Computing woo refers to a range of pseudoscientific practices and urban legends associated with computing, especially computer security.
The world of technical support is a magical place. User[Who?] beliefs include:
Technicians and software developers, many of whom consider themselves rational, logical thinkers, are not immune to all kinds of sloppy thinking and superstition. And most people have so little conception of what's involved in programming that the moviegoing public can accept the idea that a sufficiently good programmer can write a virus for a completely alien operating system, in a completely alien language, and have it work right the first time.[note 1]
Heisenbugs are issues that never seem the same when you attempt to study them. Often it appears that the computer is doing this to spite the programmer or simply following Murphy's Law, but there are sound reasons why sometimes programs work differently in the wild than they do when a programmer is attempting to analyse or debug them: subtle changes in timing caused by software or hardware debuggers, differences between debug and release builds, differences between test systems and the computers onto which the end product is deployed, even changes in the electrical characteristics of hardware when a debugger is attached.[8]
Cargo cult programming is the style of programming where you do something that worked before without understanding why it worked or indeed any real understanding of programming, software, systems, or technology.[9] In the olden days, people built cathedrals by a variety of informal techniques, including rules of thumb, copying existing buildings, and trial and error (rebuilding if the product fell down), but these days we have civil engineers. Sadly, software is still often developed according to 14th century principles.
Some programmers and IT staff tend to assume that because their code runs on one computer, any other computer it doesn't run on must be broken. It's usually the opposite. If you have code that runs on your personal computer but not on other machines, it is probably doing something dangerous that should cause a segmentation fault or similar, but is somehow being allowed to do it. Alternatively, it may be set up in a way that is peculiar to the settings and file system on your machine.
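As an added example (not the article's own code; the greet functions are hypothetical), here is the kind of "works on my machine" bug the last two paragraphs describe: a stray write one byte past a stack buffer, whose visible effect depends on compiler, optimisation level and stack layout, next to a bounds-checked version. Compiling the first with -fsanitize=address reports the stray write on every machine, whatever the layout happens to be.

```c
#include <stdio.h>
#include <string.h>

/* "Works on my machine": copy a name into an 8-byte stack buffer and terminate it.
 * For names of 8 or more characters strncpy copies no NUL, the scan stops at len == 8
 * and the terminator is written one byte PAST the buffer. What happens next depends on
 * what this particular build placed after buf on the stack: padding (nothing visible),
 * another local (a silently wrong value), or the stack canary / saved return address
 * (abort or crash). A debug build and a release build will often differ here. */
int greet_buggy(const char *name) {
    char buf[8];
    size_t len = 0;
    strncpy(buf, name, sizeof buf);
    while (len < sizeof buf && buf[len] != '\0') len++;
    buf[len] = '\0';                       /* off by one when len == sizeof buf */
    printf("hello, %s\n", buf);
    return (int)strlen(buf);
}

/* Hardened version: check the bound and refuse input that does not fit, instead of
 * relying on the stack layout to absorb the mistake. Returns the length copied,
 * or -1 when the name plus its NUL would not fit in the buffer. */
int greet_fixed(const char *name) {
    char buf[8];
    size_t n = strlen(name);
    if (n >= sizeof buf) return -1;
    memcpy(buf, name, n + 1);              /* n + 1 <= sizeof buf, so the NUL fits */
    printf("hello, %s\n", buf);
    return (int)n;
}

int main(void) {
    /* Constructed inputs: the long one triggers the off-by-one in greet_buggy. */
    greet_fixed("Alice");
    greet_fixed("Bartholomew");            /* rejected with -1 */
    greet_buggy("Bartholomew");            /* undefined behaviour: may "work", may crash */
    return 0;
}
```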
There are numerous cases where misconceptions about names, time, addresses, maps, gender and more can cause problems.[10] There are many reasons why something which seems reasonable to a white, male, English-speaking programmer near the Greenwich meridian might not work for other people. On the other hand, of course, certain of these supposed "misconceptions" are hard requirements in the context of the software. For example, Icelandic government software may require that Icelandic names are used, as the Icelandic government has that requirement as well, and absolutely reject strings with characters foreign to Icelandic from being used as names.
BadBIOS is firmware malware that was created by Ruiu ... in his head. Individuals like Ruiu are extremely concerned about malicious firmware from hackers and the NSA to the point of literal paranoia.
According to Ruiu (@dragosr on twitter), BadBIOS is a rootkit that can infect computers without bluetooth, ethernet, or Wi-Fi. Instead it can infect other computers by emitting "ultrasonic sound [...] from the device's loudspeakers". Computers nearby somehow pick up the sound via the speakers and thus get infected. Ruiu suspected his computers were infected with BadBIOS once his computers were acting strange.[21] Ruiu later provided data dumps of his BIOS only to have experts reveal it was normal data. Ruiu then countered stating that the malware probably erased itself whenever he tried to make a data dump.[22] While these claims are not outside the realm of science fiction, Ruiu has not provided a silver bullet, only speculation. Despite this, his reputation seems to be intact somehow.
Years later, Ruiu came to the conclusion that BadBIOS can also contaminate USB, through some way of knowing...[23]
Yep, /r/badBIOS/ is a subreddit for a malware that probably never existed! Unsurprisingly, it's inhabited by some users who think that one weird thing happening on a computer means a malware infection. These people are generally paranoid, judging by the threads:
Despite Ruiu's paranoia, there is truth to the madness:
Cargo-cult "paranoid" computer security practices are often advocated by naive internet denizens and trolls to even more naive newcomers. High-profile attacks aimed at Tor hidden services, such as Operation Onymous, as well as large attacks on users such as the FBI's legally dubious network investigation malware,[32] have created an association between insecurity and surveillance and what is in fact one of the most secure and surveillance-resistant networks ever created.
Prospective explorers often ask if they should put tape over their webcam or use Tails in order to 'safely' explore the dark web. They fixate on how technological configurations can secure their machines, but are entirely clueless about vectors such as password reuse, identity segregation or how to verify the safety of file downloads.
Such common misconceptions stem from limited public understanding of threat modelling, privacy and practical computer security. As such, there is a massive market for bloggers and YouTube charlatans such as Takedownman to offer off-the-shelf tips which increase the user's feeling of security.
Every day, an intrepid dark web explorer will read that the US Navy funded the initial creation of the Tor network and fancy themselves the next Edward Snowden by disseminating this information.[33]
Due to low public understanding of what hackers do and how viruses and malware work, it has become a relatively accepted trope for someone to claim their account was hacked as a get-out-of-jail-free card in the event of certain drug-fuelled rants and dramas.[35]
Some computer users attribute changes to their computer to malevolent forces, in a manner comparable to astrology, when rationalising changing and intermittent issues.
Of course, in a video gaming context, anyone who is better than you is a hacker.
There is a small number of 'anti-updaters', an anti-vaccination movement-like contingent of people arguing against automatically updating applications due to the misplaced belief that significant numbers of people care to manually review and install all patches.[36][37] Patches and updates are generally good, except maybe if you're working with the CIA.[38] Yes, there are occasions where an update breaks something that was working before or causes other mischief, but by and large updates are something you want: they fix problems and improve the security of your system.
Depending on who you ask, encryption can be anything from the greatest piece of social good modern mathematics has ever produced to a dangerous weapon, one that must be carefully controlled, utilised by terrorists[39] and child abusers[39] in order to evade justice.
In the early days of strong cryptography, the US government attempted to issue export bans, classifying the technology as akin to munitions.[40] While such bans were overturned in 1992, it wasn't until the rise of ubiquitous personal computing that governments would once again characterize mathematics as a dangerous tool.
The 2010s saw increasing calls from politicians[Who?] around the world to backdoor common encryption software.[41] From the encrypted-by-default iPhone[42] through to bans on WhatsApp[43] in Brazil[44] (proposed and later withdrawn in the UK),[45] governments around the world remain convinced they can create a secure back door into software to counter criminals; backdoors, however, are not exclusive to government agencies.
Said statements could be considered rhetoric to coerce tech giants deeper into mass surveillance programs, and less charitably as mathematical denialism from senior elected officials.
How much do your teachers, coworkers, employers, or other people really know about what you do online?
"The Internet" is really an inter-network, or a network of networks.[note 2] Your home Internet, the free WiFi at a coffee shop, your campus or work networks, etc. are all networks that talk to other networks. When you view a website, check your email, or chat with your friends, your computer achieves that by sending traffic from your network to someone else's, and routing it through every network in between.
Anyone with control of the network can try to figure out what kind of traffic you're sending, where it's going, and what's in it. The modern Internet is moving toward HTTPS by default, which is an attempt to make things more secure. If your browser reports that your connection is "secure" or "insecure", it's talking about HTTPS specifically. It doesn't mean that there's no chance anyone can intercept what you're doing. By analogy, you're writing letters to a friend and passing them through the hands of a series of strangers, all of whom have agreed not to tamper with the contents. HTTPS lets you seal the letter from (most) prying eyes, but does nothing to hide which friend you're mailing.
There are good reasons for network administrators to monitor what goes into or out of their networks. If someone downloads and runs malware from an unsafe site, it puts the whole network at risk. If an employee does something illegal with their computers, their employer might be implicated. Few admins should have any kind of interest in spying on individual users, but every good admin has an interest in a safe and healthy network.
Who can read your email? Whoever provides you with email services, for starters. Microsoft read a blogger's Hotmail inbox in 2012, suspecting a software leak.[46] Ironically, around this same time, Microsoft was running the Scroogled ad campaign, attacking Gmail for using inbox contents to serve up targeted ads. It also defended its own right to read your mail.[47]
Email alternatives such as Slack might also expose even direct messages to your boss.[48]
Secure email and instant-messaging tools do exist, but no security system is absolute.
Web filtering is a magical solution to all the world's problems. Simply by stopping people (particularly children, but also library patrons) from reaching the wrong website, you can prevent sexual depravity from bringing about the fall of modern civilisation, and prevent terrorism. Companies including Impero, Future Digital, and Securus sell "anti-radicalisation software" which prevents children from reading about Islamist terrorism.[49] According to online security company Akamai, British law requires schools and universities to consider the use of such software.[50] Whether Akamai is an unbiased source of legal advice is for you to judge.
The traditional use of such software is to block access to pornography online, but such filters are pathetically useless. A British newspaper report complained that one filter blocked searches for "sex education" but allowed explicit searches in Spanish; it concluded they provide false security and could be easily circumvented (as anybody who knows anything about children could tell you). More seriously, anti-porn filters may discourage children from talking to their parents and actually promote porn addiction: "Filters can also encourage secrecy, deception and shame – key conditions for nurturing dependency or even potential addiction."[51] Because the naughtiness is half the reason why porn is appealing. There is also the simple solution of getting around a porn filter by getting a friend to let you watch porn at their house.
Web filters also rarely, if ever, treat blocking pornography or jihadism as their first priority. Most of their effort goes into blocking websites that offer proxies and websites that offer translation services: the former because they let people easily, and perhaps even unintentionally, bypass the filter, and the latter because they produce many different translations of whatever is meant to be censored and thus increase exponentially the work required to censor everything. Even more worrying, some filters block these categories by default, meaning that no matter what you do, you won't be able to access Babelfish.[52]
You'll be glad to know that the best in the business, who have a firm place in the international market, are currently selling their software to dictatorships that want to stop their citizens reading any information that might harm the way the government is perceived by them.[53] On the plus side, since these governments spend their time censoring internet traffic (and will never fully manage it anyway), this is often accompanied by a less censored traditional press and television. However, one might still question why democratic governments support something that is partly marketed to dictators.
CVE (Common Vulnerabilities and Exposures) is a system developed to create unique identifier codes to facilitate exact communication about vulnerabilities and to enable the synchronization of different vulnerability databases, as well as to evaluate the interoperability of vulnerability database tools and services.[54] While CVEs are a useful tool for their intended purpose, some laypeople mistake them for some kind of statistic while arguing for their favourite or against their disfavoured software. Some security experts have written public postings against that kind of misuse, citing the heavy reporting bias of the non-statistic.[55][56]
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
—xkcd[57]
Most security tips for passwords work if you're trying to stop someone discovering it through brute force, that is, trying every combination of letters and numbers, starting at 000000 and going all the way to ZZZZZZ. Any system whose passwords are composed solely of numbers will be incredibly easy to brute force. However, as most systems allow passwords with any combination of alphanumeric characters plus special characters such as spaces, exclamation marks, question marks, parentheses, ampersands and others, brute forcing every possible combination of those is mathematically infeasible, as each character position has 26 lowercase + 26 uppercase letters + 10 digits + 30 or more special characters. That means a 6-character password has a total of 92^6, or over 606 billion, combinations, while a 7-character one has over 55 trillion. Impressive numbers, but the reality is different.
Forcing users to mix upper case, lower case, a number and a special character is good in theory, but users are humans, and humans are terrible at remembering things, especially if they're "nonsense". *EEg38*G(&X83f2zzB is, by any measure, a very strong and secure password, but near impossible for any human to remember without writing it down somewhere, not to mention time-consuming to type out. Thus, people will often opt for something that is, if not memorable, at least guessable, such as P4$$word. Coming up with a password that uses all those things is usually frustrating, and trying to remember a dozen different ones is even worse, which leads to one very common problem: password reuse. This is the main reason hackers try passwords from previous leaks first: the chance of one working on at least one account is high. Once a password is cracked, the attacker will try that same username/email + password combination everywhere they can think of and, in many cases, will successfully get in.
123456 is still the most common password found in leaks and "password" is often in the top 10.[58][59] Perusing said lists shows a distinct lack of those enforced mixed-character passwords but, when they do show up, they're almost always "easy to remember" or easy to type, because they're either g00dPa$$w0rD or 1qaz!QAZ (a keyboard walk), as can be seen in a 2017 list of the top 100k most common passwords.[60][note 3] QWEqwe123!@# certainly looks secure but, in reality, is not, since a quick glance immediately shows how to type it out. It's easy to remember and quick to type, and hackers will expect a number of accounts to use that password or some permutation of it, such as qwe123QWE!@# or 123!@#qweQWE; it's easy for a computer to guess every such permutation. Reuse of these types of password will be high for the simple reason that people prefer to remember one password instead of a dozen, plus "guessing" which they used for which site.
While correcthorsebatterystaple itself is no longer secure, the principle is still valid and more likely to result in a secure password. Using a passphrase instead of a password, allowing all types of character without forcing the user to mix them all, can result in very secure and easy-to-remember passwords.[note 4] Unfortunately, many places have an upper limit on how long your password can be, such as no more than 20 characters, while others won't let you use some special characters common in Latin languages, such as the cedilla, which is great for attackers, since it reduces the number of variables they have to consider when attempting to crack.
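As an added example (not from the article or any password tool it mentions), the following C code contrasts the charset^length figure quoted above with the two checks a leaked-list attack effectively gets for free: matching a password against a leak list after undoing leet substitutions (so P4$$word and g00dPa$$w0rD both become password), and detecting keyboard walks such as 1qaz!QAZ on a US QWERTY grid. The leak list and the 0.5 walk threshold are constructed placeholders; a real policy check would use a full breach corpus.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { PW_LEAKED, PW_KEYBOARD_WALK, PW_OK };
/* Constructed stand-in for a leaked-password list; real ones hold millions of entries. */
static const char *leaked[] = { "password", "123456", "goodpassword", "correcthorsebatterystaple" };

/* The charset^length count the article quotes (92^6 for a 6-character mixed password). */
double naive_space(const char *pw) {
    int seen[4] = { 0 }, size;                    /* lower, upper, digit, special */
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++)
        seen[islower(*p) ? 0 : isupper(*p) ? 1 : isdigit(*p) ? 2 : 3] = 1;
    size = 26 * (seen[0] + seen[1]) + 10 * seen[2] + 30 * seen[3];
    double space = 1.0;
    for (size_t n = strlen(pw); n > 0; n--) space *= size;
    return space;
}

/* Key position (row * 16 + column) on a US QWERTY layout; shift does not move a key. */
static int key_code(char c) {
    static const char *rows[] = { "!@#$%^&*()", "1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./" };
    for (int r = 0; r < 5; r++) {
        const char *hit = strchr(rows[r], tolower((unsigned char)c));
        if (hit) return (r ? r - 1 : 0) * 16 + (int)(hit - rows[r]);   /* symbols share row 0 */
    }
    return -1;                                    /* not on the grid */
}

/* Fraction of consecutive characters that sit on neighbouring keys (same row or column). */
double walk_fraction(const char *pw) {
    size_t n = strlen(pw);
    int walk = 0;
    for (size_t i = 1; i < n; i++) {
        int a = key_code(pw[i - 1]), b = key_code(pw[i]);
        if (a >= 0 && b >= 0 && abs(a / 16 - b / 16) + abs(a % 16 - b % 16) == 1) walk++;
    }
    return n < 2 ? 0.0 : (double)walk / (double)(n - 1);
}

/* Leak list (as typed, then de-leeted) first, then keyboard walks; both defeat the 92^n figure. */
enum verdict classify(const char *pw) {
    static const char from[] = "4@3015$7!", to[] = "aaeoissti";   /* 4->a @->a 3->e 0->o ... */
    char norm[256];
    for (int leet = 0; leet < 2; leet++) {       /* pass 0: lower-cased; pass 1: also de-leeted */
        size_t i = 0;
        for (; pw[i] && i + 1 < sizeof norm; i++) {
            const char *hit = leet ? strchr(from, pw[i]) : NULL;
            norm[i] = hit ? to[hit - from] : (char)tolower((unsigned char)pw[i]);
        }
        norm[i] = '\0';
        for (size_t k = 0; k < sizeof leaked / sizeof leaked[0]; k++)
            if (strcmp(norm, leaked[k]) == 0) return PW_LEAKED;
    }
    return walk_fraction(pw) >= 0.5 ? PW_KEYBOARD_WALK : PW_OK;
}

int main(void) {
    const char *samples[] = { "P4$$word", "1qaz!QAZ", "QWEqwe123!@#", "*EEg38*G(&X83f2zzB" };
    for (int i = 0; i < 4; i++)   /* verdict 0 = in leak list, 1 = keyboard walk, 2 = no pattern */
        printf("%-20s %.3g combinations, verdict %d\n", samples[i], naive_space(samples[i]), classify(samples[i]));
    return 0;
}
```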
Whilst common computing misconceptions are numerous, too many serious issues are often written off[citation needed][Who?] as misconceptions, including:
Government mass surveillance capabilities have been revealed by the likes of Edward Snowden, particularly with regards to the NSA in the US and GCHQ in Britain.[67] The US government has incorporated backdoors and vulnerabilities in servers and routers exported from the US overseas, while warning about the danger in products from Chinese tech companies.[68] Multiple backdoors allowing access by government agencies have been found in Cisco networking products, some apparently put in place at the request of the CIA, some allegedly (according to Cisco) without Cisco's knowledge.[69]
However, not all these stories are true. There is a lot of paranoia about what the Chinese companies ZTE and Huawei might do to hack or monitor western telecoms networks, but little evidence that they have done anything (although there is legitimate concern that their programmers are idiots).[70] In 2018 the financial news service Bloomberg ran a series of stories about Chinese companies putting a tiny secret hacking chip on computer motherboards, but these stories rapidly unraveled with no evidence of any specific product that was actually affected.[71][72]
Insecure backdoors into software and operating systems pose a serious threat.[73] Some politicians, particularly in the UK Conservative Party, have repeatedly called for communications software such as WhatsApp to include a backdoor that allows governments to decrypt and view all communication for the purpose of fighting terrorism and other crimes, despite warnings from civil liberties and computer security experts that this is a very dangerous thing to do.[74] Such schemes risk introducing vulnerabilities due to their complexity, and there is also the danger that an encryption key meant for trusted governments could become available to criminals or foreign states.[75] If a repressive government were able to read all communications, it would allow a massive crackdown on dissent and free speech.
The debate is complicated by erroneous claims that software such as WhatsApp already incorporates backdoors (in reality it generally incorporates bugs rather than intentional backdoors).[76]
For example, carding, online banking fraud, and much more.[more detail please]
The online trade in child pornography, which unfortunately is very real.
Sextortion based cybercrime, where users are blackmailed based on explicit photographs, which can be obtained by hacking computers to gain control of webcams[77]; stealing existing photos from computers, secure online file storage sites, or email services; or social engineering (e.g. pretending to be a sexy person of the appropriate sex and getting someone to send nudes or do things on webcam).[78] This has been the subject of myths about surveillance and calls for everybody to tape over their webcams, but the government and other people can't access your camera remotely assuming you follow good computer security practices. You have to actually do something stupid like visit a dodgy website or download questionable software, but sometimes there is reason to cover your webcam.[66]
The dangers of password reuse, a mundane but fundamental flaw with password-based computer security. A 2018 report suggested business employees in some sectors could have up to 191 passwords needed for different services, and if they reuse them across multiple services, then if one system is compromised, all the rest with the same password are compromised too. The problem is, people can't remember 191 different passwords.[79]
Darknet commercial operations selling a large amount of drugs, a lot of stolen data and a small amount of weapons.[citation needed]
Your 'smart' TV,[80] Barbie,[81] console,[82] or smartphone assistant[83] recording your conversations.
Ransomware, where hackers take control of a computer system and claim they will release it upon receipt of a ransom (often in the form of Bitcoins), is an increasing problem, even for US state governments.[84]
Tech giants selling your data to advertisers[85]
Cyberwarfare and cyber espionage see military operations, spycraft, and propaganda carried out online rather than through traditional channels. Russia is a pioneer but other countries are trying hard to catch up.[86] Including: