iMessage is secure enough

Apple published an iOS security whitepaper. One thing that was discussed a lot is iMessage. Since mainstream media thought it would be a good idea to report about it, some people became unsure whether it is a good idea to use iMessage or whether it should be considered insecure. Let us try to figure out if you should be worried while using iMessage or not.

I will start with the conclusion and then try to explain the thought process that led me to it: iMessage is not secure. But it is likely one of the most secure systems people are willing to use and it is, most of the time, good enough.

Possible attacks

Your device requests the public keys for the recipient and for all of your own devices from Apple's servers. It uses these public keys to encrypt the messages you send. You cannot verify which keys are used, you cannot pin them and you cannot check how many keys are returned for a request. So it would be possible for the directory to simply return one additional public key whose private half is held by someone else, and every message you send would be encrypted to that key as well, without you noticing.
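The key-distribution problem above, as an added example that is not part of the original post and not Apple's code: a toy key directory in Python, a naive client that encrypts to whatever keys come back, and a trust-on-first-use check that flags a key the recipient never had before. The names (HONEST_DIRECTORY, PinningClient, the device labels) and the key material are assumptions; real public keys are stood in for by labelled byte strings, so the example is about the key set a client accepts, not about the cipher.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (assumption, not real iMessage data): a directory
# mapping a recipient to the public keys of their devices. The byte strings
# are placeholders for real public keys.
HONEST_DIRECTORY = {
    "alice@example.com": [
        ("iphone", b"alice-iphone-pubkey"),
        ("macbook", b"alice-macbook-pubkey"),
    ],
}

EAVESDROPPER_KEY = b"eavesdropper-pubkey"  # public half of a key the server operator controls


def fingerprint(pubkey: bytes) -> str:
    """Short, stable identifier for a key, the thing a user could compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def lookup(directory, recipient):
    """Simulates the key request: the client gets whatever the server answers."""
    return list(directory[recipient])


def compromised_lookup(directory, recipient):
    """Same request, but the server silently appends one extra 'device' key
    whose private half belongs to the eavesdropper."""
    return lookup(directory, recipient) + [("ipad", EAVESDROPPER_KEY)]


def naive_client_targets(keys):
    """What a client without pinning does: it encrypts the message to every
    key returned, so the eavesdropper's key is included without any warning."""
    return [fingerprint(k) for _, k in keys]


@dataclass
class PinningClient:
    """Trust-on-first-use: remember the key set seen on first contact and
    flag any key that shows up later so the user can verify it out of band."""
    pins: dict = field(default_factory=dict)  # recipient -> set of fingerprints

    def check(self, recipient, keys):
        seen = {fingerprint(k) for _, k in keys}
        if recipient not in self.pins:
            self.pins[recipient] = seen   # first contact: nothing to compare against
            return []
        return sorted(seen - self.pins[recipient])  # keys the recipient never had before


def simulate(recipient="alice@example.com"):
    """Runs both clients against an honest and then a compromised directory.
    Returns (keys the naive client encrypted to, fingerprints the pinning client flagged)."""
    client = PinningClient()
    client.check(recipient, lookup(HONEST_DIRECTORY, recipient))       # first contact, pins stored
    tampered = compromised_lookup(HONEST_DIRECTORY, recipient)
    return naive_client_targets(tampered), client.check(recipient, tampered)


if __name__ == "__main__":
    targets, flagged = simulate()
    print("naive client encrypted to", len(targets), "keys")
    print("pinning client flagged", flagged)
```

The point of the check is not that TOFU is perfect (the first answer can already be poisoned), but that without any pinning or key-count check the client has no way to notice the third key at all.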

Another point to criticize is that Apple secures the connection to these servers using TLS, but without certificate pinning. So a possible attack is as "easy" as obtaining a certificate for Apple's hostnames from any CA the device trusts, which is enough to intercept the key requests. If you believe this is an unlikely scenario - ask the French cyberdefense agency and Google.

One thing to remember is that if you use iCloud to back up your devices, Apple holds the keys to those backups and can likely read the messages stored in them, regardless of how the messages were protected in transit.

And last but not least: iOS, OS X and iMessage are not open source. So it is not possible for a third party to audit the implementation beyond reverse engineering it. While you never know what a review would uncover, if anything, reviews never hurt and likely increase the quality of the implementation.


If you are interested in the topic and want to read about the possible attacks in detail, there are resources covering all of the points above that also provide links to additional material.

How concerned should you be?

That is the big question. All attacks outlined require skill, time, money and a lot of effort. iMessage will not prevent a government agency from eavesdropping. But it also does not have to. If one of the agencies wants to know your secrets they will find a way - depending on how badly they want to know, there is always the wrench. So if you are trying to oppose a dictatorship or want to plan highly illegal things, I would not rely on iMessage.

Do you want to tell a non-technical coworker (tech-savvy, maybe, but not into encryption) a password, and you have to do it over the Internet? Want to tell your parents how your illness is developing? Chatting about how super awesome your little kitten is? iMessage is fine. The effort required to eavesdrop is just too high to do it for random surveillance, even for big government agencies. And do not worry about other companies trying to gain insight into business critical things - bribing an unsatisfied, underpaid secretary is easier and cheaper.

Apple set the bar pretty high. I would not send nuclear launch codes over it, especially the really secure ones. But basically everything else. I care about people and computers intercepting my communication, creating profiles and selling them to marketing agencies. I care about potential profiles created by organizations for whatever purpose. I care about companies trying to get business critical information. And these are things highly unlikely to happen using iMessage.

iMessage is the easiest, while still secure, way to communicate right now. It does not require people to learn about encryption. It is not hard to use. It protects the messages well enough from all risks ordinary, private people and most companies should worry about. And again: it does not require people to learn anything. This is by far the most important point. No lazy passwords. No explanation about private and public keys. It just works(tm).

You can discuss this article on HackerNews.

2014-03-06 19:56:00
Candy Crush and Dungeon Keeper are only one half of the problem

I was never a fan of "free 2 play" games that offer a "pay to win" option or try everything to trick you into spending as much money as your credit card allows, either by slowing down gameplay or making the game unplayable if you do not buy yet another crystal pack or the next power up. But game developers who can obviously look into a mirror and could not care less about what they see are only half of the problem.

Let us not focus on the fact that game makers are trying to trademark ordinary words. Sometimes this is pretty important for them, especially if they have to sue the game they ripped off out of business to increase their market dominance and trick more 12 year olds into spending their parents' money on digital crap. Ramen profitable is not cool, jet profitable is, and that is their way to get there.

We also should not discuss how you can take a classic game - loved by many people, one that brought joy and was the reason to waste more time in front of a screen than studying for school or walking the dog - and make it unplayable unless you pay nearly $2000 to build, in around an hour, the same rooms and chambers you built in the original game. This is a move that can only be made by people who think as much of themselves as patent "lawyers" do.

How could the game industry start with this ridiculous practice? If you think it is only the mobile game industry you obviously did not play any recent EA title, did you? But while EA just saw that gamers are willing to put up with DLCs and broken games you have to pay for to be able to buy the rest of the game after you installed your base package, there was obviously a reason for mobile games to start with this practice.

If it is not cheap it does not sell

If you go through the App Stores you see free and $0.99 applications and games that provide nearly no functionality or are broken to an extent that you cannot use them unless you use the in-app purchase option to unlock features. This is not the fault of developers. Customers decided that they want to be the product and not a customer when they chose a web service - the same way they decided that free is still too expensive and $2.99 is a ridiculous price tag.

Many indie developers without a strong brand had exactly two options: keep the price realistic and hope that the fewer sales will be compensated by the higher price - or figure out something else. The "figure out something else" turned into massive usage of in-app goods. And initially it was kind of working, until people noticed that once the app is installed people stop thinking and start buying.

I am sure there is an Internet law that goes something like "if people figure out a way to rip off other people they will exploit it - even if they have to turn a trading card website into something like a bank" - and if it does not exist yet we should make sure it does.

Right now there seems to be no way to change it anymore. If you publish an app with a price around $10 you will never see as many downloads or sales as you would at $0.99. But fewer downloads and being ranked below the top ten decrease your chances further, to the point where you sell drastically less than 1/10th of the $0.99 sales and you start losing money. So you have two options: figure out an alternative model to finance your application, or do not publish it at all if you are looking for a way to make money.

Some people complain that there should be demos - honestly? This is a great idea, especially for games where it is dead simple. But show me any publisher that still ships a demo instead of showing some in-game footage on YouTube for a big title; even for indie titles demos are rare. As much as I enjoyed the days when waiting for the new PC Games issue with the demo CDs was exciting, they are gone. And judging from the standard reviews you see in an App Store, people would believe the demo is the full game and complain that it is too short - but App Store ratings are material for another rant.

This is not the chicken egg problem

We need developers to start selling their games for a price that makes it worth spending time and money developing it and we also need customers that finally start buying games for a sane price.

The solution is pretty easy: start publishing games for a price that works. Of course this is a big gamble for the developer. If the game is priced so high that no one starts playing it there will be no media coverage, there will be no additional sales and there will only be poverty, suffering and cheap alcohol. But if more developers start with sane pricing there is a small, a really small, chance - and I do not dare to calculate the probability, to prevent us from becoming frustrated - that people finally understand that game development costs money and that developers, even those publishing for a mobile platform, need to make a living.

The other option, the one that is more likely: everything stays as it is. Mobile gaming is dominated by soulless leeches trying to get enough money to buy hell from Satan to increase their possibilities to take out competitors, and no sane indie developer without a Kickstarter - or whatever the new crowdfunding hotness will be - to back the game will start developing a game that has the depth, fun and addiction factor of a console or PC game.

Square Enix started publishing old Final Fantasy titles. For me, as a fan of the franchise, this is great. $7 - $13 is an acceptable price for me. The games are old, lack modern graphics, I played all of them, but having a way to play them again without booting an emulator is worth every cent. And those games show that you can actually make great games for a mobile platform. It is possible. Of course they have a brand that is well known, which makes it easier for them to sell those games. But as history proved, if a big player can do it, a small one can do it, too. This does not mean I would complain if we saw the next Final Fantasy released for mobile at the same time it is released for the PlayStation and Xbox... - hey, one can dream!

There are not many options to save mobile gaming - gaming as in: sane, great triple-A and indie titles with an actual story line, long-term motivation and challenges, not "click click, ohhhhh shiny stuff, hurr durr, buy moar" - and the chances that things are turning around are not big, but I still hope that it will happen somehow.

2014-02-26 19:59:00
EA's long term goals - not caring about gamers

While browsing Gamasutra I found an article about the long term goals of EA, directly brought to you by the CEO. I think it is no secret that I find the current state of gaming frustrating and just cannot stand EA's attitude and behavior, treating gamers like second class idiots who are willing to put up with whatever they think of. But this just brings it to a new level.

Did you ever read any start-up announcement, blog post or feature presentation? Most of them, sometimes even meaning it honestly, focus on what they are doing and how it will improve the life of their customers. Did you ever watch an Apple keynote? A Microsoft advertisement? Anything from another big player like IBM? They focus on how the customer gains an advantage from their product. From a fresh start-up consisting of three people and a garage to multi-billion dollar enterprises - they try to focus on the advantage they bring to the customer.

This is marketing 101. They try to make money. We do not have to skip this part or believe all they do is try to improve people's lives because they are so generous. This is purely calculated marketing. But even if it is marketing you should not lose focus of the actual product: it is built to make money. And it is supposed to make money by bringing an improvement to the customer's life.

Now let us go back to EA. I hope you have already read the article.

"They chose someone internal versus external … [the board members] like our strategy as a company, believe we have great talent internally, and they're looking for us to continue a strategy of building hit titles with the foundation of cost management."

Build hit titles as cost efficiently as possible. Let us look back at all the hit titles. Pretty graphics, no content, no innovation and a load of add-on packs that should have actually been part of the game. This is what we will continue to see. Nice, isn't it? As much profit from "hit titles" as you can make. If I recall most games I enjoyed and most games that became a hit - they were not games that were considered hit titles because they were tied to an existing series. All of them were games built by people who wanted to see an awesome game.

"It was one of the more advanced-thinking of the divisions of [EA] in terms of digital, and our evolution into digital,

Fifa xyz, NBA xyz, NFL xyz,... I see the advanced thinking, pure innovation and the undoubted evolution of... add new graphics and replace the year. Good job - only a genius could have thought of this.

I am aware that this is a bit frustrated and sarcastic. Wilson did a good job delivering something sport fans want to play. But this is not exactly what this sentence claims.

"We want to get to a view of EA as one company and one team, where we can truly manage and focus the investment on the biggest opportunities."

Read: no innovation. Investing on the biggest opportunities and not focusing on side projects or other small stuff means that you will only see game designs by scheme X which already proved to sell millions of copies. No particular new game play, no new ideas, no new story telling - sell what you already have in a new box with new graphics or add a dog. If it is part of a big franchise you will find enough people to buy it.

He added, "I'm the first CEO to come up through the studio system. [With that, the board is] saying that games are important. Platform is important, analytics are important, marketing is important, but at the end of the day, the future of this company will live and die based on hit, quality software. They wanted someone with a passion and an aptitude for that."

Everything is important but one thing is missing: gamers. For whom exactly are you building this stuff? Games are important? Guess which games are remembered 20 years later - games built for gamers. Ask the two Johns for example. They did not build games with analytics or marketing in mind. They built games they wanted to see happening, they built what they thought gamers would enjoy, what would break traditional rules and what is fun to play.

Quality software? You have to be kidding. Installing any recent EA game puts more rootkits on my system than I had in over 16 years of owning a computer. Having to hope that a game is only broken for some weeks after it is released is not quality. Being forced to stay online and connect to a DRM server, hoping it is only DDoSed for weeks by gamers who bought the game after the release. Scaling? Capacity planning? Not forcing people to put up with this stuff? This is neither quality nor is one thought spent on the gamers. This is just about profit.

Over the years I played many EA titles. I enjoyed them. But EA changed. Gaming changed. And this interview represents it perfectly. I just refuse to put up with this. I do not play many titles I am interested in because of those reasons. Publishers treat gamers like second class idiots who put up with everything. Me not buying their games will not change it - but if more people would actually remember the times when gamers were the focus of publishers and make sure that they notice it in their quarterly earnings reports, things could change again. If this ever happens I will gladly get a gaming system again. If it does not happen I will continue enjoying indie titles or titles from the few publishers who actually deliver games worth the money and do not continuously try to sell me add-ons that should be part of the game.

2014-01-16 20:05:00
Happy New Year - Welcome 2014

I hope you all had an awesome start in this new year and that you have the chance to do something awesome and exciting. As regular readers know I think of "new year resolutions" as something worthless. If you want to change something you should start now, not on an arbitrary date.

But not having any life changing plans for 2014 does not mean that I have not planned some projects for this year. I want to give you a quick idea what you can expect to see the next 12 months.

  • a new version of drupan will be released, making the generation of non-blog sites a lot easier
  • an entirely new blogging platform - if you read my past CMS rant you could figure out what it will look like, but I will also blog about it the next few days
  • I will publish my first book
  • currently it looks like a side project could turn into a service I open for everyone, maybe release it on GitHub, not aiming for profit

Enough ranting for the first day of the year. Stay as awesome as you are and do something extraordinary!

2014-01-01 22:59:00
GnuPG Is Still Too Hard To Use

You should encrypt your emails. Actually you should encrypt anything you do not want other people to see. While talking to tech-savvy people this is a common sentence you hear, especially in the last few months after the whole Snowden and secret agency revelations. What I find mildly amusing is that people actually believe encryption is so easy that everyone can use it.

I am aware that there are things which are quite easily usable by everyone. Some services and tools work great and some of them are just snake oil. I do not want to talk about all the different tools and which ones make sense. I want to specifically talk about encrypting your mails.

My benchmark for "the ordinary user" are my parents. They both have a tech background but started pretty late using computers. They know their way around most problems, can install software, update their systems and are able to tell me the exact error message and what they did when calling me, asking for help.

You do not just download GnuPG and start using it. You install it, create keys, fetch the recipient's key and so on. Especially the part involving keys and key servers is the hard one. Not to mention different key servers. Before being able to actually encrypt a mail they have to learn about all these things. It is nothing they could know from anything they have ever used before. Now you could argue that learning new things is always necessary, more about that shortly.

The next thing that will just fail is reading mails on most mobile devices. I know, I know... Android can do this if,... blablabla. On most mobile devices it does not work in a convenient way, if it works at all. So instead of just checking mails they would have to wait till they are at home or in the office. I remember doing this - I think it was in the late 90s.

And if this is not enough: updates break the GnuPG integration. "Just reinstall it and it will work again". Pretty comfortable and a pretty obvious solution, huh?

The Ordinary User

An ordinary user does not want the most secure and mathematically proven system. The ordinary user actually does not even understand why he or she would benefit from encrypting mails. "Hey mum, you HAVE to encrypt your cake recipe you are sending me, the NSA could read it otherwise!". I am aware that this is a great oversimplification and that there are valid arguments why you would even want to encrypt your cake recipe - but I hope you get my point. Raising the awareness and explaining the benefits and reasons to encrypt things is exceptionally hard if it goes hand in hand with losing comfort or increasing the overall complexity of standard tasks.

Users who do not care about computers became used to the fact that they can just sit in front of this thing and do what they wanted to do, without blue screens, drivers and all the other things we wasted the 90s and 00s with. Starting to use secure encryption software would set most of them 20 years back. "You have to learn this and this and that. Then you can do this but beware of doing that". No matter how many secret agency programs become public, you will likely not be able to convince a user who just "wants this thing to work" to use GnuPG as it is right now.

I have no solution for this problem. I also never thought about how you could improve the usability of GnuPG, to be honest. There are mail services, some just built and some on Kickstarter, that will try to solve this. And this is the best thing that could actually happen for "ordinary users". A system that just works server side without bothering the user or forcing him to learn something new is a system that could be adopted by the masses.

2013-11-16 17:15:00
Learning Scala - Four Weeks Later

It was over four weeks ago that I put a small service written in Scala into production. Some people wanted to know how the service is performing and if I would consider using Scala again. Let me give you a short summary.

The service I wrote is a reimplementation of an analytics server. It receives some data via JSON, stores it and on request processes all data. The actual service was written in Python and Flask and later rewritten in Golang. It is fairly trivial and if you know a language half decently you should be able to do it in a matter of hours, depending how fit you are with the math behind the analytics.

Over the last year it was becoming my "hello world" for new languages. Trivial enough that it can be implemented in a short amount of time but complex enough that you see different parts of a language and its library ecosystem and tools. So for me the perfect test for what I would do with it on a daily basis. When I am confident that a rewrite works it becomes a backend for "screaming at my screen". I could hardly care less if the analytic service goes down or is broken for some time.

The Scala implementation worked flawlessly. I had to move it to a bigger instance since the 512MB on the virtual server I usually use were not enough and it started swapping. I do not want to blame Scala for this. My experience is still fairly limited and I am sure an experienced Scala developer would be able to optimize it to consume less memory.

I would not start a new product or service using Scala. I really do not like the tools, the language does not provide anything special I would consider a killer feature or must have and the JVM, well... I know many people love the JVM. I neither like nor dislike it but it is certainly no selling point for me to look over the other things I do not like about Scala. If a system or architecture is already using Scala I would not hesitate to continue using it though.

2013-11-03 17:16:00
Learning Scala - Week 3: Webdevelopment

Another week with Scala. After ditching the Coursera course I just started working a bit with the language and building some smaller applications. I looked at Scalatra and Play, deployed a test application and finally uninstalled Eclipse. Let us talk about web applications.

Naturally I am most interested in anything web related. It is my job, I enjoy doing it and it is the area where I am most likely to use a new programming language, framework or technology. So how does Scala compare to what I am currently using - Django, Node.js and Golang?

Deploying Scala is pretty easy. Just throw it at a servlet container, or embed Jetty and start the WAR file using java. Pretty simple. Compiled, one file, all the joy of Golang - a pleasure compared to Django - with more and better third party libraries than Go but not with the same development speed. This is highly unscientific and only based on my experience, but compared to Golang the learning curve feels a lot steeper and I have to open the API reference or Google more often.

I did not run any benchmarks and if I did, we all know they would likely be wrong. If we stick with TechEmpower for framework and performance comparisons we can say that Scala and Go are, especially using a framework, both a solid choice if you need to write performant services. But judging from the adoption of Scala it will likely be a lot easier to find developers who already have experience deploying Scala applications to production and knowing how the language and tools behave if you throw more than 5 requests / second at it.

As some of you could know, I am a fan of Golang. But if you are operating on a tight deadline, have a team who has to work on the codebase and if the Go standard library is not enough to get the job done I would currently suggest you take a look at Scala. Compared to Go it is ready for its prime time. Libraries are just more stable, tested and well maintained, often thanks to the fact that you can "just" use a Java library. I know, bad practice and stuff, but sometimes shipping is more important than writing yet another ORM.

2013-10-06 19:25:00
Learning Scala - Week 2: Coursera And Scala Related Tools

I am a bit late with my week two summary but let's do it anyway. Week three will be ready on Sunday. I stopped attending the Coursera class. I fought against the tools and I even managed to actually learn some Scala.

Why did I stop the course? Well, first it is absolutely not the way I can effectively learn a new language. It just doesn't work for me. Second, I was a bit disappointed by it. I will still watch the video lectures to know if I am right about it, but currently I feel like there is some part of Scala and some part of functional programming in every week's lectures, and at the end of the day, without any prior knowledge, you know nothing about either of them. Maybe it is also just my first impression and I'm wrong.

Some people argued that I should still complete it to get the certificate. First: I do not really care about it. I do not need papers, or PDFs, to show me what I can do. Second: it will not be accepted by any university as proof that I am able to do something or learned it. And I think most, if not all, potential employers and clients also do not care about a piece of paper from an online course, especially if I can just demonstrate the skills.

The tools are still a bit strange, especially sbt and Eclipse. This is not directly Scala related since I think I can just ignore both for now. Life is pretty easy right now: python, go run, node foo.js. One file. You can have this with Scala, too. You have the usual Java-ish workflow: compile and then run. You have the same Java-ish workflow when specifying the classes. If you ever worked with Java you know how it will be working with Scala. Besides that you also get some nice things like an interactive shell.

Working with Scala, right now, after the first tutorials is not really spectacular. I only made it through the basics to get an understanding of the syntax, parts of the library and some best practices. I think the "real fun" starts after I got through those things. It doesn't make a big difference for me if I am writing Scala or Go for example. I believe line count is about the same.

What made me chuckle is the fact that using MutableList threw a style warning that I should not use it. I'm not sure what the Coursera system used to check the code style and quality. But throwing an error for using something from the standard library is just hilarious if you ask me. "Hey - I know the people who wrote the language gave you this tool. But I think you should not use it. Because reasons (actually: mutability). Nah, they surely do not just make it unavailable or throw an error if you use it directly or warn you for using it. Thats my job. You really should not use it."

Sadly I did not get as much done as I expected till last Sunday. But this week was a bit more productive - update will be ready on Sunday.

2013-10-04 19:08:00
Learning Scala - Week 1

I decided to learn Scala. It was more a spontaneous decision than well thought out. I have heard many good things about it, it seems to do a decent job at Twitter, other start-ups and established companies, it runs on top of the JVM and Coursera just started a course "Functional Programming Principles in Scala". I will write a short recap about my journey every weekend.

These are basically two new things at the same time for me: Coursera and Scala. Functional programming is not something new to me but I never used a purely functional programming language or focused on learning everything about it. I am aware how it works, the advantages and disadvantages and how to use it if necessary.

Finishing the first week, I have not seen much of Scala. Defining a function, some recursion, nothing spectacular. This is not necessarily bad. A lot of time was used to explain fundamentals of functional programming and I believe someone who has no experience with it really needs those explanations before starting with anything else. And I have high hopes for this course, especially since we are talking about Martin Odersky - who, besides the person (or one of the people) who came up with a programming language, could explain its fundamental ideas better?

The homework looks ridiculous compared to what you learn. It would be interesting to see someone without programming background trying to complete the assignments - if you are fitting in this category or know someone I would love to hear your thoughts. As far as I can tell you get enough hints but concentrating on Scala, deciding how to implement something and not knowing if the problem with your implementation is caused by a wrong implementation or if the solution you came up with is wrong can surely be confusing. Maybe the course is meant for people with a math and / or programming background but currently I do not believe it is well suited for beginners.

Scala runs on top of the JVM which means I had, for the first time in many years, a reason to install Java on my notebook. If you follow the instructions closely you will end up installing Eclipse. I do not want this to become a discussion of IDEs or why, of all IDEs I have worked with, Eclipse is the last one I would want to use.

Something that has not happened so far - and I have seen the same thing in many Java books - is an explanation of how you set up a project and its file system structure and run it using command line tools. Maybe it will follow in a later lesson and was just skipped for simplicity, at least I hope so. I have seen too many people unable to run a Java project when you take away their IDE, with explanations ranging from "I never needed to do this" to "let the sysops guys handle this, it is not my job". In my opinion this is a lack of base knowledge.

The material for the second week looks promising. I hope to talk a bit more about Scala and less about everything else next week.

2013-09-22 20:35:00
Sublime Text as Python IDE - jedi

I used Sublime Text exclusively for the last two weeks. The major drawback, beside the not really native user interface, was the way jedi works. After tweeting that the integration in vim using YouCompleteMe is way better I received the question how to properly configure Sublime Text to use jedi - let me give you a short walkthrough.

If you are not sure why you want jedi - believe me, you do - let me show you two screenshots with and without jedi. Without jedi editing a file looks like this

[screenshots: editing a file without jedi]

Now, if we configure jedi properly, it looks like this

[screenshots: editing the same file with jedi configured]

I don't know how you work and what your preferences are, but I prefer a working autocompletion and not one that only completes words in the same file or in open files - I'm looking at you, TextMate. It makes working on larger codebases a lot easier if you do not have to remember every single class attribute, method and argument.

First you have to install SublimeJedi. It looks like the people who asked why it isn't working for them are either using virtualenv or never used the project functionality and don't know how to configure a project in Sublime Text. These are basically the only two options I can think of.

Open Sublime Text and the project you are working on and save it as a project using Project -> Save Project as…. The only thing left to do is editing your project file using Project -> Edit Project. The most basic configuration looks like this

    {
        "folders": [
            {
                "follow_symlinks": true,
                "path": "my-project"
            }
        ],
        "settings": {
            "python_interpreter_path": "/Users/tizi/my-project/venv/bin/python"
        }
    }

Now jedi will use the Python interpreter from the virtual environment I created in my-project/venv. It will also index and complete all packages you install in your virtual environment. For more configuration options I suggest reading the documentation of SublimeJedi. Now that you have understood the configuration it should be fairly easy to add the additional options if needed.

2013-09-14 18:34:00