Ganz – Doing Security Wrong

Last week, my mother sent my daughter a gift – a “Mazin Hamster” from Ganz. It comes with a “feature code” that supposedly confers access to a special area of the Webkinz online world. No link; you’ll see why soon enough. The problem is that the hamster’s feature code by itself doesn’t give you access to the Webkinz site. For that, you need the “secret code” associated with a regular Webkinz animal first; then you can use the hamster’s code to get into the special area. Not having such a secret code, I set about procuring one. I went to eBay, found an auction for a cute little gecko with a sealed code attached, and quickly won the auction for far less than it would cost to buy a similar animal in a brick-and-mortar store. So far, so good.

When the gecko arrived, we tried to use its secret code to register on the website. I’m sure everyone can guess what happened next; we were informed that the code had already been used and thus was no longer valid. So here I am, in clear physical possession of both the toy itself and the associated card/ticket with a unique code printed on it, having provably paid for both, but as far as Ganz is concerned I do not own that code. Sometimes possession isn’t nine tenths of the law, after all. The first thing I did was contact the seller, who I will not name because I’m not really sure he did anything wrong. I was polite. I explained the situation, warned him that some of the “sealed” codes on toys he’s selling might not have been sealed in any useful sense after all, and sought his advice. As expected, he swore that the code had been sealed when he got the toy and when he sent it to me. He offered to send me a new code if he got one, but I have to say if I did get a code I could never shake the suspicion that it had come from some other kid’s toy. Having been disappointed twice, Amy was in tears by this point. I don’t much like the idea of merely causing yet another little boy or girl to cry, and I told the seller that.

My next step was to contact Ganz. The phone representative confirmed that the code had already been used, adding that it had been as far back as 2008 and even giving me the first name of who they considered the owner. The toy does appear brand new, in case you were wondering. I’ve seen plenty of these toys before. We even have one (sans code) already, and I can assure you that they don’t stay new-looking long after they get into the hands of a kid who would be interested in registering on the site. Phone Gal also informed me that they do not support sales via Amazon or eBay, only from physical stores or their own eStore. First I’d heard about that. I verified that physical possession of the object didn’t count, and then bade Phone Gal good day.

OK, so I got screwed, but that’s not what this is about. What’s the real problem here? The eBay seller had tried tell me that the codes could be guessed, but I’m skeptical. Each code has to be associated with a particular type of animal. There are enough digits in the code, and enough hundreds of animal types, that making five guesses per day on the Webkinz sites isn’t really going to be very rewarding. No, the first real problem is that the physical security on the authentic codes is very weak. It’s just a simple slip of paper in a plastic envelope tied shut with a little blue ribbon. There’s no plastic thing that you have to break to get at the code, no scratch area, not even a tamper-evident foil seal on the envelope. It would be trivial to buy the toy, use the code, put the code slip back in the envelope, and re-sell it. The physical security is so poor that it would even be possible to do all of this in the store without purchasing anything, and I suspect that’s where most illicitly used codes come from. I was briefly tempted to do exactly that myself, and I’m pretty sure that’s what the eBay seller intended to do, but I try to be a better person than that.

That’s not really the biggest problem here, though. The biggest problem is Ganz’s attitude. They must be aware of how easy it is to steal or misuse codes, and of how often it actually happens. They could secure the codes better, but that might add a couple of pennies to the price. Sadly, I know enough about our collective “race to the bottom” to understand and almost accept that they couldn’t be expected to do that. Alternatively, they could accept proof of physical possession as proof of virtual possession. That would cost them nothing, and would be the fair thing to do according to every moral standard I can think of. Why don’t they? I think it’s because they don’t want to support any kind of re-sale at all. They want to sell you a brand new toy, at full price, even if the toy you already have is only “not new” by virtue of illicit use that they have practically encouraged. Their position is even worse than the RIAA or MPAA, who have at least had to concede that physical transfer of a CD or DVD transfers rights as well. A stolen code is not a lost sale to them; it’s two sales. Doing the right thing would hurt their business. The status quo suits them just fine, and they don’t care how many children’s tears are shed because of it.

No, Ganz, I will not be buying anything from you. Ever. I will endure Amy’s tears if I have to. I will use this as an opportunity to teach her about how companies sometimes do things that are wrong, about the concept of socially responsible purchase decisions, and about boycotts. Then I’ll substitute some other equivalent gift, perhaps a game or membership on some other site, because it’s not her fault (or my mother’s) that you’re evil. I’m so annoyed that I might even do more than that. You’ve made an enemy.

My Brother Rocks

In just about every technical community but one, I probably have a higher profile nowadays than my brother Kevin. I say that not out of younger-sibling competitiveness, but almost for the exact opposite reason – to point out that he’s a pretty technical guy too, and largely responsible for my being one. Here are a couple of points of evidence.

