Category Archives: Life

The general nonsense you encounter in life.

An interesting experience: Writing to 400 candidates

During the last week, I worked on an interesting project. But instead of programming, this time it involved politics: I wrote a message to 403 german candidates to the European Parliament in the upcoming european elections, on the topic of “digital rights”.

It all started when I heard of In a nutshell: Candidates can promise to follow a charter of basic digital rights, supporting laws that strengthen these rights and opposing those that seek to reduce them. The charter contains a lot of very obvious, sensible points, and some less obvious but also very sensible points like export controls for surveillance / censorship equipment. Voters, in return, can promise to vote in the elections, and vote for a party whose candidates support these rights.

Now, my original plan was to write a physical letter to some candidates from my area, but when I asked the people behind WePromise for some material, they also supplied me with a list of all german candidates, including their eMail addresses. And since tools like Mail Merge make sending a lot of personalized eMails very easy, I decided to just write to each and every single candidate from that list. I quickly removed all candidates that had already pledged their support to the project, and all candidates without a known mail address, leaving me with 403 candidates, ranging from people almost guaranteed a spot in the european parliament to people on the 88th spot of a tiny party that may or may not get one or two candidates into the parliament. I quickly wrote up a message detailing the project, the aims, why I support it, and asking them to support it as well (or, alternatively, write me a quick mail detailing why they do not want to support it). I fed the message and the spreadsheet to Mail Merge, waited two minutes, and the mails were sent.

I received a bunch of autoreplies and some error messages concerning incorrect eMail addresses (which I tried to correct and update in my spreadsheet, sending the corrected addresses back to WePromise). Then I waited. That was one week ago.

Until today, I have received replies from over 25 candidates, ranging from the aforementioned 88th spot on the ÖDPs list to current members of the european parliament. The number of german candidates has jumped from 22 to 37, with a few more candidates having promised their signature and not yet appeared on the website. I had some very interesting discussions concerning the advantages and disadvantages of online anonymity, during which I convinced at least one candidate to change his views (two more discussions are ongoing). I also received three replies from parties that are generally not considered to be very pro-internet (all of them stating that they would not sign the pledge, but would “continue to fight for data protection”, and all of them from supporters of data retention laws. I’ll leave you to figure out how the hell that is supposed to work, because I have no idea).

So, some statistics from one week into the project:

  • 15 new signatures (6x Die Grünen, 4x ÖDP, 3x SPD, 2x FDP)
  • 4 signatures pledged that have not yet appeared on the website (2x Linke, 2x SPD, 1x ÖDP)
  • 6 refusals for different, mostly acceptable reasons (2x CSU, 2x AfD, 1x CDU, 1x SPD)

As you can see, a large majority of candidates has never replied. That was to be expected. Still, it has been quite an interesting experience, interacting directly with people that may, in the near future, be called upon to represent my interests in the european parliament.

I can only recommend contacting (some of) your candidates. Ask them their opinion on a cause close to your heart, maybe even have a (civil!) discussion on the matter if they have a different opinion. My experience has shown me that, at least in the smaller parties, you can actually change someones opinion on some matters. And who knows, maybe the candidate will actually be elected to the european parliament. And maybe, just maybe, your discussion will change their vote on a crucial issue… And wouldn’t that be worth the 10 minutes it takes you to write up a mail?

“Crypto-Hypocrisy”, or: on what is wrong with the security community

I’ve been annoyed at some of the things in the computer science and, more specifically, computer security community for a long time, and decided to finally write them down. This has become quite a wall of text. Depending on how you read this, this may be a rant or a plea.

A few days ago, when I was browsing the website of a security conference (SEC 2014 in this case, but this is applicable to a lot of conferences), I became curious. Shouldn’t a conference focussing on “Applied Cryptography”, among other things, automatically forward me to the HTTPS version of their website? I changed the http:// to a https://, and OH GOD WHAT THE HELL?

Shiny...Interesting. A self-signed certificate, expired for more than three months, and with a Common Name of “ensa ident” (as opposed to, you know, the domain name it was supposed to protect).

Well, someone  must’ve been sleeping, I figured, so I went to the contact page of the website, and OH MY GOD WHAT THE HELL?

Contact Information

A hotmail address. Not only that, but a hotmail address with no information about a PGP key for secure communication.

