Michael Eriksson's Blog

A Swede in Germany

Archive for the ‘Uncategorized’ Category

“Linux” vs “GNU/Linux”

with 4 comments

A sometime claim is that “Linux” is an inappropriate term (when not referring specifically to the kernel) and that “GNU/Linux” would be better—especially by Richard Stallman, who is the founder and main force behind GNU…

However, this view is at best outdated*—at worst, it is an attempt to ride on the coat-tails of a better-known-among-the-broad-masses project. Most likely, however, it is a sign that Stallman is too fixated on his own vision of “GNU/HURD”**, and is unable to see that there are other perspectives on the world: Since his focus is on GNU, those who use Linux instead of HURD obviously appear to use “GNU/Linux” instead of “GNU/HURD”. This, however, has very little relevance for the typical Linux user:

*GNU used to be a much bigger deal than it is today, for reasons both of changing user demographics/behaviors/wants and of an increased set of alternative implementations and tools. Certainly, Linux (in any sense) would have had a much tougher time getting off the ground without GNU.

**HURD was conceived as the kernel-complement to GNU roughly three decades ago—and has yet to become a serious alternative to e.g. Linux.

The general criticism that Linux is just the kernel and that the user experience is dominated by user programs (and other non-kernel software, e.g. a desktop) is quite correct. (This can be seen wonderfully by comparing an ordinary Linux computer and an Android smart-phone: They have very little in common in terms of user experience, but both use a Linux kernel. Conversely, Debian has made releases that use a non-Linux kernel.) However, in today’s world, most Linux users simply do not use many GNU programs, they have correspondingly little effect on the user experience, and a functioning Linux system entirely without them* is conceivable.

*The main problem being “hidden” dependencies. For instance, most Linux computers use GRUB for booting and GRUB is a GNU tool. However, none of these hidden dependencies are beyond replacement.

For instance, a typical Linux user might use Firefox or Chrome (both non-GNU), LibreOffice (non-GNU), a few media applications (typically non-GNU), … Even most parts of the OS in an extended sense will typically not be GNU programs, e.g. the X-server, the window manager, the log-in manager, the network manager, a desktop environment, … The best way to approximate the user experience would likely be to speak of e.g. “distribution/desktop”, e.g. “Debian/KDE”*, especially seeing that most desktop environments insist on providing their own, entirely redundant tools, for tasks that more generic tools already do a lot better, including text editors, music players, image viewers, …

*KDE is a user hostile disaster that I strongly recommend against, but it is likely still the most well-known desktop environment. Generally, not everyone uses any desktop, but most do.

Even those, like yours truly, who actually do use a lot of GNU programs are not necessarily bound to GNU: Most important GNU tools are re-implementations of older tools and there are alternate implementations available even in the open- and free-source worlds. Are the GNU variations of e.g. “ls”, “mv”, “awk”, better than the others? Possibly. Would it kill someone to switch? No. Even a switch from Bash to Ksh or Zsh would not even be close to the end of the world. Admittedly, there might be some tools that are so significantly better in the GNU-version that users would be very troubled to switch (gcc?) or are not drop-in replacements (e.g. gnumeric). These, however, typically are either developer tools or have a small user basis for other reasons. Most modern users will not actively use a compiler—or will not need the extras of gcc for their trivial experiments. Most users will opt for a component of an office suite (e.g. LibreOffice) over gnumeric. Etc.

For that matter, even on the command line, my two most extensively used programs (vim, mplayer) are not from GNU either…

Yes, using “Linux” is misleading (but generally understood correctly from context); no, using “GNU/Linux” is not an improvement. On the contrary, “GNU/Linux” is more misleading, shows a great deal of ignorance, and should be avoided in almost all cases*.

*An obvious exception would be a situation where GNU is the core topic and a contrast between GNU-with-the-one-kernel and GNU-with-the-other-kernel is needed.

GNU still plays a very valuable role through providing free-software alternatives for many purposes. This role, however, is not of a type that it justifies “GNU/Linux”.

As an aside, Stallman’s own arguments focus unduly on the free-software aspect: Most of his text seems to argue that GNU is valuable through being keener on free software than Linux—something which is entirely irrelevant to the question of naming. (In general, Stallman appears to see free software as a quasi-religious concern, trumping everything else in any context.)


Written by michaeleriksson

April 14, 2018 at 4:33 am

Other aspects of opinion than right and wrong

with one comment

I have long been convinced that being right is not the only aspect of opinion that matters: We also have to consider factors like why a certain opinion is held, whether it is “epistemologically sound”, and how willing someone is to reevaluate and (potentially) change it.* For instance, I have repeatedly observed that it is more rewarding to discuss something with someone who has the wrong opinion for a good reason, than with someone who has the right opinion for a poor reason. For instance, the main difference between a good scientist and a poor or non-scientist is not the level of education and experience, but how well they respectively fare in these regards.

*However, people who do poorly in these regards are disproportionately likely to also be (and remain) wrong.

In this, I have largely been driven by my observations of many PC and/or Leftist debaters, takes on religion, various superstitions, etc. People in the relevant groups often score very low on all these criteria: They do not only believe in something which is dubious or even outright and provably wrong—they also hold their beliefs for poor reasons, ignore evidence to the contrary, and refuse to change their opinions no matter what. However, I can also see strong parallels with how my own approach has changed as I went from child to teenager to adult, as well as how my recollections of other children and teenagers stack up to (at least some) adults.*

*Unfortunately, these comparisons usually involve different individuals as representatives for different ages, rather than a longitudinal comparison of the same individuals as they grow older.

Contrast e.g. someone who believes that Evolution is true based on an understanding of the proposed mechanisms, an exposure to fossil records, some knowledge of cladistics, … with someone who believes it “because my school book said so”. Or contrast this again with something truly mindless: “many Republicans are Creationists; I am a Democrat; ergo, I must believe in Evolution”. (This attitude, sadly, does not seem to be as rare as one would hope.) They all have an opinion considered correct by the overwhelming majority of scientists (and me)—but they do so for so different reasons that the one version of the same opinion cannot be considered equal to the other. Notably, it would take a very major change of influence to corrupt the opinion of the first; while the second could be turned merely by having had another book in the curriculum.

If we look at the “why”, which is my main target for this post, I have observed at least four main* categories over the years. In order of descending worthiness**:

*Subdividing these further is possible, but not worthwhile for my current purposes.

**Note that e.g. the question whether an opinion is correct lies in another dimension. It is quite possible to score low here and still have the (factually) right opinion; it is quite possible to score high and still have the wrong opinion.

  1. Opinions that are formed based on own thinking, analysis, observation, experimentation, …

    This typically includes e.g. the activities of many* scientists and philosophers, both professional and amateur.

    *There is no automatism, however: A good scientist should deal with this or the following item, depending on the details of the situation. Regrettably, not all scientists are good; regrettably, a disturbing portion of social scientists fall into the two last categories…

  2. Opinions that are formed through applying critical thinking to claims and reasoning by others.

    (In reality, there will almost always be some overlap with the first item. However, the first item is more likely to deal with using the ideas of others as input for own thoughts; the second with adopting (or not) the ideas of others, after own verification. The first, obviously, contains other aspects with no relation to the second.)

  3. Opinions that are uncritically taken over from a source of authority.

    Such authorities include parents, teachers, celebrities, (real or supposed) experts, books, …

    Note that the difference to the preceding item does not stem from the source (although some sources are better than others)—the main difference is the degree of own thinking and whatnot that is put into the process.

  4. Opinions that are held for reasons like peer pressure, loyalty, a wish to fit in, …

    This includes variations like “I must have the same opinions as my spouse”, “my class-mates all listen to band X; I must do so too”, “I must keep my opinions in line with my party/church/Oprah/…”, and “I must keep my opinions PC”.

    (A related case is those who merely pretend to have a certain opinion, be it for the above reasons or for fear of repercussions, e.g. being sent to a Soviet work-camp or being ostracized. However, this discussion deals with the circumstances around the actual opinions.)

In terms of “epistemological soundness”, in turn, we have to look at questions like whether plausible and logically correct reasoning has been used, whether the conclusions match the known or believed* facts, etc. Cf. the typical differentiation between “knowing” something and merely being “right”.** (I refrain from making a more explicit list, because this area is much more of a continuum.)

*There is no shame in drawing reasonable-but-not-matching-reality conclusions from incorrect premises, if those premises are correspondingly plausible. For instance, Newtonian mechanics is flawed, due to not considering relativistic effects—but it would have been unreasonable to require Newton to address this issue, considering the state of knowledge and the experimental verifiability, within what was measurable at the time, of his mechanics.

**An interesting example in my own history is my first watching of “The Phantom Menace”: I knew that princess Leia was (to be) the daughter of Anakin, I knew that Padme claimed to be sent by queen Amidala, and I just heard the very young Anakin inquire whether Padme was an angel. Factoring in the recurring theme of a prince/princess/king/whatnot pretending to be a commoner, I immediately predicted that a) Padme was actually Amidala, herself, b) she was Leia’s mother. I was highly self-congratulatory as both predictions turned out to be true—and highly annoyed to, later on, find that my reasoning still flew apart on a faulty premise: Leia was not a princess due to her mother’s title, but due to her later adopted parents’.

The willingness to change an opinion, finally, is largely another continuum between those who are willing to make constant adjustments* and those who refuse to change an opinion, no matter what. An additional complication is that a deeply ingrained opinion can take years to change, and that a willingness to be open to changes can need a long cultivation. (I have a longer, half-finished post on related topics that has been lying around a few months. I will try to complete it soon.) The issue can be generalized to how dissenting opinions are treated: Not everyone is content with merely having an opinion set in stone—many go further and actively attack/censor/slander/… those who do not agree with that opinion.

*Strictly speaking, a further division might be needed into why an opinion is changed, and my first draft actually spoke of “in light of new evidence and arguments”. At a later stage, I removed this, seeing that there can be people who are willing to change their opinions, but do so for poor reasons. Whether the openness to change and any given realized change is a good thing, well, that depends on the other points of discussion above. (For instance, in the Evolution example above, switching opinion due to a new school book claiming something different from the old is a poor reason; doing so because it also provides a better analysis or more evidence than the first book is a better reason; doing so after considerable own analysis of known facts and pro and contra arguments is a good reason.)

As an aside, there are other aspects that can be interesting in other contexts, e.g. the degree to which someone actually understands the implications of a given fact (as opposed to merely being aware of the fact itself).

Written by michaeleriksson

April 8, 2018 at 9:38 pm

The rest of Orphan Black / (Follow-up: A few more thoughts on TV series)


I have now gone through the rest of “Orphan Black” (cf. a recent post)—the overall quality* was high enough to offset the unfortunate story developments. However, while I would recommend the series, it also manages to make every error in the book when it comes to the story lines. For parts of the latter seasons, I had the feeling that the makers watched too much “Lost”** in their spare time. This includes an island (usually referred to as “the island”) with evil researchers, a surprise village, and a monster running around in the woods… The introduction of a 170-year-old character, as the evil master-mind, almost had me stop watching—this would have moved the introduction of (still) sci-fi level break-throughs to a ridiculously early time, and in a manner not compatible with previous impressions of the world of the series. To boot, having the evil master-mind be so old, brings nothing to the series***. Fortunately, it turned out that this supposed Methuselah had simply stolen the identity of the (long dead) original founder of his movement and had thereby exaggerated his age by a-hundred-or-so years. Another great annoyance was the entirely unnecessary introduction of some form of low-grade ESP ability in the daughter of “Sarah”.**** It added nothing to the development of events, brought no benefit, and forced the introduction of a fantasy element in a sci-fi series*****.

*Especially Maslany’s acting, but there are also quite a few other competent actors involved, the interpersonal relationships are often developed and investigated in a manner that captures the viewer, and there are a number of funny scenes (notably around “Alison” and “Helena”) that complement the darker sides of the series and increase the entertainment value considerably.

**Another series that would have been better off with less intrigue, fewer competing parties, and whatnot. The supernatural aspects were mostly a hindrance. There is so much that could have been done with just having a plane crash on a deserted island, had the makers had more courage.

***But note that this might have been different in another series or type of series, e.g. a vampire show.

****Really, what is with this obsession with giving children super powers?

*****The fewer “leaps of faith”, assumed deviations from actual reality, whatnot, that are needed in order to make a TV series (film, book, …) plausible (while achieving the intended effect) the better. Having both unrealistic technology and magic in the same work is just unnecessary: We can have flying cars through technology (“Back to the Future”) or through magic (“Harry Potter”), but having both is just silly. A good illustration is the question of languages on different planets or in different time periods: There are sci-fi series that silently assume that everyone everywhere speaks modern U.S. English (e.g. “Stargate”)—except foreigners on Earth itself… There are others that resolve the issue through some type of unrealistically strong translator (e.g. “Doctor Who”) that through some mechanism can translate virtually any language in a transparent manner, leaving the impression that everyone speaks modern U.S. English. The latter require one single unrealistic assumption; the former unrealistic assumption after unrealistic assumption after unrealistic assumption.

The series would have been far better off cutting out three-quarters of the intrigues and secret organizations, having the main target of the clones being simply finding the needed cure, and otherwise focusing mostly on characters, situations, and relationships.*

*Not because these are necessarily the most interesting or entertaining things a TV series can do—one of my current favorite series is “Ash vs Evil Dead”: No, because these are where this particular series had its strengths, and because playing to those strengths would have made it that much better. (I stress, however, that there is nothing wrong with a bit of variety: The strengths should form the bulk, but “seasoning” with something else is perfectly fine. With “Orphan Black” too much time was wasted on a weakness.)

A particular positive thing was the extensive flashbacks in season 4 (?) that gave more background information, especially regarding “Beth” (the police-woman clone, who committed suicide at the beginning of the series’ first episode). More: This provided new perspectives, notably with “Beth” moving from a weak-seeming character, who caved in the face of adversity, to a heroic character, laying down her life in the protection of others.

The last episode of a series is often the hardest to make, and suboptimal results are common. With “Orphan Black” (whose last episode I watched less than an hour ago) this was so: The antagonists are defeated in an almost anticlimactic manner half-way through the episode to leave room for an extended epilogue.* This epilogue was satisfying in that closure was reached and there were happy endings (almost) all around; however, it was also too cheesy and gave me the impression of something just thrown together, rather than something carefully crafted. It also manages to throw in another unnecessary error—too many clones. With several hundred clones world-wide, the likelihood that they would have gone undiscovered is small, due to factors like the birthday problem or the Bacon number: People meet by chance, people know people who know people, people land in papers, …, and the more clones are involved, the less likely it becomes that there are no common “birthdays”. (A similar criticism can be directed at the confluence of clones in the one local area; however, here there were a number of coincidental meetings and whatnots, and it would only have been a matter of time before such coincidences would have led to public attention.)

*There is nothing wrong with an extended epilogue, per se. The problem is rather that the antagonists put up so weak a fight that a) the final showdown was hardly worth watching, b) the epilogue (in some sense) came too early. By analogy, consider an evening-filling boxing event where the concluding main fight ends with a first round knock-out.

As an aside, another area (in addition to “tabula rasa”, cf. the original post) where “Orphan Black” is potentially dangerous is the negative take on eugenics: Eugenics does not only bring opportunities, but could actually turn out to be a necessity to rescue humanity from disaster. Every time eugenics is associated solely with mad scientists (evil master-minds, Nazis, whatnot) in fiction, the prejudice in the broad masses increases and its civilized use becomes the less likely.

Written by michaeleriksson

April 6, 2018 at 2:05 am

Follow-up: My recent problems with Unitymedia


The situation around Unitymedia (cf. [1], [2]) remains extremely frustrating:

  1. My support inquiry is still unanswered, despite a reminder.
  2. I still cannot use the main Internet connection of my apartment.
  3. While I am able to use the hotspot functionality as a workaround, it is (not unexpectedly) considerably slower than my real connection used to be. To boot, there are continual, highly annoying interruptions, leading to e.g. SSH sessions dying and needing a restart, and “ping”* does not work at all. Not to forget: This type of access is inherently more dangerous than the regular use, because it is easier for a hostile entity to listen in on and/or manipulate the communication.

    *Neither does e.g. “traceroute”, and I suspect that the entire ICMP is blocked, which would border on the negligent, seeing that this protocol has an important role in ensuring correctness and efficiency of Internet communications. (Blocking just specifically ping is dubious, but might be somewhat excusable due to its occasional abuse for denial-of-service attacks. For me, however, the lack of ping is a major nuisance, since I need to keep an eye on a few servers, and ping is the best way to do this; especially when reachability problems can be either a server-side problem or a connection problem, as is currently the case.)

  4. The miserable web interface of the router* works better in the newly installed Chromium than it did in Firefox; however, the situation is not satisfactory: Approximately every second attempt to run the built-in trouble-shooting results in a long wait and then an unspecified failure; every second results in a long wait and the claim that everything would now be OK—while de facto everything remains just as broken as before.

    *I note that the router is provided by and is the property of Unitymedia, with the implication that problems, malfunctions, whatnot, are Unitymedia’s responsibility—not e.g. those of an independent retailer.

Written by michaeleriksson

April 1, 2018 at 7:24 pm

A few more thoughts on TV series

with one comment

I recently got my hands on the first few seasons of “Orphan Black”—and was initially very impressed: A novel concept, wonderful performances* by Tatiana Maslany, and characters put into interesting situations (see excursion below). Series like these prove that it is not necessary to just dust off the same old idea or franchise to squeeze out a few extra dollars. (Cf. previous posts, e.g. [1].)

*She plays a handful of central characters, and another handful of less central, that are clones, managing to bring over so different personalities and traits that, looks aside, they might as well be played by different actresses. She even, on several occasions, plays one clone pretending to be the other in a realistic manner, actually hitting A-pretending-to-be-B. (Similar scenarios often end up with an actor/actress playing this almost exactly as either A or B, or sometimes trying to do a realistic A-pretending-to-be-B and failing badly.)

However, approaching the middle of the second season, I am less enthusiastic, the series having lost some of its initial strengths and entered several hackneyed conspiracy and intrigue lines. The Dyad institute might be unavoidable, seeing both that its works are central to the premise of the show, including explaining why there are clones, and that some type of antagonist is needed. The Proletheans, on the other hand, are just unnecessary. Similarly, what is the point of turning “Mrs. S” from a more-or-less regular foster parent into an extremely shady, possibly criminal, possibly terrorist, character, with involvement in the clones’ early history? Why not try the novel idea of not having every second character have a “surprising” dark past?

This is paralleled by my very recent watching of the fifth season of “Grimm”: While never a candidate for an all-time great, it remained quite enjoyable while it focused on the “monster of the week” format and the exploration of the series mythology. However, it had had long excursions into global intrigues and whatnot, and with the fifth season this area exploded—as did the cliches. We now have a state of semi-war between various parties, the hero’s former girl-friend going “Dark Phoenix” and working for a secret organization, several secret organizations, an extremely powerful magic child causing trouble,… The destruction of the “Wesen Council” is not only a hackneyed destruction-of-the-potential-saviors/-allies-in-advance, it also very closely parallels the specific destruction of the “Watchers’ Council” on “Buffy”. The events of the penultimate episode took me to the point that I did not even bother watching the last episode—and will not bother with the concluding sixth season. A particular weakness, committed by many other series, is the explosion of the number of originally rare beings (here “wesen”*), to the point that it would be virtually impossible for “civilians” not to be aware of them, had they existed in reality.

*One point that annoyed me from the start: This German import, roughly “being”, is invariably pronounced like the word “wessen” (“whose”). Foreign pronunciations can be hard, but when one specific term is used several-to-many times per episode, the minimal effort of just once asking someone proficient in German for feedback is not too much to ask. (Virtually all German words used in the series are mangled or semi-invented, but most are used in just one or several episodes, and most are used by speakers who, in a real-life scenario, could not be expected to know better. “Wesen” is mispronounced even by the wesen themselves and even by purportedly German characters.)

Not every series has to deal with dark conspiracies, threats to the world as a whole, insurrections against the current order (be it by the antagonists or the protagonists), … Indeed, most series would be a whole lot better if they were left out!

Similarly, not every new season needs to up the stakes, invent greater threats, whatnot.

Similarly, there is no need for a series to continually reinvent itself: Most reinventions work worse than the original and even those that do work well risk alienating the original fan base. Usually*, it is better to stay with a single great concept. True, this can eventually lead to viewers growing tired of and abandoning a series, but nothing lasts forever. Good new ideas that do not fit the original format can be explored in a new series, while the original series runs its natural course at full quality.

*Doing a quick brain-storming, I actually could not name a single exception of a major and lasting change in concept/premise/setting/… that had a positive net-effect. (But I am certain that they do exist. The list of smaller changes causing an improvement, e.g. a strong new supporting character, is considerably longer.) The closest I came up with was “Chuck” and the addition of intersect-provided physical abilities. These made for both many interesting plot developments and a lot of entertaining action scenes; however, I still consider the earlier series more interesting and enjoyable. A case could possibly be made for some of the developments on the various “Stargate” series.

Excursion on “interesting situations”:
As I realized watching “Orphan Black”, one of the things that I appreciate the most in fiction is protagonists being put in (in some sense) interesting and unusual situations (mostly based on their own frame of reference). “Orphan Black” e.g. has the main protagonist among the clones see another clone die—and take over her identity with no previous information. Ensuing experiences include having to get through a hearing about a lethal shooting committed by her police-woman alter ego and trying to keep parts of her “old” life going in parallel to the “new” life. This applies in particular when learning and personal development are involved in variations of the “Bildungsroman” theme. A somewhat recent example is the movie (I have not read the book) “Divergent”: I was fascinated by the heroine’s move from the highly specialized faction she was born in into another and her efforts to cope in the new environment, including having to hold her own against people who had lived in that environment since childhood. Unfortunately, this part of the movie was not explored in the depth I would have preferred—having to leave room for conspiracy and insurgency… A similar trend is seen in “Counterpart” (mentioned as “very promising” in my recent post on “Back to the Future”): Two alter egos (or counterparts…) from different realities meet each other and eventually switch places. Early on these situations are at the core of the series; by now, still in the first season, conspiracies and whatnot dominate.

In all fairness, it could be argued that the use of an “interesting situation” also borders on the hackneyed in the genres I tend to watch/read the most. Consider e.g. how the likes of Bilbo/Frodo or Luke Skywalker are torn out of an idyllic existence for great adventures, how any amount of earth humans are transplanted to unknown worlds (most notably in the “Narnia” series), how the ignorant-of-magic Harry Potter finds himself in Hogwarts with minimal preparations, or, looking at some of my posts on fiction, e.g. the early events of “iZombie”, “Grimm”, and “Orphan Black”. However, this is a point where I am willing to give a lot of leeway—not only because I enjoy the situations, but also because they have a narrative advantage of being able to explain a new world to the viewer/reader without jumping through hoops: Explain the world to the protagonist and the audience receives the same information.* To boot, many of these situations are radically different from another, while e.g. fictional conspiracies have a great degree of fungibility.

*There are examples of doing it otherwise that work well. An extreme case is the “Malazan Book of the Fallen”.

Excursion on (dis)similarity of alter egos: A common problem in fiction is that alter egos are far further apart from each other than they realistically should be. This has narrative advantages; however, it is also a potential danger in that it misleads the broad masses on topics like personality development, perpetuating the outdated “tabula rasa” models and their highly negative political influence. “Counterpart” does a reasonable job in that the differences between the main protagonist and his alter ego are small enough to be explained by different events and developments in their lives. “Orphan Black”, on the other hand, shows so extreme differences that the clones basically have no more in common than a group of randomly selected individuals—something considerably less realistic than human cloning.

Written by michaeleriksson

March 29, 2018 at 12:31 am

Posted in Uncategorized


More on password security / Follow-Up: My recent problems with Unitymedia

with one comment

An expansion on the password security issues briefly mentioned in my previous post.

Returning to and setting the hotspot password, I was faced with the following rules (paraphrased into English):

  1. At least 8 characters, at most 64.

    A lower limit of 8 characters is very weak in today’s world, and negates much of what is attempted to be gained by the other rules.

    (Any upper limit is sub-optimal, but it is hard to avoid having a limit somewhere, 64 should be enough for these purposes, and compared to some idiots who actually put upper limits of e.g. 16 characters, it is quite good. Some banks go to extreme lengths to increase security with various TAN-mechanisms, yet leave the online-banking password/PIN at exactly 5 characters…)

  2. At least one upper-case letter.

    This is obviously geared at nitwit users who choose too easy passwords, up to and including “password”. However, it also reduces the search space, making life easier for crackers of random passwords—and it poses a problem during password generation: Especially with shorter* passwords (say 12 characters) and in combination with the following two items, there is a non-trivial risk that a randomly** generated password will not be conformant. To boot, such restrictions only look at one aspect of a password and a password of 11 characters made solely from lower-case letters will be more secure than 8 characters mixing upper/lower case and digits.***

    *And note the below item where a longer password will be more likely to be non-conformant: Unitymedia has us coming and going.

    **A randomly generated password is almost always the best choice from a security point of view. A randomly generated “ertya123456dmqpdfe” will be more secure than a manually chosen “consTituti0nal_amendMent”, despite the conspicuous digit sequence and other violations of these rules, and despite being shorter. To boot: If everyone used random passwords, these rules would be entirely redundant and dictionary attacks (cf. below) pointless.

    ***Assuming 26 letters, the former has 26^11 combinations, while the latter has (2 * 26 + 10)^8 combinations. The former wins by a factor of roughly 17…

  3. At least one lower-case letter.

    As above.

  4. At least one digit (literally, “number”/“zahl”).

    As above.

  5. Special characters are allowed (e.g. !@#+-=).

    Good: They should be.

    However, it is extremely unlikely that Unitymedia is set up to handle all variations (cf. the next item) and a complete listing should be given. Also, someone who does use special characters increases the risk of violating one of the preceding rules with an automatically generated password.

  6. No spaces.

    An arbitrary restriction that should not be needed with correct password handling by Unitymedia, and which reduces the search space. This might be an attempt to protect users against confusion arising from (accidental) leading or trailing spaces, but, if so, the rule should not apply within the password. More likely, there is some deficiency in Unitymedia’s systems that falls on its face when spaces are used.

  7. No consecutive letters or digits [literally, “numbers”/“Zahlen”] (e.g. 123, abc).

    Firstly, this is a very unclear rule, making it hard to determine what the actual restrictions are. What is almost certainly meant, based on knowledge of common password errors and the examples, is that there must be no string of one letter (or digit) followed by another which is “one higher”. That is not what is said, however: The most reasonable literal interpretation would exclude e.g. “145” and “azt”, because we have digits or letters following each other in the string. Other potential interpretations are possible, however. The examples used make it unclear if e.g. “12” would be OK.

    Secondly, this rule is highly problematic for those using password generators: With a long password, the chance that a perfectly random password contains one or several such combinations is fairly high, even assuming a minimum of three characters. Assuming just two characters, automatic generation will fail very often.

    Thirdly, without additional protection against e.g. “321” or “135”, this rule is toothless.

    Fourthly, even non-random passwords are weakened, because the search space can be reduced.

  8. Must be different from the customer-area password.

    Strictly speaking, it is a good thing to use different passwords for different objectives. However, without also banning trivial variations (e.g. just adding a “1” at the end), the benefit of this is small. It is also well-known that the more passwords users have, the more likely they are to write them down or cheat* in other ways, thereby turning the security advantage into a disadvantage. This risk is particularly large with unsavvy users, which is exactly the group these rules are so obviously targeted at. Of course, a much worse error would be to use the same password for two entirely separate services, e.g. Unitymedia and Hotmail; however, here there is no restriction**.

    *E.g. through using trivial variations, foregoing random passwords in favour of “dictionary” passwords, resorting to personal facts, …

    **For practical reasons, such a restriction would likely have to be limited to an admonition. This admonition, however, could well bring more benefit than the Unitymedia-internal technical restriction…

    (It also very, very slightly reduces the space of available passwords/the randomness of possible passwords. In this case, it is highly unlikely to have any practical effect, but similar rules would be detrimental in a cryptographic context.)
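The effect of rules 2–4 and 7 on randomly generated passwords can be computed exactly rather than estimated. The following is an added example, not part of the original post: it counts conformant strings with a small dynamic program, assuming an alphabet of the 62 letters and digits (no special characters) and reading rule 7 as “no ascending run of `run` characters within the same class”; all function names are hypothetical.

```python
import math
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALNUM = LOWER + UPPER + DIGITS  # 62 symbols; special characters omitted (assumption)


def char_class(c):
    """0 = lower-case letter, 1 = upper-case letter, 2 = digit."""
    return 0 if c in LOWER else 1 if c in UPPER else 2


def continues_run(prev, cur):
    """Rule 7 as read here: cur is 'one higher' than prev ('a'->'b', '1'->'2')."""
    return char_class(prev) == char_class(cur) and ord(cur) == ord(prev) + 1


def conformant_count(n, run=3, alphabet=ALNUM, require_classes=True):
    """Count the n-character strings over `alphabet` that pass rules 2-4 and 7.

    run: length of ascending sequence that rule 7 rejects (3 for "abc",
    2 for "ab"; must be >= 2). require_classes=False checks rule 7 alone.
    """
    if n < 1:
        return 0
    # DP state: (bitmask of classes seen, last character, ascending run length)
    counts = {(1 << char_class(c), c, 1): 1 for c in alphabet}
    for _ in range(n - 1):
        nxt = {}
        for (mask, prev, length), ways in counts.items():
            for c in alphabet:
                new_len = length + 1 if continues_run(prev, c) else 1
                if new_len >= run:
                    continue  # would complete a forbidden sequence
                key = (mask | 1 << char_class(c), c, new_len)
                nxt[key] = nxt.get(key, 0) + ways
        counts = nxt
    return sum(ways for (mask, _, _), ways in counts.items()
               if mask == 0b111 or not require_classes)


def rejection_rate(n, **kw):
    """Probability that a uniformly random n-character string is refused."""
    alphabet = kw.get("alphabet", ALNUM)
    return 1 - conformant_count(n, **kw) / len(alphabet) ** n


def bits_lost(n, **kw):
    """Search-space reduction, in bits, that the rules hand to an attacker."""
    rate = rejection_rate(n, **kw)
    return math.inf if rate >= 1 else -math.log2(1 - rate)


if __name__ == "__main__":
    print("len  reject(run=3)  reject(run=2)  bits lost(run=3)")
    for n in (8, 12, 20, 64):
        print(f"{n:3d}  {rejection_rate(n, run=3):13.3f}  "
              f"{rejection_rate(n, run=2):13.3f}  {bits_lost(n, run=3):16.3f}")
```

Setting `run` larger than `n` switches rule 7 off, which isolates the cost of the three “at least one” rules.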

Two additional weaknesses are:

Firstly, no mention is made of what happens with letters not normally present in German, e.g. “å”, or Unicode variations of letters that happen to look the same but are considered different. This is not only a major source of insecurity for the foreign user (for instance, a Chinese user might prefer to have an all-Chinese password), but also makes it very hard to judge search spaces. For simplicity, I go with the English alphabet and 26 letters above.

Secondly, the single greatest danger is the use of passwords vulnerable to a dictionary attack, e.g. “consTituti0nal_amendMent”. These, however, are not banned. A dictionary of, say, 100,000 words is almost certain to contain “constitutional amendment”. It has 24 letters (including the space). Allow a geometric average of three* variations per letter. We could now take 3^24 * 10^5 as an estimate of the randomness of this password. This is a smaller number than 26^12, corresponding to a perfectly random string of 12 lower case letters. It is actually almost as weak as a mere 8 random characters from a 100 character space, as could be approximately achieved by mixing upper/lower case, digits, and special characters from a regular German keyboard.

*Most will only have two, the upper and lower case, for such naive transformations. Some will have three, e.g. “o”, “O”, “0”. Some could have more, e.g. the space being replaceable by any special character. Also note that the above randomness estimate is likely on the generous side, because most other words in the dictionary will be considerably shorter. (The above, however, is only intended to give a rough ballpark figure—not as a stringent mathematical analysis.)

As an aside, which weaknesses are the more severe can depend on the type of attack attempted and the surrounding circumstances. Is the attacker looking to crack one specific account or any account? Does he have access to e.g. a set of hashed passwords that he can attack off-line or does he need to attack through the log-in masks? Etc. Notably, if a non-random password is used and a specific account is attacked, then “social engineering” is likely to work better than a dictionary attack.

Written by michaeleriksson

March 23, 2018 at 9:23 pm

My recent problems with Unitymedia

with 2 comments

Incompetent and user/customer hostile businesses have been a recurring theme in my writings. My experiences with Unitymedia rank among the very worst, however.

Problems until recently were mostly limited to abusing my email address for spam. However, the developments in the last two weeks are utterly inexcusable. Even in a somewhat abbreviated listing:

  1. Visiting my apartment in Wuppertal for pre-sabbatical preparations*, where I have had an Internet connection from Unitymedia for almost a year-and-a-half, I found that the connection no longer worked. This after my only using it for a total of roughly two months, due to my long absences, and now that I finally was going to use it on a daily basis for the foreseeable future.

    *Cf. a previous post.

  2. I attempt to trouble-shoot through the web interface of the router—only to find that the web interface simply does not work with my Firefox. This without any messages as to why, no “please activate X”, or anything indicating that something was amiss—apart from things not working. For instance, a button that was to be pressed was not visible; for instance, after finding the invisible button and pressing it, nothing happened.

    This state persisted after I had verified that all the likely complications, including cookies, JavaScript, and images, were activated and functioning.

    Having limited time, I (temporarily) gave up and focused on other things.

  3. Back in Cologne, I tried to log in to the customer area of Unitymedia’s website. This was not possible, with repeated errors of

    Bad Request

    Your browser sent a request that this server could not understand.

  4. I also investigated Unitymedia’s WiFi hotspots*, hoping to use them as a work-around. This was fruitless, with no information easily found (but compare below).

    *Every (WiFi-)router is per default enabled as a hotspot for other Unitymedia customers, implying that they can access the Internet without extra cost when away from their own routers. (Assuming that another router is sufficiently close by.)

  5. I now contacted customer service per email, giving a detailed record of events and including my last invoice number (the customer number not being obvious from any of the information available in Cologne).

    The result was a pure boiler-plate email claiming that my customer account could not be found based on the data given—utterly absurd since I copy-and-pasted the invoice number. (And have subsequently verified that I sent the correct number.)

    Worse: This email committed many of the sins I discuss in a previous post, including altering the subject line and not including the original message—and added one entirely new: The sender was replaced by a “no-reply” address in an ongoing conversation. These are inexcusable in any context (cf. the linked-to post), but in an ongoing conversation?!?!? Effectively, I have to go back to a previous message and copy the recipient address from there in order to reply!!! An absolute and utter travesty of email use.

    Whether Unitymedia is just utterly incompetent or is deliberately trying to sabotage email communications*, I do not know. Either way, this is so far beyond the acceptable that the decision maker should be summarily fired for this alone.

    *For some reason, many businesses appear to be extremely email averse and/or view email as a pure one-way channel for them to send messages, mostly spam, to their customers. Common problems include hiding email addresses, taking any chance to ask the customer to call customer service instead, trying to divert customers to Facebook instead of email, … On a few occasions, I have even had emails to officially publicized addresses be given an automatic response of “please use our contact form instead”.

  6. I sent back further (redundant!) information, and now Unitymedia apparently did manage to find me. However, instead of addressing the issues at hand, a message amounting to “we tried to call you; please call us back” was given—something which is entirely pointless, seeing that I am not in Wuppertal at the moment… Worse: Going by the time the email was sent, I and most others would have been at work in the first place—if they had reached me (or whomever) it would have done no-one any good, making the phone call a waste of time. I had described the events in sufficient detail and without being in the presence of the router, there is very little else that I could reasonably have added or tried.

    To boot, I currently have no use for a cell phone and have let my pre-paid SIM expire. Apparently, however, someone who does not have a cell phone is not allowed customer service…

    Also to note: The information that I had additionally requested should have been given per email, not per telephone. If I had wanted information per telephone (extremely error prone), I would have called myself; I sent an email and both common sense and common courtesy require a reply by email.

    Almost needless to say, this reply also committed all the above email sins…

    As an aside, there are quite large bootstrap problems involved by now: Almost any attempt to open a contract requires leaving a phone number and/or email address—quite often “and”; often specifically a mobile phone number. This even when there is no actual justifiable need; this even when the contract is for e.g. telephone services. When I moved to Düsseldorf in 2011 (?), for instance, the provider I first turned to for telephone and Internet services (Deutsche Telekom) required a pre-existing phone number to even leave the first screen of the process. We could be approaching a state where e.g. an immigrant simply is stuck, not being able to get basic services because he does not already have basic services.

  7. I replied correspondingly, including pointing to the fact that most of the checks Unitymedia should do could or even must be done without my involvement. (For instance, checking that everything is OK with my contract does not require my involvement; correcting errors in Unitymedia’s web pages must not involve me.) This email is still unanswered.

  8. Today, having grown tired of waiting and not wanting to risk further delays, seeing that I only have the Cologne apartment (and the Internet connection there) until the end of next week, I installed Chromium*, hoping that this would work with the atrocious web pages of Unitymedia. Well, to some approximation, it did. After various hitches, including a password field that refused my securely generated password** and an incorrectly constructed confirmation email***, I finally managed to register and log in.

    *An open source version of Chrome.

    **The best approach to secure passwords is complete randomness. Restrictions like “must contain a digit” can be helpful in slightly protecting idiots who try to use “password” as the actual password, forcing them to move to e.g. “pasSw@w0rd”. However, the emphasis is on “slightly” and these restrictions lower the security of random passwords. (Since they are no longer completely random.) The procedure of Unitymedia is made a mockery by insisting on a “security question”, which very, very significantly lowers the security of the password mechanism: A glass window next to a steel door. (The considerably better, even if not perfect, way is to have the ability to send an email with a “reset” link to a pre-defined email address.) As for the security question, I originally tried to use (approximately) “security questions are a bad idea” as the answer. This was rejected as invalid, with no indication of why. (Length? The spaces? After replacing it with a shorter, random string without spaces it worked.) Complete and utter idiots!

    ***The (HTML) email was so poorly written that it did not even render in my email client, appearing to be entirely empty; I was forced to save the email to a text file and to open it manually in a browser. The actually needed contents were several lines of text and a link; the actually provided contents were an order of magnitude larger due to the inclusion of various information about who was the CEO and whatnot; the actual size of the HTML code was 61406 (!) characters, compared to 1657 for the actual text. (The latter, imprecisely, measured through copying the text from my browser and copying it into the Linux “wc” tool; the former not including several external images, which are incidentally a big “no no” when using HTML emails.) Running the HTML through tidy, an HTML validator, gave no less than 159 (!) warnings.

  9. After navigating through the visually horrifyingly designed pages, with their illogical structure, dodging repeated annoying and uninteresting messages that Unitymedia had wonderful new offers for me, and generally being on the very, very end of my patience, I finally found instructions for how to use the hotspots—with smart phones. A use with computers, even notebooks, is apparently not on the agenda (but I assume that the instructions are sufficiently adaptable that it will be possible).

    However, before use I had to activate the functionality, set a password, and whatnot. Before submitting the corresponding form, I clicked on the link for the Terms-and-Conditions—only to unexpectedly find myself looking at a PDF document within Chromium. I closed it to download and reopen it in a proper PDF viewer—only to find that the tab with my data was gone. (Apparently, the PDF had opened in the same tab.) I re-opened the tab and went back to the original page—only to find that the data I had entered were gone. At this point, I just gave up, wanting to save my blood pressure from a complete disaster.

    (This is of course only partially the fault of Unitymedia. Most of it likely falls on a weird default behavior from Chromium, which incidentally proved to be very frustrating and limiting in other regards too, e.g. in the use of annoying animations and filling the “new tab page” with a redundant Google search page, neither of which appeared to be possible to deactivate through the main settings.)

The web pages of Unitymedia could basically be used as an example for aspiring web designers of how not to do it. I will not attempt a detailed analysis (because that would require me to go back and look at them in corresponding detail, for which I have neither the time nor the patience). However, I do note especially on the visual side the need for excessive scrolling to reach any content, any screen typically containing just a few lines of text—and large, uninteresting images or large swathes of even less interesting empty space. Technically, they provide an excellent example of why Ajax/DHTML/whatnot are rarely a good idea and why it is almost always better to develop regular HTML pages, using vanilla forms, and possibly some very minor piece of JavaScript for some special tasks. Content-wise, the pages are confusing, making it hard for even a very experienced surfer to find the right information. By and large, I would liken the visit to trying to find useful product information in a supermarket flyer.

Written by michaeleriksson

March 22, 2018 at 5:31 pm