  • His interest in computers predates mine. When a friend of the family loaned us what had to be one of the first TRS-80 computers in New Zealand, it was Kevin who really jumped all over the opportunity.
  • He made a lot more effort regarding computers. One of the very first things he did when he came to the US (a year after our mother and I did) was save up and buy an Apple II. Given the price tag and our economic circumstances at the time, that was a pretty major expenditure. He dove right into 6502 programming, still years before I took programming seriously.
  • He was involved in open-source long before I was . . . except it wasn’t called that back then. Kevin was on the NetHack 3 development team, which was a pretty complex global enterprise. If you were to look at the way the developers coordinated, you’d recognize a lot of the patterns in common use today. This was back in 1989, as I was just starting my own programming career.

Since then, I’ve gone on to infamy and misfortune. Kevin is now a DNS guru, which is why I said “every community but one” earlier. As it happens, this knowledge came in handy just recently. I’m trying to consolidate my web “properties” which are currently spread all over the place. I want to use one provider for DNS, one for email, and one for everything else. GlowHost is very soon going to web-only, and not even that as soon as I get un-stuck enough to set up my own nginx/PHP/etc. configuration on a cloud server I already use for a bunch of other things. As I was trying to move email from GlowHost to FastMail I ran into a glitch. I transferred DNS and email for one of my less-used domains just fine. When I tried to move atyp.us – yes, this domain right here – the DNS part seemed to be OK but I was having trouble with email. I was able to get email on FastMail, but I could see from the headers that it was still going through GlowHost first. I looked at the NS and MX records from a bunch of different places, and everything seemed fine, but even after several days I was still seeing this screwy behavior. Time to call in the DNS expert to see what I was missing.

Pause: can anyone else guess?

The problem turned out to be that mail transfer agents are dumber than I thought, and my silly insistence on using pl.atyp.us instead of atyp.us was confusing the poor babies. Even though I had the MX records for atyp.us and *.atyp.us in place, they’d still fail to find an MX record for pl.atyp.us specifically. Then, they wouldn’t even go “up the tree” and get the MX for atyp.us as I thought they would (and as the SOA for pl.atyp.us makes pretty clear). Instead – and this is the part where Kevin was able to point me in the right direction – they’d fall back to looking for an A record which was still pointing to GlowHost because that’s still where the website is. Bingo. I added the “pl” MX records, and I can already see email flowing in without going through GlowHost.

So thank you, Older Brother. No, not for the MX thing. For every thing.

Whale Watch

P1000943P1000947P1000954P1000957P1000958P1000963
P1000968

Whale Watch, a set on Flickr.

I haven’t been posting pictures here much, but this set turned out so well that I feel a need to share. For anyone who’s interested in capitalizing on what seems to be a good whale-watch opportunity this weekend, these pictures were taken on a boat run by Cape Ann Whale Watch out of Gloucester. Follow the Flickr link above to see all of the descriptions etc.

Crypto For Kids

I mentioned on Twitter that I’d been teaching Amy (now six) about simple ciphers, and @lucasjosh asked how I went about it. The answer is way too long for Twitter, and probably of more general interest, so I’ll try to explain.

For a while now, Amy has been fascinated by two ideas: other languages (counting to twelve in Spanish as fast as she can) and writing things instead of speaking (writing notes for me and Cindy). These both have to do with alternate means of communication, so I think it’s a natural and common kind of curiosity. I don’t exactly remember where she first encountered the idea of simple letter-to-number substitution (A=1, B=2, …, Z=26) but it was a while ago. It might have come up again in an issue of Highlights that I picked up at the library for her, or maybe even on a kids’ placemat at Friendly’s. In any case, she was the one who suggested that we write some coded messages. After doing some simple ones at first – “I love mommy” and “daddy is a geek” – I let on that there were many more kinds of codes possible. First I used a simple code based on going around the “circle” of letters by mutually-prime seven: 1=A, 2=H, 3=O, and so on. I didn’t actually explain how the table was generated; to her it was just a simple lookup. At this point Cindy made the point that breaking a code is harder when you only have a little bit of text, so we gave her the table. Amy seemed to enjoy that, so I decided to take it a step further and explained that codes could involve reordering as well as substitution. I did this with a simple 4×4 square, with the message written across.

d a d d
y (space) i s
(space) a (space) g
e e k !

Then I showed her how to read down the columns instead of across the rows, so the result is:

dy(space)ea(space)aedi(space)kdsg!

