Equifax

I’d call this unbelievable, but in 2017, the year of untrammeled greed, it’s merely par for the course.

Remember Equifax? You know, the big credit report company whose security breach exposed the personal information of millions of Americans?

The company that collects financial, demographic, and employment information, but is apparently unable to install security patches in a timely fashion or reliably tell you if your information was stolen?

The one that can’t even keep track of its own websites and sent consumers to a fake site instead of their own (unreliable) “check your information” site?

The one that initially tried to force people to waive their right to sue if they tried to find out whether their information had been stolen?

Yeah, them.

The story behind that second link suggests there’s good reason to believe Equifax is using the massive security breach–which exposed personal information on nearly half of the American population–as a revenue-generating opportunity. In short, by directing worried consumers to Equifax’ own credit freezing service, they’re lining up millions of people who will, once the initial year is up, be paying around $30 every time they need to let someone check their credit–when buying a home, a car, a cell phone, or in many cases, even when applying for a job. Nor is that fee fixed: Equifax could raise it at any time.

Apparently they weren’t drawing in enough business, because now they’re getting other companies to shill for them.

Last week, I got a letter from AT&T. Oddly, even though the letter is dated October 23, I didn’t receive it until November 23. Clearly, some poor printer has been working day and night to get these letters out. But I digress.

It says, in part, “There was no breach of AT&T systems or the data we maintain, but we … understand there is a possibility that your personal information might have been exposed.” It then encourages me to go to that same unreliable Equifax site to check my information and “sign up for credit file monitoring and identity theft protection.”

I can’t help but wonder what’s in it for AT&T. I doubt they get a cut of revenue–but only because this is a paper letter, so there’s no way for Equifax to track which suckers came to their site thanks to the letter.

But one odd little possibility comes to mind. If the FCC carries out its threat to repeal the Network Neutrality regulations, will AT&T start charging its customers extra to access Equifax and other credit monitoring services?

SAST 09

With just a tiny bit of luck, this will be the last Short Attention Span Theater for a while. Barring unexpected events, Like Herding Cats will go out to the beta readers this week and I’ll be able to stop stripping my mental transmission by jumping back and forth among writing, re-writing, and copy-editing.

Which brings me to the first production on today’s program. I could use another beta reader. Now, before you immediately deluge me in requests, let me remind you what beta reading is and is not.

It is not an opportunity to read a book before anyone else. Well, okay, it is, but it’s also a requirement that you read the book critically. I’m not looking for “Hey, great book. I love it!” I want to know what doesn’t work. To that end, along with the book, beta readers get a laundry list of questions like, “Were all of the plot twists properly supported, or was there a point where somebody acted out of character in order to change the story’s direction?” and “Were there any jokes that just didn’t work for you?”

I don’t expect every reader to answer every question, but these are the things I need to know to make the book better, so the more you can answer–and especially, the more faults you find–the happier I’ll be. I want beta readers to find the problems, not agents and editors!

Still interested? There’s one more qualification: you must be familiar with modern urban fantasy, by which I mean you’ve read several works in the field which were published within the past five years. “Several” means “more than one, and by more than one author”.

If you’re still interested, drop me an email. Do NOT apply via a comment on the post, by Facebook Messenger, or by Twitter reply. Thank you.

Moving on.

And, speaking of jobs, I got a weird offer in email recently.

We bought our car from a dealership, and we take it in for maintenance every six months. They’ve got my email address because I like getting a reminder that it’s time for the next visit and because they send out occasional special offers. Yeah, imagine that, advertising done right: opt-in.

So then I got this latest note from them. “Join our team!” says the subject line. Uh-huh. Job listings. And not just sales positions. They’re looking for a mechanic and for a person to check cars in and out of the service department.

Apparently they consider recruiting to be a type of advertising. The email has their boilerplate at the bottom reminding me that I opted-in to receive occasional ads.

I find it slightly amusing, but also more than a trifle creepy. Imagine if the idea catches on. “Hey, I hope you liked the espresso you bought last week. How would you like to be a barista?” “Thanks for making your last credit card payment on time. Wanna join our team? We’ve got openings in the boiler room calling the deadbeats whose payments haven’t come in.”

There’s a place for everything–and that’s not the place for job postings.

Next time I take the car for maintenance, I’ll ask how many job applicants the email generated–and firmly request they remove my name from that list.

Moving on.

It appears our cats know there’s a place for everything. And once in a while, they take a vacation from playing “Gravity’s Little Helper” to put things in the right place.

We’ve taught them that fish comes in cans. So yes, that’s the current incarnation of Mr. Mousiefish, carefully placed in a gooshy fud can–presumably so he can be eaten later.

