: Living In The Past. It's already practically a chamber piece: I think it would have been better to put a violin in a high register playing the vocal and put Ian on the flute in to playing trills, I think that would have been more interesting. But what do I know.

Here's the album cover. Definitely recommended.

I expect that eventually there will be an album/DVD released of this tour, which I will probably buy. Saturday night was their third USA stop: Friday night was in Colorado at Red Rock with a full symphony orchestra, and a night or two before was in Utah. If you pull up the tour schedule from the JethroTull.com web site, you'll see that they tour like mad men!

EDIT: for some reason paragraph breaks appeared when I previewed it, but not when I posted it. Odd.

so if you've transitioned over to DW, I'm dropping you from that side to shorten up my reading page over there. No changes on the DW side.

This looks really good. Galaxy Quest ramped up a few notches with more Star Trek. I'm guessing that this is slated for Fall '17.

"We need no longer fear the banana!"

Sunday I ordered a right angle viewfinder and a remote timer for my Canon. The viewfinder I went non-Canon to save money, I hope it works out. I thought with magnification that I might be able to focus my 6D at night. Here's to hope!

The timer is Canon, though used. It arrived about 24 hours ago, and I was disappointed by what I thought was a dead battery. There's no way to get a CR2032 up here, and I didn't want to drive down to Alamogordo for one thing. Fortunately my wife was amenable to go down to dinner, and Home Depot had the battery in stock. Getting it at HD also let us look at storm doors, so it was an excellent twofer.

I get home, replace the battery, and it's still dead.

ARGH!

And they're closed on Saturday for the Sabbath. But at least that means they're open on Sunday, so I can call them tomorrow to see what we can do. I'm hoping they'll send me a replacement promptly, I might have to buy another and then have them refund the dud.

The only good thing is that the timer also works as a remote release with a lock, so I can do long exposures with it and just time it with my watch, but without the timer function, I can't do a series of shorter intervals. I know that the star trails work at ISO 800, f2.8 and 30 seconds, but long exposures don't mathematically scale at this low of light levels as you'd like.

I NEED THAT TIMER! I wonder if they'll test the new unit (still going to be used) before they send it? Also need to dig out my multimeter and confirm that the original battery and my replacements are good: CR2032s are used in lots of things and should have enough turnover to ensure fresh stock.

I was wondering what Roger had been up to since the end of the election. It had been rumored that Trump was planning a conservative news channel and that Ailes would head it up, but then Trump made the mistake of winning the election and look at where we are now. Well, it turns out that Ailes had hemophilia. Apparently in '12 he said that actuaries said he had 6-12 years left, I guess he didn't make the odds. Still, to make it to 77 with that condition is an achievement.

Aside from heading up Fox and exploiting his position of authority to sexually exploit women, he previously was the chief media advisor to Richard Nixon, Ronald Reagan, and George H.W. Bush. He also helped create the Merv Griffon Show and several other TV programs.

I can't say that I'm too sorry to see him gone. It would have been nice to see him have a reformation and make some amends for his past behavior, but it would be so totally out of character as to be all but an impossibility.

http://www.npr.org/sections/thetwo-way/2017/05/18/528925119/roger-ailes-former-fox-news-ceo-dies-at-77

And we don't know what it is! This is a screen grab from Photoshop with the original zoomed 100%, the artifact is about 10" over and about half an inch down. While almost everything else is streaking in an ascending to the upper right direction, this one is descending to the lower right, or SE direction.

There's a web site called heavens-above.com that will tell you satellite orbits above you based on your location, and nothing really matches what is in the picture. My wife, who only has a PhD in astronomy and astrophysics and works as a professional astronomer, thinks it's a reflection off a power line. Notice those dark streaks in the photo? Those are power lines. But there's a slight breeze, and considering the length of exposure, I think that would distort the image.

Based on the timing of the exposure, i.e. knowing that the length of one trail represents about 15 minutes, and that the anomaly is at pretty much a right angle to the celestial equator, she thinks it might be a satellite in a geosynchronous orbit but much further out.

So here's the image, at 100%:


We might go out again tonight and repeat the exposures twice from both ends of the observing pier to try to counter where the power lines appear. We'll see what happens.

Recently, hackers stole the first ten episodes of the new season of Orange is the New Black from Netflix and demanded a ransom in bitcoin or they'd post the episodes on Pirate Bay. Netflix didn't pay, the hackers were true to their word, the episodes were posted.

Now Disney has been hit. Hackers have demanded a "large" ransom or an unnamed film will be released, the name of the film is unknown but the two big named upcoming releases are the new Cars and the Pirates of the Caribbean movies, neither of which am I particularly interested in seeing. Bob Iger, CEO of The Mouse, is refusing to pay and is working with Federal investigators.

What I'm wondering: (A) is this the same same group that hit Netflix, demonstrating some pretty good skills to hit deep in two different megacorps, and (B) is this a new business model for the criminal hacking community? It could certainly be profitable, I wonder if it could also encourage entertainment megacorps to create a consortium to build a big network of bitcoin mining machines so they have a ready supply available if they decide that they need to start paying. Of course, the better solution is to beef up their IT infrastructure and rid themselves of the mindset that it's cheaper to absorb the cost of the occasional hack than to maintain up to date security postures.

http://www.hollywoodreporter.com/news/disney-chief-bob-iger-says-hackers-claim-have-stolen-a-disney-movie-1003949