Hunter Fans and Hidden Functionality

Nothing exciting, just documenting two things about Hunter ceiling fans, at least one of which is not documented in their manual. My electrician had to call and sit on hold for almost two hours to get the information and be told that no, it wasn’t in the documentation. These apply to the Hunter Dempsey model 59242 and 59244 fans with a Hunter Universal Wall Mount Remote Controller model 99375.

Sync Hand Remote to Fan

1. Wall switch – turn off
2. Wall switch – turn on
3. Hand remote – press 0 and 3 at same time (hold down a few seconds)
4. Blinking lights = synced

Sync Wall Remote to Fan

1. Wall switch – hold light and fan buttons at same time

The fans are advertised as having dimmable lights, but they don’t dim by default. You have to activate this functionality, these are the instructions provided via support over Twitter:

Hand Remote:

First turn the light off on your fan for 5 seconds and back on. Then press and hold the fan button, while still holding the fan button, quickly press the light button 2 times. The dimming feature is now activated. Hold the light button down to set dim level.

Wall Remote:

First turn the light off on your fan for 5 seconds and back on. Then press and hold both the light up and light down buttons for 5 seconds. The dimming feature is now activated.

While Hunter’s support was helpful, I encouraged them to add this to their documentation. Even better would be to include these on a one-pager that helps the installer and the user.

Why @anacondainc Doesn’t Fully Understand CVEs

It’s worrisome that in 2020 we still have people in influential technical roles that don’t understand CVE. A friend told me earlier this year he was in a meeting where someone said that CVE IDs are assigned in order, so CVE-2020-9500 meant there were 9500 vulns in 2020 so far. Of course that is not how it works, and it is a dangerous misunderstanding of CVE.

I ran across an article written by Nick Malkiewicz of Anaconda titled “Why Understanding CVEs Is Critical for Data Scientists“. This article has several bits that show a lack of understanding of what CVE is. One of the biggest is equating a CVE with a vulnerability. Yes, many vulnerabilities directly map to a single CVE identifier, but a CVE is the identifier, not the vulnerability. Additionally, sometimes one vulnerability can track with multiple CVE IDs, or one CVE ID can track to multiple vulnerabilities. So lines like the following are concerning:

When someone finds a CVE, they report it to a CVE Numbering Authority (CNA).

When someone finds a vulnerability, they report it to MITRE or a vendor, who may be a CNA but more often is not one. That vendor can then ask MITRE for an ID via a web form.

CNAs assign identification numbers to CVEs and list them in publicly accessible databases.

A CNA is required to inform MITRE after a CVE-assigned vulnerability has been disclosed. That is actually a fairly recent rule, implemented in the last few years. For most of CVE’s history there was no requirement or specific communication channel for a CNA to notify MITRE of this. That was one of many failings of the CVE ecosystem and directly led to companies being breached, as they relied on CVE to be ‘complete’ and timely.

Each vulnerability listed in a CVE database has a score from .1 to 10, 10 being the highest risk level. These scores are based on exploitability, impact, remediation level, report confidence, and other qualities.

Technically, not even the first line is true, as NVD can score a vulnerability as 0.0, meaning it is not a vulnerability and poses no risk. This occurs when a researcher or vendor discloses a vulnerability but doesn’t fully understand the issue or the subsequent impact. This happens hundreds of times a year, although many are not included in NVD. The second sentence from Anaconda is also incorrect, as NVD only scores the CVSS Base metrics. Exploitability, remediation level, and report confidence are part of the Temporal score and are not included. You can see an example with CVE-2020-2800, published by Oracle and given a CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N score by both Oracle and NVD. This misunderstanding of NVD CVSS scoring is more baffling as Anaconda links to the same FIRST CVSS document I do in this paragraph.
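To make the Base versus Temporal distinction concrete, here is an added example (my own Python, not code from this blog, from Anaconda, or from NVD) that computes a CVSS v3.1 Base score from a vector string using the metric weights and Roundup function published in the FIRST CVSS v3.1 specification, and only produces a Temporal score when E/RL/RC metrics are actually present in the vector. Fed the CVE-2020-2800 vector quoted above, it returns a Base score of 4.8 and no Temporal score, because that vector carries no temporal metrics at all. The temporal values appended in the second call are hypothetical, added here purely for illustration, and the third call shows that a vector with no C/I/A impact scores 0.0, which is the case described above.

```python
import math

# CVSS v3.1 metric weights, taken from the FIRST CVSS v3.1 specification (section 7.4).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PRIVILEGES_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # PR weighs more when Scope is Changed
USER_INTERACTION = {"N": 0.85, "R": 0.62}
CIA_IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}
# Temporal metrics. "X" (Not Defined) weighs 1.0, so a vector without them scores as Base only.
EXPLOIT_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
TEMPORAL_METRICS = ("E", "RL", "RC")


def roundup(value):
    """The spec's Roundup: smallest one-decimal number >= value, done with integer math."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/...' into a metric dict; every Base metric must be present."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("not a CVSS v3.1 vector: %r" % vector)
    metrics = {}
    for part in vector[len("CVSS:3.1/"):].split("/"):
        key, sep, val = part.partition(":")
        if not sep or not val or key in metrics:
            raise ValueError("malformed or duplicate metric %r" % part)
        metrics[key] = val
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError("base metrics missing: %s" % ", ".join(missing))
    return metrics


def base_score(metrics):
    """Base score per the v3.1 formula; Scope changes the PR weights and the impact curve."""
    scope_changed = metrics["S"] == "C"
    privileges = (PRIVILEGES_CHANGED if scope_changed else PRIVILEGES_UNCHANGED)[metrics["PR"]]
    iss = 1 - ((1 - CIA_IMPACT[metrics["C"]])
               * (1 - CIA_IMPACT[metrics["I"]])
               * (1 - CIA_IMPACT[metrics["A"]]))
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (8.22 * ATTACK_VECTOR[metrics["AV"]] * ATTACK_COMPLEXITY[metrics["AC"]]
                      * privileges * USER_INTERACTION[metrics["UI"]])
    # No impact on C, I or A means a 0.0 score, however reachable the code path is.
    if impact <= 0:
        return 0.0
    if scope_changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def temporal_score(metrics):
    """Temporal = Roundup(Base * E * RL * RC); absent metrics count as Not Defined (1.0)."""
    return roundup(base_score(metrics)
                   * EXPLOIT_MATURITY[metrics.get("E", "X")]
                   * REMEDIATION_LEVEL[metrics.get("RL", "X")]
                   * REPORT_CONFIDENCE[metrics.get("RC", "X")])


def score(vector):
    """Return the Base score, plus a Temporal score only if the vector carries E/RL/RC."""
    metrics = parse_vector(vector)
    has_temporal = any(k in metrics for k in TEMPORAL_METRICS)
    return {
        "base": base_score(metrics),
        "temporal": temporal_score(metrics) if has_temporal else None,
    }


if __name__ == "__main__":
    # The Oracle/NVD vector for CVE-2020-2800 quoted in the text: Base metrics only.
    nvd_vector = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
    print(nvd_vector, score(nvd_vector))
    # Hypothetical temporal metrics appended for illustration; NVD publishes none.
    print(score(nvd_vector + "/E:P/RL:O/RC:C"))
    # A vector with no C/I/A impact scores 0.0 regardless of the exploitability metrics.
    print(score("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"))
```

The point of returning `None` rather than silently multiplying by 1.0 is that a score consumer can tell the difference between “NVD rated this” and “someone assessed exploit maturity and patch availability”; the two are not the same data, and tooling that treats a Base score as if it already folded in exploitability and remediation level is making exactly the mistake the Anaconda article does.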

Anaconda goes on talking about how there are other factors at play including looking at the history of a package, how fast vendors respond, and more. This is great advice and critical for companies facing tens of thousands of vulnerabilities a year. Unfortunately, they slide into the “more lipstick on that pig” problem:

The good news is, there are tools that automate the CVE monitoring process.

This is true. But more ways to manipulate bad data still leave you with bad data. In addition to CVE missing several thousand vulnerabilities a year, their push for quantity in the last few years has led to a serious hit on quality. There are some CVE IDs with descriptions missing critical information like the vendor, affected version, or impact. All the data wrangling and fancy analysis of that data is still based on bad or incomplete information. All the lipstick on that pig still makes it a pig.

Finally, I will quote one other line from their blog that is curious:

Hacking open-source software also has a bigger payoff because many more people use it.

I understand and appreciate the sentiment, and finding a vulnerability in a library like OpenSSL obviously has a huge impact. However, that and a couple dozen libraries are still the outliers in the bigger picture. Compare your vulnerabilities like EternalBlue to a standard open source library vulnerability and they are not even close as far as how “many more people use it”.

On the origins of the term ‘Hacktivism’…

This blog is not about debating the definition of Hacktivism; I will leave that to the academics and self-described hacktivists. This article is to clear up confusion on the origin of the term, and point out that Wikipedia’s handling of factual information is sketchy. Further, it will point out that the Cult of the Dead Cow (cDc) happily went along with the notion that they coined the term, when they did not. Even when it was clear that their own dates and stories didn’t line up, that didn’t dissuade them from keeping up appearances.

The Wikipedia entry on Hacktivism currently states that the term was coined by cDc:

The term was coined in 1996 by a Cult of the Dead Cow member known as “Omega”.[2] However, similar to its root word hack, hacktivism is an ambiguous term (computer hacking is tied to several meanings).

There is no other reference to the source of this term today. If you look back at the page on prior dates, that isn’t the case. On May 17, 2013 we see:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

This line was added by ‘Orb Weaver’ on July 23, 2009 with this edit. It was deleted by ‘Pkinnaird’ on May 20, 2013 with this edit. The notes for the edit say:

(Removed references to destructive activities since they are well described in cyberterrorism article. Clarified that the word ‘hacktivism’ is contentious and removed most discussion of hacktivists as cyberterrorists since that is a separate notion.)

This looks like an innocent edit, removing a long list of ‘hacktivism’ incidents and changing it to a few short examples. However, in doing so, this effectively killed any reference to a prior source of the word. In short, this edit is very irresponsible. I would cite you the purpose of Wikipedia and something along the lines of “factual”, but curiously enough that is not part of the mission statement. While you may quickly associate “develop educational content” as being factual, that is simply not the case. Look at the battle in the US over schools teaching evolution versus creationism. No matter which you believe in, the other safely becomes “developing educational content” as a valid argument.

The line about Omega of Cult of the Dead Cow was added on November 22, 2011 with this edit and a change message of “Term coined in 1994 by “Omega” of the Cult of the Dead Cow Hacker collective.” At the bottom of the page, the first reference is “Hacktivism and How It Got Here“, a Wired piece by Michelle Delio from July 14, 2004. Note that Delio is not known for quality journalism and was let go from Wired due to serious issues surrounding her sketchy sources and fabrications. From Delio’s article:

But no one called technology-enabled political activism “hacktivism” until 1998, when cDc members Omega, Reid Fleming and Ruffin were chatting online and were, Ruffin said, “bouncing some wacky ideas around about hacking and political liberation, mostly in the context of working with Chinese hackers post-Tiananmen Square.”
“The next morning Omega sent an e-mail to the cDc listserv and included for the first time the word hacktivism in the post,” Ruffin said. “Like most cDc inventions, it was used seriously and ironically at the same time — and when I saw it my head almost exploded.”

Interesting that Delio says it was coined by cDc in 1998, citing cDc member Oxblood Ruffin in her 2004 article, yet Wikipedia said 1994. In a different interview with Elinor Mills from 2012, Ruffin was quoted as saying it originated in 1996. The Wikipedia page has cited this source for most of the page’s history, but has changed years to mention 1994, 1996, and 1998. In most cases, Ruffin’s story is the same about the term originating in an email between cDc members, but he apparently has never provided a copy of this email to journalists or made it public. It is clear that Ruffin is not a reliable source on this and is likely doing it to subvert the media, a stated objective of cDc.

An Earlier Origin

As mentioned above, Wikipedia once attributed the term differently:

The term itself was coined by techno-culture writer Jason Sack in a piece about media artist Shu Lea Cheang published in InfoNation in 1995.

A couple years ago I tried to reach out to Jason Sack to confirm this. My early attempts at reaching him did not work due to finding one email address that he no longer used. Last year, Space Rogue reached out via a different email address and got a response. We both asked Sack if he could dig up the original article and send a copy. Since he only had a copy in print, it took a while to find it, scan it in, and send it to us. But he did. As suspected, and as the original sourcing in Wikipedia says, he uses the term ‘hacktivist’ in 1995 under the pen name ‘Jason Logan’. A year or three before cDc supposedly did. Courtesy of Jason, the cover of the InfoNation magazine along with scans of the article are available as a more definitive reference (click thumbnails below for full size). As the author of this blog, I cannot update Wikipedia to correct the errors in it due to a conflict of interest. Someone else out there will have to do it.

[Scans: infonation-nov-1995-00 (cover), infonation-nov-1995-01 through infonation-nov-1995-04 (article pages)]

From the article:

Fresh Kill is described by Cheang herself as a work of eco-cybernoia. An environment in which the inability to access the media of change causes the uprising of low-fi activism and hacker mentality, or “hacktivism” if you will.

Welcome to the Internet…

No matter how many articles, news segments, books, web sites, infographics, or rumors warn people about the perils of the Internet, people still flock to this magical Mecca thinking it will bring great entertainment, answers, or whatever else (porn). While I have been in InfoSec for most of the last 20 years, this post is not to warn you about the evil hackers and cybercriminals lurking in every tube. You are basically fucked; your information will be stolen at some point and you will likely be unwittingly involved in fraud. This post is to help you cope with the rest of the Internet: the message forums, mail lists, social media platforms, and comment systems on everything from Youtube to your favorite shopping site.

On a slightly more serious note, you have likely read about incidents of suicide due to “cyber-bullying” [1] [2] [3] [4]. While the news headlines are dramatic, emotional, and full of sorrow, a few fundamental truths continue to escape most people. First, a more rational study on so-called “cyber-bullying” finds it is rarely the only thing that caused someone to commit suicide. Second, there is absolutely no comparison to be made between real-world bullying and online bullying. A kid goes to school every day and may face a bully. There are no alternatives; they can’t just choose to go to another school. Day in and day out, they are forced to be close to the bully. There is also a level of physical intimidation or outright battery against the kid that cannot be compared to a text-based insult. The over-used and ignorant term “cyber-bullying” forgets that if someone is in a confrontation online, they can simply turn the fucking computer off. If someone is in a confrontation and opts to stay online, one must question why. Many adults will stay in the fray because they want the abuse, either to dish it out themselves as an outlet for their own frustration, rage, or hate, or because they are a glutton for abuse and fascinated by what these anonymous strangers can serve up. All this hype over cyber-bullying is just that: hype. It may be the straw that broke a few camels’ backs, but it isn’t the root cause of any issue.

On to dealing with the heathens on the Internet! First, understand you are outnumbered, outgunned, outlasted, and most certainly outsmarted. There are legions of people out there that have a single hobby, trolling you. Second, now that you know this, you can be better prepared. Third, there are some rules and laws of the Internet that will help you survive, and flourish. No, these are not actual laws on the books, not found in law libraries, not argued in courts. They exist in a higher power on the Internet; the unregulated masses that somehow manage the content when it suits their needs, along with common sense and just the way humans are wired.
These laws and guidelines will let you navigate this cesspool more safely. These range from the amusing, but true, to the more serious that should have you thinking. Knowing these laws like you know the back of a Twinkie label will help you enhance your calm and traverse the cyber-Wild-West©®™.

Poe’s law:

… is an Internet adage reflecting the idea that without a clear indication of the author’s intent, it is difficult or impossible to tell the difference between an expression of sincere extremism and a parody of extremism.

In the real world, you have hundreds of cues in conversation that you likely aren’t aware of, or do not give thought to. Tone of voice, body language, facial expression, or previous minutes of conversation. Together, they give a whole subset of context that allow you to distinguish between humor and a serious argument. In short, sarcasm relies on these cues. If you can’t distinguish between the two, how does it affect your interaction?

Godwin’s Law:

It states: “As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.” In other words, Godwin said that, given enough time, in any online discussion—regardless of topic or scope—someone inevitably makes a comparison to Hitler or the Nazis.

Hitler and Nazis are offensive! They are the devil! So of course someone will degrade to comparing you or your argument to a dictator and leader of a regime that was responsible for the death of 11 million people. Basically the same, right? That logic is equally infuriating, and they know it, dumbass.

Rule 34:

Generally accepted internet rule that states that pornography or sexually related material exists for any conceivable subject.

A Christian rock band dressed as panda bears with little armadillos singing K-pop but dancing to trip-hop while running around stage? Somewhere, someone is jerking off to it. If that exists and is offensive, think about it in the context of your argument and your feelings.

Skitt’s Law:

Any post correcting an error in another post will contain at least one error itself.

Don’t even bother trying to correct someone’s mispelling or grammar. As soon as you do, another person will correct an error in your correction. Instead of looking smart, you will look ironical and dumb. Note: This is also known as Muphry’s Law.

Pommer’s Law:

A person’s mind can be changed by reading information on the internet. The nature of this change will be: From having no opinion to having a wrong opinion.

Perhaps the greatest threat to society, the sheep we’re surrounded by, will read and believe anything and everything, especially if it suits their existing bias. One well written argument, no matter how wrong, can influence many.

Law of Exclamation

The more exclamation points used in an email (or other posting), the more likely it is a complete lie. This is also true for excessive capital letters.

YOU HAVE TO BELIEVE THIS BLOG OK?!!! YOU KNOW I AM RIGHT!!!!!1!!

Danth’s Law

If you have to insist that you’ve won an Internet argument, you’ve probably lost badly.

I’d also include people that don’t so much insist, as they do try to convince you. Some spend more time trying to convince you that they won the argument, than actually presenting facts or arguing the original issue.

Dunning–Kruger effect:

The Dunning-Kruger effect is a cognitive bias in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than average. This bias is attributed to a metacognitive inability of the unskilled to recognize their mistakes.

I know, I got all fancy on you with psycho-babble, but this is an important one. In very simple and blunt terms, stupid people are not only stupid, they are unable to realize this. They think they are smarter than other people, and as such, are unable to recognize or admit their own mistakes. This is why you will argue with an obvious moron, and wonder if s/he is really that stupid, or trolling you.

Online Disinhibition Effect:

The core concept of the Online Disinhibition Effect refers to a loosening (or complete abandonment) of social restrictions and inhibitions that would otherwise be present in normal face-to-face interaction during interactions with others on the Internet.

This can be boiled down to an age-old insult that strikes to the heart of the matter: “You’re an Internet tough-guy!” This concept is why the 13 year old scrawny geek living in a basement can not only stand up to a muscle-bound jock with a social life, but why one can enrage the other. Put another way, on the Internet, no one knows you are a dog. This is also known as the Greater Internet Fuckwad Theory.

Occam’s razor

Occam’s razor … states that among competing hypotheses, the hypothesis with the fewest assumptions should be selected.

For those of you prone to get into arguments on the Internet, remember this one. Conspiracy theories are all over, some more spectacular than others. This is also good for people who tend to believe anything. No, that Nigerian prince won’t really send you a billion dollars.

Collective behavior:

I’ll leave this one to you. Read the link, which is very academic, and consider it in the context of the words “collective behavior”.

—–

With these rules, laws, and guidance, you are now prepared to withstand the perils of the Internet.


Shortly after publishing, loyal readers pointed out additional laws could, or should be included. Courtesy of Lisa Boals:

Wheaton’s Law

One of the core messages of Wheaton’s speech was the importance of sportsmanship in online gaming, which eventually became encapsulated in the phrase “don’t be a dick.”


Reading a magazine weeks later, I ran into another that I forgot to include in this piece. Selective perception allows people to read a rational discussion with facts, and still ignore opposing viewpoints.

Not All Charities Are Created Equal

I support charities. Quite a few of them actually. Maybe it isn’t the best use of the money I donate, as dozens receive small amounts, rather than one or two receiving a sizable donation.

I know that with few exceptions, it seems like my donations are mostly wasted, and it has me questioning my support. In the past, I have taken note of charities and their cost of overhead. However, I haven’t kept up with it and I desperately need to. Before I donate another cent, it is imperative that I research each and every charity that I have donated to, and may donate to again.

If you aren’t sure why I have such a concern, let’s examine two charities that are similar, if not equal, in the eyes of most people. Let’s look at the SPCA International and the Humane Society International. To many, these are both charitable organizations that exist to help animals and prevent cruelty to them. On the surface, this is true.

If you dig deeper, you quickly learn that one of them is not like the other, and is not worthy of your donation. Using CharityNavigator, look at the results:

CharityNavigator – SPCA International
CharityNavigator – Humane Society International

Even a cursory glance shows there are serious issues with the SPCA. It displays a Donor Advisory, outlining past problems and items of interest that should influence your donation choice, as outlined by a CNN article. On the other hand, the Humane Society immediately gives you the current rating, along with important financial information such as the charity spending 79.5% of their money on program expenses (i.e. helping as advertised), 5% on administrative overhead, and 15.3% on fundraising.

Compare that with other well-known charities:

Charity                                            Program Expense   Admin Overhead   Fundraising
Michael J. Fox Foundation / Parkinson’s Research   91%               2.4%             6.5%
People for the Ethical Treatment of Animals        84.7%             1.3%             13.9%
American Cancer Society                            71.2%             6.8%             21.8%
George Bush Presidential Library Foundation        45%               40.9%            14%
National Vietnam Veterans Foundation               9.7%              2.4%             87.8%

You can quickly see that some charities are not as efficient as others, spending as much as 87.8% on fundraising. Even though they may keep administrative overhead as low as 2.4%, that is a lot of money spent raising more money, that will only be spent to raise more. This ultimately leads to a cycle where huge amounts of money are wasted, rather than spending it on the stated purpose (program expense). In other cases, you have a charity that is only 14% fundraising, but 40.9% goes to administrative overhead, almost as much as the program expenses. This is often a sign that the charity executives are getting paid obscene amounts of money.

When picking a charity, you want to avoid any that have either a high admin overhead or a high fundraising cost. These charities are simply not efficient. Using these numbers, you can determine the “fundraising efficiency”, which CharityNavigator.org describes as “The amount spent to raise $1 in charitable contributions”, and calculates for you: “To calculate a charity’s fundraising efficiency, we divide its fundraising expenses by the total contributions it receives.”

Looking at the national charities I have donated to in the last 12 months, it becomes educational:

Charity                                             Program Expense   Admin Overhead   Fundraising
American Red Cross                                  92.2%             4.0%             3.7%
ACLU                                                86.0%             5.4%             8.4%
Juvenile Diabetes Research Foundation               81.5%             7.0%             11.4%
Dumb Friend’s League                                77.8%             8.0%             14.0%
Humane Society of US                                77.0%             3.7%             19.1%
World Wildlife Fund                                 73.0%             6.2%             20.6%
Planned Parenthood                                  72.8%             8.8%             18.3%
USO                                                 72.2%             10.1%            17.5%
St Jude Children’s Research Hospital                70.3%             9.2%             20.3%
March of Dimes                                      65.9%             10.9%            23.1%
ASPCA                                               58.4%             5.2%             36.2%
Wounded Warrior Project                             55.0%             8.0%             36.8%
National Law Enforcement Officers Memorial Fund     47.5%             5.5%             46.8%
Paralyzed Veterans of America                       33.1%             6.8%             59.9%
National Veterans Services Fund, Inc.               21.1%             3.6%             75.2%
Natnl Cancer Research Center [1]                    0.5%              1.6%             97.8%

[1] This is part of the Walker Cancer Research Institute, and has been blogged about before regarding it being a scam. This is why I should have done my due diligence.

There are a few others I have donated to as well. One is a 501(c)(3) but isn’t required to file the paperwork for Charity Navigator to perform an analysis. Several others are legitimate charities, just much smaller so they fly well under the radar of such a site. For example, Lita’s Squirrel Rescue, Ellicott Wildlife Rehab Center, and Cavy Care are such charities.

Based on the chart above, I know that I have donated to one sketchy charity, and not picked so wisely for others. I am not sure what a good ratio is to maintain, but the top percentile is a good guideline. Moving forward, I will only donate to charities that have a good return on investment.

In case you are wondering what prompted this article, it was the relentless snail mail sent by most of these charities. For a few, donating $25 one year led to what seems like $50 worth of solicitations, including pens, calendars, notepads, lapel pins, stickers, address labels, envelopes, cards, stamps, calculators, and more crap. Every time I received one, I wondered why they didn’t use my money to help their cause. Why do they mail me every 10 days asking for more money? This led me to wonder about their fundraising efforts, and as we see above, some charities specialize in it instead of actually helping people.

When information aggregation scares and baffles me…

I’ve been around the block. I am familiar with most of the ways companies and web sites track data. I am familiar with aggregation techniques, know the real value of the most ‘harmless’ things (e.g. clicking ‘Like’ on Facebook), and know the power of modern databases. In my mind it is a simple fact that computers with badass (i.e. scary) algorithms can link two people through a slew of random bits of information. When I read an article about how companies are using, linking, and aggregating this data, it is business as usual.

Today, all of that didn’t matter, as I am still trying to figure out the phone call I just received.

“Yeah is Elgin C there?” (note: they used full name)
“Uh… wrong number.” I replied, since 95% of voice calls to my cell phone are spam or wrong numbers.
“You sure you don’t know Elgin C?” This question triggered my “credit collection agency” radar.
“Well, kind of, I knew him over 20 years ago. He was my boss at a job I worked at.”

So here’s the gap I can’t figure out. When I knew Elgin, and we were friends off work as well, I did not have a cell phone with service in my name. We lost touch a year or so after I left the job as our interests / hobbies were very different. Eventually I moved out of Colorado, bounced around for work, and came back. Once back, I got a new cell phone and have had the number for going on 9 years. The only other ‘contact’ was an email I sent to his publicist (he’s an aspiring actor) asking that they pass on my email address, sent on Dec 5, 2011. The mail was from jericho@attrition, and signed ‘Brian’, no last name, no cell phone.

So how does this guy get my number associated with Elgin C? It was clear that the file he was accessing indicated we knew each other and were likely friends. After I cleared it up (by relaying some of the above), he said he wasn’t sure how the investigative team got my number but assured me it would be removed from the file.

No contact with Elgin, other than the one mail to his publicist which went unanswered, in almost 20 years. Yet somehow my current cell phone number got linked in such a way that they thought they could reach him via it, or via the person who answered it.

Color me baffled, and a bit scared, because I am either missing something not-so-obvious, or the aggregation algorithms have evolved more than I realized.

A fascinatingly disturbing thought…

Dr. Neil DeGrasse Tyson offers us a “fascinatingly disturbing thought”:

Not only does he remind us that our perception of intelligence is laughably flawed, but he reminds us that any superior race out there (e.g. the kind that could achieve interstellar travel) would likely look at us as if we were chimps. Just as we look at monkeys in the zoo, such a superior race would probably look at us the same way, meaning they may not even stop by our planet to look at the animals.

The last few years have seen an incredible jump in interest in scanning our universe, despite continuing drastic budget cuts to our space program, which includes looking for things like asteroids that pose a risk to our planet as well as distant planets that may support life. Fortunately for us, searching for these planets requires at least one satellite, and interested parties that can crowdsource the effort. Hopefully, by the end of the year, the scientific community will get a huge boost in capability, making the search even better.

In the meantime, anyone with a few spare minutes, interest, and curiosity can help the effort. The Kepler team has set up a web site called Planet Hunters, that lets anyone participate. As time permits, you use their guide and classify stars. Each one may be just another star, or it may show signs that an exoplanet is lurking about. No shit, some random citizen just poking at this web site could be the next person to identify an exoplanet that is capable of sustaining life. If that isn’t scientific power at your fingertips, I don’t know what is.