Now, some people may ask “so what?”. To which I reply: How can the security community as a whole condemn bad security practices and demand secure, end-to-end-encrypted communication for everyone, if the organizers a conference that attendees pay between 250 and 550 € to attend can’t get their shit together enough to at least provide a valid, well-formed SSL-certificate for their websites. Hell, I’m not even asking for one that is signed by a proper CA. I can live with a self-signed certificate, but at least put in the effort to have the CN match your domain name and to create a new one once the old one has expired.

As for the PGP key: I can understand if conferences do not provide a PGP key because their contact address is actually a mailing list that sends the message to multiple people (although it is beyond me why, in 2014, there is no program that will decrypt all incoming messages and re-encrypt them with the keys of the recepients of the mailing list. Or, if there is such a program, why no one uses it). But this is a address. This is bad on so many levels. A conference on “Information Security Education” can’t even afford to have their own eMail address?

I regularily annoy companies by writing them eMails closing with “P.S.: Have you ever considered adding the capability to receive encrypted eMails to this address? [Link to a tutorial]”. Some ignore this, some make excuses. I only know of two companies who allow me to send them encrypted eMails. One of them is my bank, who will then reply unencrypted with a full-quote, rendering my encryption worse than useless. The other are the people at, who I am not a customer of, but who provide their key prominently on their website.

How can I keep a straight face demanding this of those companies if the people running our conferences are too lazy or just plain don’t care enough about the ACTUAL TOPIC OF THEIR CONFERENCE to take the 30 minutes to set something up? How can I keep a straight face if, until a few months ago, I could write encrypted eMails with more of my parents (2) than other computer scientists I regularily mailed with (1)?

The general reaction if I propose mail encryption to the average CS student is one of the following:

  1. I should totally do that, but it’s too much work
  2. I’m not writing anything secret, so why would I encrypt it?
  3. I don’t know anyone who is using mail encryption
  4. I’m not writing any mails anyway, I’m using Facebook to talk to other people.

To which I would reply, respectively:

  1. It’s 30 minutes of work, once, and then you can have it up and running until you reinstall your system. How is that “too much work”? Don’t you value your privacy enough to invest 30 minutes into protecting it?
  2. Because it is good practise to encrypt it. Because, even if you don’t write any secret letters, you would still not be happy to have other people read them (hopefully).
  3. Then be the first and pester your computer scientist friends. Take them to a crypto party. It’s gonna be fun.
  4. …Goodbye. *shake head, go away, loose faith in humanity*

It is not about the contents needing hiding. It is not about keeping something from the NSA (although that’s an awesome side effect). It is about making encrypting communication a social norm, at least within the computer science community.

At 30c3, I received three business cards. Two of them were from people working for the Tor Project (Roger Dingeldine and Jacob Appelbaum). Both of them had their PGP Fingerprints printed on their business card. This is what I want to see. Get away from “here’s my eMail address” towards “here’s a way you can send me an encrypted message and be sure you reach me and no one else”.

The third business card was from a nice woman of maybe 50 years with barely any background in computer science. She wanted to help an open source project, so she got a ticket to 30c3 and went to different assemblies and workshops (which, in itself, is pretty awesome, I might add). I recently sent her an eMail, signing it with my PGP key, as I always do for those mails. I received an encrypted response, stating that she had just started using GnuPG and Enigmail and asking if I would help her set up a laptop with Linux and full disk encryption.

If 50-something year old executive consultants can figure this our, why can’t the security community?

The “Humble Store” Method: Results

So, the Steam Christmas Sale is basically over, let’s see what the results of the Humble Store Method are.

First, some notes. I decided to also apply this method to games purchased on other sites (GoG, the Humble Store (ironically), Humble Bundle and Humble Weekly Sale, as well as any other store where I may buy games). I also decided to follow the method throughout the year, as opposed to only during sales. It shouldn’t make a big difference, as I get almost all of my games during sales, but this makes it easier to follow.

After looking at my purchase history, I am also not sure if 10% are actually enough. I’ll have to think about increasing it to 20% or even 50%, as 10% appearently do not scare me enough.