So far, so good. Finally, I showed her how you could reverse the process to decode, and just for extra fun how you could repeat the process and end up where you started (giving her an early exposure to matrix operations as well). She thought that was great, and gave the message to Cindy who decoded it quite quickly. For the second one, I used a 6×2 matrix, and challenged Cindy (who had heard the original message) to figure out what size matrix I’d used. I don’t think the idea of the matrix configuration effectively being the key really sunk in, but I think I’ll be able to demonstrate that pretty well when I show her the closely related Caesar cipher.

At that point it was bed time, so Amy and I headed upstairs. The coolest part of the whole thing, though, was that Amy insisted I get her up at 7am sharp (usually Cindy does that while I get ready for work) so we could do some more codes. Awesome.

Checking In

I know I’ve been kind of absent lately. Part of it was traveling to Michigan to see my mother, brother, and cousin. Good times. We flew this time, and I was worried that it would be awful. Last time the three of us flew through DTW, Northworst took six hours there and four hours back for what should be a two-hour flight. That’s a lot of time in a plane on the tarmac trying to keep a three-year-old entertained with the few things you can carry on. The last time I went through DTW myself, I found that they’d scheduled a dozen flights at exactly 6am on a Sunday morning, leading to a huge security-theatre backup and to me missing my flight. I ended up getting routed through a very busy O’Hare – which I’d just left – before finally getting back to Boston. Considering all that, and that there was an “incident” there not too long ago, I thought it would be crazy, but in fact it all went smoothly.

The other reason I’ve been quiet here is that I’ve been busy doing actual work. I’ve been writing lots of actual code for my way-cool GlusterFS translator, for one. I’ve reached the point where I can run actual tests and see how well it works, which I’m pleased to say is very well. Now I just have to slog through all of the entry points I haven’t bothered with yet, figuring out the GlusterFS object-lifecycle rules so I can make sure there are no memory leaks, making sure I return consistent error codes, and then running some real functional tests like fsx, etc. More about that later, I’m sure.

The other thing I’ve been busy with is techno-evangelism. I’ve already mentioned the podcast, plus I gave a half-hour presentation about cloud storage at Red Hat’s Cloud Computing Forum yesterday. I’ll post a link to the archive when I get a public one myself (all I have is a private one that I’m not sure is usable by others); meanwhile you’ll have to read the The Register had to say about my talk and others.

OK, now back to that code.

My Little Programmer

Last night at dinner, Amy happily announced,

I’m in zeroth grade.

I’m so happy that we got her started early on counting from zero instead of one. :) In a similar vein, a couple of weeks ago we visited her classroom for “Back to School Day” and one of the projects the kids had done was a drawing with an “I can” caption. I can run, I can swim, I can ride a bike.Amy’s said,

I can build a circuit.

Actually the spelling was a bit off (they’re not even trying to work on that yet), but you get the idea. She got a Snap Circuits set for her birthday – or was it Christmas? – and has had a lot of fun with it. I’m sure it won’t be long before her hardware abilities exceed my own.

P.S. Her drawing is really improving lately, too. I’ll have to remember to post some pictures of her art soon.

Family Camp Pictures

Photos from family camp are posted on Facebook. Here’s a sample.

There’s also a video of Amy telling knock-knock jokes at the talent show. The quality’s poor, but the content makes it worthwhile.

More Funny Amy Quotes

Part One: at Santino’s, a quite good Italian restaurant in Winchendon, Cindy commented on how blue Amy’s eyes look. That being the only physical feature she seems to share with me, the comment led to a comparison of Amy’s eye color with mine. Then we asked Amy what color Cindy’s eyes are. It’s kind of a trick question, since Cindy’s eyes are a hard-to-describe kind of blue/green/brown, but Amy was up to the task. She immediately replied that Cindy’s eyes are “basil” which you have to sound out to realize is a cross between blue and hazel. Perfect.

Part Two:

Amy (quoting from her pajama shirt): I’m Mommy’s Little Dreamer.
me (what I actually said): You’re Daddy’s little dreamer too.
me (what I think Amy heard): Daddy’s a little dreamer too.
Amy: No, Daddy’s a big dreamer.

Monday Pictures 2009-05-25: Lake Dennison

This weekend Cindy, Amy and I went camping – Amy’s first time. The venue was Lake Dennison, a state park I’d never heard of in Winchendon MA. That’s only about an hour away, but it feels much further. I had to keep reminding myself that we were not in New Hampshire but Massachusetts, and not even western Massachusetts at that. It’s nice to know that there are such places so close to home. Anyway, we got rained on a couple of times and bitten a lot, but had a great time nonetheless. Amy kept saying that she wanted to stay until they closed, i.e. until fall, which does a lot to dispel fears that she’d hate camping and never want to do it again. Enjoy the pictures.

Special Bonus Pictures – Harvard Museum of Natural History

These are from Sunday.