Sunday, August 10, 2014

10 Years in Infosec: The Obligatory Blogpost

I didn't intend for the face to face meetup I had with the BBC to turn into some sort of  gonzo summing up of the last ten years of my life, but looking at it - with pictures of Batman and giraffes as you scroll down the page alongside tales of Chunkylover and the Nigerian Astronaut it's difficult not to feel that your life is pretty weird.

Ten years in infosec is nothing, really, given many people have done it for that length of time three times over or more. But when you thought you'd be getting paid money to make bad movies or paint pictures riffing on the best aspects of high renaissance art via comic book sensibilities, it feels a lot longer. I'm a "Veteran" now! I'm old! I might grow a beard!

I'm still pretty new to the infosec scene, but I think I earned my blogger Vet stripes thrashing it out with all those incredibly rich Adware companies of old at a time when hardly anyone else was, and in very public fashion I might add. I also managed to find a near endless stream of "really bad things" (TM) and shone a light on lots of terrible people and practices, which can only help people in the long run so I'm happy with that. I tell you what, that was probably more use to people than me making yet another bad film or a painting of some dudes with their weenies out.

I might still do the painting, whatever.

The one thing I have learned, above all else, is that there is no bigger challenge than sitting down and hammering out a non-stop wall of text spread out across ten years. Ten years! I never thought I'd be doing anything for ten years. I actually often feel like I could have written more blogs and entries and talked about more threats, but unfortunately I run out of hours like everybody else.

A moment of silence, please, for all those infosec bloggers down the years who either stopped or (in one sad case) went missing - writer fatigue and burnout is a very real problem, and when you're trying to hammer out new research info in a field where last week's news is as good as something that lumbered out of the Dark Ages, it's quite a problem.

Writing opinion pieces on anything is hard. Finding new threats and scams to write about on a daily basis, and trying to do it differently every time, and attempting to talk about things that others aren't already covering, is hard. When I look how many research pieces I've put together, more often than not based on something I found, analysed and then bashed into something approaching readable words it's quite the eye opener. I'm genuinely surprised how much I've done.

This isn't everything by a long shot, but as a random sample: 105 blog posts in 2007, 254 in 2008, 208 in 2009 via the old Spywareguide blog. Think about how many research posts someone can get out in one week - from what I see, it's usually about 2 or 3. One time I discovered and then wrote about 43 things in one month. Which is, by all accounts, completely insane. At the same time I was cranking out up to 30 or so posts a month - often on different threads of research - on my personal blog, for about six years. That personal blog finally died sometime in 2010 when I realised I was blog typing my way into an early grave with anything up to 50 posts a month. Whoops.

The words still keep coming, as I leave FaceTime and move to Sunbelt / GFI Software / ThreatTrack Security. As the blog kept changing and moving home, it's difficult to work out exactly how many pieces of research I put out but - and this is a rough guesstimate - around 283 blog posts on the Sunbelt / GFI blog between 2010 and 2012, then somewhere in the region of 100 posts for ThreatTrack between March and November of 2013.

In December, I moved over to Malwarebytes and just realised I have hit 100 posts in 9 months. I think that's pretty good!

All those words end up helping lots of people and steering them away from bad things. We also get to shut a lot of those bad things down and hand out digital hi-fives every now and then. That's good too.

The technical process for shaping those words is an ever changing sea of "what next?" Too many sentences and paragraphs, you lose your point. Not enough, people may assume what you're talking about doesn't matter. I have written long blogs, and will continue to do so when absolutely necessary but I do try to avoid where possible. I'm always looking to remove a sentence, a paragraph, will happily write 300 words then delete the lot if it looks like it isn't needed. I don't need to throw out thousands of words on something when I can get a perfectly functional entry out the door in half the time. 84 words! That's like four sentences! Awesome.

Of course, the reader doesn't need to care about the technical junk behind the crafting of the blog - though I will be giving a talk at a University on that very subject in December (oh my God, I am old!) - but it is something to think about.

Me, I'm thinking I'll hand myself a short pat on the back for having bludgeoned my way through 10 years of sleazy Adware vendors and an endless parade of scams, files and other shenanigans and come out the other side mostly intact and get right back to it.

Also that monster nudie painting is totally going on the wall above the TFT.

Thursday, July 31, 2014

Google+ updates policies, is still a fiasco

Hooray! Google have finally dropped their idiotic names policy on G+. Unfortunately it's a massive hack job and fails in almost every way imaginable.

I'd much rather be called "paperghost" than "Christopher Boyd" on G+. With that in mind, it should be a piece of cake to change it, right? The first problem is a total lack of clarity on the part of Google with regards how to change your details, what works and what doesn't.

A quick look at the Google posts on this one [edit - I had links but in keeping with the G+ tone they've fallen off and don't want to stick] and you'll see the first issue: people simply don't know what to click on to change the public facing name.  You'd think this rather basic info would be right there on the Google posts about this brave new world of customisation, but nope...nothing.

First port of call is trying to change the name in the custom url pop up, seeing as it's likely the first name related thing you'll have presented to you. Unfortunately, it doesn't work...All you can do is add letters and numbers to the name already in the system.

I eventually discovered that custom url fields are not the way to do it, and they won't be changing how those things operate for the foreseeable future.

Seriously, this is buried in blog comments.

I then worked out  - completely by accident - that you change the public facing name by clicking on it when on your profile. There's no onscreen indication that this field can be clicked on, there's nothing from Google giving you this info and looking in settings will only confound you. It's like the anti-mystery meat of web design.

Google then keeps warning you that you won't have the best experience if you go changing your details - no kidding!  - then presents you with screw up number 2:

You're still stuck with first name, last name boxes. As you might imagine, this isn't optimal if your pseudonym is one word long. The botch job workaround is to place a "." in the second box. Confusingly, one Google guy says this is a glitch and will be corrected, even though it says to do this on the official help pages. Also it hasn't been fixed yet.

An additional knock on effect is that the craven claws of G+ are so deeply embedded into all of your Google services that should you change it, that change is reflected across them all.

That's right, Google idiotic decision to cram this junk into all of their products means you'll now be receiving emails from "paperghost. " complete with the idiotic full stop at the end of the pseudonym.

Really? Really?

Get out of here.

Monday, July 14, 2014


Here's the blog about the cool thing I did.

Here's the analysis of that game I'd been meaning to write.

Here's the storify of the fifty tweets about that thing which pissed me off.

Here's the photoblog of the funniest taxi names I've seen in the Philippines.

Here's the alt take on the security conference I went to where I fell asleep during the keynote and missed all the talks.

Here's the one where I embed an instagram pic and describe in detail what I was doing that day.

Here's the one where I got back to writing music and posted up a bunch of my stuff for you to listen to.

Here's the post with all the old board games I found in the attic, including Key to the Kingdom, Ghost Castle and a magnetized Popeye chessboard something or other.

Here's the one where fuck this guy.

Here's the one where fuck that guy.

Here's the fad where I do a return to comics and complain about DC for six months.

Here's the post about Sontarans and strawberries.

Here's my movies of 2012....13.....14.....oops

Here's the one where I tell you I fixed all the missing Posterous images (I haven't).

Here's the one where I tell you I changed publishing platforms (I haven't).

Here's the one with the music I'm now listening to because all my bands went away.

Here's another videogame thing.

Here's the rage post about how utterly terrible ISPs in Manila are when it comes to setting up SIM based internet sticks.

Here's the then and now post about Uplay and how it still makes no sense to me whatever.

Here's the one about the woman who keeps singing in a nearby club with a repertoire of six songs, all of them consistently terrible.

Here's the blog about the upcoming trips I'm going on which I shall surely publish.

Here's the one about the awful "report people recording movies on their phone in the cinema for a reward" adverts, complete with stupid slide whistle sound effects.

Here's the one about the gaming laptop juggernaut that lasted six months then took six weeks to repair.

Here's a top ten list of things.

Here's the one where this post is a lot shorter.

I think that's me caught up now. I'll assume we're cool like Fonzy.

Friday, July 04, 2014

What I bought - and played - from the Steam Sale

The best of the best from the recent Steam Sale. I bought a lot of stuff, but I'm only mentioning things I've played since picking them up.

1) One Finger Death Punch

All you do is hit left or right. "All you do".

If you think your reflexes are up there with Neo then feel free to give this a shot. It's like Space Channel 5 with punching.

2) Doom 3 BFG Edition

You have to understand, playing this game all those years ago freaked me the hell out, even while running it on an underpowered Pentium 2 (or whatever it was). I never managed to get more than a few hours in before saying "nope" loudly and doing something else instead. Weirdly it feels like I'm cheating in the new edition due to being able to wave the torch and the gun around at the same time. I'm too fast. I should be more sluggish. Maybe that's just the Pentium 2 talking.

3) Ghost Control Inc.

Okay, a bit of a cheat here because I don't remember if I bought this in the sale or just prior to it starting. I don't really care, because it's fantastic. Remember the map screen from the old Ghostbusters game on the Atari 2600? Take that and mash it up with XCOM style ghost battles and you have a great little game. I mean, look at it:

4) Super Amazing Wagon Adventure

oh my god

5) Knights of Pen and Paper +1 Edition

There's meta, and there's this. If I have this right, you play regular people dressed as fantasy characters playing  tabletop RPG where they're attacked by fake real fake monsters. Or something. You also gain stat boost by pimping out the Dungeon Master's pad, and it has a TARDIS in it. How do you not own this game, basically.

6) One Way Heroics

Take Groundhog Day, the left-to-right chase mechanic of FTL and a chatty fairy. This is the game you'll end up with. If you're bored of endless yakking with characters in RPGs, you'll love this because it's a little bit like a solo Marathon (albeit with swords and the occasional monster). How far can you run?

With the exception of Doom, none of the above are AAA+ games. To be honest most of the big titles available right now look like they'll bore me to tears so these are a welcome addition to the ranks. I'd ask you what you bought and played, but I'd be amazed if there's anybody still out there.

Is this thing on

Thursday, June 26, 2014

Current Status

A few things:

1) Yes, I'm aware I haven't posted in aaaages. I admit, I was surprised by the length of time gone. On the other hand, I changed jobs close to Xmas which is never a sensible time to change anything and I had a bunch of other stuff to sort out alongside it. Then I had to deal with six alien invasions, rescue a kidnapped Eastern European Prince and...uh...look, I just forgot. Or something.

2) The new blog is over here.

3) It isn't really the "new blog", given I've been writing on it for close to seven months and LOOK I FORGOT.

4) The publishing interface is still a bit rubbish. Also thanks to Posterous dying, my worst fears have come true and nearly all old images uploaded via Posterous have vanished. I will get around to fixing it eventually, but oh man that's a lot of blog posts to dick around with. True story: uploading images to blogs is the slowest, most painful experience of blogging you will ever come across.

5) Don't go Googling for Peep Show slashfic.

Videogames: The Hacking Edition

I did an interview with Gamespot a while back on the subject of hacking in videogames.

Off the back of this, I wrote a piece on the history of hacking in videogames. If you'd like to see some of my favourites (alongside a few "What were they thinking" efforts) then here comes Christmas.

Monday, September 09, 2013

Payday 2: doing something with the safehouse and encouraging stealthy gameplay

Problem: I have a safehouse and a ton of offshore money / loot stashed in said safehouse. At present I can't do much with either.

How to make them more interactive?

The dev team are going to bring in safehouse customisation, but I don't want to just spend thousands of dollars making it look nice. I wonder if it's possible to do the following:

1) More than one safehouse. maybe 3 or 4. I don't really care if they all look the same.

2) It makes sense that the police would be constantly looking for your safehouse / money. The less stealthy you are in accumulated missions, the more likely they are to find your safehouse.

3) Imagine being in a heist and getting message that one of your safehouses is being raided. Do you bail and go to defend it or finish the job you're on?

4) The safehouse customisation should be about shoring up the safehouse. The more cash you spend, the harder it is to breach (locked doors, metal doors the cops can't shoot open and / or drill, barriers, traps, tripmines, glass / boarded / shuttered windows etc.

5) You have to decide which safehouse(s) to keep all your money in, and maybe your safehouse(s) can only hold so much loot so you have to split it up between the ones you have until you can upgrade them. Given how much offshore money you're likely to have, upgrading should be multi tiered and cost serious amounts of offshore money. This would mean you don't just end up with millions and millions of offshore cash and would constantly have to keep dipping into it to be able to make more down the line.

All of the above results in 3 things:

1) It makes the safehouse(s) play an active role in the game, and gives a point to customising them.

2) It gives a reward / incentive to go stealth and not just shoot everything up.

3) If you decide to bail on a heist, you could bring your current crew to help defend and they get a share of some of your cash as a reward (offshore or otherwise).

4) It would increase the feeling of always being on the run.

Here endeth my idea.

Sunday, July 28, 2013

10 thoughts on The Wolverine (spoilers)

1) It's good to see Poison Ivy still getting work.

2) Did they even giver her a name? I thought I heard "Viper" but I could be wrong. Hot damn, that costume is terrible. Wait, she's peeling off her skin. Oh boy, she's going to look like a lizard or a snake underne-

...nope, she looks like a bald woman. Uh, okay.

3) I was massively excited to see a SEGA sign. Shush.

4) "We're going to remind you Logan has been depowered by having him shot every ten minutes."

5) His depowering is kinda weird, isn't it? He can't regenerate but he can jump around on trains and bounce all over the screen? Worst most expensive power sapping spider robots ever.

6) Why didn't he bleed to death when his claws came out? #nerdynitpickbutwhatever

7) Rila Fukushima was the best thing in the film, and she's written out for a huge chunk of it in the middle.

8) "We're going to remind you Logan has regained his powers by having him stabbed like fifty times in five minutes."

9) Good job that Japanese guy had his head conveniently located in the body of the robot instead of the helmet, right?

10) Not content with writing Fukushima out of a significant chunk of the movie, she also manages to vanish from the post credits sequence. At the very least, she should stand a good chance of appearing in the next one.