My purchases were:

  • Bioshock Infinite (7.49 €)
  • 2x Chivalry: Medieval Warfare (5.74 € each)
  • 2x Shogun 2: Total War (7.49 € each)
  • CS:GO (3.49 €)
  • Risk of Rain (5.03 €)
  • Humble Weekly Sale: Puppy Games (6.66 $ => 4.49 €)
  • Stronghold Crusader HD (4.99 $ => 3.77 €)

This leaves us with a grand total of 50.73 €. Damn.

Looking back, I probably should not have purchased Shogun 2 and the Puppy Games Weekly sale. I haven’t played Bioshock infinite yet, Chivalry is great (already sunk 10+ hours into that one), CS:GO is okay (I need more people to play this with), Risk of Rain is RSI-inducingly fun, and, judging from my experience with the original version, Stronghold Crusader HD is probably fun, although I have not played the HD version yet.

So, following the 10% rule, that leaves us with 5.07 €. That’s not very much. So, I’ll just raise the percentage to 25% for this sale, leaving me with 12.68 €. I’ll have to think about the percentage for the next time, but I think 25% is a good first step. I’d set it higher, but I just donated a bunch of money to different organizations at the 30c3 conference and so am a bit short of money at the moment (which is totally not the fault of a lack of restraint on the steam sale, as you can clearly see above. Totally. *ahem*).

So, the only thing left to decide is who will get the money. At the moment, I see a few options:

  1. The CCC, as they did a great congress this year and did not get any donation from me so far (also because they did not accept it when I tried to give it on day 4 of the congress)
  2., for generally being awesome and informative.
  3. The Tor Project, for generally being awesome and always in need of money
  4. …?

So, if you have any proposals on who should get the money, write it into the comments. I’ll decide over the weekend and update this post with the results.

Update: I decided that the money will go to this time around. I’ve been planning to donate to them for a long time (probably more than a year by now) and somehow never got around to it. And since 12.68 € is a terrible number, I’ll just round up a bit. The only thing left to decide is if it will be 13.37 € or just a plain-old 15 €.

Next time, I’ll pick a different organization, but I’ll decide on that once it becomes relevant.

Surviving the Steam Holiday Sale and… doing good? Aka: The “humble store” method

From past experience, I know that I always spend way too much money on the big sales of the Steam Game Distribution platform. I always buy a lot of games that I never play, or only play for half an hour before never starting them again, and I always end up repeating the same mistake on the next sale, because DAMN CS:GO FOR ONLY 3.49 €!

So, since I am obviously unable to learn my lesson, let’s try to at least do some good while buying games I will never play.

The “humble store” method

For those of you who do not know what the humble store is: It is a store for (mostly indie-)games by the guys behind the humble indie bundle. And, the most important part for the purpose of this article, 10% of the price of any game is donated directly to charities like the American Red Cross, the EFF, Child’s Play Charity, World Land Trust, and Charity: Water. They have already raised over $280k using that store, and combined with all the humble bundles they have sold to date, have raised over $29 million for charity.

So, starting with this sale, I pledge to keep track of how much I spend on those sales, and, after the sale has finished, tally it all up and donate (at least) 10% of the money to a charitable organization of my choice. This can be the EFF, but it could also be the wikipedia, Worldbuilders (the charity of my favourite author), (a german blog I read a lot which could use a bit more money) or any other charitable organization.

Now, 10 % isn’t very much. BUT:

  1. I think any charity, having to choose between a small donation and no donation at all, would choose the small donation.
  2. Nothing prohibits me from donating more than I strictly have to.
  3. If 100 people would do the same, it could still easily make a difference of a few hundred euros.

My challenge to you:

Think about where you are spending way too much money. Maybe you are playing a free-to-play game and are constantly buying more virtual currency for it? Maybe you are drinking too much starbucks coffee? Maybe you are reading too many books No, that’s impossible. Whereever you find yourself spending way too much money, think about this: Could the “humble store” method work for this? Would you be willing to turn your vice into something that helps the world a little bit each time you give in to it?

I’m interested in your feedback on this idea. I will try it out for this sale and report back afterwards.

On the Topic of bad error messages

Yesterday, I was on my way home and had just missed my bus. No Problem, I thought, that’s the reason I have an account at StadtRad Hamburg (an automated bike rental service we have in Hamburg). So, I made my way over to the next station while pulling out my phone to unlock a bike.

