Sunday, October 02, 2016

To N or Not To N, That is The Question?

In Microsoft SQL Server you can hash using T-SQL[1]:
-- varchar: one byte per character, so HASHBYTES digests 14 bytes here
declare @hash varchar(200)
set @hash = '15174141714252'
-- style 2 renders the varbinary digest as hex text; PRINT on raw varbinary shows the bytes as characters
print convert(varchar(32), hashbytes('MD5', @hash), 2)
This is a nifty feature, of course, because you can now send your passwords over the unsecured SQL connection and do your hashing on the server. Secure your connection [2], please, before doing this.

Note the use of varchar(200) in the code block. The Microsoft sample shows the use of nVarChar. Does it matter what we use? Turns out, yes. The code block above returns:
That is also the same hash produced using System.Text.Encoding.GetBytes(blah) and the .NET MD5 digest provider.

If you opt to use nVarChar:
-- nvarchar: UCS-2/UTF-16LE, two bytes per character, so HASHBYTES digests 28 bytes here
declare @hash nvarchar(200)
set @hash = convert(nvarchar(200), '15174141714252')
print convert(varchar(32), hashbytes('MD5', @hash), 2)
You will get something different:
nvarchar and nchar store the string in Unicode (UTF-16) [3], so the bytes that HASHBYTES digests differ from the single-byte varchar representation. The default encoding on your system may not be Unicode, so you have to be especially careful. If you used nvarchar in your update command, but varchar in the stored procedure that took the password in plain text, you would likely produce a bunch of hashes that will not match.
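The mismatch above, reproduced outside SQL Server so it can be checked offline. This is an added example, not code from the original post: it hashes the post's digit string as varchar bytes (an assumed Windows-1252 code page, which is what the SQL_Latin1_General_CP1_CI_AS collation uses) and as nvarchar bytes (UTF-16LE), shows that the two digests differ, and includes a small diagnostic for a column of stored hashes that stopped matching after the parameter type changed. MD5 is kept only to mirror the post; the encoding lesson is the same for any HASHBYTES algorithm.

```python
import hashlib
import hmac

# Constructed sample value: the same digit string the post hashes in T-SQL.
SAMPLE = "15174141714252"

# Assumed single-byte code page for varchar; SQL_Latin1_General_CP1_CI_AS maps to
# Windows-1252. For the ASCII digits above any ASCII-compatible code page gives the same bytes.
VARCHAR_CODEPAGE = "cp1252"

# nvarchar/nchar store UCS-2 (UTF-16LE for characters in the BMP): two bytes per character.
NVARCHAR_ENCODING = "utf-16-le"


def md5_hex(data: bytes) -> str:
    """Hex digest, the same text HASHBYTES('MD5', ...) yields after CONVERT(varchar(32), ..., 2)."""
    return hashlib.md5(data).hexdigest()


def hash_as_varchar(text: str) -> str:
    """The digest HASHBYTES computes when the parameter is declared varchar."""
    return md5_hex(text.encode(VARCHAR_CODEPAGE))


def hash_as_nvarchar(text: str) -> str:
    """The digest HASHBYTES computes when the parameter is declared nvarchar."""
    return md5_hex(text.encode(NVARCHAR_ENCODING))


def verify(stored_hex: str, candidate: str, encoding: str) -> bool:
    """Recompute under one explicit encoding and compare in constant time.
    The encoding must be the one that was in effect when the stored hash was written."""
    return hmac.compare_digest(md5_hex(candidate.encode(encoding)), stored_hex.lower())


def which_encoding_matches(stored_hex: str, candidate: str):
    """Diagnostic for a column full of hashes that will not match: report which of the
    two SQL Server representations reproduces the stored digest, or None if neither does."""
    for name, enc in (("varchar", VARCHAR_CODEPAGE), ("nvarchar", NVARCHAR_ENCODING)):
        if verify(stored_hex, candidate, enc):
            return name
    return None


if __name__ == "__main__":
    v, n = hash_as_varchar(SAMPLE), hash_as_nvarchar(SAMPLE)
    print("varchar  bytes:", len(SAMPLE.encode(VARCHAR_CODEPAGE)), "md5:", v)
    print("nvarchar bytes:", len(SAMPLE.encode(NVARCHAR_ENCODING)), "md5:", n)
    # A hash written through an nvarchar path and checked through a varchar path never matches.
    print("stored via nvarchar, checked as varchar:", verify(n, SAMPLE, VARCHAR_CODEPAGE))
    print("stored via nvarchar, reproduced by:", which_encoding_matches(n, SAMPLE))
```

The practical fix the post implies is to pin one parameter type (and therefore one encoding) on both the write path and the verification path; `which_encoding_matches` is only for triaging data that was written inconsistently.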


Tuesday, June 30, 2015

The Hack on HACK

Pull up Bing and search on "Hack Fund." There you will see the PureFunds ISE Cyber Security ETF [2]. This is an exchange traded fund [1], meaning that a constellation of computers is constantly monitoring this fund's price and making long and short positions to take micro profits all through the trading day.

The fund is made up of security technology companies who are directly involved in the infosec world. You will have to become an investor in the fund to get the full prospectus of the funds that are being traded. On the PureFunds web site [2] you can see the top 10 holdings in the fund, such as IL, SAIC, PFPT, FTNT, SPLK. Wait, Splunk? Indeed, the log file analysis company, Splunk, Inc. [3], is part of the HACK fund. That's an interesting addition to the fund.

This post is not about the analysis of the holdings, but rather a warning about the fund. Recently Kaspersky Labs claimed to have been hacked by external "nation state" hackers [4]. You have to wonder why Kaspersky would ever disclose their own security breach. Kaspersky benefits from claiming to be hacked because it shows their vulnerability and lessens their "untouchable" status. This is exactly why the C.I.A. claims to have had their public web sites hacked in the past. You should doubt the sincerity of these claims from Kaspersky, or any AV software provider. These companies are just trying to manipulate the hacker's opinion on whether or not these companies are worthy of attack.

Back to the HACK fund and what it means to you. Every company listed in the holdings is an attack vector for the young and aspiring "Wind Ninja." I call them Wind Ninjas because I once tracked a team down to Uruguay and their monikers were the Japanese names for some mythical "Ninja" spirits; one in particular was a "Wind Ninja." These hackers, like you, have money in their pockets and time on their hands, but unlike you, they enjoy disrupting public opinion. Now they have a passive way of making use of their time and money. You won't be seeing much from the ransomware people anymore because they can invest their $18M [5] in the HACK fund. Once invested in HACK, the hackers will then continue to drive more and more hacker activity, raising the public awareness (and scare-o-meter) of hacking, and thus increasing the value of their equity position.

This all reminds me of the Dilbert "$10 bug fix." (no citation, sorry) Remember that strip, where Dilbert's team gets paid $10 per bug fixed. So what does he do? Make lots and lots of bugs, and then fix them quickly, thus printing his own money. You can bet the hackers of the world are reading Dilbert and they are all moving their money into the HACK fund [8]. The growth of the fund has exceeded $1B in assets [10], which is serious money now. You can bet there will be some hefty manipulation in this fund. We have already seen some hints of it [8] after the SONY hack.

Now for some stock advice. First you get a team of hackers together, some kids from a local high school. Then you invest your money in HACK. Next, teach the kids how to hack and get them to go after some mid-level business. Once the hack is exposed, the HACK fund will go up in value, and you sell. Boom, you owe me 1% bro!


Friday, October 24, 2014

Typical Fall From Grace

I have had an Apple device in my life since 1990. My first Apple computer was a Mac SE, which was my second computer, the first being a Commodore 64. The Mac SE was a beautiful design, a smoother, encephalon-like form that was entirely self-contained. It was the second generation of Apple's unified hardware design, something copied only in the mid 2000s by Hewlett Packard. When Steve Jobs left Apple in the 90s we saw a diversion in Apple's aesthetic designs. They moved away from the unibody computer and moved forward with the pizza box architecture that plagued the IBM PC/x86 world. They still had the characteristic platinum coloring of their units, but now you had a bunch of boxes that ran Apple software. It all stopped looking like Apple.

Jobs continued with his own aesthetic designs at NeXT, but that did not go well. While he tried to realize the greater encephalon design (that's a computer that looks like a head, by the way), the software didn't have the stability that Apple had to offer. Jobs needed Steve, and Steve needed Jobs, and together they needed Apple. This was all too obvious when Apple started producing new computer models twice yearly, each more competitive than the other, but each competing with its siblings.

When Jobs returned to Apple we didn't see technology innovation. That was already done by the likes of HP, Compaq, Microsoft, and Symbian. What those innovators all lacked was the aesthetic genius that Steve Jobs saw in the world. So when Apple released the iPod and then iPhone, it wasn't a technical innovation, rather it was an aesthetic innovation in technology. It was then in 2007 that technology needed to be more pretty than functional, and that's what Steve Jobs knew how to do.

That's why today I am writing this fun opinion piece about my iPhone 6 Plus. I have just about every kind of phone, from a Samsung Galaxy generation 1, to a new Galaxy Note 2, to iPhone 4, iPhone 5, HTC Windows Phone, and Nokia Lumia. These phones are all smooth bricks with shiny OLED screens. The Nokia phones were the most stylish of the non-Apple phones, and they all had a very common feature. The phones didn't have warts.

A wart is anything that sticks out from a surface. On the back side of these phones there is a nifty camera lens that is hidden in the surface to keep it safe. That countersink on the lens also causes flash glare and can disrupt the quality of the photos taken by the device. That's why the original iPhone was white, and always white for a long time. A black shiny surface causes a nasty lens flare from the flash and results in junk pictures. Steve Jobs knew that was important as a mission critical feature of the mobile phone. Even my Qualcomm Brew phone (Kyocera) got that right, with its recessed lens for photographs.

Today, though, I noticed that my iPhone 6 Plus does not have a recessed lens. Rather, the lens sticks out like an ugly wart. It has a metal ring around the lens to protect it, but it is still a wart. Warts always snag on things, and the wart on the iPhone 6 will not disappoint in that regard. Furthermore, the wart causes the iPhone 6 Plus to never rest level on any surface. Now the iPhone only has three contact points with its host surface, which means less friction to keep it on a slanted surface, and a higher likelihood of it slipping off a closed laptop and falling onto the floor.

Some may argue that this was Steve Jobs' design idea, or that he approved it before his passing. I doubt that argument's validity having seen Steve Jobs' unique approach to aesthetic technical design. The device is a failure in my opinion. The sales of the iPhone 6 Plus should be halted and the lens should be recessed. Every mobile device should lay flat and stable on a flat surface.

Tuesday, February 11, 2014

Banking RICO

Every person who is a customer of private banking agrees that banks are corrupt entities. We all say that because they charge senseless fees and spill out busy talk that nobody understands except used car salesmen. Yet, has anyone ever tried to quantify a case of RICO [1] against a bank, or the banking industry at large?

We are going through a refinance transaction on our house. There are two mortgages to refinance. The first is the larger of the instruments and is the target of our refinance transaction. The second is serviced by another bank and is much smaller than the first. The second is termed the "subordinate" loan [2].

After approval of the new loan we were informed that there is a fee that must be paid to the subordinate loan servicing bank for the bank to review the terms of the refinancing agreement. In this case, the fee we must pay is $250 [3]. I complained to the "mortgage consultant" that is refinancing our loan and he conveyed his equal disdain for the fee and went on to explain that they would charge the same fee had the roles been reversed. The important detail he conveyed though was that their fee would have been $150. That got me thinking, of course.

This subordination fee is being required by the second bank. They require me to pay it so that they can review a loan that I am refinancing. This loan is not being serviced by this subordinate bank, so they have no reasonable claim to review its terms. This is not only an invasion of my privacy, it smells like price fixing [4].

Let's make this easier to explain. Bank A is the refinancing bank. Bank Z is the subordinate bank charging the $250 fee. Bank F is the bank that held the original loan that is being refinanced.

Price Fixing [4]

Bank A offers affordable loan terms to refinance a loan not serviced by Bank Z. Bank Z demands to see the terms of that loan to discover the competitive pricing and terms between Bank A and Bank F. Bank Z can then adjust its lending practices to be more in line with Banks A and F. Proving that is difficult, but not impossible with insider and regulatory help.

You know about LIBOR [10], right? This is the interbank lending rate, a rate that is set by a bunch of bankers who lend out money at the LIBOR rate. If you haven't made this connection yet, then consider that these bankers are setting the PRICE of the money that they are lending. They are colluding together as independent bankers to control the price of this commodity, known as money. This is price fixing at its purest and most shameless form. These bankers are in the U.K. though, so they are not directly affected by the RICO Act. They do fall under the Foreign Corrupt Practices Act [11]. Should any bank do business with these bankers, and those banks are also guilty of these other crimes, then they can be argued together as RICO.

Racketeering [5]

The $250 service fee charged by Bank Z is a service fee for which I get no gain, no product, and no perceived resolution to a problem. By example, it is a fee to solve a problem that does not exist. Why would I need to pay a bank (Bank Z) for them to review my loan? This not only impedes my effort to manage my debt and finance instruments, but it also offers an opportunity for Bank Z to collude with other banks in retarding the refinance process.

Extortion [6]

This one is a little more difficult to stomach. My argument is that Bank Z is engaged in a form of blackmail/extortion where they are hindering the progress of my engagement in commerce unless I pay them this $250 subordination fee. If I choose not to pay this fee, then they refuse to review the loan, and Bank A cannot proceed with the refinance. Furthermore, since this fee is not a regulated fee, they could charge any fee they desired. Should they be in collusion with Bank F, they could charge an exorbitant fee, a fee so large that it would eclipse the loan origination fee [7].

More Price Fixing [13]

From the Rolling Stone article you will learn that these super giant investment banks are starting to buy up industries. From owning the raw resource to the logistics and distribution channel, they are controlling the entire industry. When a single entity owns the entire supply chain of a commodity it can control pricing on that commodity. Since these are investment banks, they are buying and hedging on the very commodity that they trade in the commodity markets. This creates an inflated market value for the commodity and results in an enormous bubble that bursts across numerous industries. We saw this during the Great Depression when banks were engaged in cross-industry investment, and we are seeing it again today thanks to Bill Clinton's repeal of the Glass-Steagall Act. Thanks Bill! You were probably distracted by that girl again ...

For a RICO consideration on any corrupt organization, the FBI must prove 3 cases of criminal activity. I have described three such cases in this one fee required for a simple loan refinance. What really saddens me the most is that Dodd-Frank [8] did not address this fee. Senator Frank, a pervasively outspoken critic of the organized banking industry, did not (or could not) put his regulatory stamp on this egregious fee.

It is clear that these surreptitious fees are nothing more than a phantom way for banks to continue to charge a "tax" on a service that has no resolution, no product, no outcome, and no benefit to the person paying the tax. If I were living outside of California and trying to refinance a loan that was held in California, then this egregious fee might fall under the Interstate Commerce Act [9]. I would certainly not want to choose a bank in California that charges an exorbitant subordination fee, but rather choose one that does not charge a fee at all.

If only I had Senators Frank or Dodd, or Governor Spitzer on speed dial. This one fee, one single fee, can be arguably the Achilles Heel [12] of the banking industry.



For The Record

Bank A : Union Bank formerly Union Bank of California
Bank F : Wells Fargo Bank, N.A.
Bank Z : JP Morgan Chase

Furthermore, I know that Wells Fargo would forgo this fee on us because we are an avid customer of Wells and they have been extremely helpful in finance instruments for both personal and business transactions. I really like how Wells Fargo treats me as a bank customer, but everyone has different experiences.

Monday, January 14, 2013

Zeptolabs Spying on You?

I am a developer. Today, I hooked up the device log to my android tablet which has Cut The Rope on it (Zeptolabs). Surprised, I found a curious series of log entries:

01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.djinnworks.StickmanBaseJumper.lite
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.duckduckmoosedesign.ibs
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.facebook.katana
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.fandango
Furthermore, it even sends application usage information:
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): CommManager: processesRequest() [thread:467] [request:1230252154] Sending POST data as part of the request [length: 5221]:
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): app_usage_data=%5B%7B%22usage_type%22%3A%22FOUND_INSTALLED%22%2C%22app_metadata%22%3A%5B%7B%22value%22%3A%224.4.54%22%2C%22key%22%3A%22android.package.ver

Apparently this game is enumerating all of the installed apps that I have on the tablet and is sending it to their server.

Here is where they upload the payload to their servers:

01-14 20:54:17.843 V/GetJar SDK [com.zeptolab.ctr.paid](14868): CommManager: processesRequest() [thread:467] [request:1230252154] ROUTE [ResolvedIP:  ProxyHost: null  TargetHoust:  Secured: true  Tunnelled: false]
01-14 20:54:17.843 D/GetJar SDK [com.zeptolab.ctr.paid](14868): The request properties for this request:
01-14 20:54:17.843 D/GetJar SDK [com.zeptolab.ctr.paid](14868):       Content-Language = 'en-US'
01-14 20:54:17.843 D/GetJar SDK [com.zeptolab.ctr.paid](14868):       Content-Type = 'application/x-www-form-urlencoded'
01-14 20:54:17.843 D/GetJar SDK [com.zeptolab.ctr.paid](14868):       User-Agent = 'GetJarSDK/20120921.02 com.zeptolab.ctr.paid/18 android/4.2.1 (google; nakasi; Nexus 7)'
01-14 20:54:17.843 D/GetJar SDK [com.zeptolab.ctr.paid](14868):       Authorization = 'client_app.token=&user.user_access_id=&app.capabilities=18&legacy.client_app.soft_id=75206&'
The IP address belongs to Getjar, Inc., located at:
Getjar, Inc. 
Street 1510 Fashion Island Blvd, Suite 300
City San Mateo 
State/Province CA 
Postal Code 94404
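The log lines quoted above are enough to see what the SDK collects without reverse engineering anything. The following is an added example, not code from the post or from GetJar or Zeptolab: it parses the logcat prefix, pulls out every package name reported as FOUND_INSTALLED, and URL-decodes the logged POST body so the JSON inside it is readable. The sample log is constructed from the lines quoted in the post and is truncated where the post's capture is truncated.

```python
import re
from urllib.parse import unquote

# Constructed sample: the logcat lines quoted in the post, trimmed to the fields the parser uses.
# The app_usage_data value ends exactly where the post's capture is cut off.
LOG = """\
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.djinnworks.StickmanBaseJumper.lite
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.duckduckmoosedesign.ibs
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.facebook.katana
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): [] : sendInstalledApps() -- FOUND_INSTALLED: com.fandango
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): CommManager: processesRequest() [thread:467] [request:1230252154] Sending POST data as part of the request [length: 5221]:
01-14 20:54:17.833 D/GetJar SDK [com.zeptolab.ctr.paid](14868): app_usage_data=%5B%7B%22usage_type%22%3A%22FOUND_INSTALLED%22%2C%22app_metadata%22%3A%5B%7B%22value%22%3A%224.4.54%22%2C%22key%22%3A%22android.package.ver
"""

# logcat "threadtime"-style prefix: "MM-DD HH:MM:SS.mmm <level>/<tag>(<pid>): <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[VDIWEF])/(?P<tag>.*?)\((?P<pid>\d+)\): (?P<msg>.*)$")
INSTALLED_RE = re.compile(r"sendInstalledApps\(\) -- FOUND_INSTALLED: (\S+)")
POST_BODY_RE = re.compile(r"^(?P<field>\w+)=(?P<value>\S+)$")
POST_LEN_RE = re.compile(r"Sending POST data .*\[length: (\d+)\]")


def parse(log: str):
    """Yield (level, pid, message) for each well-formed logcat line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("level"), int(m.group("pid")), m.group("msg")


def installed_apps(log: str) -> list:
    """Package names the SDK reports as FOUND_INSTALLED, in log order."""
    found = []
    for _, _, msg in parse(log):
        m = INSTALLED_RE.search(msg)
        if m:
            found.append(m.group(1))
    return found


def post_bodies(log: str) -> dict:
    """Form fields logged as POST data, with the URL encoding removed so the JSON is readable."""
    fields = {}
    for _, _, msg in parse(log):
        m = POST_BODY_RE.match(msg)
        if m:
            fields[m.group("field")] = unquote(m.group("value"))
    return fields


def declared_post_length(log: str):
    """The byte length the SDK itself logs for the request body, or None if absent."""
    for _, _, msg in parse(log):
        m = POST_LEN_RE.search(msg)
        if m:
            return int(m.group(1))
    return None


def report(log: str) -> dict:
    """Summary a reviewer would want: what inventory left the device and in which field."""
    apps = installed_apps(log)
    bodies = post_bodies(log)
    return {
        "installed_apps_reported": apps,
        "post_fields": sorted(bodies),
        "declared_length": declared_post_length(log),
        "usage_type_in_body": '"usage_type":"FOUND_INSTALLED"' in bodies.get("app_usage_data", ""),
    }


if __name__ == "__main__":
    for key, value in report(LOG).items():
        print(f"{key}: {value}")
    print(post_bodies(LOG)["app_usage_data"])
```

Run against a full `adb logcat` capture rather than this excerpt, the same two regexes will list every package the SDK enumerated, and the declared length (5221 bytes here, against the six lines shown) gives a sense of how much of the body the capture is missing.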

Thursday, November 17, 2011

End The IRS

Before you read this, you need to download the accounting spreadsheet from IRS:

IRS Accounting Spreadsheet

You want to click on the "2010" link as that is the most current data. After you download the XLS file, open it and see the Table 29 "Collections, Costs, Personnel, and U.S. Population, Fiscal Years 1980 - 2010".

For each 5 year span marked in the table:

1980 - 1984:
24% increase in tax
30% increase in IRS cost ($998M)
4% increase in population

1985 - 1989:
27% increase in tax
31% increase in IRS cost ($1.597B)
4% increase in population

1990 - 1994:
17% increase in tax
25% increase in IRS cost ($1.804B)
5% increase in population

1995 - 1999:
28% increase in tax
11% increase in IRS cost ($879M)
5% increase in population

2000 - 2004:
4% decrease in tax
15% increase in IRS cost ($1.497B)
4% increase in population

2005 - 2010:
3% increase in tax
16% increase in IRS cost ($1.955B)
4% increase in population

This information tells us that:

1. We are taxed more and more each year.
2. Our population growth does not match the tax revenue growth.
3. The IRS has continued to be MORE INEFFICIENT in 30 years.
4. The IRS has cost about $400M more each consecutive year since 1985.

IRS 2010 Data Book (big)

The IRS Data Book, link above, shows that in 1997 we have the single largest leap in the number of electronic filings (27% increase). In Table 29, we see a happy time in 1995 to 1996 and 1997 where the cost of the IRS was actually going DOWN, as you would expect in the case of electronic filing.

Then, after 1997, the $400M per year trend returns and continues to spiral out of control to a whopping $12.35B to collect $2.345T in revenue.

Each year, according to the IRS Data Book, the number of electronically filing tax payers is growing, from 11.8 million electronic returns in 1995 to 87.3 million returns in 2007.

From the IRS Data Book, 2010, page 10, Table 4, the total number of electronic filings for individuals was about 67 million out of a total 116 million. Table 3, page 6, gives us the total number of returns, both electronic and paper, filed in the USA in 2010 as 230,408,678. That means about 50% of ALL RETURNS were filed electronically, by a machine, processed by a computer, and assessed electronically.

Why is it that we need 82% MORE MONEY to operate an agency to collect money when nearly half of the job is being done by a computer.

Write to your Congressional Representative and Senator, then send email to the President. Demand to reduce the IRS to an operating level that is on par with its real cost of doing business.

Wednesday, October 26, 2011

Money, College, and High School Sports

I have a daughter who is a freshman at George Washington University. She has been in school for about 59 days now. For the last two weeks, we have gotten several appeals for more money on her "GWorld" spending card so that she can "eat."

When she started school, her GWorld was funded with $1,000 and her Dining Dollars account was given $700. That's $1,700 to spend on food and sundries. After 59 days of school, and an infusion of $200, she is down to about $300 overall.

We are able to get the transaction breakdown of her spending, which allowed me to come up with some metrics.

Being female, she needs makeup and other girl things from a pharmacy store like CVS. To that, she spent $438, or roughly $7.42 per day.

Being a hungry college kid, she spends most of her food money on carbohydrates and fast food from 7-11. To that, she has spent $745 or roughly $12.63 per day. Recently she discovered the magical elixir of caffeine, which comes in nifty packaging from Starbucks.

$12.63 is pretty high for food. You can get the NutriSystem delivered to your door for 28 days for just $8.33 per day [1]. You could eat relatively good frozen dinners (college kids do have Microwave ovens) for $3.50 each [2], or about $10.50 per day.

This is her first experience with being entirely on her own. During the summer she had a job and was paid a good amount of money, probably about $2,000. Nearly all of that was spent by the end of summer, 43% of which was spent on fast food from Wendy's, Jack In The Box, and other restaurants.

To what do we owe this apparent lack of fiduciary responsibility? Of all things, I blame high school sports. My daughter was an athletics student and spent most of her non-school time engaged in sports. As a result of such an experience, she never had to be responsible with money because her parents were always there to "do it for me." The more sports she did, the more the athletics programs encouraged her to continue along this path, thus perpetuating the athlete cycle.

I could blame me, her parent, but I've lectured her so many times on being more responsible with money. In the end, when it comes to money, only life experience can teach us how to manage it better. Maybe $12.63 per day for food isn't so bad, just a little on the rich side, but not so bad given the location of her school.

[1] NutriSystem Pricing

[2] Vons - Hc Naturally Gourmet Light Pumpkin Squash Ravioli - 9.2 Oz - $3.29