Consolidating Rants

It’s no secret that many things set me off in society and the industry. This results in my constantly taking notes about possible articles, rants, and rebuttals. I’ve been doing it for a long time. Time permitting, and more importantly mood depending, I stop everything and focus on one. It is the only way one gets finished.

For the last week, I have been working on consolidating all these notes, spread out over four machines in different formats. I narrowed it down to three machines, which is appropriate as each is specific to a disclosure venue: this blog for general material, attrition.org for security related, and the OSVDB blog for VDB related (a subset of the security realm).

In the security realm, what surprised me the most is that some 70% of my rants-to-be were still valid. These covered a variety of topics within the realm of security, and dated back as far as 2001. It is a glaring reminder of how little things have changed, and why I am constantly depressed and frustrated with how ineffectual we have been at achieving an improvement in security.

Almost 50 general security rants, 25 draft blogs here, and another 8 draft blogs on OSVDB. Oh, another 30+ moved to an obsolete folder. So much to write, so little time, so much apathy.


A Holdout for Sanity

Last week, I blogged about the Adria Richards saga, and then linked it into similar activities from the ADA Initiative (AI). Days after, people are still divided on who was right and who reacted poorly. One thing almost everyone agrees on is that no one came out a winner.

In the wake of both incidents, there has been a shift to people being overly cautious, watching their wording carefully. Rather than speak freely as they usually do, they obsess over every word lest someone, anyone, take offense and drag them through the virtual mud. One joke that seems harmless or the use of a word that might be a “trigger” to someone, and you may find yourself a pariah, or worse.

I understand the issue, and I sympathize. I truly do. However, I also understand when something goes too far and recognize when overreaction dominates rational thought, as is common in our society after tragedy, or the perception of tragedy. I believe that time is here with the debate around equality in our industry. While my mind was mostly made up, after participating in the Exotic Liability podcast tonight, with guest Violet Blue, more information came out about recent events that angers me more. The BSidesSF incident that saw Val Aurora of the ADA Initiative get Blue’s talk cancelled was planned in advance. Claims of her talk containing offensive ‘rape’ material were not only wrong, they were used to emotionally manipulate the conference organizer into getting her way.

If Aurora and AI had their way, every talk that might have controversial material would be cancelled or changed, so as not to offend anyone, ever. Worse, someone that has “triggers”, words that may cause them emotional distress, may knowingly attend a talk with such triggers and it is your fault. Basically, they stuck their hand on the hot stove, got burned, and it is your fault because you didn’t make the stove safe for them. They shouldn’t be responsible for knowing what the red light and excessive heat coming from the machine mean.

Moving past the obvious issue of free speech, there is the rational and realistic argument on how to handle all of this. Should the 99%+ majority only utter G-rated material in any public, semi-public, or private venue on the off chance the word “rape” or “clown” or “pancake” offends them? Or should the minority <1% who might be offended at something you said simply avoid a situation that might cause a problem for them?

Forget the stupidly simple and rational course of action for a minute, and think about the level of narcissism it takes to expect everyone else to dance on eggshells around you. Do you really think that any initiative will change society to the degree you want? If equality is what you are after, act like an equal to the masses. The masses aren’t forcing you to travel a thousand miles to a conference and attend a talk that you clearly know may trigger you. Don’t force the masses to be deprived of a valuable presentation that is all about harm reduction, something you claim to support. If pancakes are a trigger, don’t go out of your way to stop and loiter at IHOP or click this link.

While AI and others are pushing this G-rated agenda and demanding sensitivity above and beyond all rational reason, several of us opted to go the other way last night. On the award-winning Exotic Liability podcast, Ryan, Chris, GK, and I refused to cave in. After a disclaimer warning listeners of offensive content to come, we celebrated our freedom of speech, and our freedom to offend. Innuendo lasted all of a few minutes before truly offensive banter found its rightful place at the top. Our guest Violet Blue, a true advocate of equality and education, laughed with us and praised us for adding levity to the situation. She said she desperately needed it after the past weeks, as being dropped from a speaking engagement and not being able to educate was depressing.

By going the opposite direction, we collectively said “fuck you” to Aurora, the AI, and people like Adria Richards. They seem to look for situations in which they can opportunistically take offense, and they ride it. In doing so, they traipse over good people doing good work, typically those with a noble and giving reason. They subjugate the masses to conform to their selfish rules, demanding change that ultimately will not effect the change they desire. So I will do what I feel is right, and nothing more:

You have been warned! Last night’s podcast is offensive. I don’t need to qualify it beyond that, because it is probably offensive to everyone. We did not hold back, we acted like immature kids, and we said whatever came to mind. If bad jokes, bad acts, or laughing at serious topics is a ‘trigger’ to you, don’t listen. If you do, it is on you, not us. We see your crazy, and counter with our sanity. Until you figure a better way to encourage that equality, consider people like us the holdout for sanity. Dare to listen and laugh with us.

All This Over a Dongle?!

As usual, someone is wrong on the Internet, and I just can’t help myself. Many will already be familiar with the incident at PyCon this week. During a talk, two men were talking to each other, and a woman overheard it. She took offense to what they said, got the attention of convention staff, and had them talked to by staff. Because she used Twitter, and posted a photo of them, it led to one of the men getting fired from his job, presumably to avoid blowback on his company. The men spoke about two things that the woman took offense to. The first was a series of jokes about a “dongle”, and using the term in a sexual manner. The second was a series of jokes about “forking”. After the incident, everyone posted their stories to their blogs or somewhere public. One of the men admits that the dongle jokes may have been inappropriate, but clarifies that the forking jokes were not sexual at all.

There are several aspects of this saga that bother me, and I am not the only one. While I will start on the PyCon incident, this article will end on a bigger theme, and drag another recent incident into the mix to demonstrate what many see as a pattern of females being overly aggressive on wanting not only equality, but rights above and beyond the rest of us. That is the part that should bother you too. If you have read enough about the PyCon incident, I encourage you to skip down to the “Other, Ongoing Issue” below.

There are a lot of people adding to the discussion, especially on Twitter. In my casual brief search, I ran across two replies to the incident that show many are giving this topic serious thought. As with most things, the topic of sexism, feminism, and all things between is murky to say the least. I offer my opinion as someone who believes in a woman’s right not to be sexually harassed, who believes that any rational person doesn’t need special programs or slogans to remind themselves not to do bad things to women, but more importantly, someone who believes that it is a two-way street. While a woman should not be harassed just for being a woman, men should not be made to feel uncomfortable and second guess every word they speak on the off chance it might offend a woman, especially one who admits to having “triggers”. More on that later.

The woman in question is Adria Richards (@AdriaRichards on Twitter), a self-described “blogger, video content creator, technology mentor” who is currently a “developer evangelist” at SendGrid (@SendGrid on Twitter). Until tonight, I had never heard of her, so my exposure to her is only based on skimming her Twitter feed, reading a couple of her blogs, and the other commentary mentioning her that I read while reading up on the incident. Her blog post outlining her side of the story about the PyCon incident is what led me to write this though. In the process, I found a tie-in to another incident that bothered me, one that is very similar to this one.

I read her blog to get her perspective on what happened, because everything is about perspective. Like one of the men saying the dongle jokes were inappropriate, but the forking jokes were actually complimentary and not sexual, it is important to get both sides. However, Richards’ comments about what happened disgusted me. Below are some quotes from her blog:

That would have been fine until the guy next to him… began making sexual forking jokes

Given that he admitted to inappropriate dongle jokes, I tend to believe him when he said that Richards took the forking jokes out of context, and read into them. I also seriously doubt the first jokes “were fine”, and suspect that Richards took offense to those and wouldn’t let it stand either way. Her complaints to PyCon via Twitter could have been the end of this, but after posting their picture and making accusations that now seem partially unfounded, it spiraled out of control.

I know I don’t have to be a hero in every situation.

This is perhaps one of the most disgusting, egotistical, and narcissistic comments I have read in some time. It is only compounded further when you read on. Richards isn’t a hero for overhearing an inappropriate joke that offended her, and ultimately complaining in such a way as to get someone fired. She isn’t a hero at all, and this comment suggesting she can be the hero of every situation is absurd.

I saw a photo on main stage of a little girl who had been in the Young Coders workshop. I realized I had to do something or she would never have the chance to learn and love programming because the ass clowns behind me would make it impossible for her to do so.

This is where Richards really goes off the deep end. Two people in a large crowd (picture courtesy of Richards) say something inappropriate, and it will somehow mean a little girl pictured on stage never has the chance to learn and love programming? Worse, Richards claims that the little girl couldn’t do all that because the two “ass clowns” behind her would “make it impossible for her” to learn a programming language? That is textbook libel. Oh, and purely ignorant.

Accountability was important. These guys sitting right behind me felt safe in the crowd. I got that and realized that being anonymous was fueling their behaviour.

Richards then goes on a real stretch, suggesting that their activity was the result of Deindividuation. Apparently, in all of her reading on psychology, she missed the bit on Occam’s razor. Two guys talking to themselves, likely thought they were being quiet enough, and got overheard. It really can be that simple. Instead, Richards wants to prop this incident up and make it seem like they intentionally carried on like this, feeling like their actions were “safe” or “immune” from reaction. I side with Occam.

There is something about crushing a little kid’s dream that gets me really angry.

Me too. Except, neither of those men crushed a little kid’s dream. Richards is talking about a picture of a kid on a projector. Suggesting they shattered anyone’s dreams is absolutely ludicrous, and shows this entire matter has an agenda.

Yesterday the future of programming was on the line and I made myself heard.

Because the picture of a kid wasn’t enough, now the future of programming was on the line. I am at a loss for words, except one that keeps coming to mind. Idiot. The crap Richards spews in this blog is worthy of disgusting politics, and nothing else. Top it all off with a subsequent Tweet, and to me it seems like she has delusions of grandeur. This entire ordeal, from her side, screams of a desperate attempt to better justify her overreaction.

[Image: screenshot of the subsequent Tweet from Adria Richards]

If you stop for a minute and picture the situation, you should quickly realize that Richards’ portrayal of what happened is egotistical, overblown, and completely out of line. What really prompted all of this? Was it really a dongle joke, which has been around for over two decades, and even used in mainstream advertisements in a sexual manner? Is Richards frantically typing out an email to this site, the advertiser, and anyone else to get it yanked because it too is offensive? Or is there a more rational explanation, specific to Richards?

Because of my experiences growing up, I have triggers. This means that I’m always scanning for danger; for situations that seem like something from the past that could hurt me. When I recognize something that matches, I can overreact and feel intense fear, anger or anxiety.

That is a quote from Richards’ blog, titled “Success Against The Odds: Filling My Technology Knapsack From Scratch” and published on February 6, 2013, a month and a half before the PyCon incident. Richards clearly has an awful past, and she not only endured it, but she ‘beat’ it. Rather than letting her past dictate her future, she overcame it and became a successful person in technology. However, like she said, she has triggers that may cause her to overreact due to anxiety. Based on everything I have read, I think that is exactly what happened today. I am more sure of it when I skim her Twitter feed and see the following Tweet, just days before this incident:

[Image: screenshot of a Tweet from Adria Richards, posted days before the PyCon incident]

The person she made this joke to tries to defend her comments after someone points out the hypocrisy of it. What he fails to see is that her joke between two people, in a public forum, was “overheard” (read) by many others. The two men at PyCon were talking among themselves, and someone overheard it. One of these situations isn’t magically more appropriate than the other.

While Richards may be offended at a dongle or forking joke, I am offended that any one person, male or female, has the power to get two people ejected from a conference, and one of them fired from his job, all based on their perception of an overheard conversation. Apparently, Richards’ company SendGrid ultimately decided to steer clear as well, as they announced she had been terminated today (statement on their site). That will undoubtedly cast enough gas on this fire to keep it going for a few more days.

The Other, Ongoing Issue

The PyCon incident follows on the heels of another incident a few weeks ago. Richards’ invocation of the PyCon Code of Conduct as justification to have the men removed actually provides the tie-in. At the bottom:

This Code of Conduct was forked from the example policy from the Geek Feminism wiki, created by the Ada Initiative and other volunteers, which is under a Creative Commons Zero license.

If you aren’t familiar with the Ada Initiative (@AdaInitiative on Twitter), it is a “non-profit organization supporting women in open technology and culture”. It is important to remember that both Richards and the Ada Initiative feel that women are under-represented in technology (true), and want to help facilitate women gaining growth in the field. That is what makes the following story from weeks ago more baffling.

The cliff notes: A woman named Violet Blue, an accomplished writer and sex educator, was to speak at BSidesSF. She was to give the exact same talk she gave at BSidesLV in 2012, a talk titled “sex +/- drugs: known vulns and exploits”. The content was not only public to some degree, but the abstract was clear on the content. Despite that, Valerie Aurora from the Ada Initiative lodged a complaint with BSidesSF staff, claiming that if Blue gave the talk and if it contained reference to rape, it may trigger her in a negative way. Blue’s talk had educational information about the drugs behind date rape and how to be better informed, so that such situations could be avoided. As Blue describes the talk, it is about harm reduction.

So we have a group that claims to support women in technology and culture, arbitrarily stopping a talk designed to educate and protect women, because it “might” have content that “triggers” her. One might wonder, if Aurora truly knew (or believed) it had such content, why not just avoid the talk? You may also wonder why Aurora made such unfounded claims, when the talk was already public, and the content of it is already out there and easy to verify. Of course, Aurora did not approach Blue to talk about it, just like Richards did not confront the inappropriate jokers. Violet Blue gives a detailed account from her perspective, and Aurora gives a detailed account from her perspective along with a “TRIGGER WARNING: RAPE” at the top. Note that the guide to giving such talks that the Ada Initiative touts mentions rape, without the same trigger warning. Without consistency, your personal agenda shows.

The Ada blog goes on in an attempt to justify their actions by claiming that such talks are appropriate for their conference (AdaCamp), but not other conferences. A small group of feminists have taken it upon themselves to influence and dictate what happens at conferences, even at the risk of working against their own stated goals. While I do not have references, and I haven’t searched them out, several people have come to me in my role as a maintainer of the Errata project and asked about adding the Ada Initiative, saying that the Violet Blue incident was the tip of the iceberg.

The result of this overly aggressive behavior and self-important moral policing only has the opposite effect. Rather than improving the industry for women and enabling them to better move forward, more people are left with the wrong impression. Richards and Ada do not come off as heroes of the feminist movement; instead, they come off as petty and over-sensitive. That remark has nothing to do with gender either. The Internet is a cesspool at times, and we are frequently subjected to a variety of ideas and pictures that are likely to offend most. Our friends warn us to have thick skin, especially if you choose to engage in certain places (e.g. Twitter, 4chan). Many joke that a DSL modem should come with a warning label about the perils of the Internet. To brave it, we all have to keep our sensitivity in check, lest we live miserable lives constantly subjected to random 1’s and 0’s that upset us at every turn.

My message to any activist, regardless of your cause: Pushing for equality is a good thing, and I support that. However, when you push so hard as to tip the scales in your favor, you are alienating yourselves from the masses that you just struggled to educate and influence. Sometimes part of a battle is knowing when to avoid a fight, and doing so strategically. Showing up to a conference, seeking out a talk that might offend you, and pushing for it to be cancelled shows you do not understand that.

The Lesser of Two Weevs

Yesterday, Andrew Auernheimer (aka Weev), was sentenced for his 2012-08-16 indictment on one count of “fraud and related activity in connection with computers” (18 U.S.C. § 1030) and one count of “conspiracy to commit offense or to defraud” (18 U.S.C. § 371). This was the result of Auernheimer’s activities in 2010, where he manipulated a URL on an AT&T web site, and discovered an information enumeration vulnerability.

While a lot has been written the last 24 hours on this topic, mostly via 140 character Tweets, most stories aren’t covering the full range of issues surrounding this case. Some stories cover the harsh sentencing, while older stories cover the simplistic nature of the vulnerability found. What I find lacking are stories that put it together in context, to explain how absurd this is. There are three high-level components to this story.

The Vulnerability

Enumeration vulnerabilities come in a wide variety of formats. Via the web, they are often very simple and straightforward. A web site serves up content specific to you, customer #1234. Poorly designed web applications will identify you as customer #1234 to the application using a variable that is passed via the URL you send to the server. For example:

/banking/account.php?date=20130317&account=checking&customer=1234

You can clearly see your customer number in the URL. What happens if you change 1234 to 1235 and submit it to the server? In this case, you go to jail for 41 months. No exaggeration, no bullshit. That is a basic example of an information enumeration vulnerability, due to extremely poor coding practices and absolutely no security review of the application.

The frequency of such vulnerabilities is disturbing. But not as disturbing as the multi-million dollar companies that are entrusted to protect hundreds of thousands of customers’ data. If you are browsing the web or using your banking application and notice the above, and casually change 1234 to 1235, who is the real bad guy here? You, or the corporation that decided not to employ the most fundamental security measures from the last thirty years?
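To make the flaw concrete, here is an added example (not code from the original post, and written in Python rather than the PHP the URL suggests) of a handler that trusts the customer number in the URL, beside a hardened version that takes the identity from the server-side session and logs any mismatch. The customer records, session object and ids are constructed for illustration.

```python
"""Insecure direct object reference: vulnerable handler vs. hardened handler.

Added example for the /banking/account.php?customer=1234 URL discussed above.
Everything here (records, session model, ids) is constructed sample data.
"""
import logging
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("account")

# Constructed sample back-end: customer id -> account record
CUSTOMERS = {
    "1234": {"checking": 1520.00, "savings": 9000.00},
    "1235": {"checking": 88.10, "savings": 0.00},
}


class Session:
    """What the server actually knows about the authenticated caller."""

    def __init__(self, customer_id):
        self.customer_id = customer_id


def parse_request(url):
    """Return the query parameters of a request URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def account_vulnerable(session, url):
    """Trusts the customer= parameter from the URL.

    Any authenticated caller can read any customer's balance by changing the
    number in the URL: the enumeration vulnerability the post describes.
    Returns (status, balance).
    """
    params = parse_request(url)
    record = CUSTOMERS.get(params.get("customer"))
    if record is None:
        return 404, None
    return 200, record.get(params.get("account", "checking"))


def account_hardened(session, url):
    """Takes the customer identity from the session, never from the URL.

    A customer= value that does not match the session is refused with 403 and
    logged; repeated mismatches from one session are exactly the signal a
    defender should alert on. Returns (status, balance).
    """
    params = parse_request(url)
    requested = params.get("customer")
    if requested is not None and requested != session.customer_id:
        log.warning("IDOR attempt: session for %s requested customer %s",
                    session.customer_id, requested)
        return 403, None
    record = CUSTOMERS.get(session.customer_id)
    if record is None:
        return 404, None
    return 200, record.get(params.get("account", "checking"))


if __name__ == "__main__":
    alice = Session("1234")
    other = "/banking/account.php?date=20130317&account=checking&customer=1235"
    print("vulnerable:", account_vulnerable(alice, other))  # leaks 1235's data
    print("hardened:  ", account_hardened(alice, other))    # 403
```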

The Crime

This aspect of the story is perhaps the biggest disconnect for most readers. Instead of being exposed to the fundamentals, and the history of vulnerability discovery and how it influences disclosure, they get wrapped up in the media’s portrayal of Auernheimer. Yes, “weev” is a controversial character. He is an admitted Internet troll, an asshole of sorts, and a character of questionable repute. However, that doesn’t matter, at all. If being an asshole was a crime, all 18 people in the U.S. who weren’t would be left to read this.

So what did Auernheimer really do? He figured out an enumeration vulnerability in AT&T’s web site, that let him determine the entire iPad user database. This constituted some 114,000 iPad 3G users. What information did the AT&T site give up, that Auernheimer got access to? Email addresses. No full names, no physical addresses, no phone numbers, no credit information, no passwords. In case you weren’t aware, you can purchase 50 million email addresses on a single ISP for a whole $500.

Why the big deal? This is where it gets a bit murky, at least to an outsider. When a researcher finds a vulnerability in a product, service, or web site, they have several avenues for disclosure. First, they can sit on the information and simply not disclose it. This doesn’t protect anyone, because the idea that no one else will find it is absurd, and has been proven wrong many times over. Second, they can disclose it in a ‘responsible’ (poor term, commonly used) or ‘coordinated’ (better term, use it) manner, in which they work with the vendor to disclose it only when the vendor is ready, and the issue has been fixed. Third, they can disclose it without informing the vendor, or they can disclose it after informing the vendor but not waiting for a fix. Each of these scenarios happens every week, a hundred times over.

The average citizen, including jurors and judges, does not understand the history or intricacies of vulnerability disclosure. There are vendors and service providers that have a long history of not caring about vulnerabilities. That is, until it affects them in the public eye. A serious issue can exist for five, ten, or sometimes seventeen years, without being fixed. When the right light hits the ordeal, usually via a negative high-profile media article, the company suddenly takes an interest. If Auernheimer had reported this to AT&T directly and waited for a fix, there is a good chance it would have gone unfixed for months, possibly years. Every day that ‘coordinated’ disclosure happens runs the risk of someone with bad intentions finding the same issue.

Rather than go to AT&T and risk months of back-and-forth and/or waiting, Auernheimer opted to go to a media outlet. Why? Media pressure is one of the strongest motivations for a company to fix a vulnerability. One could argue that since the vulnerability was not very serious (again, just email addresses being disclosed), that going to a journalist instead of the company was not a big deal. Regardless of Auernheimer’s potential intentions regarding the embarrassment to AT&T, he took a route that would likely have the most success in getting the issue fixed.

The Sentencing

For his “crime”, Auernheimer was sentenced to 41 months in prison, 3 years probation, and ordered to pay $73,000 in restitution. Again, for showing how anyone could harvest a list of 114,000 email addresses. SC Magazine quickly wrote an article detailing 8 criminals that used computers in the commission of their crime, but received less prison time. I understand that courts are behind the times on computers, their use, abuse, and how to punish crimes related to them. I expect to see some discrepancy between sentencing in such cases. What I fail to understand is how a court can offer up such a sentence as compared to other crimes, that are certainly more destructive, and more heinous. Consider the following crimes and sentences, all handed down very recently:

  • Molesting 2 children can get you 14 months. [Source]
  • Child abuse can get you 32 months. [Source]
  • Manslaughter can get you as little as 42 months, just 1 month more than email addresses. [Source]
  • Possession of child pornography is good for 48 months, just 7 months more than email addresses. [Source]
  • Involuntary manslaughter, 50 month maximum per victim. [Source]

Perhaps the biggest comparison has been Auernheimer to the two Steubenville (Ohio) rapists who were sentenced for a total of three crimes, and collectively received less time. Trent Mays was convicted of raping a teenage girl, and ordered to spend “at least one year in an Ohio Department of Youth Services facility or until they are 21 years old”. Since Mays was also convicted of having pictures of a minor in “nudity-oriented material”, he received 1 additional year. Ma’Lik Richmond, also convicted of raping a teenage girl, received one year in the Youth Services facility. Two rapes, and essentially one count of child pornography, and collectively they get 36 months, compared to the 41 Auernheimer received. More disgusting is what is being called the “rape culture”, where news outlets such as CNN were apologetic to the rapists, decrying the sentencing and claiming their “lives were over”. Perhaps if Auernheimer’s lawyers argued that he only “raped the AT&T system”, he would have received a year.

The Lesser of Two Weevs

Once again, forget about Auernheimer’s predilection for trolling or seeking to annoy people. That is entirely irrelevant to the case. He found a minor vulnerability on AT&T’s web site, he told a journalist who wrote an article about it, and AT&T fixed it. No one suffered real damage from his activity. He did not seek to profit from his activity. More interesting is that AT&T specifically wants bugs reported to them, which Auernheimer did about the same time as he notified the journalist. While he did not follow their desired process, both sides made their intentions clear; they want bugs fixed. In this case, they diverged in the method for effecting that change.

If Auernheimer had tried to profit from his activity, I understand how the court would seek to punish him. If he sent emails to all 114,000 people defaming AT&T, or caused them to receive excessive emails, I would expect a harsher punishment. But given that a bank loan manager was recently sentenced to six months in prison for computer fraud in an attempt to increase her own lines of credit by more than $200,000, you have to wonder what other factors are at play here. Companies are frequently dealing with vulnerabilities, some disclosed directly to them, some exploited by bad guys, some reported via the media first. Why is the AT&T case so special?

It will be interesting to see how other crimes are dealt with in comparison. For example, the same day Auernheimer gets sentenced to prison, other anonymous researchers share their recent work that involved illegally accessing 420,000 systems on the Internet. In the United States, that constitutes 420,000 felonies.

That said, I for one am grateful that Auernheimer reported the vulnerability, both to the media and AT&T directly. Given my personal history of dealing with vendors in vulnerability disclosure, I don’t blame him or any other researcher who opts not to work with a vendor. It is often a time-consuming and painful process that typically challenges your faith that a company cares about security and their customers. In this case, we got the lesser of two Weevs: the one that wasn’t intent on pissing as many people off as possible. The one who didn’t opt to use the information for profit, that didn’t sell the list to criminals, that didn’t actively try to compromise AT&T systems. And for that, he will receive over three years in federal prison. Think about it.

Why Panels Don’t Help InfoSec That Much

The other day, a brief Twitter rant, followed by a few blog replies led to “that would be a great panel”. I don’t disagree, it would be a fun panel if I was on it, or could participate from the crowd. I’ve been on my share of panels in the past, one about Anonymous, a few about vulnerabilities and related topics. At some point during the Twitter masturbation over the greatness of such a panel, I had an immediate thought that I am probably done with, or at least scaling back on panels.

The next day, I read an article in Time Magazine (Mar 18, 2013) by Joel Stein titled “No Comment”. Only briefly mentioned, but this quote from it sums up my primary problem with panels:

“That’s because most discussions are inane. Not a lot of students are asked to memorize history’s classic panel discussions.”

Some of them are streamed, some get fun quotes live-Tweeted, but none of them are transcribed. As such, the points you can make do not carry a solid reference, or it is buried in the middle of a dozen other points. In some cases, a few quotes are great, but in the full context of the panel it may not carry the same meaning.

What we’re left with is reasonably smart people, arguing with each other, debating away, and ultimately doing nothing to improve the sad state of the industry. We often joke that Twitter and conferences are an echo chamber. If so, panels are those really small acoustic rooms from which no sound escapes.

A fascinatingly disturbing thought…

Dr. Neil DeGrasse Tyson offers us a “fascinatingly disturbing thought”:

Not only does he remind us that our perception of intelligence is laughably flawed, but he reminds us that any superior race out there (e.g. the kind that could achieve interstellar travel) would likely look at us as if we were chimps. Like we look at monkeys in the zoo, such a superior race would probably do the same, meaning they may not stop by our planet to look at the animals.

The last few years have seen an incredible jump in interest in scanning our universe, despite continuing drastic budget cuts to our space program, which includes looking for things like asteroids that pose a risk to our planet as well as distant planets that may support life. Fortunately for us, searching for these planets requires at least one satellite, and interested parties that can crowdsource the effort. Hopefully, by the end of the year, the scientific community will get a huge boost in capability, making the search even better.

In the meantime, anyone with a few spare minutes, interest, and curiosity can help the effort. The Kepler team has set up a web site called Planet Hunters that lets anyone participate. As time permits, you use their guide and classify stars. Each one may be just another star, or it may show signs that an exoplanet is lurking about. No shit, some random citizen just poking at this web site could be the next person to identify an exoplanet that is capable of sustaining life. If that isn’t scientific power at your fingertips, I don’t know what is.

You posted the business hours, not me…

Safeway (@safeway), my local grocery store. A few blocks from home, where I go several times a week. Also the home of my pharmacy, where I spend an inordinate amount of money, including almost $1100.00 yesterday. That is not a typo.

Tonight, I get there at 11:47 and find the door closed, even though they close at midnight. I am sensitive to the customer who comes in a minute before closing, especially at a restaurant. However, this is my Safeway, where I am faster on the self-check machines than half of your checkers. I am in and out in under 10 minutes on a big shop, let alone tonight, where I want a couple of items.

The security guard says they are closed, but opens the door for me when I say “I just need a couple items”. Two steps in, he starts giving me a hard time, and I ask him when they close. I show my phone, which reads 11:50 by that point. He says no problem, go ahead quickly. I take one more step, and a loud cashier is yelling at me from 20 yards away saying they are closed. By now, between the security guard and the cashier, with a Denver Police Department officer standing idly by watching, I realize they really do not want my business. My final “I just want a couple things” is met with a half-assed “well…” by the cashier, so I leave the store. I get it, you want to leave early tonight, and you want me to leave right now.

Most nights? I wouldn’t care. Tonight? I care. Denver is expecting up to 18 inches of snow tomorrow, making such shopping difficult, problematic, or dangerous. I showed up 15 minutes before closing, well-timed, as I planned, with the intention of being out the door and on the way home before midnight, your posted closing hour.

Fire code makes you post those silly “These doors to remain open during business hours” stickers above your doors. Yet you do not follow them, despite people being in the store. Sure, not all customers, because you turn most away despite your posted business hours. You are breaking fire code to some degree, to turn away loyal customers, hours before a huge snow storm is to hit our city. No matter how you cut it, you are a terrible business, and you crap all over your loyal customers.

Either change your business hours, or instruct your employees to honor them. One or the other, it doesn’t matter to me one bit. I planned around your hours, and I will continue to do so, as long as you continue to operate under the hours you set. Now that I know you will not honor your schedule, there is no reason to continue to visit your store when I know King Soopers is 24 hours, and honors that commitment.

Twitter, the Ultimate Better Business Bureau

Over the last year, I have learned that Twitter has become the ultimate medium for getting a company’s attention. When you complain about a company and include their @ name, the potential for a lot of people to see it is there. As such, companies have quickly figured out to be very responsive, and very quick, in responding to public complaints there. Personally, I have had good luck with this, and found many companies to be responsive and to quickly fix, address, or promise to look into my issues. Today, I had another quick win.

ABC News sends out email-based news flashes for high profile happenings. I subscribe to them, as well as the blasts from CNN. ABC’s mail, however, for a year+ now, has not carried a Date header. This means that mail comes in, and if you sort by that date, it doesn’t sort well. It is also just bad etiquette not to follow a 30+ year old RFC that mandates that header in all emails. I took @ABC to task over it this morning before I went skiing:

[Image: twitter-abc]

By the time I got home, ABC had sent out another news blast, and this time it carried the date header! After over a year, all it took was a single Twitter complaint.

[Image: abc-date]
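The point about the missing header is easy to check mechanically. The following is an added example written for this post, not anything ABC, CNN, or a mail client actually runs: it parses a handful of constructed news-blast messages with Python’s standard `email` library, flags each one whose mandatory Date header is absent or unparseable (RFC 5322 requires exactly one Date field in every message), and shows why a client sorting on that header has nothing to order such messages by.

```python
"""Audit incoming mail for the Date header that RFC 5322 requires, and show
what sorting by Date does with messages that lack a usable one.

Added example; the four messages below are constructed samples, not real
ABC or CNN news blasts.
"""
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (CRLF line endings as on the wire):
#   Blast 1: compliant, has a proper Date header
#   Blast 2: no Date header at all (the defect described above)
#   Blast 3: Date header present but not parseable
#   Blast 0: compliant, dated a day earlier but received last
SAMPLE_MESSAGES = [
    "From: alerts@example.com\r\nTo: me@example.org\r\nSubject: Blast 1\r\n"
    "Date: Tue, 19 Mar 2013 14:05:00 -0600\r\n\r\nBody one\r\n",
    "From: alerts@example.com\r\nTo: me@example.org\r\nSubject: Blast 2\r\n"
    "\r\nBody two, no Date header\r\n",
    "From: alerts@example.com\r\nTo: me@example.org\r\nSubject: Blast 3\r\n"
    "Date: not a date\r\n\r\nBody three\r\n",
    "From: alerts@example.com\r\nTo: me@example.org\r\nSubject: Blast 0\r\n"
    "Date: Mon, 18 Mar 2013 09:00:00 +0000\r\n\r\nBody zero\r\n",
]


def check_date_header(raw):
    """Return (subject, status, dt).

    status is 'ok' (dt is an aware datetime), 'missing' (no Date field) or
    'invalid' (Date field present but does not parse as an RFC 5322 date).
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "(no subject)")
    value = msg.get("Date")
    if value is None:
        return subject, "missing", None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        # Older Pythons raise TypeError on garbage, newer ones ValueError.
        return subject, "invalid", None
    if dt.tzinfo is None:
        # A "-0000" zone yields a naive datetime; RFC 5322 says that means UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return subject, "ok", dt


def sort_by_date(raws):
    """Order messages the way a client sorting on Date has to: messages with
    a usable Date first, oldest to newest; those without one appended at the
    end in arrival order, since there is nothing to sort them by.

    Returns a list of (subject, status) pairs.
    """
    checked = [check_date_header(raw) for raw in raws]
    dated = sorted((c for c in checked if c[1] == "ok"), key=lambda c: c[2])
    undated = [c for c in checked if c[1] != "ok"]
    return [(subject, status) for subject, status, _ in dated + undated]


def audit(raws):
    """Count messages by Date-header status, e.g. {'ok': 2, 'missing': 1}."""
    counts = {}
    for _, status, _ in (check_date_header(raw) for raw in raws):
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for subject, status, dt in map(check_date_header, SAMPLE_MESSAGES):
        print(f"{subject}: {status}" + (f" ({dt.isoformat()})" if dt else ""))
    print("Sorted by Date:", sort_by_date(SAMPLE_MESSAGES))
    print("Summary:", audit(SAMPLE_MESSAGES))
```

Blast 0 lands first despite arriving last because its Date header is the earliest, while Blast 2 and Blast 3 are dumped at the end regardless of when they were actually sent; that is the “doesn’t sort well” behaviour in miniature, and the same check run over a real mailbox would have flagged a year of ABC blasts in a few seconds.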

Invariably, All Good Software Shall Pass

Countless times, we see software that has promise go away. We get hooked on a new app or new software package, it gets better, we sing its praise. Ultimately, and invariably, at some point the developers take a sharp turn away from sanity.

I haven’t upgraded to the latest major version of iTunes because of the overwhelming negative feedback about it. I know that the many people satisfied with the version I have can’t be wrong. There was no reason to do a major overhaul of the interface, yet Apple did. Not only was it a major overhaul, it was not intuitive, and a drastic change from the comfortable and working. That has alienated many of their users.

A few days ago, I noticed that the ‘Shazam’ app has removed one of the best features. It was not one most people used, and it was not advertised. It was however, brilliant. It was the feature that someone added because they actually used the app themselves, and they had been in the position I find myself in frequently. A new song comes out, the app can’t identify it. I get that, there is a time between song release and adding to the catalog. Previous versions would keep that tagged sample and label it ‘Unknown’, very logical. Even better, you could then wait days or weeks, and re-submit the sample to be identified. This let you wait for the song to get more airtime or make its way into the system. A version or two ago though, that feature vanished. Why? There is not a single logical reason for that to happen. There is no logical contract or political crap between companies that would make it go away. Yet it did.

Tonight, I noticed Shazam introduced something else that defies logic. I try to identify a song playing at the end of The Walking Dead (S03E12) and it comes up as “The Walking Dead”. At first I think, hey, it can’t ID the song but it knows where it came from, that isn’t bad. Then I see all kinds of crappy options below it. “Music in the Broadcast” that has many songs not in the show. “Listen now on Rdio” (sic) even though it couldn’t identify the song. “Celebrity Buzz” because identifying that song is so close to me wanting to know the latest spew about dipshits. “Cast”, because I might be curious to know John Doe plays Fred Blerp as a result of hearing a song toward the end of the third season of the show. “Latest Tweets” because that is a total crap-shoot on getting any real information. “IMDB” because hey, that web site is bound to give me all the music I need. “Wikipedia” because .. what the fuck, really? “Official Site” because now this app I paid for wants cross-marketing and click-through revenue no doubt. “Share” because I want to share that I watched this episode, and not share the actual song I was after in the first place. Last, “What is Shazam for TV?” advertises this new feature. Top bullet point and why I should like this new crap? “And get more info about what you’re watching, as you’re watching it! – Music in the show”.

This all makes me think, what software found a sweet spot of just working, where users were happy, and the company left well enough alone? No web browser has, very few operating systems have, no office packages have, no online services have…

Kusters’ Yakuza – Book Review

I don’t review books that often, especially not recently. While I read my share, they usually end up as side discussions with friends or a quick comment on Facebook. One topic that has always fascinated me is the Yakuza. I’ve read a variety of books on the subject over the years, including Confessions of a Yakuza: A Life in Japan’s Underworld, Tokyo Underworld: The Fast Times and Hard Life of an American Gangster in Japan, Yakuza Diary: Doing Time in the Japanese Underworld, and Tokyo Vice: An American Reporter on the Police Beat in Japan among others. One thing these books don’t come with is pictures. No surprise there, while the Yakuza is hardly a secret, their circles are of course closed.

A couple years ago I saw a post about a new coffee table photography book coming out, depicting the Yakuza. Reading the photographer/author description made it sound incredible:

YAKUZA is a personal visual account of the life inside an inaccessible subculture: a traditional Japanese crime family that controls the streets of Kabukicho, in the heart of Tokyo, Japan.

Through 10 months of negotiations with the Shinseikai, my brother Malik and I became one of the only westerners ever to be granted this kind of access to the closed world of Japanese organized crime.

With a mix of photography, film, writing and graphic design, I try to share not only their complex relationship to Japanese society, but also to show the personal struggle of being forced to live in two different worlds at the same time; worlds that often have conflicting morals and values. It turns out not to be a simple ‘black’ versus ‘white’ relationship, but most definitely one with many, many, many shades of grey.

“A visual account” – “10 months of negotiations to be able to take the pictures” – “One of the only westerners to be granted this access” .. How could that be bad?! Of course I purchased the book, for something close to $50. I figured a unique look into Yakuza life was well worth that price. Disclaimer: I appreciate artistic photographs. That includes questionable focus, perspective shots, and more. I get that each picture has more meaning to the photographer, and that it doesn’t always translate. Five minutes leading up to the picture may carry a world of context lost to the subsequent viewer, but captured entirely in the eyes of the shooter.

However, when I finally received the book and flipped through it, I was disappointed. 197 pages of pictures (several being one picture across two pages), but almost no feeling that Kusters had more than casual access to the family he was with. Below is a list of my descriptions of the pictures in the first half of the book. To emphasize the lack of content, I will italicize where a picture is blurry, and underline where there is any hint that the Yakuza are involved.

16: Blank (small text describing next page)
17: Full page picture of calligraphy “jump”
18-19: Distant shot of city/neighborhood
20-21: Random Tokyo block
22-23: Blurry shot of rain on window
24-25: Slightly blurry picture of 3 men in suits
26-27: Paper lantern
28-29: Cabinet in abandoned? building
30-31: Close-up through window of man driving car
32: Blank (small text describing next page)
33: Full page picture of calligraphy “learn”
34: Leather jacket clad shoulder/back of a man
35: Back of man in suit at security-laden door
36: Picture of security monitor, with leather jacket clad man on it
37: Japanese writing on wood wall
38-39: Intricate sealed letter in offered hand
40-41: Three men in restaurant, looking serious
42-43: Drinks and cigarette pack on restaurant table
44-45: Three men in suits waiting outside building
46-47: Slightly blurry picture of ~ 8 men walking down street, odd angle doesn’t show much of them
48: Blank (small text describing next page)
49: Full page picture of calligraphy “boss”
50-51: Slightly blurry picture of random highway
52-53: Close-up of chest and face of man in suit, sitting in car
54-55: Picture of highway signs
56-57: Nice park, tiny silhouette of man
58-59: Outdoor shot, slightly blurry man in lower corner on phone
60-61: Paper with Japanese writing and picture of a Federal Bureau of Prisons Inmate ID of Yoshimura Mitsuo
62-63: Random city block, group of men walking away
64: Blank (small text describing next page)
65: Full page picture of calligraphy “belong”
66-67: One blurry man, one more clear man, waiting by car
68-69: Close-up of heavily tattooed hands, one pinkie missing
70-71: Several paper lanterns
72-73: Blurry shot of three figures in a car
74-75: Blurry shot of landscape, perhaps out of moving car
76-77: Three cars outside of a residence?
78-79: Eight men seated around table
80: Blank (small text describing next page)
81: Full page picture of calligraphy “training”
82-83: Two men sparring in Karate, several sitting on floor around them
84-85: Four silhouettes sitting under beach umbrellas
86-87: Two men on beach swinging baseball bats
88-89: Man sitting on floor of residence (no ink on arms or visible chest)
90-91: Close-up of man practicing knife fighting
92-93: Four men drinking
94-95: Blurry shot of man walking into building at night
96: Blank (small text describing next page)
97: Full page picture of calligraphy “the way of the cherry blossom”
98-99: Lace window coverings
100-101: Blurry shot of building in distance
102-103: Close-up of two men, possibly in gym locker room
104-105: Very blurry shot of 3 men bathing, post gym?
106-107: Picture of dozens of men sitting on beach facing water
108-109: Blurry shot outside back of train window
110-111: Man with raised shirt, showing 1 tattoo on chest

In the first half of the book, there are only 44 total pictures. Of those, 12 are blurry and only 14 (some of them blurry) could be argued to be Yakuza-related pictures. That is not what was advertised by any means, and the rest of the book does not take a sudden turn for the better. In short, steer clear of this book.