Now, there are two ways to unlock a bike (more, actually, but I only had access to two). One is via the StadtRad App, and one is via calling a special telephone number written on the bike. So, I started up the App, entered the number of the bike and pressed “rent”. And…

Englisch: "An Error has occured"
Englisch: “An Error has occured”

Oh well, it happens to the best of us, right? So, let’s retry this.

Hmm, still the same error. Interesting. Well, it’s not the first time the app screwed up (the last time I rented a Bike, the servers went down and did not register me returning the bike, leading to me being billed for three days for a bike I could not even ride because it was broken. Needless to say, I got my money back, but since that evening, I no longer trust their servers). So, I called the phone numer to unlock the Bike.

So, the Telephone system is fully automated and supposed to recognize your phone number if it is registered to your account, which mine was. So you can imagine my surprise when the friendly computer  told me that my phone number was not registered to any account and that I would be forwarded to a human for support (Poor bastard, having to work at midnight).

After verifying my account information, the friendly support rep informed me that my account had been locked because the credit card they had on file was about to expire and they (understandably) did not want to be left without a way to get the fees they are owed. This is not the problem. I don’t even have a problem with the fact that this left me having to wait 20 minutes for the next bus (a timeframe which would have been enough to ride the bike home).

My Problem is the way I found this out. I mean, seriously. “An Error has occured” in the app? Could you be any less specific? And then my phone number was “not connected to any account”? If my payment details are wrong, for gods sake TELL ME, and don’t give me unspecific or just plain wrong error messages. Writing good error messages is one of the most important things you have to do concerning usability. It’s not hard, people. So much bullshit could be avoided if a few programmers could have been arsed to implement a special case for this error (especially since this is a show stopper for the end user, and something he should be concerned about, instead of thinking “well, seems like they screwed up their servers again. I’ll just try again tomorrow”).

Please, PLEASE write decent error messages.

That is all.

On doing things right the first time

If you haven’t got the time to do it right, when will you find the time to do it over?

– Jeffrey J. Mayer

If there is one lesson I have learned at my current job, it is that you should always, always, take the time to do things right the first time, especially if everything else you do will be built upon it.

For example, about a year ago, I was tasked with migrating an aging access database to MySQL. The Database was horrible. There were just about no checks in place to prevent inconsistent records (Changing an ID in one place would not update other references to that ID in the remaining parts of the database), a bunch of very inefficient data types and needlessly complicated ways to store values (For example, instead of using a boolean value to indicate if a course was offered at a specific university, the column would either contain NULL (or the access equivalent) or the name of the university.

Now, someone had already imported the database layout into MySQL, so I took a look at it. I wrote down several ideas on how to improve the database, including the usage of “Foreign Keys” to preserve consistency, boolean variables to store true/false-Values, the use of IDs instead of names as primary keys, and so on. Once that was finished, I talked those proposals through with my employer and we discussed the changes. Most were accepted, some were scrapped, including the foreign keys for some reasons I cannot remember (but which seemed somewhat logical at that time).

The database has been in use for a while now, and it has come the time to add some functionality (triggers to automate boring tasks and new ways to display the data, for example). So, for the first time in about 6 months, I took another look at the database, and at the data it contained.

My initial reaction:

Some bad decision on my part, combined with bad decisions when creating the frontend, combined with the fact that the database was accessed through three different interfaces, and only one of them having any form of sanity checks, the database had deteriorated into a state which made it nigh impossible to do anything without at least three different ways of abusing MySQL in ways that would have made my databases instructor weep.

The problem? The database is in use. I cannot change it, at least not within a reasonable timeframe, and without rebuilding most of the frontend (which was created with a piece of software called “PHP Generator for MySQL”, which has some nice features but also frequently throws a hissing fit if you do not use it in exactly the way it thinks it should be used, not to mention generating code that is vulnerable to the most basic of XSS (which has been reported by me for more than 9 months, by the way)). That would be an effort of at least 20 hours, which could have been avoided by one or two hours of work improving the database structure in the beginning of the project. And I don’t have those 20 hours.

My contract with my employer will end soon, and once me and my supervisor are gone, they will have no one left who can even understand MySQL. I pity the person who will inherit this database and try to make sense of it. I am trying to document things as good as I can, but there is only so much you can do for a database that should have never existed or been put out of its misery a long time ago.

Seriously. Do things right the first time, or you will regret it in the long run.