Friday, December 18, 2020

Elitism KO’d in Dr. Biden Kerfuffle

There have been amazing outbursts around a Wall Street Journal article that disparages the use of Dr. as an honorific for anyone but MDs.  This is about how Dr. Jill Biden, the wife of President-elect Biden, wants to be titled in recognition of her Ed.D.  The critic also chose to denigrate her dissertation project and her being an educator at a community college.

Challenged for the elitism and sexist diminishing of women’s achievements, the Wall Street Journal doubled-down.  This peculiar he-said, she-said battle has been joined across the Internet with divisive social-media commentary. 

Apart from the probably-misplaced “two-sides” coverage on various media, that bastion of conservative dialectic purity, National Review, managed, as is its wont, to join the fray.  The attempted coup de grâce is an egregious own-goal, attracting brilliant rejoinders to its metaphorical excesses.

With regard to the disparagement of community colleges and their value in US public education, Professor Melissa Murray testifies how much community colleges serve actual communities, providing affordable, accredited educational pathways along with continuing education in many forms.

National Review might expect readers to snort their superior approval at likening “teaching remedial English to slow learners in community colleges” to “being a rock musician who’s in a bar band.  That plays covers.  At mixers.  Held in assisted-living facilities.”  In one fell swoop, teaching is diminished in yet another way.

With regard to cover bands, Dr. Ian Cromwell, a Ph.D. who performed in cover bands for many years, provides a brilliant explanation of why and how that is valuable and, most of all, what music is for.  Even bands who achieve fame for their original tunes end up covering themselves, like it or not, trapped in a Hotel California of their own devising.  And sometimes, they might show up in a bar and sit in.  If you don’t get that, watch “The Queen’s Gambit” through to the end again.

It is heartening that some with philanthropic instincts and resources are also more generous in support for non-elite institutions.

Friday, September 25, 2020

Neither Master nor Slave Be

I just encountered “GitHub to replace master with main starting in October: What developers need to do now.”

It should be clear this use of the term Master has nothing to do with there being Git branches named “slave.”  The usage of “master” is akin to the recording industry and audio-visual use of the term with regard to an original/authoritative form of some kind.

We are up against a problem with words having more than one meaning in language.  Here we are leaping from the use of master-slave terminology in technology to other standalone usages of master, however those came into being. 

I don’t doubt that “master” has become a trigger and that its removal from Git[Hub] is a useful replacement “with terms of inclusion that cannot be misconstrued.”  I am not clear how “main” becomes a term of inclusion though.  I cannot argue that the usage is not divisive; I do wonder about the technological use of “male” and “female” as terms of art applicable to household and industrial products and how one speaks of them to hardware-store clerks.

A practical matter of direct concern for me is mastering (see what I did there) the propagation (dare I say it) of replacement terms in existing Git repositories and in deep links into their on-line forms at GitHub.  I have created an issue on the matter in the repository that is of greatest concern to me.

It is helpful that GitHub will somehow “indirect” the use of Git “master” to Git “main”, at least for GitHub repositories.  I am a bit concerned about how this will be reflected in an update to the GitHub client for Windows, and how that will impact using it with non-GitHub repositories.

This situation reminds me of the problem created by browsers designed to force https protocol prefixes and then claim that web sites served only via http are insecure.  I find Blacklight more nuanced and helpful.  (Try it on https://orcmid.blogspot.com for starters.)

I hazard that such geek paternalism is rampant and may be a cure that is worse than the disease: absence of systems thinking and failure to consider end-to-end discontinuities. 

I will comply; I claim the right to grumble.

Monday, August 10, 2020

The Edges of the Box

Discussing Inspiration versus Perspiration at the weekend Mysterium 2020 con, Rand Miller talks about "the box" and working within it in a creative activity.  This is not about coloring inside the lines; it is about accomplishing something with the resources available and the unpredictability and surprises that show up in the development.

Doing the small thing really well can be the ramp to learning/discovery and a way of bootstrapping to anything more ambitious.

Hearing that, I was reminded of my tribulations with The Miser Project and what I should do to delineate the oMiser development inside all of the thinking-out-loud Issues.

The initial box is having a sufficient proof-of-concept.  That means the SML/NJ mockup will provide a working oFrugal that allows exercise of the oMiser computational model.  The mockup is practical for demonstration of how the theoretical limits of computation are achieved.  The particular model also brings focus to how the stored-program concept affords representing numerous theoretical entities related to practical reality.  

This does not mean that oFrugal is particularly expressive.  It is essentially a calculator for deriving oMiser obs.  oFrugal and oMiser lack support for expressing representations at higher levels.  oFrugal/oMiser make that limitation almost self-evident.

But that's the box.  Having captured a variety of ideas that don't have to be addressed, I will retreat to working inside (but pushing) the edges.


Wednesday, July 1, 2020

Soft Landing for Clear Voice

Before the world shifted under our feet this year, I blogged about restoration of my voices across what I refer to as nfoCentrale, an amalgamation of web sites and blogs.

Lately I have turned, instead, to down-sizing and consolidation, focusing on a small number of projects that are central to my computer-science vocation.  This is a realistic move in light of my age and limited energy and enthusiasm, recognizing I have cast a net with too many unwoven holes in it.

Consolidation will be on GitHub, since it provides version control, Markdown authoring, hosting, wikis, and preservation of projects.  I expect that GitHub will endure as long as I require it, and having Git as a laboratory and preservation mechanism is ideal.

I will continue the nfoCentrale site, although more add-on domains will be surrendered; the content will remain as subdirectories of nfoCentrale.com and the catalog will reflect the altered amalgamation reality.

I also have to consider migration to a blog or two hosted on GitHub rather than Blogger.  This will provide relief from the disconnects between the current Blogger and LiveWriter; LiveWriter files are also not ideal for preservation purposes, though better than none.  I am saddened by the loss of continuity.  I will work through that in small steps. 

Friday, March 13, 2020

Steven Sinofsky on Crisis Leadership

I read the original Twitter thread and felt the need to be able to reread it, probably more than once.  Thankfully, an annotated version is now available on Sinofsky’s Medium blog.

It is worth reading.  It is worth understanding that any crisis arises and must be addressed under chaotic conditions.

There’s also the matter of preparation.  There can be strategies and plans for the foreseeable.  And, as is frequently reported, when the crisis erupts, the plans go out the window.  Yet we are better prepared for having done the planning, actually made the preparatory arrangements, and gained some level of training even if not the same as having been tested in response to a previous crisis.

Mel Conway on Humane Tool Design

Mel Conway has come up with an 85-tweet narrative on his view of having a universal-level arrangement for computational operations that is learned the way we all learned to listen, speak, move, walk, and explore as infants.  The idea is that we will ultimately grow up in this, whatever its forms, and it will have become a natural capacity.  Conway has an approach in mind.

The threads are all on Twitter.

Prelude (1 tweet)

0. Introduction (2 tweet thread)
A cloud-based Application Development Platform for the Rest of Us

1. Thesis (2 tweets)
-   If non-programmers are going to build real-world solutions, a simpler programming language isn’t enough
-   posits a collaborative situation in which everyone can participate with the skills they already have

2. Democratization of culture-critical information technologies (Historical Perspective: 16 tweet thread)

3. Universal Human Skills Model of Progress (16 tweet thread)

4. Humane Tool Design: 12 Principles (14 tweet thread)

5. On Platforms (20 tweet thread)

6. Where the Work Stands Now (17 tweet thread)

The proposed goal is a Humane, Asynchronous, Asymmetric Construction Platform for Stateful Business Applications.

There is background material in Conway’s Humanizing Application Building presentation (PDF download).

I can appreciate the thesis, and I think Excel is a perfect illustration of the kind of collaborative participation that could be involved.  I would like to know more about what is essential versus incidental in the proposed cloud-based arrangement.

Above all, Conway’s thesis and narrative merits much thoughtful consideration.

Wednesday, March 11, 2020

Situating Performance Architecture

"Without the cognitive work that people engage in with each other, all software systems eventually fail" ACM Queue January 2020

It should be no surprise that our devices and computer software train us to learn how to operate with them.  We are the adaptable participants.  At the same time, we are not aided in formulation of conceptual models and practices that afford successful interactions.

Perhaps the way to articulate my concern about this is by reflecting on a situation that was successful.  This was years ago; it is the handiest illustration that I have personal experience of.

Performance Patterns

The diagram below is a depiction that I refer to as a Performance Architecture.  It is a diagrammatic pattern that involves scanned images being captured and organized in digital form.  I term this an RSVP pattern: Read/render, Store, View, Print/present.



Used before Design Patterns became a thing in software development, the template for components of this pattern is very simple.



Based on the notion of dataflow diagrams, the indications of flow can be taken simply as transfer of data across a definite interface from one process to another process or storage.

By itself the RSVP pattern is abstracted at a high level above a detailed implementation case.  The pattern depicts an intermediate performance-architecture level.  Going deeper exposes more internal arrangements.  The surface at which users and operators approach and interact with the (sub)systems is also suggested.  At this informal conceptual level, fidelity of operation takes two forms.  There is technical fidelity to the specified variations that an implementation supports.  At the same time, there is subjective (light-bulb) fidelity with respect to a particular usage situation and how that is satisfied by experimentation and confirmation of operation.

Customized Application



In an actual custom application, depicted above, the RSVP pattern was divided between two operations, 4.2 and 4.3, factoring the conceptual arrangement further.  Choreography with the additional activities involves considerable manual arrangements involving physical artifacts and a worksheet that is maintained throughout the progression of operations.
  
The purpose of creating digital images was preservation of scarce physical books that were deteriorating as the result of 19th century printing using papers produced via acid-based pulp-paper processing.  The phenomenon is evident in old paperback books and also old newspapers.  The book pages become brittle, discolored, and fragile.  In order to preserve the books digitally, the book is destroyed by removing (guillotining) the binding, separating the individual pages.  It is the individual pages that are scanned without any mechanical feeding, checked for successful capture of the pages, and then added to a digital collection with additional material for organization of the images as pages of a digital book. A printed and bound replacement book is produced and checked against the original pages.

Overall Situation


Rescue of deteriorating 19th century books was part of a prototype effort conducted to determine a successful preservation approach.  The effort was tied into an overall college-campus research library system.  Although the RSVP pattern occurs informally within activity 4.0, Make Digital Preservation, integration into operation of the research library and honoring of the sensibilities of the research librarians and curators was paramount.

People are not explicitly reflected in the diagrams.  There are human activities everywhere the physical and the digital are in conjunction.  Also, fine-grained iterations are to be understood.  There were provisions for rework and also correction of errors: blemished scanning, pages out of sequence.  There also was a need for training of operators and supervision of operation.  Computer Center operations were relied upon for IT support.

Although highly tacit, diagrams of this kind often serve as touchstones for the participants to orient themselves with regard to their contributions and the overall enterprise.  They also reflect the constraints on subordinate procedures and what their architecture must serve in the higher-level depiction.

This situating provided global context for agreement among the technical team providing the digital RSVP portions and the personnel of the library.  The entire undertaking was carried through as a successful prototype co-development.  The digitally-preserved books are now part of an extensive set of digital collections made available on the World Wide Web.

There was important technology dependence.  Adequate preservation required high-quality flatbed scanning of book pages that was protective of the fragile pages.  High-resolution xerographic printing of indelibly-fixed toners on archival papers was accomplished using an original Xerox DocuTech Network Publisher fed from a Unix server.


The configuration information is rather barren in the absence of the architectural patterns and the situating external architecture.  We get a view of what the system configuration is, but not what it is for.  And this is the most-replaceable component in the overall performance architecture.

At the intermediate and upward into the external architecture, there is a diagrammatic means for shared understanding and evolution of variations, improvements and extensions.  There is significant acknowledgment of tacit understanding, and a place for confirmation of consistency among those understandings between producers and those who adopt and employ the resulting system.

This case study is meant to be suggestive about preservation of end-to-end and user-situated understanding by sketches of this sort.  Whatever the form employed, distinguishing the levels and capturing the context in which built components must fit is important for understanding of the developers and those the development serves.  

Friday, February 21, 2020

Bruce Schneier on Policy vs Technology

Bruce Schneier posted this IEEE Security & Privacy essay on his blog today.

Read the posturing in the comments and wonder about the ones that resonate with you.

Compare with the thrust of the article and the purpose and nature of law and politics.

Discuss among yourselves.

Friday, February 14, 2020

Complexifying Elections: Technological Wishful Thinking over Accountability and Demonstration

Via ACM TechNews, Computerworld’s Lucas Mearian reports “MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities.”

There is a fundamental tension between having secrecy of ballots and a desire for auditability and detection/prevention of fraudulent manipulation of the voting system.

The TL;DR: The most important question concerning electronic/internet technical mediation of a voting system is this: When the system is determined to have failed or been corrupted on election day, what fall-back is in place for swift and certain recovery?

The next question is, what provisions are there for detecting that such an incident is occurring or has occurred?

The Quandary

Researchers’ insistence that paper ballots are the best choice has more to do with avoiding additional vulnerabilities and exploits that can be invisible, massive, difficult to audit, and not subject to the usual verification of chains of custody and handling between the means of submission (polling places and mail/drop systems) and the current means of authenticating the registered voter and/or the unopened ballot.  Paper-ballot systems limit the varieties of attack and the chance that an attack goes undetected.  Integrity of the system is grounded in human activity and the transparency of election administration.

The paper ballot provides the best case of privacy, with the only connection being the handover of a ballot to a registered voter or the receipt of a sealed ballot before removal and introduction into processing.  The secrecy of the voter’s balloting is established at that point.

It is also the case that widespread fraud against voting systems has never been demonstrated, as much as it is feared by those who are contemptuous of voters not like themselves.  The small number of cases tends to be more pathetic than any serious rigging; the greater impact comes from voter suppression and distortion of choice through gerrymandering.

In some sense, those current manual-system provisions and safeguards do not go away.  Adding technological solutions is more complex and requires much more understanding, preparation, and dependence on specialized skills and appropriate conceptual models not possessed by polling place workers, those in election headquarters, and the management/administration, however well-intentioned. 

Advocates of technological fixes are on a death-spiral starting with the abandonment of paper ballots and continual fix and repair, adding complexification without addressing the importance of standard security requirements and especially risk management that applies to the delivery of invisible technology. 

A particular problem with citizen-facing voting technology is that it is not possible to have the normal cycles of learning and improvement.  It has to work the first time and every other time.  Furthermore, adversaries are not obligated to reveal their ability to penetrate and manipulate a system until it is too late. 

There is nothing new here in the difficulty of creating and deploying technical systems in which there are critical privacy and security requirements.  What is new is the impact on an area that is much more fragile in the face of disruption and breakdowns and the loss of trust that inevitable breakdowns invite.  If the producers of technical components resist transparency for whatever reason, one must presume defects rather than believe in a perfection for which there is no evidence, only wishful thinking.

Thursday, February 13, 2020

What does “Winner” Mean?

As of today, there have been two Democratic Party Presidential Candidate Nomination events: the 2020 Iowa Caucus and the 2020 New Hampshire Primary. 

At this point, the Associated Press and other news media are distressed that they are “unable to declare a winner.”  Really?  What self-important ridiculousness.  

This is neither horse-race nor sporting event.  There is no such title and reward distinct from what is already determined: delegates pledged to different candidates going into the National Democratic Party Convention later this year.  Simple boring facts.

The candidates will, of course, step into the media-distorted view and proclaim their fortunes for their own purposes.  The behavior is akin to prize fighters claiming their advance to the title.  There are even metaphors such as “knocked out.”

We are seeing politics in the manner that politics is useful in a democratic society.  Noisy, disruptive, thrashing about, looking for consensus and if not consensus, determination of a way ahead in the face of uncertainty.

There are inside-baseball dramas of course, a feast brought about by failures of accountability and transparency, in the case of the Iowa Caucus operation. 

Although there has now been the equivalent of a public hanging, it remains unclear whether the lessons to be found in that process are being learned.  I’m thinking of the unfortunate introduction of technology and inadequate/absent risk management.

The processes behind the conduct and resolution of elections tend to be good enough until something “too close to call” arises.  Then reforms arise.  The injection of technology and technology fads offering technological cures to technological failures suggests that the lessons about human responsibilities, and our mutual fallibility, are not willingly recognized and learned.

Wednesday, February 12, 2020

nfoCentrale: Longing for Clear Voices

I have had several blogs.  Some of their dormant states are linked on the sidebar here.  My inattention to maintenance of consistent voices on particular themes has led to fracture and confusion (for myself at least) with respect to my Internet presences.

A feature I miss is having separate blogs focused on roughly consistent themes.  There have been 10 years of neglect since I was flummoxed by breaking-for-me changes in how Blogger worked.  Now there is fragmentation of voice to reconcile.

What a mish-mash!

Some of this has to do with me being so easily distracted and pursuing new shiny things.  “Squirrel!”  At the same time, there is also confirmation that the life-cycle of vendor (i.e., Microsoft) products and the continuing-use dependency of end-users are wildly different.

So many blogs are dormant since 2010 because I failed to come up with appealing replacements.  Self-hosting of Movable Type on nfoCentrale.com and node.js development of hexo-based blogs didn’t pan out, and they managed to have little deployment apart from experimentation on Spanner Wingnut.

Here I am, having traveled full-circle, using Blogger and free blogspot.com hosting.  This restoration of Orcmid’s Lair (and continuation of Orcmid’s Live Hideout) is just one step.

I remain wary and cautious, faced with tending this octopus’s garden of mine and achievement of some manageable consistency.

Monday, February 10, 2020

Teaching and Research: Front and Back of the Same Hand?

Amy Ko’s article “The false dichotomy of teaching and research” unveils great questions and a personal story.  That's amazing.

Forty years into my career and then retired, I began an M.Sc in IT (I'm ABD though, so it is a University of Liverpool diploma for courses without the degree). My thinking was to qualify as an adjunct/lecturer at a place like the U of W. What scared me was teaching taking me away from the scholarly/research pursuits that retirement afforded me. I was and am also wary of academic culture.

Work on the M.Sc, conducted on-line with many discussion assignments, did teach me something unexpected. It confirmed I am a good student, much better than when I dropped out of college in my freshman year.

I had never taken any academic CS courses (though successfully challenged the major for my late-career BA).  The M.Sc courses taught me how much I already knew and understood having grown up in the field.

Before retirement, I once sat down with Terry Winograd (when I was located at PARC) and pondered going to graduate school at Stanford. When he asked why, I said it was because I wanted to do the work. Terry's remark was I was already situated to do that, and if I did not desire to be a professor, I didn't need the graduate school.

I recognize now, as an independent scholar, the value of colleagues and a community where our mutual intellectual juices are nurtured. I get more out of GitHub issues that question and challenge my efforts than almost anything else. I can also confirm seeing how graduate students interact and thrive among themselves. It would be great if there were forums for that, especially for adult learners.

Oh, and I have been a mentor/TA on Coursera MOOCs. How did I manage to forget that? The discussion and sometimes-collaboration opportunities on MOOCs are also rewarding.

Navigating the Rapids of the Long Tail down to the Sea

In 2004, the idea of the Long Tail was promoted in a Wired article by Chris Anderson.  The idea was catchy and the somewhat anecdotal evidence was appealing to many, including myself, blogging about it in 2005.

The Long Tail meme seems to have reached its use-by date.  Hannah McNamee writes, What Happened To The Long Tail (and LongTail.com)?

Although it is considered ironic that Chris Anderson’s own web site of that name has disappeared, I don’t think that defeats the long-tail idea.  Appealing to a power curve model may have been inappropriate, and assuming the long tail is a bigger market is perhaps a grave misunderstanding of how it works.  Yet the long tail does persist, and the ability to search the Internet supports its visibility.  That’s different than being a guide to undertaking eCommerce and making more money.  It is more like having an antiquarian bookstore and a deep social resource, a kind of living almanac, encyclopedia, and yellow pages at our fingertips.  

I am a serious Internet inhabitant, and the ability to connect internationally and temporally is something I am able to thrive with.  I am a long-tail persona among long-tail communities.  Operating without that is unimaginable.  The opportunity has only been available for the last 25 years, mostly in retirement, of my 62-year vocation and I cherish it.

On the downside, apparently spammers do succeed in achieving a long-tail economy, as do opportunistic security/privacy intruders.

Back Story

In addressing the Uncomfortable Truth that Links Are Not Forever, I remarked that I periodically receive emails about broken links in 15-year-old blog posts.  That happened once again regarding links in my 2005-04-02 post on The Long Tail Meme.  On examination of that page I also detected broken links, now repaired, to my own archives under a domain name I have since abandoned in favor of another.

In the latest case, I was offered a substitute for the link to a now-absent web site.  Unfortunately, that breaks the time sense of my 2005 post.  I have provided that link in this new post instead.

I remain heartened that my document-engineering of blogs has the files be on a server that I lease and back up to my private web-development machine, all under source-code control.  Those ancient-in-Internet-terms posts will remain accessible about as long as I do.  I have a virtual Windows XP running obsoleted software that preserves the document-engineering approach that I have sustained all this time and affords means to repair link rot.

I don’t have that capability with my current use of blogger (or of GitHub).  What I do have, instead, is my own archive of Live Writer originals (for Blogger posts and reposts from other blogs) or Markdown files (in the case of GitHub published pages).  I can repost and make repairs, and I can move posts where Live Writer or Markdown remain workable. I am going through an adjustment period; my efforts have not settled down to some convergent consistency just yet.

Saturday, February 8, 2020

Suspicious Numerals in the Forest of Representations

In speaking of representational ambiguity as it arises in connection with the Miser Project, I realize that such ambiguities should not be surprising.  Representation ambiguities are plentiful in the daily lives of those reading this post.  They arise casually but cause trouble when incorporated in computer-processed data.

Here’s a value that is relevant in my world: 800-00-0271.  It has the form of a United States Social Security Number (SSN).  It might be one, if it’s established that it was so-assigned to someone by the US Social Security administration, and if that is the intended usage.

Calling something a Social Security Number because it has the pattern of one is different than claiming it is the SSN of an identified person.  In working around computers, we need to be more careful in distinguishing what a data element might be intended to designate and the simple data form used absent any context.

So far, the “800” is not used in SSNs, and it is used where I see it on the assumption that will never change. 

Something that 800-00-0271 can be is a Student ID Number appearing on a transcript from Regents College of the University of the State of New York.  I attest that I am that student. 

US educational institutions have tended to rely on actual SSNs of students as identifiers for student records and other purposes.  In the State of New York, at the time I registered, the State requested SSNs but did not require them.  It was considered illegal to compel an SSN for that purpose at that time.  I declined and was provided with a unique identifier having the same form.  It has SSN form because the Student ID Numbers in their systems are mostly SSNs and have that format.  The “800” part is not found in any actual SSN (so far) and that ID number is safely commingled in the college’s records and databases indexed by their Student ID numbers, ones which are most often also SSNs.

Another case arose recently, with the date of February 2, 2020 being represented as 02-02-2020.  The question is, considering that as representative of a date, is the form mm-dd-yyyy or dd-mm-yyyy?  It can be either, and the form does not reveal the answer.  In this case, it doesn’t matter.  Both forms are satisfied and can be taken to refer to the same date (with agreement about the same calendar).  The differences are apparent when different dates are recorded in different international contexts.  Both forms have been used in the USA in the past.

It might be easier now to understand the International Standard preference for recording dates in form yyyy-mm-dd.  Although only about as well received in the USA as the metric system, this form does tend to be used in the internals of data systems.  If we mean that to be a date somewhere on the planet, the time zone becomes relevant and without it, the expanded form 2020-02-02T02:02 is still representationally ambiguous, assuming of course, that this is intended to represent a local-time date somewhere on the planet.  Then, what about Daylight Time?  In Australia?

[added 2020-02-09T11:03] The “T11:03” here resolves another representational ambiguity.  It is in 24-hour time.  So there need be no concern whether it is AM or PM (T23:03).

[added 2020-02-09T10:53] Although it took a few years too many for Microsoft Outlook to deal with local times and time zones, it now does so and I can record on my calendar a trip starting in one local time (departure) and ending in a different local time (arrival) on the same or different date.  I can also record times from two time zones along a day-calendar page.  I use a pair of UTC and whatever the local time zone I awoke in on a particular day.  The tricky part comes with Daylight switch-overs and the fact that the daylight time status of a date in the past is not retained.  Recurring items can get a little wonky.

[added 2020-02-09T19:10Z] (with the “Z” for Zulu signifying UTC) One case I hadn’t figured out how to manage in all of this is for timestamps on my public web sites.  I author pages on a local machine and file timestamps are in my local time, the way that has always been presented on the Windows file system.  When I FTP changed pages to the public site, they get a different time stamp.  So I can have my FTP utility check and only upload newer pages than those there, I have to specify a time-offset so FTP gets it right.  I fumble this far too often, and passing in and out of Daylight time messes me up even more.  I would love to just use UTC in this context and have not figured out how to accomplish it.  Hmmm.  Maybe if I fudge the clock on the local web-site development server?
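The two ambiguities in this post, a numeric date whose field order is unknown and a timestamp that carries no zone, can both be made mechanical. The following Python is an added example, not code from the post; it uses only the standard library, and the sample numerals, zone names and offsets it tries are constructed inputs rather than anything recorded in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# dd-mm-yyyy or mm-dd-yyyy: the form alone does not say which field is the month.
NUMERIC_DATE = re.compile(r"^(\d{2})-(\d{2})-(\d{4})$")


def readings(text):
    """All calendar dates (ISO yyyy-mm-dd) that a numeral like 02-02-2020 could denote.

    Both field orders are tried; a reading survives only when it is a real date.
    """
    m = NUMERIC_DATE.match(text)
    if m is None:
        return []
    first, second, year = (int(g) for g in m.groups())
    found = []
    for month, day in ((first, second), (second, first)):  # mm-dd reading, then dd-mm reading
        try:
            iso = datetime(year, month, day).date().isoformat()
        except ValueError:
            continue  # e.g. "month" 13: this reading is impossible, so it is dropped
        if iso not in found:  # 02-02-2020 yields the same date twice; count it once
            found.append(iso)
    return found


def is_ambiguous(text):
    """True when the numeral names two different dates depending on field order."""
    return len(readings(text)) > 1


def instant(text, recorded_in=None):
    """Pin an ISO 8601 timestamp to a UTC instant.

    A trailing Z or a numeric offset makes the string self-describing.  A bare
    local time such as 2020-02-02T02:02 is resolvable only if the caller says
    which zone it was recorded in (a tzinfo such as ZoneInfo, or a fixed offset
    in hours); otherwise it is refused rather than silently guessed.
    """
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # older Pythons do not accept a literal Z
    stamp = datetime.fromisoformat(text)
    if stamp.tzinfo is None:
        if recorded_in is None:
            raise ValueError(f"{text!r} carries no zone: it is a local time somewhere")
        if isinstance(recorded_in, (int, float)):
            recorded_in = timezone(timedelta(hours=recorded_in))
        stamp = stamp.replace(tzinfo=recorded_in)
    return stamp.astimezone(timezone.utc)


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # Python 3.9+; needs system tz data or the tzdata package

    for sample in ("02-02-2020", "03-04-2020", "13-02-2020"):
        print(sample, readings(sample), "ambiguous" if is_ambiguous(sample) else "single reading")

    # The same wall-clock time is a different instant in Seattle and in Sydney, and
    # Sydney is on daylight time in February while Seattle is not (zoneinfo knows).
    for zone in ("America/Los_Angeles", "Australia/Sydney"):
        print(zone, instant("2020-02-02T02:02", ZoneInfo(zone)).isoformat())
    print("Z suffix:", instant("2020-02-09T19:10Z").isoformat())
```

The refusal in `instant` is the point: a timestamp without a zone should fail loudly at the boundary where it enters a system, not be compared against zoned values later. On the file-timestamp puzzle, the value `os.stat(path).st_mtime` that Python reports is seconds since the POSIX epoch with no zone at all; only its display is local, so `datetime.fromtimestamp(st_mtime, tz=timezone.utc)` yields the UTC form on either machine without any offset fudging.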

Tuesday, January 21, 2020

UGLY EXPLOIT: Sneaky Phisher Goes for Google, Microsoft, Office 365 on PC, Smartphones too?

I received a bogus email from my spouse, sent to my @msn.com email address.  It arrived on my Google Pixel (shown arriving by each of my phone's Outlook and Gmail apps).  It also arrived on my PC in Office 365 desktop Outlook.

Here is a facsimile I created by forwarding the message to myself, changing the names and email accounts accordingly to protect the identification of the exploited victim.

Beware of Any eMail that resembles this, with just the names changed




  • In the actual exploit emails, the "To:" entry is empty.
  • There is no attachment.  The Adobe icon is an image, not a link.
  • The exploit is via the original URL of the "Open" link.
  • The URL is not wrapped for checking as a Safe Link.  The copy I mailed to myself has a safe-link-check wrapper URL; that's not the case with the ones received from the attackers.
IF YOU SEE ONE OF THESE, DO NOT CLICK THE "Open" LINK.

Background

On January 20 (a US holiday, always a good day for exploits), my spouse received an email on the same pattern as the one fabricated above.  
  • It was from someone known to my spouse, but not a regular correspondent.
  • It was from that person's @hotmail.com email address.
  • The bottom line was "Sent from my iPhone" rather than "Get Outlook ... ".
  • The link ending "0ogctna2j3" is the same.
  • My spouse did attempt the "Open" link.
  • Doing that now opens a fake "Google Drive" login page on my spouse's PC.
    • The fake I see is at a sercin.co.mz page for a site that has likely been compromised.
    • The Google Drive login handily accepts Google Mail, Microsoft, Office 365, and Other Email logins.
    • It is a credential-phishing attack at this point, and offering a login will have awful consequences, depending on which one is chosen and submitted.
  • At that point, a glance at the browser address bar should reveal that there is something awful at hand.
I learned of this exploit by receiving the exploit email to my @msn.com address from my wife's @msn.com address.  This is also the Microsoft Account that is tied to her Windows 10 PC.

It also appears that there has been scraping of my spouse's Contacts at @msn.com (essentially Hotmail, now named outlook.com) that are shared on her Pixel 3, along with the Outlook.com calendar.  Those contacts are no longer accessible from her Office 365 Outlook contacts screen.

In addition, she has since received an apparent "Security advisory" email from Google.  This may be legitimate, except it is asking for confirmation using an email address password that has nothing to do with Google.  We will see.

Precautions

If you ever receive an email that offers you an attachment, whether an image, a PDF, or anything else, AND YOU WERE NOT ALREADY EXPECTING IT, DO NOT ATTEMPT TO OPEN IT WITHOUT CONFIRMATION FROM THE ALLEGED SENDER.

There are other clues.  Brief and innocuous content with no explanation.  Strangeness in the salutation or ending name.  IF YOU MISTAKENLY CLICK AND END UP AT WHAT SEEMS LEGITIMATE, DO NOT LOG IN.  JUST DON'T.  On your desktop machine the browser should show you a URL (in the address window) that seems completely unrelated to what the page you are viewing claims to be.  That's another clue: