Aractus

Blog of Daniel Baxter, now secure! :)

Free SSL from Let's Encrypt!

Broadchurch Finale: Just as I thought!

SPOILERS!!!

At last my theory is vindicated. Granted I didn’t get every specific detail right, but I got most of it right. I had worked out the rapist had not previously been involved with the other rapes, but that there were two attackers – who I believed would turn out to be Michael and Tom. I had also worked out that the accomplice filmed the event – and that it was the films that linked the rape to the previous rapes (as Michael and Tom would be too young to have perpetrated them), although I’m not sure the way depicted in the episode is even possible … can you really run a flash-light mode on your phone and record video at the same time? Not only that, but I knew the sock would either belong to Clive (Michael’s father) or they had matched Michael’s DNA paternally to the sample found at the scene. Michael’s accomplice was Leo, not Tom, but I was essentially right about everything else.

The evidence that either Michael or Tom was involved was overwhelming: to start with, one of them was the Broadchurch Highschool Porn Baron, and I was convinced the rapes were amongst that porn footage. We never really find out definitively if it was, but that was one clear clue. Then, after serving their penalty at the church, the boys watched porn again with Tom insisting and Michael resisting – this is a foreshadowing of the relationship he had with Leo, and of course it made sense because he was in remorse. The attacker knocked Trish unconscious and tied her hands behind her back – that suggests an attacker that isn’t as physically strong as her. Most of the other men – Ian, Jim, Aaron, Ed – were much stronger physically and would have had no trouble controlling her. And finally, the boys’ subplot of sharing porn would have been wound up last week if it was not connected to the larger plot.

Some have noted the police work throughout the series was not very professional, or for that matter realistic. I tend to agree, and I think we had a clear example of this in the final episode. Michael was 16 when he raped Trish, and Leo filmed it on his phone. That’s child pornography, and Leo would find himself under charges for both possessing it, and for producing it – in addition to all his other charges. And they would be very serious indeed. While it was a good series that point should have been addressed. Also, how exactly did Leo film the other rapes if he acted alone?

Also, the scenario is not particularly believable – Michael is quite a shy boy, he gets drunk which lowers libido anyway, and then Leo knocks out Trish and tells him to go have a root while he watches. I just don’t believe Michael would be able to get it up in that scenario – especially if he didn’t find Trish particularly attractive (she is three times his age!), or if he didn’t relish the thought of control by violent force which is what rape is about. Put simply, in the scenario described it is so unlikely that Michael would have been able to get it up – even if he tried, the more realistic turn of events would be failing that that Leo goes and finishes the job. But, again that’s problematic too – Leo normally rapes women alone, it seems quite unlikely that he would change that paradigm.

Another issue I have is that Michael is such a generic antagonist, that he had barely any character development at all the entire season. I don’t think we even meet him until episode 3, and in the finale his mum Lindsay is nowhere to be seen for the entire hour! Again of course, this lack of attention is a big clue to who the culprit is, but seriously why don’t we see Lindsay at least once in the finale? She’s not even at the church service at the end, despite the fact that she’s the most devoutly religious character in the series – even more so than the vicar.

broadchurch-michael-leo
The guilty parties – Michael (left) and Leo. Michael has guilt written all over his face.

Leo is just as generic – in fact even more so than Michael. He has no motive whatsoever, and he already has a girlfriend he effectively controls. He’s far more likely to be a physically abusive partner than a rapist, or to at least start there and then progress to rapes. And come to think of it, not only do we not get to see Lindsay, we don’t get to see Danielle (Leo’s girlfriend) either! In fact we barely see her at all the entire season – I guess that’s how Chibnall thought he was keeping Leo under the radar. Chibnall – some fucking character development of your antagonists would be helpful you know!

As an afterthought, you might be wondering if this was my theory all along why didn’t I say anything before the episode aired? I thought about doing so yesterday, but I decided against it because I knew I would want to post this post if I was mostly correct, which I was. And since you didn’t know what my theory was, the title of this post isn’t going to inadvertently spoil it for viewers yet to watch it – I would have had to have used a more neutral title. It doesn’t bother me if you don’t believe me, after all it’s just a stupid TV show. I’m just pleased with how close to the reveal I got.

World’s worst cyber criminal group identified

The cyber espionage group known as Longhorn has been formally identified by Symantec as the CIA.

Now, take a breath and get ready to learn the ugly truth behind this revelation. We live in the digital age, and underpinning that is the illusion of electronic security. Now I say illusion, but I wish to stress that this illusion is so strong that it gives people the confidence to conduct online transactions, and for banks to allow their customers to access their accounts over the internet. How secure is your data and your bank account? Not very. It’s about as secure as an ordinary bank vault. With the right tools, equipment, and expertise it can be broken into.

Electronic security is never truly provably secure. Take a moment to think what that means. Let’s say you have a large safe in your office – should you trust it with a high security mechanical lock (Manifoil MK4, S&G 2740B) or an electronic lock (the TL11G is the SCEC approved electronic equivalent)? Well, allow me to blow your mind for a moment: the mechanical locks are provably secure. They are not perfect, and they can be broken into (for example if someone guesses the right combination). The TL11G is not provably secure, its source code is closed, and the ROMs can of course be flashed if someone wanted to intentionally supply a known-vulnerable product, and it would be impossible for a user to tell the difference. I’m actually surprised it’s SCEC approved given the clear vulnerabilities that could exist or could be introduced. Granted though I’m not a locksmith or for that matter security professional.

On 7 Mar 2017, WikiLeaks began publishing information relating to Vault 7. Vault 7 is an arsenal of CIA developed cyber-weapons. They are believed to have been sold for some time on the darkweb. The reason why security companies and professionals hate intelligence organisations is because these intel orgs deliberately find vulnerabilities in software, but do not publish the information. What this means is that a vulnerability can exist for several years before it is independently discovered outside of an intelligence agency. And it doesn’t matter who you think are the “good guys”, if one intelligence agency found the vulnerability and developed a cyber weapon, you can bet that others did as well – the Chinese, the Russians, etc. In fact it would be unthinkable that the CIA could develop such weapons without the Chinese developing them at the same rate or faster given their expenditure on finding them. But as already mentioned, even without the same vulnerabilities being found, the CIA’s entire arsenal of cyber weapons has been leaked for some time and sold on the darkweb to the highest bidders.

On 10 Apr 2017, Symantec positively identified the North American cyber criminal group known as ‘Longhorn’ as in fact being the CIA. Longhorn has been active since at least 2011, and has been described as the worst cyber criminal group of our age. They have infected 40 known targets in 16 countries. To quote:

The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.

That’s a pretty goddamned strong statement. Now there is another way to read that statement; the other way to read it would suggest that whoever Longhorn is, they have had access to most or all of the Vault 7 cyber weapons soon after they were developed by the CIA. Meaning that if Longhorn is not a part of the CIA, they are a group the CIA has been intentionally arming with the weapons, or they had the ability to steal them from the CIA. None of those options is any better than the CIA being Longhorn.

Why are Christians persecuted?

It’s at this time of year that Christians claim that they are persecuted. Perhaps they take their cue from Jesus who was persecuted and then crucified. Unlike many other atheists, I believe it is right to remember Jesus as a good man who was unjustly persecuted. And to recognise the good he taught. Where I don’t agree with Jesus was his act of violence, and my reading of the gospels would agree with scholars that it was that specific act for which Jesus was condemned under Roman law and crucified.

Let’s recap. Man becomes violent, and is persecuted. Check. Well I think now we can understand why other groups that use violence perceive themselves to be persecuted. Or feel they are entitled to use violence to achieve their goals.

Christians are persecuted in some countries (some Middle-Eastern countries, and North Korea) that’s true. But in Australia, France, Germany, the United Kingdom of Great Britain and Northern Ireland, Ireland, The United States of America, Canada, Papua New Guinea, Philippines, and well most of the world – they’re not.

But Christians have in turn shown persecution against others. Hard persecution. Not merely “intolerance” – I should know I used to be one. I’m not in the least bit embarrassed by the persecution I showed towards others, but I do feel shame and remorse. Christians have been persecuting non-Christian groups and other Christian paradigms for two millennia. Thursday was my Graduation Ceremony. One of my fellow graduates appeared to be a transsexual lady. In times gone by, in Christian-controlled regions and eras such a thing would be unthinkable. On Thursday however there was no visible or audible persecution, although I would hasten to add that transsexuals remain amongst the most stigmatised groups in society. Which is to say that I’m sure the lady in question has experienced discrimination and stigmatisation perhaps even daily.

So, many Christians today are persecuted. Not by me, and not by most of Australia, but by North Korea, Saudi Arabia, and a slew of other States that view them as infidels. And I think we should recognise that as valid. But, it does not compare to other groups, I’m thinking pre-WWII Jews, I’m thinking Homosexuals, I’m thinking “other race”, and I’m thinking of Trans people.

Vietnamese Man Violently Thrown Off US Plane

Post updated: 12/04/2017.

Just when I thought the US couldn’t get any more inhumane, a story has broken about a 69 year old ethnically-Vietnamese American gentleman now identified as Dr David Dao being violently assaulted by aviation officers in the US.

Here are the facts:

  1. United Airlines “overbooked” a Sunday flight from Chicago to Louisville. Apparently this is quite common in the US, and when it happens some passengers are shit out of luck. To say the least.
  2. They found someone to volunteer not to board the plane.
  3. Then they decided they wanted to use the flight to ferry 4 of their staff for an upcoming shift – no information was provided as to why they couldn’t have instead taken a bus, train, taxi, or hire car.
  4. They then asked for volunteers to leave the flight – no one wanted to volunteer because the next flight wasn’t until 2:30PM on Monday (the following day). Need I remind you that this was a Sunday flight, so of course people had to get home for work in the morning.
  5. 4 people were chosen, and three left the plane without incident.
  6. The fourth person, Dr Dao, did not wish to leave the flight, he told the staff he was a doctor and had to work in the morning.
  7. The aviation staff then called aviation officers to come and remove him by force.
  8. One officer pulled him out of his seat, he hit his face splitting his lip and drawing blood.
  9. Following this officers dragged him off the plane, he appears to be dazed (possibly concussed), and other passengers are horrified by his treatment.
  10. One passenger said that while being dragged off he was heard saying that it’s because he’s Chinese.
  11. He was then allowed back on the plane for reasons not yet understood and he ran up and down the plane repeatedly saying “I need to get home”.
  12. He then stood in an archway of the plane, with blood dripping down his face and repeatedly said “just kill me”.
  13. Following this incident all passengers were removed from the flight so that his blood could be cleaned up.
  14. The flight took off after a three hour delay. Dr Dao was not on the flight.
  15. Chicago police released a statement reading “Aviation Officers arrived on scene attempted to carry the individual off of the when he fell and hit his head on the armrest.”
  16. United Airlines CEO Oscar Munoz sent out an email blaming Dr Dao for the incident and praising the efforts of the staff (see Appendix 1).
  17. The police statement was later removed from the Chicago police website.
  18. The aviation officer was put on immediate leave as of Monday.
  19. The Chicago Department of Aviation released a statement reading “The incident on United Flight 3411 was not in accordance with our standard operating procedure and the actions are obviously not condoned by the department.”
  20. United Airlines has also released a statement accepting responsibility for the incident.
  21. Analysis of United Airlines’ own Contract of Carriage document reveals that they did not have a valid reason to eject the customer (see Appendix 2).

Now we can make a few observations about this. Firstly, it’s only a four hour and forty minute drive from Chicago to Louisville – why on earth would you kick paying customers off a flight when you can just hire a car or send the staff to Louisville on a train or bus? Heck I’ll bet they could have found a taxi driver who would take $1200 and drive them there. That just doesn’t make any sense, and it goes to show they don’t put their customers first. Also, in what world is it okay to ferry your staff on an already full flight?? Let’s do some maths here: It would have taken the airline staff 4hrs and 40 minutes to drive to Louisville. On the other hand, the flight was delayed 3 hours, and the flight itself takes 1 hour and 15 minutes – so in total that’s 4hrs and 15 minutes. All of this bullshit only served to get the staff there 25 minutes early – and that’s assuming they left at the same time as the flight was scheduled. If they left earlier then they would of course be in Louisville earlier. And by the way, all reports I’ve read are consistent with the staff being required in Louisville the next day (Monday), not within the next 4-5 hours.

This is important, because United Airlines in one of their statements claimed that had the staff not got to Louisville on time that many more passengers would have been delayed on their flights. We know this can’t possibly be true, because the staff only got there a maximum of 25 minutes sooner than if they had hired a car and driven there. I keep calling them “staff”, it’s not clear whether some were pilots or whether they were all cabin crew, etc, but whatever the case they had other ways to get there that did not involve kicking paid customers off a Sunday flight. I also want to stress the point that a number of news stories have repeatedly referred to the flight as being “overbooked”, this is not the case. The flight was overbooked, but that had already been dealt with, the fact is they wanted to eject paying customers to give their seats to their own staff.

You can view many of the clips below:

Now note that this gentleman bought his ticket and expected to fly home on Sunday.  You could well argue that bumping Dr Dao to a later flight on Sunday isn’t a huge inconvenience – but the next available flight as already mentioned wasn’t until 2:30PM on Monday. I can understand why he would want to barricade himself in his seat – he was a paying customer who should be allowed to travel to his destination in peace. Instead he was violently assaulted by police. Now, bear in mind that passengers were offered $800 each to voluntarily vacate their seats – and no one did. Not a single passenger thought that it was worth $800 to them to vacate and fly home on Monday! Some reports have suggested passengers were only offered $800 in airline credit, however after going over the other facts of the case and looking at their aviation policy it does specify that compensation is in the form of a cheque. To be honest, $800 is pretty reasonable to stay overnight and fly the next afternoon – however people have commitments to make, and as mentioned no one on the flight thought that it was worth $800 to them to voluntarily vacate their seat.

The fact Dr Dao had a ticket and the airline simply wanted to give his seat to one of their staff is absolutely abhorrent. Is it really worth it to the airline to spend $3200 moving their own staff on this flight? This goes back to what I was saying before – flying isn’t the only way to get from Chicago to Louisville – you can take a 7hr train ride, or a bus ride, or a 4hr 40 minute drive. And why the hell are they even allowed to do that shit in the first place – don’t they have aviation regulations in the US? Since when can you revoke customers’ tickets after they have boarded the plane simply because you want to give someone else the ticket? That’s corporate scalping is what that is!

Furthermore, as revealed by a lawyer below, the Contract of Carriage Document does not provide a reason for the man to have been ejected from the flight (see Appendix 2). The document forms a legal contract between the passenger and the airliner and outlines when they are allowed to refuse flight for a passenger. Importantly, nowhere does it say they can remove a passenger so they can give their seats to staff, and furthermore, nowhere does it say that they can remove a passenger that has already boarded except for the reasons of disorderly conduct or security. The clause they are relying on is a denial of boarding – but as is perfectly clear in this case, the customer had already boarded. Put simply, their own contract doesn’t give them any right to forcibly remove an orderly passenger that has already boarded the flight. Or in legal terms, it deals only with denial of boarding and not with refusal of transport, or removal from the cabin after boarding.

The Contract of Carriage is what’s known as a contract of adhesion. That means it’s a contract presented by someone with greater power (in this case the airline) to someone with lower power. In such contracts it is not at all unusual for some of its terms to be thrown out when challenged in court. For example, the idea that you can refuse boarding to paying customers because you oversold the flight clearly advantages the airline’s interests over that of the customer. The Contract though also specifies that denied boarding is a last resort – and this brings me back to my point: why not pay a Taxi driver $2,000 in cash to ferry the staff to Louisville? That would have kept everyone happy – especially the cab driver offered the ride.

Dr Dao is currently recovering from the assault in hospital.

Appendix 1: Leaked email from United Airlines CEO Oscar Munoz:

Dear Team,

Like you, I was upset to see and hear about what happened last night aboard United Express Flight 3411 headed from Chicago to Louisville.

While the facts and circumstances are still evolving, especially with respect to why this customer defied Chicago Aviation Security Officers the way he did, to give you a clearer picture of what transpired, I’ve included below a recap from the preliminary reports filed by our employees.

As you will read, this situation was unfortunately compounded when one of the passengers we politely asked to deplane refused and it became necessary to contact Chicago Aviation Security Officers to help.

Our employees followed established procedures for dealing with situations like this. While I deeply regret this situation arose, I also emphatically stand behind all of you, and I want to commend you for continuing to go above and beyond to ensure we fly right.

I do, however, believe there are lessons we can learn from this experience, and we are taking a close look at the circumstances surrounding this incident. Treating our customers and each other with respect and dignity is at the core of who we are, and we must always remember this no matter how challenging the situation.

Oscar

Appendix 2: Lawyer reads the Contract of Carriage

RIP John Clarke!

I just heard that political satirist John Clarke has died. RIP you wonderful man!

John was 68 years young.

 

Youtube Adpocalypse: Advertiser speaks out

What started out as an ad boycott by several large corporations and governments, has quickly grown into something else entirely. Full disclosure: I encourage all my readers to install uBlock Origin immediately, if you don’t already have it installed, on all devices. It is a featured extension in Firefox. Adblockers are one of the best defences against internet malware, and work hand-in-hand with antivirus software and other technological safeguards to keep you safe. It’s not worth the risk to you not to be using it.

Now that’s out of the way, have a look at this video:

Interestingly, Dave has actually understated the severity of his channel’s situation! By that I mean that given my interest in the Trump fiasco, his videos typically appear in my recommended videos. Yet today, they were nowhere to be seen.

It has been revealed that in his case, he has an advertiser who specifically chooses his channel because she likes it to advertise on, but Youtube is blocking her ads from appearing on it. If you’re still under the delusion that Google operates under a mantra of “do no evil”, hopefully this has broken that illusion for you. Here is a screenshot of the email she sent to Dave:

david-packman-email

Looks to me like Google is purposefully doing this to appease competitors. For all I know, big publishers have paid to have ads removed from these channels. You know, kind of like how Uber pays big sums to drive out taxi operators by subsidising rides. Maybe Trump himself paid to silence the channel? I absolutely abhor anticompetitive behaviour like this. But this goes to show why Youtube is actually a terrible thing for the internet. Do you know, for example, that they apply foreign guidelines (i.e. US guidelines) to determine what is considered “mature content”?

This brings me I think back to the start of all this. Dave, if he so wanted to, could partner directly with advertisers and read out their ads instead. Of course that would be impracticable for his backlog of videos, but it is an option available to him if he wanted to diversify his revenue stream from the beginning. Now I doubt that he could make the same amount of money doing it that way as opposed to letting Youtube run pre/post-roll ads in the video (they’re not going to keep paying for old videos the way Youtube advertisers do), but it’s something he could have done in a proportion of his videos… or something he could start doing immediately if he so wanted while there’s a Youtube blackout of ads on his videos. He could do it with the above advertiser instead of simply reading her email to him.

Youtube though is a fundamentally broken content delivery system, and I’m surprised that it hasn’t collapsed under its own weight.

Prison Break is back – review

If the early reviews are to be believed then Prison Break is in trouble, and its return is lacklustre and offensively islamophobic on a 24 scale. Before proceeding do note that some spoilers will be given towards the end of this review, after the two images of Michael’s tombstone.

pbs05

Let’s start with the criticisms of the original run. Yes, much of it was terrible. Most of the show’s charm was in the first series, and quickly descended into chaos from the start of Season 2. Season 4 was not worth watching, frankly. Prison Break is a serialised drama/action show like 24. And like it or hate it (I actually love 24), the genre has its fans and of course those who would prefer to watch a different type of show. So in essence, the show’s viewership base is not found in Neighbours fans, nor is it found in Star Trek fans, nor is it found in Ice Road Truckers fans. It’s found within the people who like this specific genre.

Prison Break Season 1 was a great series. Not a “good” series, a great one! What made it great was its bold new style, its ongoing mysteries, Michael’s plan for escape slowly and meticulously unfolding, and a brilliantly executed prison escape. And not just that, but an amazing cast as well – Wentworth Miller went from an unknown actor into stardom.

This is what all other seasons so far have lacked. Season 2 started well, but descended into chaos when it became clear that there wasn’t a path for Michael to follow. And without that the series felt, well, too drawn out. Not to mention the silliness of bringing back the brothers’ dead parents, etc. Series 3 was OK, at least due to the writers’ strike it was short and snappy weighing in at just 13 episodes. Also, Series 3 had a truly brilliantly executed escape that upstaged the first series’ escape. It was lacking in other ways, but it’s a more re-watchable series than Season 2. Season 4 was an unmitigated disaster. It really had little at all going for it, and listing out all the problems that series had would take up an entire blog post. So let’s jump forward to Season 5.

Season 5 has started well… in fact, very well. I was very pleased to see that in the new title sequence, Miller and Purcell have equal billing. The series begins with a montage of the first 4 series, culminating with Michael’s tombstone mysteriously changing location, and date (as below). Then there is a rather improbable start to the series, such as that Michael has apparently sent dozens of origami swans all now stuck in the drain right outside Sara’s house (from Yemen?), followed by T-Bag being released after just 7 years following the end of Season 4. That is even more improbable than his unexplained escape from Penitenciaría Federal de Sona at the start of Season 4. I thought escape attempts resulted in an automatic 10 year extension to the prison sentence? I thought that the fact he killed a guard in Fox River State Penitentiary would keep him locked up indefinitely? And since when is he a “model citizen”?

Let’s get to the criticism of the show – offensively islamophobic. Well, no I don’t think so. Jesus, in the first season the only openly gay or bisexual character was a sexual predator – and we’ve since learned that the series star Wentworth Miller is a gay man. He was in the closet at the time, but he did the series despite the negative stereotype of homosexuals that the series perpetuated. I think it’s a great shame that the left always complain about negative stereotypes – yes I will agree that it’s a problem, but the way to solve it is not by criticising people that hold them: stereotypes develop subconsciously and are largely a social construct. Given that Miller is now an openly gay man I personally would hope that the series has a more balanced perspective on homosexuality.

Sarah Wayne Callies is still terrific. Don’t get me wrong, I wish to death that they had left her character dead in Season 4 and hated the fact they retconned her death, but Sara is such a great character, next to Linc and Mike I would say she’s the most important. Perhaps they shouldn’t have killed her off in Season 3?

SPOILERS follow these images…

Michael’s Tombstone as it appears at the end of Season 4:

prisonbreak-toombstone-s4

And as it appears in Season 5:

prisonbreak-toombstone-s5

Okay, so right away they’ve retconned the series continuity. Originally Seasons 1-4 all take place over a few months in 2005 (unbelievably), it’s specifically mentioned that Michael is 30 years old, and his tombstone is on a beach in either central America (Panama) or Mexico near Linc’s surf shop. Actually, that scene in Season 4 almost made me vomit – are you really going to hug love and kiss Mahone? I did say didn’t I that talking about everything wrong with Season 4 would take forever, but just to reiterate – everything is wrong with that season. For a start, all of Season 3 was building to some great revelation about Whistler, and at the end of the series he and Mahone are plotting something … and that never eventuates. Anyway, in Season 5 the grave is now mysteriously not on a beach, and it’s in America so that Linc can dig it up. Also the tombstones are different! Also, as mentioned, now Michael dies in 2010 creating numerous continuity errors, not the least of which being that there are no smartphones in the original series because they didn’t exist in 2005! Why not just set it 12 years later… problem solved.

Okay, so in a rather improbable turn of events T-Bag is released early – just 7 years after being returned to Fox River. I thought that prisoners were given an automatic 10 year extension on their sentences? Also… what is Linc even doing back in the US … why did he abandon the surf shop? And what’s Sara doing back in the US … she’s a fugitive on the run! That’s the reason why Season 4 ends with her in Panama! So there are some serious continuity issues here … Linc has fallen back into the criminal underworld (no surprise there), and T-Bag delivers him the news that Mike is alive somewhere.

Linc’s car gets hacked by that cross-eyed freak Steve Mouzakis, and despite not wearing his seatbelt and being ejected through the windshield … survives completely unharmed. That’s even more improbable than T-Bag’s release from prison. I’m just waiting for Wade Williams to reappear from the dead… any time now. This is after he exhumes Michael’s grave … you know the one that mysteriously moved from a beach in Panama to a lawn cemetery in USA … which is unrealistically shallow … and finds that it’s empty!

Next we go to Sara who just happens to keep unsecured guns around the house. Oh my fucking god, maybe the show really is morphing into 24’s little brother after all. Do you have any idea how dangerous that is … especially with a 7 year old in the house?? Jesus H Christ! At least put it inside a wall or floor safe. An assassin comes in with a gun fitted with a suppressor… and wouldn’t you know it, when the bitch fires it, it unrealistically doesn’t make a gunshot sound! Not to worry though, she only shot Sara’s husband in the leg, and luckily Sara is a doctor.

Eventually they go to Yemen, and find Michael. He denies his identity, claims he doesn’t know Linc, and asks to be taken back to his cell. All in all, a brilliant start to the series even if they made a gut-wrenching number of “creative liberties”. With a 9-episode format this series promises to be short and snappy – something that Season 2 certainly could have benefited from.

The Great Youtube Ad Boycott of 2017

Well by now you should know exactly what I think about internet advertising. Youtube represents everything wrong with the internet. And I must admit that I spend way too much of my time on it.

uBlock Origin is now the recommended/featured ad blocker in Firefox. When you click on Get Add-Ons (about:addons in the address bar), it is one of only seven extensions featured and the only adblocker. Install it today! Use the Youtube Ad Boycott to spread awareness. Third party internet ads are a security vulnerability, and one that affects the most popular websites. In 2014 for example, Youtube was serving malware through their ads. If you blocked their ads you were safe from this threat, even if your antivirus program was not installed or not working.

What is the Youtube Ad Boycott?

In a nutshell, the ad boycott refers to the mass withdrawal of advertising on the Youtube platform by major advertisers. It’s not really a boycott, and it’s a bit silly of people to use that term. It began with the UK government withdrawing advertising from Youtube, and that action has triggered many other large companies both corporate and otherwise to follow. Australian companies (note some are subsidiaries of international companies) that have withdrawn ads completely during this period include: The Federal Government itself, Bunnings, Foxtel, Caltex, Telstra, Ford, Hyundai, Holden, Kia, Toyota, and many others.

What is the problem?

Well there isn’t really one. This can be seen in some ways as a large “market correction”. Advertisers have realised that many of their ads appear on trashy, junk videos and aren’t happy – or worse still, on videos that support violence and terror. The reason why there’s a shitstorm about all this is because many Youtubers produce content for a living, and they’ve just realised that their market and platform is more volatile than they realised. Welcome to the real fucking world you knuckleheads! How do you think print media in particular Newspapers have felt for the past 15-20 years as the internet has slowly eroded their ad profitability?

When Youtube was launched it was intended as a platform for people to express themselves, not as a way for people to make a living. Now I’m not saying that making a living through the platform is wrong: but I am saying that third-party internet ads are fundamentally bad. Advertisers claim the internet would suck without ads. Well wake the fuck up, there are plenty of websites – my blog included, Wikipedia to name another – that don’t run any ads… if you ask me the internet would be better without them. Or with less sophisticated first-party advertising.

Do people have a right to complain?

People have a right to complain. However it’s no one’s god-given right to profit from creating internet content. And it’s certainly not their right to expect third party platforms like Youtube to have their interests at heart. We saw a similar thing 5 or so years ago when certain popular youtubers like Hank Green claimed that AdBlock was destroying their revenue and that it wasn’t fair, blah blah blah. Hank even claimed that they don’t run pre-roll ads on their channels because they know how outright intrusive they are, for proof view his video:

I’ve got news for you, Hank. If I disable uBlock Origin and the MVPS hosts file and view your popular youtube channels they do play pre-roll ads you lying sack of shit. Seriously dude, maybe this was true at the time you made that video in 2012 – I don’t have a Time Travel Capsule so I can’t go back and be absolutely certain – but how do you get off claiming that you recognise those ads are intrusive and shouldn’t be played, and then change your mind and put them on anyway? Does that really show that you care about your users?

The Symantec SSL shitstorm!

UPDATE 1: A few of the facts outlined below are wrong. I will update this post in a few hours to make it both more balanced, and more accurate. Until then I refer to a response from Symantec here, and you can make your own minds up about it.

Okay, so in my last post I was not abreast of the full facts. Now that I am I will start by quoting the guy that discovered the security vulnerability, Chris Byrne:

My STRONG recommendation, is that anyone who purchased a Symantec certificate from a third party, between early 2013 and late 2016, revoke that cert and have it re-issued… either directly by Symantec, or simply revoking and having another trusted CA issue a different cert… as soon as they are able to do so.

As to first party certificates… I don’t know and have not been able to validate how extensive the exposure was, through which interfaces, etc… I do know that they fixed the specific issues that I found in the specific interfaces I was able to validate, within six months as they agreed to. That said… It would be safer to revoke and re-issue, given the problems that Google themselves identified.

As to end users… I would be extremely wary of any site with a symantec cert issued before late 2016, and take some extra caution regarding any symantec cert period.

You can read all about it on his Facebook post. Chris is a fucking legend. In early 2015 he discovered a severe security vulnerability. The vulnerability is simple enough, and easy to describe and understand. When a customer purchased a security certificate from Symantec (all kinds of certs, not just SSL certs) they would be sent an email with links to retrieve/revoke/renew their certificate. There was no authentication performed besides a simple URI in the links. This could be easily modified to retrieve, revoke, or renew certificates for other customers. At the moment, this isn’t too horrible – after all every time you visit my site it sends you the TLS certificate so you can establish a secure connection, it’s not a secret. So at worst people could get up to mischief by revoking certificates other people had paid for, or issue fresh ones they have to pay for. However it’s still a very serious security breach because it means that an unauthorised person managed to get certificates issued – and it’s the CA’s job (CA = Certificate Authority, i.e. Symantec) to properly verify requests before issuing certificates.

But to make matters worse, and this is why you should NOT sign in to CBA’s Netbank or any other bank that uses a Symantec security certificate effective immediately, some resellers generated the private keys for their customers. Chris found that when this was the case it was also possible to steal customers’ private keys covertly using the same method to get the certificate. Symantec never told their customers that their private keys could have been stolen! Most websites never change their key pair, they will keep the same keys for years or even decades. That means if an attacker stole your private key using this method, they can use it any time they want so long as you keep getting new certificates generated from CSRs generated from the private key. It doesn’t matter if you change CAs and switch to say Let’s Encrypt or something, unless you change the private key all an attacker needs to do to decrypt your visitors’ traffic is perform a MITM attack a la PRISM.

Symantec claims they don’t believe any attackers stole private keys. However, they outright lied when they issued this statement to several media outlets that ran the story (one such source for it is BleepingComputer):

We have looked into Chris Byrne’s research claim and could not recreate the problem.  We would welcome the proof of concept from the original research in 2015 as well as the most recent research.  In addition, we are unaware of any real-world scenario of harm or evidence of the problem.  However, we can confirm that no private keys were accessed, as that is not technically feasible. We welcome any feedback that helps improve security for the community.  Anyone who would like to share further details about real-world scenarios or proof of concept should contact us at https://www.symantec.com/contact/authentication/ssl-certificate-complaint.jsp.

Symantec has completely mismanaged this whole shitstorm. Chris Byrne now regrets not going public in the first place, and I can’t blame him. He states specifically on his Facebook post (in a comment) that Symantec failed to live up to their end of the agreement. They didn’t take any proactive or remedial action whatsoever to ensure everyone who was exposed to potentially having their private keys compromised generated new ones. They didn’t do shit. Since when do you need to confirm a malicious security breach first before you take action to protect your customers? You don’t – that’s not how security is done!! You assume that EVERYONE who had a private key generated by a reseller that could have been compromised was compromised, then you get all of your affected customers to generate new private keys, and then you tell them why. Symantec never even publicly disclosed the full details of this vulnerability, even after they believed they had finished fixing the problem.

So… if you have a Symantec certificate, and you bought it from a reseller like your host, and the reseller generated the private key and CSR, then revoke your certificate now, generate a new private key, and a new CSR, and use that to get a fresh certificate. Oh and, obviously do not trust any website with a Symantec SSL certificate older than November 2016, especially including banks. Fuck Symantec! Chris… you’re a fucking legend.
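As an added example (not code from this blog or from Symantec), here is a standard-library Python check for the point made above: a certificate re-issued from a CSR built on the old private key still carries the same public key, whichever CA signs it. The certificates are constructed, unsigned skeletons, and the function names are this example's own.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_sha256(cert_der):
    """SHA-256 of the SubjectPublicKeyInfo inside a DER-encoded X.509 certificate."""
    _, body, _ = read_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, body)       # TBSCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(cert_der[pos:end])
        pos = end
    # Remaining order: serial, sigAlg, issuer, validity, subject, SPKI, ...
    return hashlib.sha256(fields[5]).hexdigest()

def key_reused(old_der, new_der):
    """True when both certificates certify the same public key."""
    return spki_sha256(old_der) == spki_sha256(new_der)

def der(tag, content):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content

def sample_cert(serial, issuer, public_key):
    """Constructed, unsigned skeleton with the X.509 field layout and placeholder values."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + public_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") + der(0x30, der(0x0C, issuer)) + der(0x30, b"")
              + der(0x30, der(0x0C, b"example.test")) + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

OLD_KEY = bytes(range(200))                # constructed stand-in for key bytes
NEW_KEY = bytes(range(55, 255))
OLD = sample_cert(1, b"Old CA", OLD_KEY)
RENEWED = sample_cert(2, b"Other CA", OLD_KEY)   # new CA, same key pair
ROTATED = sample_cert(3, b"Other CA", NEW_KEY)   # new CA, new key pair
print(key_reused(OLD, RENEWED), key_reused(OLD, ROTATED))
```

For a real site, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` yields DER bytes that `spki_sha256` accepts (`host` being your own hostname); run it before and after re-issuing to confirm the key actually changed.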

Whirlpool Topic

The Commonwealth Bank loses its green bar!

UPDATE: Corrections made (01/04/2017).

Here’s a look at Australia’s “big four”… first in Firefox:

banks-ff

And then in Chrome:

banks-chrome

Notice anything? Where’s the green EV Bar? Should you be concerned? Well if you’re a CommBank customer – absolutely you should.

I have just sent a short email to Commbank informing them their website appears to be hacked. Appears to be – it isn’t, but without the green EV Bar that’s exactly what customers should assume has happened. This is what separates a genuine banking website from a fraudulent one. Anyone can get a domain-verified certificate, even me! Furthermore – they’re free! But there’s a big difference, I’m not asking you to enter your credit card number or other sensitive information into my site – at most you might enter a comment with your name/pseudonym and email address in it.

So what has happened? Well to put it delicately – Symantec has made a huge fuck-up. They were found to have mis-issued over thirty thousand SSL certificates, and as a result punitive action has been taken by Google. The first phase of that action is to no longer recognise EV signed by Symantec. Google will then move to distrust all Symantec issued certificates older than nine months.

Update: It turns out that the previous paragraph was incorrect. It was an entirely unrelated bug in Chrome. It’s easy for us laypeople to confuse security issues, especially as this happened at the same time as Google announced their policy to revoke EV status. Anyway, this makes the remainder of this post no longer relevant.

The thing that makes me unhappy is that I don’t think they have gone far enough. This is the same shit that happened with WoSign (see here), and yet their rubbish certificates from their corrupt CA are still trusted!! Can you believe it? One third of https websites use Symantec SSL certificates. Given the impact and implication of this, I cannot understand why Google and Mozilla don’t distrust the authority outright effective from 2013 when the problem was first discovered? I mean, call me fucking cynical, but why are they now only taking punitive action FOUR goddamned years in the future? I mean in 2015 they made a goddamned counterfeit EV SSL certificate for GOOGLE.COM – that act alone should have got them booted from ever issuing another trusted certificate again. Who the fuck knows what they could have done in the one day they had that certificate – was it operated by the CIA for a covert operation perhaps?

Symantec and WoSign both need to be distrusted permanently. If this were any other security industry there would be no second chances. And by the way, shame on Google for not making it easy for users to see who the certificate issuer is when we click on the green padlock. And Mozilla – step up your fucking game and tear these rogue CAs a new one.