
While road-tripping down to CarolinaCon, a few of us in the car were seeing the “hugs at hackercons” thread on Twitter.  It generated a bit of good discussion among us, but for the most part we were focused on getting to Raleigh and presenting and socializing and generally having a good time.  Of course, the hacker community’s drama-engine is fast-moving and mere days later, we seem to have moved on to RSA dress codes and the awful antics of BlueCoat.  So, while this blog post is hopelessly outdated now, I’m still offering my thoughts.  ;-)

Much of the HugGate drama on Twitter seemed to come down to the following arguments (often badly-expressed and hopelessly truncated by Twitter’s 140-character limit)…

“I don’t want to be hugged at conferences”
“So then tell people to not hug you”
“I shouldn’t have to tell others, they should just not hug people”
“Hugs are awesome, you’re just silly if you don’t like them”
“Hugs vs Handshakes is a clear-cut case in most of the world (link to this article)”
“The hacker world isn’t the business world, we’re a family”
“But some people are aspy and don’t like to be touched”
“No one should ever be touched if they don’t want it”
“So no one should hug anyone?”
“That’s not what I said!”
“I’m going to hug you!!”
“I like hugs, that’s fine!”
“Fine!”
“So, are we still arguing?”

… and so on and so on.  The crux of these issues was distilled down by many into two camps — pro-hug and anti-hug — but that’s an over-simplification.  A fairer pair of titles would be pro-hug-environment and anti-unwanted-contact and their positions could possibly be summarized thusly…

Pro-Hug-Environment: “We like to surround ourselves with friends and family in the hacker world and we value situations when the context allows for many hugs and close contact.  With much time spent in the cold and impersonal business world, it’s nice for us to create a space where people are much closer.”

Anti-Unwanted-Contact: “That’s great that you love being all friendly, but some folk take it too far… and when I’m at hacker events, I have to fend off unwanted hugs or other contact because of the environment that’s been cultivated.  The onus shouldn’t be on me to prevent what I see as harassment.”

.

Here’s the thing… both of those camps have elements to their arguments that are quite valid.  No one should ever be subject to touching or direct contact that they find unwelcome.  (Unlike speech, which I feel anyone should be able to express at just about any time, actions — such as direct contact — should never be forced on to another party.)  Alternately, if a group of people seeks to create an environment where they feel more at liberty to bond and be more casually intimate with liberal hugs, etc… that’s their right, too.  Let’s not forget that hacker cons are, by and large, private events and it’s fine for them to reflect the views and values of their creators and participants.

Sometimes, we forget that all situations are different and every “event” or “gathering” or “space” has its own unique values and atmosphere.  Trying to map the values and behaviors associated with a workplace on to a hacker con or those of a music festival on to a public park is about as logical as trying to map the norms of one country’s citizenry on to those in a foreign land.

It’s important to consider the base-rate of behavior and the commonly-accepted norms in any circumstance and allow that to dictate our mores, norms, and rules of proper conduct.

.

I propose the following when it comes to hugs… think about the situations around you on a hug spectrum …

hug spectrum - 00 - scale

… for those who can’t read this easily (you can click any of these images for larger versions) it’s essentially a scale of how intimate the greetings tend to be between both (a) people known to one another and (b) people meeting when they don’t know each other very well.  Here’s a written breakdown of the various points on the axis…

+4 Big kisses for basically anyone who comes along

+3 Hugs liberally shared all the time. Small kisses common, too, even upon introduction

+2 Hugs typical as an introduction, little reservation shown among known folk

+1 Hugs common between all friends and acquaintances, sometimes hugs even during an introduction

+0 Hugs for family and very close friends only, handshakes upon introduction to new people

-1 Folk pretty reserved, usually shake hands even if known already. Handshake almost always as introduction to new folk

-2 Hugs are outright considered odd in public, even if known. During introduction, only handshakes are used

-3 People prefer to not have any physical contact with unknown folk

-4 No acknowledgment of strangers out in public

… so, I’ve made this pretty wide-ranging.  I think that we can safely dismiss or at least not give much consideration to the environments at the +4 and -4 ends of the spectrum.  You’re unlikely to see the +4 “Kiss basically anyone who comes along” as the norm outside of hippie gatherings, raves, or the declared end of a world war.  Likewise, the -4 “No acknowledgement of strangers out in public” standard doesn’t really apply anywhere outside of the most repressed dictatorial or religiously-fundamentalist regimes.

.

But almost all of the other points on this spectrum are fair game in some situations.  I think that the zero mark in the middle of the axis could be called “the United States societal standard.” We are a people who hug, but your typical American doesn’t go around embracing just anyone.  Our society’s normal method of introduction is the handshake.

hug spectrum - 01 - US society

.

On the hug spectrum, however, it’s important to consider both the base-rate for a given situation as well as the margins directly on either side of that mark.  A society or group can be thought of as supportive and inclusive if they are aware of others whose preferences and standards lie a little bit outside of the mean.  See here…

hug spectrum - 02 - US society margins

In the USA, it’s not uncommon to encounter +1 people who offer hugs as a form of introduction.  Alternately, there are plenty of  -1 people here who are reserved and don’t offer hugs often at all, even to people whom they know.  Being an accepting person means expecting to meet people like that with some regularity.  The red arrow folk should keep themselves open to social cues and indicators so that the yellow arrow folk do not have to offer a lengthy explanation of their slightly different position.  This is the kind of environment that we should aspire to have.  People on the margins should feel accepted and not like they are troubling others or in need of constantly explaining themselves to others.

.

Let’s apply this hug scale to the business world…

hug spectrum - 03 - business world

… where the norm is handshakes.  Handshakes are always the default when meeting new people, and for the most part they’re what’s shared even between people who know each other.  Of course, the rule of the margins applies…

hug spectrum - 04 - business world margins

… some people in the business world are comfortable hugging friends, even at the office.  Others in the business world consider any kinds of hugging in the office — even if family visits — to be unwarranted.  Again, these yellow arrow folk should not have to explain their position explicitly every time when meeting new people.  Most folk should just pick up on social cues and be able to tell whether someone’s preferences are slightly different and act accordingly.

.

This “rule of the margins” applies, no matter where the base-rate may be.  Consider a society that is very different from the USA, such as Brazil…

hug spectrum - 05 - brazil

While I’m sure some citizens of the world’s fifth largest nation may disagree with the above chart, it’s quite definitive that they are a much more touchy-feely people than Americans are.  Embraces and even the customary Latino kiss-on-each-cheek are common for all sorts of greetings.  And, as the yellow arrows in the margins indicate: for some people there hugs are only “typical” and not absolute, or on the beaches of Rio during Carnival lots of kissing with strangers is abundant.

.

An inverse of this can be seen in many Muslim nations, where repressive religious values result in societies around -3 on my scale.  Instead of touching other people, many citizens opt for the salām… a greeting of peace which is often bestowed not with a hand outstretched, but rather simply held over one’s own chest.  Again, in such societies, one does well to be on the lookout for people on the margins… either those who do opt to shake hands or those who are strictly conservative and prefer almost no acknowledgement of strangers (this particularity usually only manifests itself when the interaction is between two people of differing genders.)

.

So where does this leave us with hacker cons?  Well, let’s turn again to the base-rate as far as hugs are concerned.

hug spectrum - 06 - hacker con

While there are many people who might disagree, I take the position that within the hacker community and at our cons, the norm tends to be the +2 mark on the hug spectrum.  While certainly not obligatory, hugs are typical when meeting new people.  So, when we apply our rule of the margins, what does that tell us?

hug spectrum - 07 - hacker con margins

Individuals whose preferences lie at the yellow arrows should not be made to feel like outsiders or oddballs at hacker cons.  The general attendee base, if they are truly interested in keeping our community a welcoming and accepting place, would interact with each other on the principle that most people are a +2 while at the same time keeping their eyes open to the possibility that a person they encounter could be a +1 or a +3 hugger… social cues and nonverbal communication should hopefully be sufficient most of the time to convey those nuances.

.

What about actual outliers, however?  At a hacker con, maybe some attendees are the type to simply only hug family and close friends.  Or, on the other end, maybe some folk are the type to be super liberal with passionate kisses for those around them.

hug spectrum - 08 - hacker con outlier hug spectrum - 09 - hacker con outlier

In each such case, I do not think it’s wrong for these people to be considered statistical outliers.  They are far-enough removed from the base-rate of that particular environment that it could surprise most others there.  This is not to say that there is anything wrong with someone such as this.  Again, I firmly believe that anyone may hold their own opinions and values when it comes to personal contact, and that they should be able to do so without shame or reprimand.

However, when a person is sufficiently removed from the base-rate, obligations under the social contract shift a bit.  I feel that no longer should it be considered the burden of the group to be on the lookout for and be able to subtly detect when this very different value is held.  If someone is an outlier, then the burden shifts further to them in terms of communicating their values and preferences when encountering other people.

Attire, stance, and demeanor go a long way to helping this communication, of course.  Wearing business-casual clothing and maintaining a respectable distance from others during a new introduction at a hacker con can help to signal that you’re more comfortable with the business-world standard of “handshakes are the norm” but I believe that no one should be thought of as a bad person if they fail to pick up on this.  A friendly but straightforward “hah, sorry, I’m not much of a hugger” can be communicated if someone leans in for an unexpected embrace.  No one should feel bad.  The 0 spectrum non-hugger is justified.  The +2 hug-desiring hacker shouldn’t feel dismissed or shunned.  And the con itself shouldn’t feel bad for cultivating an environment populated by predominantly +1 +2 +3 hug-spectrum folk.

.

Hug if you want to.  Shake hands if you prefer.  Kiss loads of people or ignore strangers entirely… the choice is 100% yours.  But let this hug spectrum be a guide.  Familiarize yourself with whatever the base-rate is for any environment into which you proceed (people who know me are aware that I’m a huge supporter of travel and experiencing other cultures, the rule applies there, too) and then do the following…

1. Expect that most people whom you encounter will probably have values and actions in accordance with the base-rate.

2. Be on the lookout for people who are just at the margins of the base-rate and let social cues guide you in those interactions so that these people needn’t explain themselves.  It is the responsibility of the group to help them feel included.

3. If you are not just different from the typical base-rate but actually well outside the margins of an environment, be prepared to communicate your feelings and values to others.  In those cases, the responsibility falls to you more than to the group.

.

Just because a person who is substantially different from the group around them feels the need to communicate that in order to have healthy interactions, that doesn’t imply that they can’t have a positive experience.  I remember reading a very inspiring story which transpired at the 29th Chaos Communication Congress.  One participant was reluctant to attend, due to her Asperger syndrome.  She knew that hackers are huggers and that the CCC events are often densely-packed with people of every stripe.  But instead of letting her fear get the best of her, she chose to attend anyway.  With the support of friends, this person wore a shirt announcing prominently that she didn’t care to be touched directly.

Her blog post was one of wondrous joy and happiness.  The author explained that by and large, the other attendees which she encountered were supportive and very respectful, making the CCC event accessible to even someone who was well outside the base-rate of the Hug Spectrum for hackers.  While the wearing of a prominently-worded shirt might be quite an extreme step to take, it’s just one example of how it is very possible to communicate your differences to those around you and everyone can come out better for it.

.

I’ll let this blog post speak for me.

I’m a hugger, through and through.  If you see me, feel free to hug me.  If I know you, chances are I’ll approve.  Even if I don’t know you, chances are high that I’ll smile and be happy about it all the same.

Just do me (and everyone else around you) a favor: smell nice.  A recent shower coupled with clothes that have been laundered goes a lot further in making me comfortable during an embrace than whether or not I know whose arms are around me.  ;-)

.

.

.

Years ago, I posted in a thread on the DEFCON Forums where folk were discussing travel tech.  What bags, what gear, what tools, and what must-have items made life on the road easier and better were all being shared.  In that thread, I posted a rundown of the backpack which I used for carry-on during all my flights.  An array of photos showed the backpack I used and the gear within.

I just re-read the thread and now so much of it is quaint from a time gone by.  A paper book for “take off and landing” times when the Kindle wasn’t permitted was in there.  I used to keep my laptop with me in carry-on.  But, most of all, a lot of things look the same.  What has changed the most is my bag.  I’ve moved to an even slimmer and smaller carry-on, and that’s probably the best advice I can give to anyone who is preparing things like this… GO SMALL.  You’ll force yourself to fit into a smaller space and you’ll carry less gear.

Even now, as I type this post, I am seeing some things that are in my frequent-flyer backpack which are seldom used.  I could prune down even more, I bet.  This post may inspire others to pack smart, but it’s likely going to inspire me to pack even lighter than I used to.  :-D

So, without further ado, here is what accompanies me on every single one of my 100,000+ flight miles each year…

 

travel_backpack_01

I now use a bag from 5.11 Tactical, their MOAB Rush 10 backpack.  It’s a single-strap design that slings over the shoulder and can be adapted for left-side or right-side use.  The single-strap allows the wearer to spin the bag to their front for quick access to most pockets and it balances the load well, despite only resting on one side of my frame.

travel_backpack_02

The bag has all the customary velcro areas for adding patches, which I have done.  Also the webbing straps allow for extra hooking of gear and other add-ons.  You don’t see it, but I always have a Klean Kanteen water bottle on the outside, for quick fill-ups once I’m through TSA screening.  Opposite that is an extra pouch that a friend gave me…

travel_backpack_03

This perfectly holds my Kindle.

travel_backpack_04

The add-on pouch is super padded and keeps the Kindle (one of my most frequently-grabbed items) in the same spot 100% of the time.  I used to have a Nexus 7 tablet in there and it also worked perfectly for that.

travel_backpack_05

Also through the outside loops of the bag are some markers and pens.  They are always useful and I keep them on the outside for fast access.  If I lose one, meh, they’re cheap.

travel_backpack_06

The main pouch of the backpack contains four large things and one small envelope…

travel_backpack_07

The main pouch contains a ziplock bag of some spare clothes, a travel wipes packet, a black zipper pouch, and a gray 1st class complimentary sundry kit that I’ve augmented over the years.

travel_backpack_08

The spare clothes include boxers, a t-shirt, and both white and black socks.  I can get through basically any “day after misrouted luggage” whether it’s a meeting, a casual time, etc.  There is also a waffle-knit long-sleeve thermal shirt from Colombia.  I can wear this under (or over) anything I’m wearing on my flights and be comfortable in cold conditions.  Whether a plane is chilly or I’m stranded in Denver for the night, this will get me through the worst of it even without a coat.

travel_backpack_09

The extra garments squish down into that ziplock bag and don’t take much room. They live at the very bottom of my carry-on.

travel_backpack_10

The sundry bag has pretty much what you’d expect…

travel_backpack_11

In addition to the typical things, I also have a spare toothbrush if I’m with a companion, plus eye drops (artificial tears only, NEVER Visine because it’s awful) and nasal spray.  A tiny tin of moisturizer and powder are also helpful in rough flight conditions.

travel_backpack_12

The black zipper pouch is entertainment/relaxing/etc gear.  Lockpicks and a few practice locks are in there.  A BlueTooth game pad controller for emulated old NES and SNES games on my phone is fun sometimes.  Keeping spare spoons, knives, and chopsticks is very helpful for in-flight dining or “stranded in a hotel room and eating stuff from the gift shop” dining.

travel_backpack_13

The envelope in the large pouch is a self-addressed flat rate envelope and some smaller envelopes with forever stamps, in case I ever have to mail something home.  I also have a free pair of slippers from a previous flight (they fold super flat) and some printed-out policies and correspondence from TSA and airlines clarifying policies.

travel_backpack_14

The main pouch has two small additional pouches.

travel_backpack_15

A deck of cards (which I almost never use but can’t seem to stop keeping on me) is in one such small pouch.  The other contains a little case of which I spoke in my earlier post years ago on the DEFCON Forums…

travel_backpack_16

This used to be my “keep in the seatback pocket” case… it had basically anything I’d need while in-flight.  I rarely reach for it nowadays, however, and really just keep it in case someone else in my travel party needs something.  From meds to make you sleepy or settle a stomach or ease pain to gum for ear-popping to power/audio adapters, these are things that are good in a pinch but which I need less and less.  Nowadays, I just listen to my phone via earbuds or I read the Kindle or I sleep.

travel_backpack_17

The tiny pouch built into the shoulder strap has a few things I like to access quickly.

travel_backpack_18

USB charging cables (one 10′ one and one 1′ one) are in there along with my earbuds and a wet wipe.  The LEGO flat bricks are part of an old joke.  If you saw a talk of mine from CarolinaCon you’d understand.  ;-)

travel_backpack_19

This small top pocket is designed for glasses.  I use it for that and a couple other odds and ends.

travel_backpack_20

Sunglasses are up there, yes, and also some spare floss and a lighter and a USB drive.  It’s also the dumping-ground pocket for loose change, which I empty out after each trip.

travel_backpack_21

This bag has a TERRIFIC additional pocket in the rear.  I use it as a food stash.

travel_backpack_22

In addition to Clif bars and similar things, I keep a small supply of heavy-duty ziplock bags in there.  I raid lounges for free things if I know I’m headed somewhere that might not have proper food options.  Yes, these little goldfish crackers or the carrot sticks are kind of crappy… but it beats being hungry when you are wheels-down in Moscow and checking in to a hotel at 2AM hours after everything is closed.

travel_backpack_23

The very front pocket is where all of my essential tech resides…

travel_backpack_24

In here we have:

  • A backup power supply for charging phone/etc
  • A universal power adapter for foreign plugs
  • A cigarette lighter adapter for charging in rental cars
  • An orange power splitter which makes me VERY popular in airports sometimes
  • Spare reading glasses (my main ones travel in checked baggage in my laptop bag)
  • Small bag of chargers and adapters (fitbit charger, etc)
  • Pens, screwdriver, little tools
  • Cash Can (google it, it’s great to have a spare $100 bill tucked away somewhere)
  • Notebook (which also holds all receipts and scraps of paper as needed)

travel_backpack_25

.

All of that packs into a bag which is small enough to fit under any airline seat (although I prefer using overhead space, of course) and which is “squishy” and capable of being wedged into overhead bins on both large and small airframe craft.  I can sling it and carry it a variety of ways (even wearing it comfortably on my chest if I have a larger bag behind me somehow) and it sees me through just about anything.

The bag currently weighs 15 lbs.  I’m pretty happy with this setup, and will continue to strive toward reducing its weight and size more and more over time.

Travel well, people.  I’ll see you when I see you.

.

.

.

In a recent podcast interview (The Social Engineer podcast, run by Chris Hadnagy and his team) the topic of DerbyCon came up, and naturally all participants enthusiastically recommended that the listeners attend.  During this chatter, I spouted the oft-heard remark “DerbyCon is the new DEFCON” (a phrase that I didn’t originate but which I have been heard to utter from time to time) and all heads nodded.

In some follow-up on Twitter with nick8ch, we realized that this is a perhaps-controversial phrase and could benefit from some clarification.  So here goes…

.

“DerbyCon is the new DEFCON” – This is not to denigrate or snipe at DEFCON in any way.  I love that massive Vegas hacker gathering and will keep attending forever.  However, the size of DEFCON and the fact that it’s no longer in small (often seedy) hotels means that having intimate and casual meetings with close friends is challenging and also some antics are harder to pull off than they used to be.  You don’t find yourself just chatting in hallways or hanging out on the hotel roof anymore like was the norm in the past at DEFCON.  DerbyCon, however, has a very very high signal-to-noise ratio and it’s held at a much smaller venue than DEFCON.  Many of the old guard are present, as are enthusiastic up-and-comers.  Folk chill in the lobby bar and it’s not uncommon to see massive penis art in the elevators.  DerbyCon most closely captures the vibe, in my opinion, of the earlier days of DEFCON… but, of course, in truth nothing could ever really be equivalent to that particular place and time in history.  And what’s more, DerbyCon has developed their own wonderful and unique energy that is distinct and vibrant in its own right.

IMG_20140927_225252

this kind of thing you just don’t see at on-strip hotels at DEFCON anymore

 

“DEFCON is the new Black Hat” – This is also a slightly questionable statement, but one that sometimes follows the previous one.  Why?  Well, while DEFCON used to be 100% focused on the friends you knew who were there and the antics/catching-up you could do with them, now there’s a much more significant element of going to DEFCON in order to see people whom you don’t know.  The idea of rubbing shoulders with the latest INFOSEC rockstar or, similarly, getting your research out in front of people who might hire you or invest with you… those are very BlackHat-ish elements that now are common at DEFCON.  I’m not saying that what makes DEFCON great isn’t still there… but there’s a new vibe.  As someone like SpaceRogue or SimpleNomad would say, “the Money that has changed the industry has found its way into DEFCON.”  People take specific steps to “be seen” and portray their efforts at DEFCON in a way that could positively affect their business the rest of the year.  In the past, you went to DEFCON with a “don’t give a damn” attitude about the fact that it could negatively impact your professional reputation the rest of the year.  ;-)

blah05

this is what a “DEFCON party” used to look like

blah06

who else remembers the purple fountains? think this could happen at a Caesar’s property?

blah07

before it was an official, professional event… the Wall of Sheep was just people being d0x’d or having creds dropped on paper plates on the wall of the hotel

blah08

poolside fun and general chill.  i can’t remember the last time i could just chill out at DEFCON.  well, maybe at the Beer Cooling Contraption Contest ever since Uncle Enzo took it over.  ;-)

 

“Black Hat is now RSA” – Even more folk might agree with this somewhat unfortunate turn of events.  Full Disclosure: I still appear at Black Hat since my company trains there.  Most of my friends’ companies also train there.  However, the event has ceased to be about the hacker community in any real way other than name only.  Much of the best information is still there, yes.  But the community feel is not.  Put another way: when is the last time you stuck around at Black Hat in the evenings to go to any of the parties?  For me, it’s been years.  Plenty of sponsors host parties when Black Hat is in town, but now the whole INFOSEC core community is either at BSides or the 303 house or just gearing up for DEFCON itself.  Black Hat’s pricing has continued to grow and scale upward with the influx of money in the industry and this has made it a lot harder to find smaller voices among that crowd.  Black Hat was never an event where folk would streak naked into pools or wander through DJ-pumping halls high on a galaxy of drugs, but even those of us who have been appearing there for years know that it’s somewhat more “corporate” nowadays.  The size of the vendor expo area has grown as much as the admission price… but it’s not going away any time soon.  Hence, the RSA comparison.

blah04

Black Hat… way back when.

“So if Black Hat is now RSA… What has RSA become?” – COMDEX.  RSA is now COMDEX.  It’s 100% trade show, and any “talks” or other speeches are little more than veiled sales pitches.  It’s a giant sea of marketing with little to no real value to anyone who is key to the industry, and most INFOSEC pros whom I know now avoid RSA like the plague.  Confession: when our company was still new, we did a brief presentation at RSA.  It was one of the saddest things I’ve ever been a part of.  I felt like we were just one more piece of a massive dog-and-pony show.  Besides the event itself having awful security and the participants having awful OpSec and privacy practices, the whole affair just reeked of circle-jerk.  I am sure that I’ll piss some people off here and maybe one day I’ll pay the price for that professionally… but perhaps that’s just the old-DEFCON side of me showing through.  :-)

blah01

we used a FedEx Kinko’s to mod our badges for access outside of regular hours. we did this at the on-site FedEx, right on that floor of the hotel.  no one noticed or seemed to care.

blah02

i can’t even.  “prevents tampering, spoofing, & hacking” … well alright, then.  seems legit.

blah03

even Babak couldn’t believe we were there, talking to this goofball

.

Feel free to share your thoughts below in comments or just share a drink with me when you see me.  I’ll be at DerbyCon in the fall.  And DEFCON before that… but you can’t find me for so much as a free second at that event.  ;-)

.

.

.

Well, I finally made it.  I’ve completed another House of Cards marathon.  This one wasn’t as rapid and blitzkrieg-ish as the first or second season was for me (both of which I’m fairly certain I watched in almost one or two sittings… just powering through.)

This season, however, I just kind of got to it as I found the time, on this recent business trip.  I wasn’t watching each episode one after the other, as if I couldn’t look away.  No, this time… it became just a long, awful, grueling slog.  I just wanted to see it through, like having chosen an awful hiking trail, yet not being willing to turn around and head back to the car but instead pushing on to the next shelter or campsite because… well… it’s just something you feel you have to do.

And, as any hiker in that situation can tell you, the mix of feelings and emotions that overcomes you at the end can be gut-wrenching.  This blog post is part of my necessary catharsis.

house

Phew… I am done with watching House of Cards.  And I do not just mean in the sense of completing season three.  I am done for good.  Yes, I know they left it (as they so often do) with such a compelling plot point as to coerce people to tune back in next time.  I don’t give a single damn.  Do so if you want to see what happens.  Me… I’m out.

How can I react that way, given the last episode’s breaking updates and everything left on edge?  It’s easy: I no longer give the smallest shit about any of the characters.

Let me explain it this way.  Were I to start viewing season four — for reasons beyond understanding — imagine the first episode were to just be a cold-open set in a hospital or medical center.

[indistinct voices over a tinny PA system, paging some medical tech to another floor, etc]

[camera shot looks through the cracked door of a specialist’s office, as we see her at her desk, looking at files and addressing a character who is out of frame, but clearly seated across from her… the camera pushes in and a tracking shot brings us into the office where the discussion is taking place. There is a severe look on the doctor’s face.]

doc

Doctor: “I know this comes as a shock.  But we’ve checked it twice.  I’ve even sent one more sample to the Jennings Institute in Atlanta, but at this time we have no indications that they will come back with a different result.  I’m sorry, but the evidence is clear.”

[camera pans down slightly, as to showcase more of the chart in the doctor’s hands.  the top of the image still frames the lower-half of her face, and we see her mouth as she reads the diagnosis]

Doctor: “You have cancer of the AIDS of the eyeballs.  And it’s inoperable.”

Then I imagine the camera makes a rapid yet smooth track toward the doctor’s side of the desk, and pans directly across to reveal seated before her…

ABSOLUTELY ANYONE ON THIS SHOW.

I honestly could not goddamn care.  I have so little empathy, sympathy, or even general interest in ANY of the characters on this show, that my reaction to such horrific and life-changing medical news for them would be a resounding, “meh.”

Remy has eye-AIDS-cancer?  Meh.

Claire has eye-AIDS-cancer? Meh.

Doug has eye-AIDS-cancer? Meh with a side of karma.

President Underwood has eye-AIDS-cancer? Meh with half a chuckle.

Jackie Sharp has eye-AIDS-cancer? Double Meh.

Heather Dunbar has eye-AIDS-cancer? Meeeeeeehhhhhh.

You could put any one of this show’s dozens of characters into that (ridiculously contrived) opening sequence in the very first moments of season four and I would feel utterly nothing at all for them.  The camera could linger on their face.  The highly-trained acting talent of so many quality actors on this program could be aptly applied to the ever-so-subtle slightest microexpression that crosses them.  All of the tremendous production values and talent of the people who are behind this program could be poured into that opening scene.  And I wouldn’t give a single damn at all.

The fact that I don’t care a jot about anything or anyone on this show anymore should come as a relief to me.  I don’t have to watch.  I utterly LOVE cutting TV shows out from my life.  I never got into Breaking Bad.  I’ve written off Mad Men.  I barely bother downloading Family Guy or the Simpsons anymore.  I celebrated the ending of the West Wing.  With each show that ends (or gets the kiss-off from me) I have more free time and I’m thankful.

So why don’t I feel so exuberant now?  Because season three didn’t just turn me off from the future of House of Cards.  It was so underwhelming as to literally taint the previous installments.  The first two seasons were a triumph.  The ending of season two, with Frank behind the desk in the Oval Office, rapping his fist twice on the Resolute wood… that moment was untouchable.  And now, it’s like they’re all just compromised to me.

Ah well, I was raised Catholic.  And before I left the church long, long ago… I learned of the power of self-persuasion and the ability to put on blinders so tightly as to convince oneself of a fiction that you just need to be fact.  Now, I was never one who actually bought into all that bollocks… but maybe, just maybe, if I try hard enough I can forget that season three ever happened.

Hell, if the fans of The Matrix can believe in their hearts that two sequel films never actually took place, maybe with enough will power (or enough whiskey) I could blot out this season from my mind.  And, one day in the future, if someone asks me if I enjoyed House of Cards, I could honestly answer them, “Yes.  It was quite an amazing show, those two fine seasons it was around.  And to end the way they did… with that swelling music score and ghastly foreshadowing of a presidential administration to come.  I’ll never forget that final scene, as we looked right into Kevin Spacey’s eyes and he looked into ours.  Rap Rap! on the desk… smash-cut to black.  A perfect ending to the show that redefined what it meant to distribute new and fresh content in the digital age.”
(And then if they start to protest and try to say anything about a third season or anything that may follow, I could always Catholic it up just a little bit and stick fingers in my ears, walking away saying, “La la la la la, I can’t hear you, la la la la!”)
 .
 .
 .
 .
P.S. – Correction.  If for some sadistic reason the writers were to give Old Freddy (the ribs joint fellow) Cancer of the AIDS of the eyeballs, I would feel something.  But I still wouldn’t watch the next season.
 .
 .
 .
 .

This short rant is probably unnecessary, given that anyone who sees this post will probably either (a) instantly agree with me, thus obviating their need to actually read this, or (b) not think there’s any problem with this behavior, in which case my words here aren’t likely to help them improve themselves… or help them find a fire to jump into.   (Pity, because either of those actions would benefit the rest of us massively.)

It’s 2015.  We all have smartphones.  They all have cameras.  With that great power comes great responsibility.

Most people understand that it’s not polite to whip out your phone and attempt to photo something in, say, a restroom.  Many people have learned that their friends online probably do not need to see pictures of every single comestible about to be put into someone’s mouth.  However, time and time again, I encounter one incredible failing of social grace that seems to persist even while most people are learning all other forms of smartphone etiquette.  So I must ask the question…

Why are some of you jackasses trying to record concerts and other performances??

I understand that you may be particularly pleased to be experiencing melody, dance, and voice to your liking.  I understand that you may wish to preserve this moment so as to experience it later… but that is why we have cognition and memory.  Please use your own evolved human brain and remember the performance by simply paying attention to it and enjoying it.  You’d think this would be obvious, but that is not the tactic employed by so many people.

Nowadays, no matter the venue or the genre, it’s not uncommon to see one or more jackasses holding up smartphones and attempting to record the event, ostensibly for later viewing…

Recording Performances with Smartphones

 

Of course, there are a number of problems associated with this idiotic behavior.  Let’s make a short list of them here…

1. Doing this bothers everyone else

2. Doing this means you are not actually paying full attention to the performance you are spending the time (and probably money) to attend

3. Doing this yields invariably shitty results

4. Doing this is often unnecessary

Please take these criticisms to heart and understand that everyone else in the theater (at least, everyone behind you) hates you when you are holding up your smartphone or other device.

 

1. Doing this bothers everyone else 

I’m going to borrow a line from Maddox when it comes to the use of phones or pretty much any other kind of technology in a darkened theater…

youtube-maddox

No matter how much you think that you have turned down the brightness on your screen or how well you are attempting to hold the phone close to your body (which almost no one actually even makes the effort to do) it is painfully bright to everyone else behind you.

You think that your phone looks like this…

What you think

When in fact it looks like this…

What we see

 

2. Doing this means you are not actually paying full attention to the performance

Many of the photos in this blog post were taken by me (yes, I realize the irony… but understand that I was actually in the back of the theater) during a performance by the famed Irish musician Danny O’Mahony who had traveled all the way to Montana.  This was a rare and wonderful opportunity to hear a talented and worldly performer and storyteller.

Yet, during the evening, there was no shortage of jackwagons with their smartphones and cameras, attempting to record.  One woman was so painfully inept that she spent the better part of the evening scrolling through menus and configuration settings on her phone while almost never successfully recording anything that she wanted to…

Idiot woman

… and another man in front of her was attempting to only record the song segments of the evening, but this meant that he had to hustle and shuffle around at the start of each piece, attempting to unlock his phone and start the video footage.  He was cutting off between 5 and 10 seconds at the start of every song.

And then, as if to put a cherry on top of this shit sundae, down in a front row we got to see… iPad man.

iPad man

If you thought smartphone people were the worst in public, you were wrong.  That honor goes to the more elusive but also more idiotic creature known as iPad man.  Using your iPad as a camera (or a videocamera, no less) in public is just about the most inconsiderate thing you can do to others.  The massive screen is not only brighter, its sheer size makes for blocked views behind you, too, due to simple geometry.

iPads are our generation’s Fanny Pack… no one looks cool with one out in public, and the fact that they hold more than what you can put in your pocket means that the most gauche among us think they’re the greatest thing ever: capable of storing loads and loads of crap that no one needs or wants, and allowing you to collect more along the way.

 

3. Doing this yields invariably shitty results

Travon Free said it best during an old installment of The Gentlemen’s Rant

youtube-rant

No matter how steady you think your hands are or how great a view you have, etc etc… nine times out of ten, any recording that you make on a smartphone during a concert or other performance in a theater space is going to turn out like crap.  The lighting will be severe, the resolution will be blurry, and almost always the sound will either be muffled or full of clipping due to levels that aren’t right for your shitty little microphone which your hand is blocking half of the time.

Regardless of the quality of the recordings, I’d wager that most people aren’t even going to bother playing those clips in the future.  Not for their own pleasure, not to show friends, not for anyone.  These are just recordings that will take up space on their device, and which bothered everyone when they were being filmed.

 

4. Doing this is often unnecessary

This would be the most hilarious part for me, if it weren’t quite so sad and annoying.  Many, many musicians and other performing artists nowadays have roadies (or just good friends) with professional gear and genuine skill who record their performances for them.  That was even the case during this concert in Montana…

professional recording

…when it was all over, I shared a laugh with the cameraman who had set up in the back corner and had captured the entire performance with a long zoom lens and board-level sound input.  This kind of setup is no longer the exclusive purview of headlining bands that sell out stadiums.  Check your local artists’ YouTube or Twitter pages; chances are they have recordings of the shows that you attended.  It’s very possible to enjoy the melodies and lyrics again and again without having to bother anyone around you.

So, please… if you’re the type of person who feels inclined to whip out your smartphone and record during a concert (even just for a song or two), STOP.  Just stop.  The results are ass and you are annoying the hell out of everyone else.

If you really, really want to enjoy the concert after-the-fact and your mind is too addled and fried for you to remember it with sufficient clarity, contact your artist and ask them about a recording.

Or, do what all proper dedicated fans do at shows where crowd recording is encouraged (hint: it’s the same thing plenty of dads did back in the 80s and 90s with their camcorders at school plays and the like)… position yourself in the very rear of the theater and learn how to document a show properly.  You may not be 100% “present” for the performance as it happens, but at least then you’ll have a fighting chance of producing a recording that is worth something to you and others after-the-fact.

Or maybe it won’t be, because you’re a nimrod and can’t operate your camera.  I don’t care either way.  Just stop doing it in front of the rest of us, lest we start resorting to pouring drinks on your head “accidentally” when we get up during a break.

So, I cannot believe the volume of tweets and discussion that this all generated.  :-)  Loads of people replied to me on Twitter (that link is just one of about a dozen conversation threads that rattled away) and the answers I saw were wide-ranging.  Of course, there were more follow-up questions than there were actual answers, I think.  :-)

People disagreed if the distances should be calculated based on surface travel or as the crow flies.  The great-circle theorem and Haversine formula were linked.  We all mentioned that moose do not fly.  Someone asked about the moose stealing a plane.  The question was clearly phrased with the words “running” and “walking” and no moose-bearing plane could fly at those low velocities.  Someone asserted that moose COULD fly and someone started working on art to show this.  Someone else asked about the forward surface area & air resistance of an adult moose.  My house mate responded that this should already be presumed to be factored in.

On the ground routes, people disagreed over whether the moose would use Google’s walking or driving directions for route planning.   I stated that while I hadn’t considered that, the photo in my blog post clearly shows the moose on a road, near a car.  Someone asked if that was just a moose CROSSING a road.  Bruce Potter brought up the issue of moose and swimming.  Noise and Aloria both asserted that moose do not proceed across the landscape with any urgency and often stop to rest and eat.  People discussed whether a moose could hijack a car.  Someone else asked about a moose with a jetpack… clearly irrelevant, but now that’s all I can picture in my mind and I wish to see Congress appropriate funding for the development of this technology.

And there was no shortage of people offering theories involving the Philadelphia (or, alternately, the Cleveland) moose being drunk, a brawler, or eager to leave his or her own city faster.  Space Rogue pointed out that neither city is part of the natural range of any moose so that the moose “From Maine” is the winner because that moose actually exists.  It was also pointed out that I did not specify which Cleveland in my original question.

I was inclined to give a prize to Carl Numbus…

But ultimately, here is how I was calculating things…

Cleveland, OH moose has to travel 369 miles and at 25 M.P.H. this takes 14.76 hours
Philadelphia, PA moose has to travel 138 miles and at 10 M.P.H. this takes 13.8 hours

ANSWER: the Philly moose should get there ~58 minutes sooner

It turns out that the first person to actually tweet to me was the one who came the closest to the answer I was expecting.  He followed-up with the answer in minutes shortly thereafter and was therefore declared the winner in my book.  He can email me this week and purchase a spare ticket I had grabbed for face value.

Thank you to everyone and I’ll see you in Washington, D.C. this January!

.

.

 

– — —– ———-[ ORIGINAL POST ]———- —– — –

Two moose are going to ShmooCon.

 

Moose 1 runs from Cleveland to Washington D.C. at 25 Miles per Hour

Moose A walks from Philadelphia to Washington D.C. at 10 Miles per Hour

If they start at the same time, which moose gets there first and by how many minutes do they beat the other moose to the finish?  (Plus or minus 5 minutes)

 

First person to tweet the answer to me gets to buy a spare ShmooCon ticket at face value from me.

volvo-wild-animal-detection-testing-with-moose-in-road

Thank you to everyone who reached out to me, helped spread the word, helped re-tweet, and did things I don’t understand on the Facebook, something of which I am not a user.  ;-)  Extra big thanks to Heidi Potter whose exceptional efforts in spreading the word came to the attention of some other hacker friends elsewhere in PA.  Their cat has been lonely ever since her companion bunny rabbit in the house passed away.  They reached out and so lovingly offered up a home for Chico and Mouse Face.

The actual process was nothing short of a catastrophe, thanks to the badly-managed and logistically broken SPCA here in Pennsylvania.  Despite making all arrangements with the Philadelphia office to have the cats held and waiting for their new owners on Friday, things went awry.  The new folks were driving all the way down from the Poconos to meet me in North Philly at that SPCA office when I learned that, with NO explanation, the cats had been MOVED many hours away.  So, abruptly and after having almost made it to Philadelphia, they pulled off the road, I spent time on the phone, and we tracked down the cats like prisoners who had been mistakenly lost somewhere in the DoC network.

In the end, we all arrived at the Danville, PA SPCA and it was so dysfunctional that over an hour passed before things could be completed.  The administrative “do not adopt out” holds that had been placed on the cats’ files could not be removed, then the staff kept attempting to attend to dozens of other odd tasks at the same time, and even (surreally) a farmer and his wife came in and started trying to talk to everyone present about a sheep theft from their farm.  This was a case of over-worked staff trying hard to do “everything” at the same time and ultimately doing nothing at all in the process.  Eventually, we took matters into our own hands and took the carriers back to the holding areas and sprung Chico and Mouse Face from their cage.  They were so scared.

This is the most morally-conflicted part of the tale for me.  I mean, I love the SPCA and the work that they do and I am SOOOO grateful for the organization’s No Kill policy, but let’s face it… it’s kind of a hell hole back in those holding areas.  There are just row after row of huge barracks of cages.  All the animals are stirred up and constantly yowling and yapping and howling.  It’s really like some sort of awful jail to them, where everyone is shaking and unsure of what’s going on.  Chico immediately ran into my arms when I popped the lock on his cage.  Mouse Face was initially hard to find… he had hidden himself beneath all of the bedding and cushions in the cage.

In the end, we got them secured and finished all the paperwork, petting them the whole while…


And, many dollars in fees later, my friends were taking them home.  Getting a photo sent to me later that evening showing my pair of cats resting comfortably and undisturbed on nice chairs like regular pets set my heart glowing and lifted a tremendous weight from my shoulders.

cats home

Despite all its logistical failings (and the stories we heard from staff and patrons while waiting were manifold… Transport services often move animals incorrectly, people lose paperwork, medications are handled incorrectly, etc etc etc) the SPCA is a wonderful organization and deserves our support.

And, of course, if you are thinking of bringing a new pet into your home… please consider adopting from shelters or other services where animals without homes are waiting for you.

Thank you.  And thank you to all my friends who helped make this one of the best Holiday Seasons ever for me.

Much love to you all.

- — —–[ ORIGINAL POST]—– — -

As some folk who know me are aware, I am the owner of two adorable and friendly cats — Chico and Mouse Face — who deserve more love and attention than I can provide at this time.  When it was me and my then-girlfriend, someone was always around.  Then it was just me, plus other housemates from time to time.  Now… it’s just me.  And I am out of the area (and out of the country) more and more every month.  My time is becoming divided between D.C., Montana, Europe, and the Middle East.

 


Chico

Because I am spending as much as half of my time overseas for the foreseeable future, it was undeniable that this was not fair to the cats or to any friends whom I would ask to look after them when I’m away.  I was forced to seek a new home for them where people were around more often and they would not get so lonely.  One friend pitched in for a while, because he shelters animals with no place else to go.  In his tiny 2-bedroom house he was caring for 5 cats but still agreed to give Chico and Mouse Face a good home.  This arrangement was imperfect, but for the past few months it’s been what we had to do.


Mouse Face

 

Now he is forced to take on an 85-lb Labrador pup because of an owner who was urgently called out of the area on a legal matter.  The situation at his place reached a breaking point, and my cats had to move on.  After trying for weeks and weeks to ask anyone whom I knew, it was clear that we were out of options.  With the dog deadline day looming, the hardest thing I can recall doing in my life was to take Chico and Mouse Face to the SPCA and offer them for adoption.  The PA SPCA has a no-kill policy and Good Home Guarantee if the pets meet proper health and personality criteria.  Many medical tests, many fees, and many tears later, they were being accepted back to their new cat condo in North Philly.

Because they are a pair, that means they get a little more space at the shelter.  But it might also be harder to place them.  So I am turning to the Internet for help.

 

kittens 01

 

These two cats are both almost 8 years old and from the same litter.  They squabble on occasion but always make up soon after.  They are both fixed and have clean medical histories.  I will supply their new owners with treats, toys, and also their hardware.  What hardware?  Well, these two cats use an automated feeder that dispenses their servings at the right time of day and a water fountain that recycles and cleans itself.  My buddy also still has their pet carriers.  All you’d need to provide is love.

If you are from anywhere in the tri-state area or even as far north as New York or as far south as DC, I would totally make it cost-neutral for you to adopt these two lovely, lost souls.  I will cover all fees at the SPCA, help you with mileage to and from here, and even take you out for a meal (I’d want to do that anyway, to get to know you.)

If anyone in the hacker or tech community is willing to open their home to two little animals who need more love than I can provide, I can’t say what a difference that would make for my Holiday Season.  It’s all I want for Christmas.

Please feel free to email me anytime… deviant@deviating.net

 

 

I’m totally not above trying to play on your emotions here.  So allow me to just say: here are my two cats looking up at you, hopeful that your home would be right for them…


And I’d like to tell you a little bit more about them.  Chico loves to explore in order to find new places to investigate…


… and Mouse Face loves to explore in order to find new places to sleep…


… Chico likes to sleep, too.  But his favorite sleeping spots tend to be under covers (see the white feet sticking out)…


… some of Mouse Face’s favorite spots are boxes…


… but what cat doesn’t like boxes?  Chico also appreciates them sometimes…

Chico in a Box

… Mouse Face always gets told how brave and well-behaved he is, even on trips to the vet…


… but mostly these two just like to lounge and stretch out and spend their day sleeping. Next to people if possible, but on any soft surface is all they ask…


… well, that and tummy rubs.  If you see this inviting pose…


… then you shall know immediately what time it is!


Please let me know if you think you have extra belly rubs to give to deserving cats this holiday season.  Thank you.

In mid-November, Twitter follower Kevin Anderson asked me about a firearm lock box product called the GunBox.  Every now and then, because of my general interest in teaching and presenting about firearms and gun technology, folk will reach out with such questions.  Often, the safe and lock box inquiries come my way because of a presentation I gave at DEF CON 19 regarding the relative security (or insecurity) of many popular firearm lock boxes.

According to the manufacturer’s web site, the GunBox “has cutting edge technology, state-of-the-art design, and incredible features that make safely storing firearms with quick access a reality” and it is “the ideal way to Defend Responsibly.”  As you will see from the analysis below, while the GunBox is as effective as any other low-cost firearm lock box (most of them retail in the $150 – $300 range and the GunBox is within this zone, albeit on the higher end) at preventing a toddler from accidentally laying hands on your gun and having a terrible accident, it is not at all suitable for long-term storage or for deterring criminals or even curious teenagers.

The staff who monitor the GunBox’s Twitter account were not keen on discussing how their hardware functions, but it becomes apparent from the moment that you open up this unit how their lock (and also the bypass/override method) works.  Honestly, this is the first thing you see when the lid is open.  I didn’t even have to take the internal compartment apart or pull back any rubber or plastic elements.  Because the bypass method is so painfully obvious, I do not have any real ethical qualms with documenting it here.  The manufacturer is more than adequately aware of how this works and (it would seem) has no plans to change how this feature (or “vulnerability” depending on your point of view)  is implemented.

 

Amazon has this item available via Prime shipping, so the unit actually beat me to my house.  I ordered it a couple of days before flying home from the Persian Gulf and it was there when I arrived.


Upon opening the unit, one immediately can see the latching mechanism that keeps it shut when closed and locked.  There is a small peg with a metal cone on its tip sticking up from the base…


… and this peg interfaces with a pair of sliding metal plates in the lid that form a hole which can expand and contract via spring pressure…


 

As the lock box can be closed just by pressing the lid shut, one can immediately discern that the metal plates slide apart simply by any force acting upon them.  The lock and circuitry mechanism is not needed to cause them to move…


 

As mentioned by the GunBox folk on Twitter, the unit ships with a small hex head Allen key which can be used to bypass the main locking mechanism and open the box if other methods fail to work.  While the conversation they had online was intentionally vague, they attempted to indicate that the Allen key was simply “the tool that is used [to access the bypass hole]” and they went on to state that “the manual override is not that simple.”  This is patently false.

Yes, the hex head bit is used to remove a small set screw in the bottom of the box, exposing the bypass hole.  After that, however, the same exact tool is inserted and simply wiggled from side to side.  That is all.  That’s the entire attack.  The shaft of the Allen key interacts with this small slot on the metal plates…


When we opened up the box and looked at this, you can see that we figured it out in seconds.  The following video (which was Take One of the whole analysis) shows the process unfold.  Not only did we figure out the attack in short order, but it was trivial to perform.  It took me about 15 seconds to seat the handle of the Allen key in the correct slot the first time, then 5 seconds later the box was open. Subsequent attempts took under 10 seconds total.  It’s a process of (1) insert, (2) rock the handle of the tool toward you and therefore angle the inside tip of the tool rearward, (3) find the bypass slot in the metal plates, (4) press the tool to your right and therefore disengage the upper plate which moves to the left inside the box, (5) press the tool to your left and therefore disengage the lower plate which moves to the right inside the box, (6) the box is open.

.

(If for any reason that video becomes unavailable on YouTube, I’ve also uploaded it here on Vimeo)

 

There were quite a few things that I found disturbing about this whole process…

1. This entire bypass process was monumentally trivial to discover and to perform.  The fact that anyone could speak of this as though it were some massive secret is astonishing.  The bypass hole and the slot in the plates where it is performed are immediately visible to anyone operating the safe or even just glancing at it when it is open.

2. There is no evidence at all that the bypass is used.  The safe doesn’t appear to have any logging functionality if the latch is released manually.  The small set screw could be secured with a tamper-evident seal (although, as The CORE Group will tell you, tampering with security seals is often a very valid attack vector, as well).

3. The unit does not alarm if the lid is made to open up without any valid credential or token associated with that event. (For instance, by bypassing it.)  There is no reed switch or contact switch to tell the GunBox if the lid is open or closed.

4. In general, it was surprisingly hard to actually set off the “tamper” alarm at all.  I could not tell what manner of conditions cause it to beep, but as you can see in the video a lot of jiggling and banging did not set it off.  Apparently, only totally tipping the unit vertically seemed to cause the alarm for me.  Maybe I was doing something wrong.

5. The fingerprint reader and RFID tag appeared very unreliable in their operation.  Again, I’ll leave it to GunBox to respond… maybe I was making too many repeated attempts with fingerprints and mis-reads of the RFID tag and this caused some kind of delay/timeout period to trigger.  In general, however, I would most assuredly NOT trust my safety or my family’s security to this unit during a tense situation when a firearm was needed quickly.

6. The RFID technology used looks highly clone-able.  Babak is still in the Gulf for another week, but once he gets home we’ll test the RFID tokens out with his ProxMark.  I’ll wager dollars to doughnuts that these RFID credentials have zero protection against cloning and copying.  That will constitute Part Two of this review and analysis.

.

Beyond all that, the unit appears to be your run-of-the-mill firearm lock box.  It is spacious enough to store one (or more) pistols or revolvers of adequate size…


… and I even hit on an interesting phenomenon: when I had two of my H&K pistols in this box together, they obscured and occluded the bypass hole and made it unfeasible to perform the manual override opening technique…


… of course, given how shaky the fingerprint and RFID readers were on the GunBox that I was testing, I don’t know how wise it is to lock up any valuable pistols with the override disabled.  ;-)

Honestly, though, if I were forced to choose between a lock box that offered almost no protection versus a box that was unreliable but had no bypass opening, I’d probably go with the latter.  Were I to own a GunBox, I’d use some ThreadLock (the red permanent kind, not the blue light-duty variety) on that little set screw and feel a lot better about the unit.  But that’s if I were somehow forced to use this.  In the end, my plan will be to let my buddy tinker with the RFID controls, then box it all back up and return it to Amazon.  The folks at GunBox have stated that they “do not want everyone knowing the manual override” but I can’t imagine how anyone would predict this information not becoming public.  They have taken utterly no steps to obfuscate or protect the bypass feature.  Ultimately, of course, security engineers know that the best way to prevent details of a backdoor in your system from becoming public is to not design a bypass in your security in the first place.

Personally, I’m very happy with my MicroVault and LockSĀF products, since I’ve modified their manual override locks for greater protection and robustness against attack.  And that’s just for times when I need a quick-and-simple solution in my home or my car for carry pistols.  Essentially ANY small firearm lock box tends to be something designed first and foremost to prevent little hands from causing a negligent discharge and then –only secondarily– to guard against some forms of basic quick theft attempts.  Small firearm lock boxes should NEVER be thought of as gun safes and they should not be considered a means of housing and storing valuable firearms in a permanent way.  Only my daily carry pistols are kept in small lock boxes.  My main collection all resides in heavy-duty Liberty safes at the various homes where it is housed.

That’s just my two cents.  Feel free to do your own testing and do whatever you feel is right and best for you and your loved ones.  Stay safe out there!

It’s Halloween and not April Fool’s Day, so hopefully you won’t take it as a gimmick when I say “I had a rather rewarding Twitter conversation recently” at the start of this blog post.  But I did.  This long collection of thoughts is my reply and follow-up to that dialog with some other folks since — as you’ll see — if I tried to shoehorn these comments into 140 character chunks I’d be kicked off of Twitter via the rate limits in their API.

It all began (for me) when my friend Laura (@soapturtle) retweeted something where the author C E Murphy (@ce_murphy) had linked to an article by Kat George (@kat_george)…

 

Six things you might not think are harassment but definitely are (because apparently we need to clear a few things up)

This article lists the following behaviors as unwelcome forms of harassment practiced by “sex pests” on our city streets…

  1. Telling someone to “smile”
  2. Saying “god bless you”
  3. Giving compliments
  4. Staring
  5. Speaking to someone who clearly does not want to be spoken to
  6. Becoming incredulous when you are ignored

 

While I found the main thrust of the piece to be very accurate and a good accounting of speech and actions that are totally creeper behavior, I (and apparently many other people) took issue with item #3… “giving compliments.”  One must presume that Ms. George was actually talking about “compliments that aren’t really compliments” but the tenor and tone of the article made it difficult to really gather where the author felt the line should be drawn.  For instance, Kat mentions that…

…we can receive compliments that are given out of kindness. For instance, there’s an elderly man who lives on my block and when I see him on the street and I’m dressed up to go out he’ll tell me I look lovely. He’s pretty much a stranger, I don’t know his name or anything else about him. But he’s not eye-fucking me when he says it, and there’s a sincerity in his tone

…and if that point were made more prominently, I feel that the whole piece could be received a little more easily.  However,  Ms. George calls that individual a “complete anomaly” and takes a much harsher tone elsewhere.  I and other readers who commented a bit started to fixate on other passages, such as…

Complimenting the physical appearance of a random woman on the street is not a compliment. Even if you think of it as a compliment, and think you’re being nice and that she should feel glad to have received your compliment, well, that view is indicative of a really problematic mindset that says your opinion matters enough for us to want to hear it.

The man “complimenting” her feels entitled to look at her, judge how she looks, force that judgment onto her, forcing her to internalize his view of herself. And if he feels entitled to her in those ways, where does it stop? Where is the line of entitlement drawn? Maybe that’s as far as it goes with this one person. But how does the woman know? How does she know that he doesn’t feel equally entitled to have sex with her or beat her or kill her, as some men do feel entitled to do to women?

Being complimented by a stranger for her nice dress or top is just as insulting as it is harassing.

Ultimately, the notion that we should all ignore our fellow citizens in the streets seemed to be the theme expressed.  I do not believe that was actually what Kat George was attempting to convey, but the wording grew particularly harsh and very concrete in some places…

It’s safe to assume that a vast majority of people don’t leave their house in the morning looking for a conversation with a stranger on the street.

Unless there’s something circumstantial that creates cause for polite conversation (the loose shoelace, for instance), there’s no reason to assume a woman would like to be spoken to

I would strongly encourage everyone to take the time to read fully through Kat’s piece, however.  Clearly, I am picking and choosing specific quotes from her article to illustrate a certain atmosphere that some sentences carried, but I don’t want to be seen as crafting her theme for her.  Read the whole piece, and see how it strikes you.

It moved me enough to reply on Twitter.

I responded to Laura and Ms. Murphy, registering my unease at the tone of defensiveness and dour attitude espoused in the article’s writing.  “Lines like ‘being a woman walking in the street, almost ALL uninvited attention from men is threatening’ make it hard for a lot of readers to accurately judge the tone of that piece. It’s easy to dismiss as alarmist,” I remarked (across a few tweets).

Laura encouraged me to see it more from the perspective of women, and Ms. Murphy made a more in-depth response…

But it’s true. Most uninvited attention is threatening. It’s not an alarmist statement to/from/by women.  I’m not trying to be difficult when I say that I assume from your userpic that you’re male, & that to me when you say “a lot of readers” it scans to me as “men” because most women wouldn’t find it alarmist, just accurate.

One problem is this: if a man grabs a woman’s ass, uninvited, he is presumed to be getting something out of it.  If a woman retaliates, i.e., grabs a man’s ass uninvited… he is presumed to be getting something out of it. The power dynamic there is always in the man’s favour, see? It’s the same with nearly any male/female interaction.

I genuinely appreciated these and other folks’ desire to respond and engage me on this topic, so I made the best attempt I could at replying with a few more tweets…

I’d love more dialog on this. And yes, I am male. :-)

I fear that my perspective on this is inherently flawed due to (a) being raised right, (b) the circles i’m in.  A number of other women have reached out to me, essentially saying, “the hacker world is not the same” etc etc.  Most of all, the small 140-char limit is poor for deeper discussions like this. I wish we could all hang out sometime.

While the limits of brief tweets and the lack of any facial expressions or body language injected into the social discourse can often lead to unnecessary ratcheting-up of emotions and unhelpful sniping, this was a really rewarding conversation and we both agreed that it would be good to attempt fleshing out of our thoughts a bit more via some other medium.  Ms. Murphy made the following comments back to me which I found deeply rewarding.

“It’s really heartening to have an interaction with someone like you. So seriously, thank you. Also, do you guys mind if I blog about this conversation? … I’d like to talk about it.”

That’s wonderful, in my view.  I find it very heartening when brief chatter can turn into a real dialog and no one resorts to ad hominem attacks or being needlessly catty or rude.  I later emailed Ms. Murphy, offering up some of my own words and thoughts.  And now I’m sharing them here… because Twitter would most assuredly not suffice for the torrent of commentary I had on this topic.

 

My response to Six things you might not think are harassment by Kat George…

While most men (or just about any people who would attack the position voiced in the article) probably hold opinions of the unhelpful “ah, speech is speech, just ignore it or toughen up” variety, I feel that my take on the matter is somewhat different.

Let me be clear from the start that I hold deeply passionate libertarian views and therefore part of me really does believe that on a fundamental level, society is best governed by the old adage “free speech stops where the fist meets the face.” One can rant and rave and get right up in someone’s mug but unless they actually touch the person or directly impact them physically, I’m loath to see legislation that would curtail the behavior of the offending party. (That’s not to say societal norms shouldn’t put pressure on them… I’m just being clear that being an asshole shouldn’t be a crime, in my view.)

However, I think a different streak of my libertarian persona is actually driving my feelings on this topic. It’s more akin to the “someone else’s bad behavior is not adequate reason to curtail my liberty” kind of thinking. Allow me to approach the topic from a wholly other perspective for a moment… the realm of intoxicating substances. It may further make me look like an extremist libertarian whackjob to say it, but I’ve believed in decriminalization of nearly all drugs and alcohol for quite some time. The freedom of an individual to put whatever they want into their body and alter their consciousness as they see fit — even to their own detriment — is something that I see as their own choice which should not be impeded by the state. Again, societal norms and pressure from friends/family are wholly appropriate means of attempting to affect someone’s decisions, but law enforcement and criminal penalties are not, in my view.

“But what about the rife problem of addiction and negative behavior that society faces!” comes the criticism in retort. “From drunk driving to broken homes to abuse to school drop-outs to blah blah blah on down the line…” runs the list of ills that we face when people become dependent upon and ultimately abuse alcohol, marijuana, cocaine, and the like. I do not deny this, but (and now we finally come to my key point) I see myself as a responsible person. I see myself as in control. I see myself as a fully free agent capable of (and by right entitled to) making my own decisions, including decisions about substance use. In short… “The bad behavior of other people — including law-breaking people — is not sufficient grounds to curtail my own behavior, especially since I am decent and law-abiding” is my philosophy.

Often innocent people (or, phrased another way, people who are not posing or doing any harm to others) are the ones most impacted when calls are voiced for limiting behavior or speech in some manner. Since there are far more decent people in the world than bad people, inevitably new regulations or attempts at curtailing behavior wind up impacting good people more than bad ones.

1. People use alcohol
2. Some people abuse alcohol
3. Alcohol is made illegal
4. Now no one (ostensibly) gets alcohol
5. A few bad people are (again, in theory) denied alcohol
6. Far more good people are denied alcohol
——————–
Net Result: more harm done to society than ill prevented

Side Result: step 5 doesn’t work well and plenty of “bad” people are still drinking and causing trouble

I think that people like me see the tenor and theme of many articles like Ms. George’s as almost advocating the notion that “men should never talk to women whom they don’t know on the street” and this, of course, leads people to the following logic…

1. People talk while out in public
2. Some jackoffs talk abusively and harassingly
3. People are told “don’t talk to others whom you don’t know”
4. Now no one (ostensibly) speaks to women they don’t know
5. Maybe some jackoffs shut up (but probably won’t)
6. Mostly, this just prevents normal societal intercourse while out in public
—————–
Net Result: streets are actually a LESS friendly place for all citizens

Side Result: women’s interactions with others now actually tend to seem /more/ hostile and unfriendly because good folk are encouraged to stay silent but assholes will continue to be assholes.

Ultimately, I think that as outsiders reading a piece like this, we come away with the impression that the author and those like her advocate a rule of thumb being, “When out in public, just don’t talk to women around you if you don’t know them… especially if you’re male.”

Aside from giving me visions of time spent in repressed Muslim countries, that kind of logic leads (in my view) to the problem described above: it just makes society a less friendly place and ultimately reduces how we can interact with one another. I would think that for maximum impact and greatest acceptance to all readers, articles like that one would do well if their overriding theme and take-away lesson was twofold…

1. If you see harassing or ungentlemanly behavior towards women (or, frankly, towards anyone else) on the streets or out in public, stand up to it. That applies to both men and women. Taking an active role in saying “this is not OK and you are a loser who is a joke to everyone else” has a real impact. It has the MOST impact if it comes from friends and associates of the asshole and they register their complaint directly and plainly to them.

2. Just as important, in my view, is “if you are NOT an asshole and not hitting on everyone you see, be friendly, polite, and open in your hellos and compliments to others… including women.” I see the solution as not less speech, but more speech. Specifically, good and kind speech.

I say hi to almost anyone I encounter while waiting for a trolley, standing in line, holding open a door. I say “how do you do” in a brief but friendly manner to others sitting in my row on a plane or riding the same elevator as me. And, yes, I frequently also compliment things about them. “That coat is exceptional… you don’t normally see people wear purple, but that really works on you!” or “Let me just say, those boots are really spot-on. Nice leatherwork!” and “Wow… you don’t see someone reading The Guardian often. Good choice! Who carries that around here?” are three examples of comments I made just yesterday. In all cases, it was clear that I was not hitting on anyone and had no expectation beyond brightening their day. In all cases, I was met with smiles and kind chatter back.

Yes, it is true that I tend to compliment women more than men. But that’s not an exclusive thing, and I like to believe I’m not doing it out of some position of sexual desire. I’ve told guys out in public that their jacket was kickass or that I liked the band or political sentiment represented on their shirt. I’ve done so on the streets of West Philly or in the Gayborhood on Pine Street. I treat all genders and orientations pretty much the same in my conversations because in all instances I am not interested in having anything to do with them without benefit of my pants.

So yes, that’s my main philosophy and it works for me…

1. Discourage assholes from assholin’ whenever you see it

2. Say hi to as many of your fellow citizens as you can and make it clear from your behavior that you’re not interested in immediately seeing them naked

… If more articles were to include that as their overall theme and not word things quite so much along the “leave women alone at all times because they are in constant danger and need to be insulated from men” kind of phrasing (yes, I’m over-dramatizing) then I think society would be a much better and happier place.

 

 

Incidentally, if I were ever afforded the chance to sit and chat in person with Catie Murphy or Kat George I would jump on that opportunity.  I’d even buy the first round.  ;-)  (OK, maybe this is the wrong time for that joke.)

Overall, I hope that this post just generates more positive discussion.  I also hope that my analysis above of Kat’s piece didn’t give the indication that I dislike her or find her to be wrong-headed.  It was just the manner in which she chose to speak that raised an eyebrow with me.  And this is expected, perhaps, given that when we write something with passion on a topic where emotions run high it is natural to speak with fervor more than finesse.

The bulk of Kat’s work appears to be delightful and enjoyable.  I’m eager to see future installments of “The Big Gulp” but I have thus far not experienced any of Catie’s creations as of yet.  At least one appears to involve handcuffs, however, so my interest is piqued somewhat on that front.

If you’re here with me at DerbyCon right now then I hope you’ve stopped by the Lockpick Village.  I have nothing to do with running it, rather it’s offered up and operated by the outstanding FOOLS (Fraternal Order of LockSport) who do an epic job every single year, bringing out new tech and new toys to teach all the girls and boys.

I have added one thing to their Village this year, however.  It’s a single purple padlock, hanging on one of their lock boards…

Purple Puzzle Padlock

… this is a contest lock.  If you aren’t familiar with this style of mechanism, let me explain.  This is known as the Master 1500i, which they call the “speed dial” but which we call the “hash lock” because “speed dial” is a stupid name for it.

Nothing is “dialed” when operating this mechanism.  The combination to open a padlock of this type is entered as a series of pushes… up, left, down, or right …on the single big button on the front.

Press in on the shackle (to reset the gears inside), enter your series of pushes, then pull it open… simple, right?  Well, the actual internals are pretty amazing stuff.  Our good friend Michael Huebler of the German sportpicking group SSDeV did extensive research on these locks and even produced a very interesting internal visualizer tool and white paper to teach others.

There is a decode attack for these locks.

It is not super easy.

If you want, you can try to decode this lock.  If you’d like to try to get the combination by another means, however, I’ve put up a little crypto puzzle.  Follow the clues and you should be able to discern the correct series of pushes to open the lock.

If you show the lock to any member of the FOOLS staff in the Lockpick Village before the end of DerbyCon, I’ll have a prize for you!  (You must bring the lock to them OPEN, not merely photograph or video it or tell them what you think the code is.  They do not know it.  Although, you should still try to bribe them with drinks.)

We’re calling this puzzle “Around the (most of) the World in (more or less) Eighty Hours.”  Here you go…

Around The World

UPDATE – The above Puzzle has been solved by Scorche of TOOOL and DC949. Way to go, man!

The solution appears below, along with a step-by-step breakdown of the stages and the clues that were available to help people along.

Step One - the above image from the post announcing this contest (which was paired with some nonsense text about being at the controls of a spaceship, etc) contains a reference to a YouTube URL.  Some people spotted that the font on the blackboard was different in one place…

Chalkboard Text

… and if people didn’t think that a v= variable could represent a youtube URL element, I later tweeted this hint image…

youtube

So hopefully that steered enough people to find this clip.

Step Two – The YouTube clip was clearly a Morse code segment, and if people couldn’t figure that out I even included the image of a signaling key there.  So, folk would listen to that and hear a series of letters.

If someone is very, very good with radio they might have been able to just listen to the dots and dashes, but there are also a series of other tools that can make the job easier.

Morse Translator

The above is an app that runs on Android and iOS and will listen to Morse via the microphone and simply show characters.  Also, later on I tweeted the following hint…

Off Liberty

offliberty.com is a site that will easily allow you to download a YouTube video as MP4 or MP3 audio.  If someone were to pull the file and view the soundtrack in a wave editor, the dots and dashes of the Morse can become very easy to read…

Wave 01

Wave 02

So these dots and dashes would transcribe into the following groups of letters…

PCG     XEX      RJE      LZK      YVF      PVN      ROO      CUY      FQS

Step Three – The letters above could mean a lot of things, but I tried to give people a slight hint with the following tweeted image…

boarding

You see a boarding pass, hopefully you think Airport Codes.  And all of the above letter groups are airports… almost.  These letter codes represented airports in very, very obscure places (and someone later told me they almost lined up in a nice great circle route!) but one letter code is just wrong.

Some people explained that they thought I had done something wrong in keying the Morse code letters.  So I later sent out another tweeted hint image…

Apollo 13

…now while this may have led some people very astray in their thinking, given that this is clearly a press photo for a NASA mission, a few diligent and observant folk spotted that this was the crew of the Apollo 13.

What do hackers think during crypto contests when the number 13 appears?

Step Four – That’s right… run the letter codes from the Morse message through a ROT-13 pass.  This is the result…

CPT     KRK      EWR      YMX      LIS      CIA      EBB      PHL      SDF

Now THOSE look like some more common airports.   All that was left was to plot the route going from those cities, in order, and see what “direction” you would be flying.

Scorche map

The hash padlock uses a series of pushes.  So if the “plane” is flying North, that’d be “up” and West would be “left” etc etc etc.  Look down the flight itinerary and this is what you ultimately find…

U    L    U    R    R    D    L    L

And here you can see Scorche solving the puzzle… great work!

Thanks for letting me whip up a little contest like this for DerbyCon.  Thank you to everyone who gave it a try.  I always focus on mechanical locks, so this little crypto puzzle was a hoot.  (Best part: realizing that when I ran the airports through a ROT-13 pass that they STILL were legit codes in all but one instance.  That was awesome and totally unplanned.)
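For anyone who wants to replay Steps Two through Four end to end, here is the whole chain (Morse to letter groups, ROT-13 to airport codes, flight legs to pushes) as an added example, not code from the original contest. The dot-and-dash transcript is constructed from the letter groups listed above, the airport coordinates are approximate values supplied for the example, and treating each leg's larger change (latitude versus longitude) as its "direction" is an assumption about how to read the plotted map.

```python
import codecs

# International Morse code for A-Z, in alphabetical order.
_CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- "
          ".--. --.- .-. ... - ..- ...- .-- -..- -.-- --..").split()
MORSE = dict(zip(_CODES, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))

# Constructed transcript: the post's nine letter groups written back out as
# dots and dashes (letters separated by spaces, groups by " / ").
TRANSCRIPT = (
    ".--. -.-. --. / -..- . -..- / .-. .--- . / "
    ".-.. --.. -.- / -.-- ...- ..-. / .--. ...- -. / "
    ".-. --- --- / -.-. ..- -.-- / ..-. --.- ..."
)

# Approximate (latitude, longitude) in degrees, supplied for this example.
COORDS = {
    "CPT": (-33.97, 18.60),   # Cape Town
    "KRK": (50.08, 19.78),    # Krakow
    "EWR": (40.69, -74.17),   # Newark
    "YMX": (45.68, -74.04),   # Montreal Mirabel
    "LIS": (38.77, -9.13),    # Lisbon
    "CIA": (41.80, 12.59),    # Rome Ciampino
    "EBB": (0.04, 32.44),     # Entebbe
    "PHL": (39.87, -75.24),   # Philadelphia
    "SDF": (38.17, -85.74),   # Louisville
}


def decode_morse(transcript):
    """Turn a dot/dash transcript into a list of letter groups."""
    return ["".join(MORSE[sym] for sym in group.split())
            for group in transcript.split("/")]


def rot13(group):
    """Step Four: rotate each letter 13 places."""
    return codecs.encode(group, "rot_13")


def push(origin, dest):
    """Map one flight leg to a button push by its dominant axis."""
    (lat1, lon1), (lat2, lon2) = COORDS[origin], COORDS[dest]
    dlat = lat2 - lat1
    dlon = (lon2 - lon1 + 180) % 360 - 180  # take the shorter way round
    if abs(dlat) >= abs(dlon):
        return "U" if dlat > 0 else "D"
    return "R" if dlon > 0 else "L"


def solve(transcript=TRANSCRIPT):
    """Morse -> letter groups -> ROT-13 airports -> sequence of pushes."""
    airports = [rot13(g) for g in decode_morse(transcript)]
    return "".join(push(a, b) for a, b in zip(airports, airports[1:]))


if __name__ == "__main__":
    groups = decode_morse(TRANSCRIPT)
    print("Morse groups:", " ".join(groups))
    print("Airports:    ", " ".join(rot13(g) for g in groups))
    print("Pushes:      ", " ".join(solve()))
```
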