Mar 24 2009

How to resubmit a Feedburner podcast to iTunes

For months—months—I’d had trouble submitting the Comparative Media Studies Colloquium podcast feed to iTunes.

Today I finally had a free morning to really sort through these issues.

  1. When I tried to submit Feedburner’s podcast feed, I would get the message “It appears the feed has already been submitted.”
  2. That was a problem because the podcast was not listed in the iTunes podcast directory
  3. iTunes is notorious for not responding to requests for help, though I can’t blame them

(There were also problems with converting our podcast feed to XML and discovering that Feedburner now requires a Google account, but that’s not for now.)

After rooting around a dozen different help forums, one thing was clear: the only way to resubmit a podcast feed so that iTunes doesn’t think it’s a duplicate is to change certain key XML data. Though no one in these forums knew so, it turns out that you can change this data within Feedburner itself:

  1. Log in to your feed
  2. Click the Optimize tab
  3. In the sidebar under Services, click Title/Description Burner
  4. And within that, tweak the description of your podcast

I went an extra step and changed more, since all of that “Optimization data” is actually what shows up in your podcast feed’s XML. So I added geotag info, a new image, and selected the SmartCast and SmartFeed options….all the more to make it appear different from the previous version already submitted to iTunes.

The podcast should be on iTunes sometime next week. And though I hate to wait for it, this email I just got was so very sweet:

Dear Podcast Owner

Your podcast feed, [ http://feeds2.feedburner.com/MITCMSColloquium ] was successfully added and is now under review.

Sincerely,

The iTunes Store Team


Feb 5 2009

Google Suggest results for "how to" and "how to file"

The wife and I wanted some tips on how to comfortably file our dog’s nails. Naturally Google is a first destination for “how to” searches, but I’m always a little weirded out at what Google’s autocomplete feature—Google Suggest—presents as the most common searches starting with “how to…”:

howto

And once you type some more, “how to file…” isn’t much more reassuring:

howtofile

What about you guys? Ever run across creepy suggestions while searching for something totally different?


Jan 30 2009

+1 for Apple customer service

The battery for my MacBook Pro completely died—I can only get a 10-minute charge out of it—just days after my warranty expired. It was a frequent problem with batteries from a particular batch.

So this morning I called up Apple customer service and found out that a new battery would cost $129. So I did what Consumerist always suggests and asked flat out what I could do to get it for free. The friendly rep put me on hold for a minute to talk to a superior and came back with my full customer history and said, “It looks like you’ve been a customer with us for about four years, so we’re going to go ahead and waive that charge.” All I have to do is make sure to send the old battery to Apple, presumably so they can confirm it’s defective and make sure it doesn’t end up in a landfill.

Me = happy customer.


Jan 30 2009

"To do that, by definition you have to be willing to become a criminal, and that’s a little bit rare."

Fascinating interview with a guy that wrote adware for a living:

S: Do you think that in our society we delude ourselves into thinking we have more privacy than we really do?

M: Oh, absolutely. If you think about it, when I use a credit card, the security model is the same as that of handing you my wallet and saying, “Take out whatever money you think you want, and then give it back.”

S: …and yet it seems to be working.

M: Most things don’t have to be perfect. In particular, things involving human interactions don’t have to be perfect, because groups of humans have all these self-regulations built in. If you and I have an agreement and you screwed me over badly, you’ve always got in the back of your mind the nagging worry that I’m going to show up on your doorstep with a club and kill you. Because of that, people don’t tend to screw each other too much, right? At least, they try not to. One danger, perhaps, of moving towards an algorithmically driven society is that the algorithms aren’t scared of us showing up and beating them up. The algorithms will do whatever it is that they are designed to do. But mostly I’m not too worried about that.


Jan 27 2009

Belly rubs and wire taps

Today had two little highlights. First, Gatsby finally laid still while I had my camera in hand to get a shot of her pornographic belly rub position:

Belly rub demanded

Second, I sat in on one of MIT’s dozens of IAP courses—informal classes held between the fall and spring semesters. The one I went to was on surveillance, mainly telephone wiretapping:

The Bugs in Mr. Bell’s Circuits: Telephone Bugging and Debugging
James M. Atkinson Granite Island Group
Tue Jan 27, 03-06:00pm, 1-190

No enrollment limit, no advance sign up
Single session event

The fine art of telephone surveillance and how to detect it, distilled into a two-hour lecture by one of the nation’s top technical counter-surveillance experts. Ever wonder if someone’s listening in on your calls? Maybe that phone on your desk has been turned into a bug that sends your enemies anything you say nearby — regardless of whether you’ve picked up the handset or not. Drawing on 20-odd years’ experience hunting bugs and finding security leaks for governments and major multi-national corporations, Mr. Atkinson will cover both highly rigorous and somewhat more practical ways of frustrating spies and thinking about physical security.

Basically the presentation scared the sh*t out of me, particularly with how easy it is for anyone—a spy, a local cop, a jealous ex, whomever—to tap anything that goes over a wire. James Atkinson was pretty familiar with the MIT campus and its hardware too, so he was able to show a slide with a photo of the very phone I use in my office and show how to bug it so it acts like a microphone, picking up conversations from the room even when the phone itself is hung up. The simplicity of bugging was fascinating though, yet a lot of its success depends on laziness, like phone company workers who don’t lock what they should.

The whole thing made me wish I had understood circuitry better in AP Physics. Circuitry killed my grade.


Jan 7 2009

Oprah Winfrey as copyright hero?

From Slashdot:

I Don’t Believe in Imaginary Property writes:

“Oprah Winfrey, or to be more precise, Oprah’s Book Club, is being sued by the inventor/patent attorney Scott C. Harris for infringing upon his patent for ‘Enhancing Touch and Feel on the Internet.’ So Oprah’s Book Club is now one of many people and entities being sued over this patent because they allow people to view part, but not all, of a book online before purchasing it. Mr. Harris also sued Google Books for infringing upon this patent. He actually was fired from his position as partner at Fish & Richardson for that, because Google is a client of that law firm and they had conflict of interest rules to uphold.”

It would be entertaining to see Oprah give very wide and mainstream publicity to the abuses enabled by our current patent system.

Indeed. She’s still one of the most influential people in the country—I wonder if her audience is getting close enough to a baseline tech-savviness such that they’d understand the implications of Harris’ lawsuit or the significance of Apple’s announcement yesterday that they’re at last removing digital rights management from songs sold on iTunes. I’d wager if Oprah discussed these legal issues on her show, or perhaps invited Eric Schmidt and record company execs and a few college students, that groups like the Electronic Frontier Foundation would have a banner fundraising year.

Update: The Federal Trade Commission will look at DRM issues soon, including soliciting of public opinion in a town hall setting. To folks new to these issues, it might not seem like digital rights management (software that controls how/when you use other software, such as code in an .mp3 that keeps you from playing that .mp3 on more than two devices) and copyright are explicitly related. But they both can abuse the intended purpose of intellectual property law: to encourage innovation, but not to guarantee inventors (nowadays companies) a permanent income from their inventions.


Dec 21 2008

Security and passwords: Is it possible to overcome the weak link of having a bad memory?

(Before I continue with this post: Go Katie! Our friend Katie has just gone into labor—it’s early, so she hasn’t left for the hospital yet. But push that sucker out! Good luck, and be safe in the snow!)

Paired with my interest in telecommunications law is electronic security. My favorite parts of Cory Doctorow’s wonderful novel Little Brother were the digressions about (un)secure networks, circles of trust for encryption keys, and encryption software.

So while I’ll frequently experiment with security tools for my own computers, one pitfall with each tool is the requirement that I depend on my own brain to remember a password….

A key feature of good security is plausible deniability: if my laptop were stolen or hacked, my sensitive data would be more secure if its data were not only encrypted but also if it were impossible to tell the encrypted data even exists. A spectrum showing the least secure file to most secure file would, presuming a secure network connection, look something like this:

  • Unprotected file on a hard drive
  • Password-protected/encrypted file on a hard drive
  • Password-protected/encrypted file steganographically disguised as/in another file of a different type and size
  • Password-protected/encrypted file steganographically disguised as/in another file of a different type and size but with no evidence that the hard drive contains such a tool to disguise files

That last bullet point provides full plausible deniability. Not only is your data hidden but there’s no evidence you ever had the tool to hide sensitive data. It would be like sending a coded letter via U.P.S. without anyone being able to know U.P.S. ever came to your house or subsequently delivered your letter.

But my weak link—not for security per se but for making the whole thing practicable—is the fact that I have little confidence in always remembering which file is disguised and even perhaps what my tough password is.

Around the time my memory went in 2007, I had recently installed TrueCrypt on my work computer to encrypt a lot of my data. At the time I thought it prudent: I was working with research written by people in east Africa who, if they were identified, could be in some danger. (Not a likely occurrence that a Ugandan would hack my computer, but I considered it a best practice.) When it was clear that my health would keep me out of the office for several months, Tufts brought in a freelancer…who, of course, couldn’t access any of the files she needed. But because of my short-term memory loss, I couldn’t remember my TrueCrypt password. It was only when I felt well enough—a week or two out of the hospital—to go into the office and sit at my desk that my muscle memory (I guess?) recalled my password. I copied the files to the desktop, and I uninstalled TrueCrypt.

I learned three lessons:

  1. TrueCrypt, to its programmers’ credit, works exactly as advertised.
  2. For me to have had full plausible deniability, Tufts never should have been able to tell I’d encrypted anything. (It was easy to tell: every morning I had launched TrueCrypt to decrypt and mount my hidden file, so TrueCrypt was not only in my Programs folder but was in my frequently used programs menu.)
  3. But the key lesson, obvious as it sounds: Security is only as strong as your ability to store your password(s) in your own head.

And that’s where I’m stuck. A perfect example. I’m about to test out KeePass Password Safe to store the various passwords I use, as it’s less-than-ideal to use variations on one single password for everything you do. However, doing so requires me to still remember a lot. It’s not too big a deal to label a username/password combo as “Email” in KeePass and still know which webmail service I use. It’s a smidge more troublesome to label something “Banking,” as anyone seeing KeePass would then know I use online banking. But then it’s very problematic when I try to obscure, say, multiple financial accounts. It would be dumb to label them “Bank of America-Checking” and “Merrill Lynch-401(k)” of course. But what about two savings accounts with different institutions? To obscure the names of “Bank of America-Savings” and “ING-Savings”, you’d end up having to remember what non-descriptive nicknames refer to which accounts (“Savings account 1” and “Savings account 2”). It gets tougher for accounts that you rarely use—savings accounts are a good example, as many people set up a direct deposit with their employer and then don’t think about accessing that account for months.

Which takes us back to the fact that to obscure all the information about a password—the password itself but also which site or service that password unlocks—you need a program like KeePass to hide them all. Yet KeePass’s database of passwords is itself protected by a single master password:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database.

So we’re back to the beginning: using one password to control everything. If someone can acquire that one KeePass password, if they can successfully threaten you, they likely know which banks, webmail, etc. you use. That information isn’t too helpful separately, but together it tells a lot about a person. And KeePass itself, like TrueCrypt, isn’t hidden (the best thing to do is keep them on a USB, though that comes with similar problems), so there’s no plausible deniability that you’re not hiding something from someone.

Does anyone therefore know: is it possible to be 100% “secure in your person and effects” if you can’t trust your “person” to remember all your passwords?
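
The one-master-key model from the KeePass description quoted above, as an added Python sketch (not part of the original post and not KeePass's file format): when the whole database, entry titles included, is encrypted, descriptive labels do not appear in the file at rest, while the master password remains the single point that opens everything. The names `lock`, `unlock` and `leaks_labels`, the sample entries and the HMAC-counter keystream (a standard-library stand-in for a real cipher such as AES) are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

# Constructed sample entries; titles are the descriptive labels from the post.
ENTRIES = {"Bank of America-Savings": {"user": "example-user", "pw": "example-pw-1"},
           "ING-Savings": {"user": "example-user", "pw": "example-pw-2"}}

def _keys(master, salt):
    # Stretch the master password, then split into encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (stand-in for AES/ChaCha20).
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def lock(entries, master):
    """Encrypt the entire database (titles too), then authenticate it."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, json.dumps(entries).encode())
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unlock(blob, master):
    """Return every entry, or raise ValueError on a wrong master password."""
    if len(blob) < 64:
        raise ValueError("truncated database")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(master, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or corrupted database")
    return json.loads(_xor_stream(enc_key, nonce, ct))

def leaks_labels(blob, entries):
    """True if any entry title is readable in the file at rest."""
    return any(title.encode() in blob for title in entries)

if __name__ == "__main__":
    blob = lock(ENTRIES, "constructed master passphrase")
    print("labels visible at rest:", leaks_labels(blob, ENTRIES))
    print("titles after unlock:", list(unlock(blob, "constructed master passphrase")))
```

The trade-off is the one the post lands on: the labels are protected exactly as well as the master password, and no better.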


Dec 18 2008

AMTRAK Guest Rewards SnowDays

One of the most pointless things I could imagine AMTRAK doing:
http://snowflake.amtrakguestrewards.com/

Except that they used one of the better disclaimers I’ve ever seen:

Amtrak is not responsible for the views or ideas posted on this site unless they’re very witty, exceptionally charming and universally liked.


Nov 21 2008

Technology at the Futures of Entertainment conference

I’m sitting at the back of Bartos Theater at MIT, listening to a panel talk about “Consumption, Value and Worth” during the third annual Futures of Entertainment (FOE) conference. But the panel is half the focus, because so many people in the room are sending tweets from their laptops with the “#foe” hashtag and uploading questions to the FOE backchan.nl: http://foe3.backchan.nl/meetings/view/6. Those questions are projected on a screen next to the panelists, and everyone with a computer can vote on which ones get asked.

Despite the neatness of it all, I can’t help but think of the last time I was in Bartos, when a woman walked up to a mic and asked a really offensive question about a presidential candidate. With backchan.nl, crappy questions get voted down before they’re put to the panel.


Jul 12 2008

Tip on installing WordPress on a Network Solutions hosted site

I just set up WordPress on a Network Solutions hosted site for my step-mom’s new interior design business. As always, the installation was a cinch except for, as always, one thing that takes an hour to figure out. Namely, Network Solutions is part of that 1% the “handy installation guide” refers to that doesn’t use “localhost” as the value for DB_name.

For anyone else who has this problem, the solution is:

DB_name equals the IP address of your Network Solutions site.