Weekly Head Voices #113: Science and Creation.

(With this edition of the WHV, I’m looking back through exceptionally forgetful lenses at the period of time spanning from Wednesday November 9 to Sunday December 4, 2016.)

This post has been lying around in draft form since Sunday November 20. However, two of the bullet points I was planning to mention, one making the case for preferring short-form blogging over twitter and the other lamenting the sorry state of security on the Android operating system, somehow grew spontaneously into blog posts and then managed to make their way onto the Hacker News frontpage and various other high-traffic aggregators.

Those of you who know me a little bit, know of my strange little hobby: Getting my blog posts onto the HN frontpage. Anyways, it was a glorious week, and a very good month for this blog.

November saw almost 42000 visitors reading my stuff.

THANK YOU MANY VISITORS FOR ALL OF THE HAPPINESS YOU HAVE SUPPLIED! I TRY TO SPREAD IT AS MUCH AS I CAN!

(At the top of the right sidebar, you can make me really happy by entering your email address to be added to a shiny new weekly blog update email. Every Wednesday you’ll receive an email containing all the posts of the week up to then, saving you time and money! The old email-as-I-post list will also be maintained, but I wanted to offer more options for subscribers.)

Ghost in the Shell

Back in the day, I watched the original Ghost in the Shell anime about 102 times. For a time (picture the 90s somewhere, I’m dressed like Sonny Crockett in Miami Vice, except with really long hair, and utterly metal), the SO and I were seriously planning to use the brilliant GiTS theme song instead of the wedding march. You know, this one:

We ended up doing the wedding march because reasons. (The 90s had enough issues as it was.)

Anyways, fast forward a decade or two and a new trailer for the Ghost in the Shell live action movie has been released. I can’t help but be very excited about this. Listen, they even put some Depeche Mode in there!

Devil on my arm

(This heading should remind some of you of a certain teenage science fiction dystopian novel of the 80s. Picture me with leg warmers and a head band, exercising to a Jane Fonda VHS cassette, but with long hair and utterly metal.)

That terrible running addiction (it’s not a terrible addiction, but my running itself is terrible, doh.) I mentioned last time conspired with a local daily deal campaign to make me acquire a Samsung Gear Fit 2. This is a rather snazzy-looking (for running watches that is, the bar is not very high) timepiece with a beautiful OLED colour touch-screen, and sporting a 1 GHz CPU, 512GB RAM, 4GB of flash, a GPS, and some apps, including an MP3 player.

That’s the Gear Fit 2 on my arm. I wear many golden bangles when I go running.

All of this means that I can go running without my smartphone and still get full geo-located stats on my terribleness. The gadget has a suitably terrible robotic synthesised voice that encourages me, without any noticeable feeling, uttering the words <GO ON. YOU CAN DO IT. GO ON.> when I am close to the end of my route. Brilliant.

More importantly, this also means that we can have a really good giggle at the cpbotha of 2003, who wrote in a post about his new Tungsten E PDA:

If I had known 15 years ago that I would one day walk around carrying a cigarette-tin sized computer with a 126MHz CPU, a total of 160MB ram and a colour screen, I would probably have gone orbital.

13 years later, and my watch would karate chop my old PDA into orbit, if it were still around. I’m really curious in what way we’ll be laughing at me (again) in 13 years time. That is, if the Ayn Rand readers / white supremacists don’t screw everything up for us all before then. :(

Image crafting corner

This is the bit where I post carefully selected photos so that you think my life is infinitely better than it actually is.

It’s not!

This is a practical example of what happens when you (deliberately) don’t listen to Uncle Nyquist. My life is filled with ups and downs, and a great deal of flattish bits. Whatever the case may be, I do try to optimise as much as possible for the good bits. Part of this is dwelling on them for a little bit longer, like this:

Parting thought

“Post-truth” was named word of the year by Oxford Dictionaries. As if we don’t have enough problems in the world today, it seems that we are now in the post-truth era. Apparently objective facts have become less influential in shaping public opinion than appeals to emotion and personal belief.

Bloody hell.

Somewhere in the future, when we’ve all calmed down a bit, I would like to try and analyse how this could have happened, and what can be done to try and fix it. (My money is on 100% accessible education for ALL: people who can afford it pay, people who can’t, don’t. Really not that complicated. My money seems to be standing together with the statistics on Brexit and Trump voters. This is obviously completely lost on Brexit and Trump voters. OH THE IRONY.)

Anyways, until that future time when we’ll have that mature discussion about these matters, I leave you with this:

This is what I think of "post-truth".

nvpy 1.0.0 has been released!

Oh happy day!

Last night I released version 1.0.0 of nvpy, a cross-platform (linux, mac, windows) simplenote-syncing note-taking app. nvpy is also my most popular open source baby, at least by github stars and forks.

Screenshot of nvpy 1.0.0 with a demo database of notes.

Since I first released nvpy in 2012, automattic have released their own official open source desktop app for simplenote. Although the official app is prettier (it is electron-based), nvpy is faster and uses a fraction of the RAM (70MB RSS vs 1000MB+ RSS). Furthermore, nvpy’s syncing is more deterministic: You can see exactly when and how it syncs.

Personally, I use nvpy on my Linux and Mac workstations and laptops, and the official simplenote apps on my Android devices for the text-only notes I always need to be with me.

I am currently planning to write a new sqlite-based storage backend for nvpy, which should greatly speed up its interactive note-searching.

Android security in 2016 is a mess.

Summary

Your phone probably contains banking, payment and personal information that can be remotely stolen via numerous known and unknown bugs in the Android software. This is attractive to criminals.

Vendors (LG, Samsung, Xiaomi, etc.), after selling you their phone, have no incentive to keep your phone’s software up to date with Google’s fixes. Your Android phone is probably out of date and therefore a gaping security hole through which attackers can steal your stuff from the safety of their own laptops.

Read on for more.

Between 1.3 and 1.4 billion Google Android phones in March of 2016. Click image for source.

An illustration: MediaTek / BLU phones are uploading your data.

You might recently have read about the incident with the popular BLU phones sold by Amazon in the US. It turned out that these phones were regularly sending bunches of personal information to servers in China: text messages, call logs, contact lists and so forth. After more investigation, it came to light that this was happening via a low-level piece of software called ADUPS.

When Google had previously updated its systems to check for ADUPS, MediaTek (they make the chipset in millions of low-end phones) simply modified their system software to evade Google’s checks. Nice one MediaTek!

This is a painful example of the fact that the software on your phone, although based on Google’s software, is customised by the phone vendor. The further frustrating effect of this is that when Google releases security patches to Android (which they do regularly), there is very little incentive for the phone vendor to spend money on updating phones they have already sold.

What about A-list phone makers?

I bought my LG G3 in 2014 here in South Africa. It was LG’s flagship in that year, and sold extremely well. LG is a well-known smartphone OEM.

However, I am now running Android 6 only because I took the step of flashing the official KDZ image (V30a-ZAF-XX), which consumers would normally not do. Even so, my security patch level is 2016-03, meaning there are 6 months of security updates I don’t have. (You can check your Android security patch level by going to Settings | General | About Phone | Software info.)
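The same patch level can be read from the device over adb, via the system property ro.build.version.security_patch. As an added example (not code from the original post), this small script turns that value into a count of missing months of Google's bulletins; the adb helper and the lagging/unsupported thresholds are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. The patch level the post
# reads from Settings is also exposed as the system property
# ro.build.version.security_patch (YYYY-MM-DD); this script measures how many
# months of Google's monthly bulletins a device is missing.

# patch_lag_months DEVICE_LEVEL REFERENCE_LEVEL
#   Both as YYYY-MM or YYYY-MM-DD. Prints whole months between them.
patch_lag_months() {
    dev_year=${1%%-*}
    dev_rest=${1#*-}
    dev_month=${dev_rest%%-*}
    ref_year=${2%%-*}
    ref_rest=${2#*-}
    ref_month=${ref_rest%%-*}
    # Drop a leading zero so "08" is not parsed as an octal literal by $(( ))
    dev_month=${dev_month#0}
    ref_month=${ref_month#0}
    echo $(( (ref_year - dev_year) * 12 + (ref_month - dev_month) ))
}

# patch_status LAG_MONTHS
#   Thresholds are this example's assumption, not a Google or vendor policy.
patch_status() {
    if [ "$1" -le 1 ]; then
        echo current
    elif [ "$1" -le 3 ]; then
        echo lagging
    else
        echo unsupported
    fi
}

# device_patch_level
#   Reads the level from a USB-attached device with debugging enabled
#   (assumes adb is on PATH and the device has authorised this host).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Only touch a real device when asked, so the functions above can also be
# sourced and used on their own.
if [ -n "${CHECK_DEVICE:-}" ]; then
    level=$(device_patch_level)
    today=$(date +%Y-%m)
    lag=$(patch_lag_months "$level" "$today")
    echo "patch level $level, $lag month(s) behind $today: $(patch_status "$lag")"
fi
```

Run with `CHECK_DEVICE=1 sh patchlag.sh` against an attached phone; the post's own LG G3 (2016-03 against a 2016-09 reference) comes out at 6 months, which this example classes as unsupported.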

Before you think six months lag is not too bad, here’s a nice example vulnerability from the November 1 Android security bulletin:

The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

In short, your phone could be hacked wide open from afar through a single innocent-looking email, MMS or web-page.

My friend’s South African LG G3 is still stuck on Android 5.0 (V20n-ZAF-XX). Most probably this is being blocked due to his carrier (MTN). In any case, 5.0 does not even show the security patch level, so we have no idea how many months of security fixes this phone is missing.

(LG seems to be tracking Google’s security updates quite well, but somehow these updates are not reaching phones.)

A scary little aside

I just tried Check Point Labs’ QuadRooter Scanner app on my “updated” LG G3, and this is what I saw:

LG G3 with Marshmallow and Android security patch level 2016-03 is vulnerable to QuadRooter.

So my manually updated LG G3 is still very much vulnerable to QuadRooter. In theory, my phone could be (or already has been) rooted and pillaged by any old innocent-looking app, although I keep mostly to the official Play Market, so the risk is slightly mitigated.

At this stage, even as a relatively knowledgeable user, there’s not much I can do to patch my phone against this vulnerability.

Google’s leniency cuts both ways: More than a billion Android users, but most of them vulnerable.

It’s fantastic that Google’s openness and leniency with Android has helped to make smartphone technology accessible to more than a billion users (probably closer to 2 billion taking into account Chinese Android phones not connected to Google services, see Ben Evans’s post). However, this same leniency allows manufacturers to be irresponsible about keeping their customers safe.

The fundamental problem here is that a great many Android phone vendors, making everything from absolute entry-level phones to top-of-the-line flagships, have very little incentive to spend money on post-sale security updates.

Once you’ve paid for the phone, you’re not important enough anymore to have a secure(ish) telephone.

What can we do?

Buy an iPhone. No really.

I’ve been using Android since the HTC Desire Z. I love Android, because I love Linux which I have been using since 1993.

However, if money is no object, my only sound advice can be to buy an iPhone. Apple is still shipping security updates, albeit on iOS 9, for the iPhone 4s which was released in 2011 (5 years ago). The iPhone 5 is still being kept up to date with iOS 10.

Furthermore, in terms of phone encryption, iOS 4, released 6 years ago, was already more advanced than Android 7 Nougat, released in August of this year. In short, already then Apple made better choices in how exactly different files are encrypted, whilst Android implemented full disk encryption, which for the smartphone use case is not the right choice. In Nougat, Android has finally also changed to file-based encryption, but they’re missing important parts of the puzzle. The phone encryption blog post I link to is insightful, please take a look.

Stick with Android Pixel or Nexus.

If you prefer sticking with Android, the best choice is getting an official Google device, which means either a Nexus or a new Pixel. Google’s policy for Pixel and Nexus security states that they will ship security updates either for three years after device introduction, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer.

Unfortunately, iPhones are really expensive, and Google’s new Pixel devices are also aiming for the higher-end market. The previous generation Nexus phones offer a more mid-range but very temporary reprieve.

In other words, most normal consumers on a budget, i.e. the largest part of the Android user base (actually of the smartphone-using world), are stuck with insecure, vulnerable phones. This is not cool.

Consider installing a custom ROM.

Installing a custom ROM such as Cyanogenmod brings with it another set of issues with regard to the phone being rooted, and with regard to driver-level support of proprietary hardware. In any case, this is not something your average consumer will have access to, but Android gurus can certainly apply.

Efforts like CopperheadOS (hardened Android) are certainly promising, but it will be quite a while before they are accessible to the largest group of Android users.

Update: David Metcalfe pointed out in the comments that you can buy a secure Android phone from Copperhead. If you are in the US or Canada, and you have some budget, you could buy the LG Nexus 5x or the Huawei Nexus 6P with CopperheadOS pre-installed. It’s great that this is available, but due to price and geography it is not really accessible to most Android users.

Keep manufacturers honest.

Ideally, Google starts taking a much harder line with manufacturers who put Android on their phones. They could for example maintain and publish a list of phone models that are kept up to date with the latest security fixes, and a list of those that aren’t.

I was happy to see that at least Huawei has a pretty good record in terms of keeping their Android phones up to date (although the results were probably skewed as they counted the Huawei-produced Nexus 6P phones, and these formed the majority of the test set, doh). This factor will play a role in the next smartphone that I buy.

Do you know of any (other) manufacturers of more affordable Android phones who are committed to keeping their users safe? Please let me know in the comments!

Addendum: Android phones with acceptable security update records

Blackberry PRIV, DTEK50 and DTEK60

lobste.rs user jabberwock tipped me off to the fact that Blackberry’s Android phones get monthly security updates. Read more at CrackBerry and here in the BlackBerry Android security bulletin for November: It looks like these phones receive monthly updates (when not blocked by the carrier, sigh) and have already received the November 2016 update.

Here is the original blog post where BlackBerry explained their security patching policies for the PRIV.

OK Go’s new video for “The One Moment” is a stunning example of high-speed video.

The whole music video was shot with high-speed video in one single, glorious 4.2 second take, and then played back at “normal” speed to result in this mind-blowing end-product:

(BTW, since when are facebook videos a thing? Fortunately, WordPress immediately understood the facebook video link I pasted and correctly embedded it.)

Google’s 0-shot neural machine translation system shows intriguing evidence of an interlingua

In recent research (full paper also available), researchers from the Google Brain and Google Translate teams have shown intriguing evidence of a so-called interlingua, that is, a language-agnostic common representation of sentences with the same meaning from different languages.

What I also found interesting about this work (and related to the above finding), is that they’re able to perform translations between language pairs that the system has never trained on.

A further pleasant surprise was seeing how they used the t-SNE visualization technique to embed the high-dimensionally represented sentences in 2D, in order to study the interlingua phenomenon.