Moving on.

I can’t decide if this is so meta it’s hilarious or so cliché it’s painful. Though I lean toward the latter.

Joe, ya shouldn’ta oughta done it.

SAST 07

Happy Halloween!

We’re not planning to give out any candy this year–although we do have a couple of emergency bags in case someone shows up despite our best efforts to look like we’re not home.

There’s no particular reason we’re being anti-social, just a general lack of holiday spirit.

Beyond that, I am a little distracted at the moment. I’m neck deep in the third draft of Like Herding Cats–I’m hoping to finish before Thanksgiving–and I’m starting to run into the places where I got lazy in Draft 2. See, Draft 2 is written with a pen. On paper. So if I need to add a lengthy stretch of new text, I’ll often just make a note to myself: [Hey, Fred needs to explain why painting City Hall blue was a good idea.]

It’s not that I don’t know why it was a good idea. I just don’t want to have to read and transcribe half a page of my scribbles. And so I defer it to Draft 3, which gets done on the computer.

The downside is that it’s kind of like freeway driving at rush hour in a car with a manual transmission. Cruising along at twenty mph, transcribing the Draft 2 changes. Come to a complete halt while I check my notes–was it robin’s egg blue or sapphire blue–and then creep along at ten mph while I write the scene.

And then get off two exits down the road and circle back because I just came up with a great line that has to go into the new scene.

Anyway, distraction. So you get a bit of a Short Attention Span Theater for Halloween.

Moving on.

Am I the only person out there who got a scam spam of the 419 type from “Jeff Sessions Attorney General” recently?

I know the Trump administration is, shall we say, a trifle challenged, ethically-speaking. But really, Jeff, there are faster, easier, and–dare I say it–even legaler methods to separate fools from their money.

Now, you may say it’s probably not Mr. Sessions sending out these letters, and you’re probably right. Perhaps it’s some flunky in the Justice Department trying to curry favor–or line his pockets at the boss’ expense.

But there’s a more likely explanation. Read the letter I got:

Now ask yourself: who in the current administration is well-known for cranking out dozens of grammatically-suspect, logic-deficient electronic missives in the middle of the night?

Yup.

Donald, put down your phone and go play golf.

Moving on.

A sneak peek at Thursday’s final summation of how I did in predicting the playoffs: I got one of the two World Series teams right. Go, me!

As others have pointed out, it’s far too soon to anoint this the Best! World! Series! Ever! But it’s not too early to say it’s been a great one so far. Close games, mostly not decided until the final inning. Lots of home runs, some interesting strategic decisions to argue about, and a fascinating sideshow in the Yuli Gurriel and Bruce Maxwell stories.

We’re getting Game Six tonight and, if the Dodgers do us a solid, Game Seven tomorrow.

But.

I don’t know about you, but I’m having so much fun with this series, I don’t think even seven games will be enough. I’m hereby petitioning Commissioner Manfred to extend the World Series to twenty-three games. If we alternate two games in each city with a travel day in between, that’ll wrap it up with Game Twenty-Three on November 24, the day after Thanksgiving.

Let’s not forget that Los Angeles and Houston are warm weather cities. No worries about games getting snowed out. And really, isn’t twelve a much more satisfying number than four?

And the best part: consider the advertising tie-ins! Everyone can watch that climactic Game Twenty-Seven on the new TV they picked up that morning in a Black Friday sale.

What do you say? Who’s with me?

Cough

No, the fires aren’t that close. They are close enough to make the air distinctly smoky.

Smoky enough that schools are canceling classes and sporting events. I note that there are major college sports scheduled for the next few days: football games in Berkeley (Washington State and Cal) and Palo Alto (Oregon and Stanford) are the most notable. As of this writing, both games are still expected to go on as scheduled, which means teams are out practicing as usual. At the professional level, I see the 49ers are on the other coast to play the Team Which Needs to Change Its Name, so they’re unaffected, but the Oakland Raiders home game is still on. More evidence that football is hazardous to your health, I suppose.

Smoky enough that the Bay Area Air Quality Management District has issued a warning for everyone, not just people with respiratory issues. They’re saying many parts of the Bay Area currently have the worst air quality they’ve ever recorded, and Friday and Saturday are expected to be worse.

We’re holed up inside, as recommended, but the house is old enough and porous enough that we can smell smoke inside. It doesn’t seem to be bothering the cats, but if it gets bad enough that we feel the need to move them someplace with better air quality control, we’ve got plenty of carriers standing by.

Nor is there any rain in the forecasts. Firefighters are on their own, with no help from nature.

On the brighter side, fires around Napa are sufficiently under control that people with critical needs will be allowed in. It’s not much, but we’re looking for any bright sides we can find.

I’m definitely seeing less automobile traffic with locals staying indoors. Can we hope that the reduction in automotive exhaust will help keep the air quality from rising above its current “Unhealthy”? I’d prefer to avoid the next level, “Very Unhealthy,” much less “Hazardous”. There’s a map here if you want to see what the current conditions are like.

Finally, I have no doubt the religious lunatic fringe is blaming the fires on God, who is, of course, punishing us decadent Californians for our liberal views on human rights. I don’t wish similar disasters on them in return–I don’t wish them on anyone–but I take a certain quiet pleasure in knowing they’ll feel at least one bit of God’s punishment themselves, a jab where it will hurt them the most: the price of sacramental wine is going to spike upward.

Again, small victories.

WQTS 11

Would you believe there’s a WQTS (Who QAed This Shit) story with a happy ending?

I’ll get there. But first, a tale that’s not so much WQTS as WTTWAGI (Who Thought This Was a Good Idea).

I’m calling out the Holiday Inn Express in Sedalia for gross violations of common sense in their handling of technology. And, just to be perfectly clear, I’m not talking about HIE hotels in general. As far as I know, these problems are unique to that particular location.

Let’s start with the hotel Wi-Fi. Finding good Wi-Fi in a hotel is a rare event, one that should be celebrated with parades and (hopefully brief) speeches by elected dignitaries. The Sedalia Holiday Inn Express’ Wi-Fi is not that sort. To be fair, once you get connected, it’s no worse than many other hotels’. It’s just that getting to that point is by far the worst experience I’ve had with, not just hotel wireless, but any public wireless.

Like most such, the SHIE uses a “captive portal” setup: once you connect, a web page launches, allowing you to enter whatever login credentials are needed. Many hotels either ask for your name and room number or a global password which changes periodically. The page is generally simple so it can display cleanly on anything from an old phone to a modern laptop.

SHIE has a huge page filled with text. That’s necessary because it offers three different ways to log in. Three.

There’s the traditional “last name and room number”.

There’s a numeric code. The web page calls it a PIN, but the envelope your room key comes in calls it an “Internet Access Code”. Calling the same thing by different names is just asking for trouble.

And there’s the third method, which requires half-again as much screen space as the other two combined. That’s because it’s only available to Holiday Inn Express Club members, and the portal login page has to explain all of the benefits of club membership, only one of which is the ability to connect to the Wi-Fi in any HIE hotel with your email address*.

* No password, at least not on the login page–I’m not a HIE Club Member, so I didn’t try to go any further–but the text strongly implied that all you need is your email address. Which means that if you know an HIE Club member’s email address, you can get all the free Wi-Fi you want in Sedalia. Assuming you want hotel-quality Wi-Fi. I wouldn’t want to download illegal images on something that slow, but if I wanted to launch a virus, how better than to do it through a hotel using someone else’s email address?

The login methods, all crammed onto the one login page. Any half-way competent user interface developer or QA engineer will tell you that having multiple methods of doing the same thing risks confusing your users. And indeed, while I was checking in, there was a couple at the front desk asking for help connecting their laptop to the wireless*.

* They were looking for where to enter that Internet Access Code. Remember, the page calls it a PIN. At least on a laptop they could see the whole page. Imagine how much zooming and scrolling they would have had to do on a phone before they even arrived at that level of confusion.

For the record, the desk clerk couldn’t help them. She had to call the “technical expert”. I left before I got to overhear that conversation. Must have been a doozy.

And don’t forget, by the way, that the portal was set up so you had to re-enter your login information every time you reconnected to the Wi-Fi. Go to dinner? Re-enter. Lose signal? Re-enter.

But enough about the wireless. Let’s move on to the computers in the so-called “Business Center” in the lobby. The hotel is very proud to have Microsoft Office on the computers. So proud, they put up a sign advertising it. And, to be fair, it’s a big step up from last year, when the only software on those machines was Windows itself. But let’s face it: Office is the least you can expect to find on the computers in anything that calls itself a Business Center.

I was impressed to see that the computers were running Windows 10. I was rather less impressed to see that they needed a password to use. Why bother? It’s not like the hotel was exercising any control over who uses the machines. I asked for the password at the desk–and note, by the way, that there were no signs telling would-be users how to get the password. Amazingly, the clerk knew it. It’s all lower-case, with no digits or punctuation, and it’s one of the first three words anyone of even moderate intelligence would try–and it’s not “password” or “guest”. I don’t know if they’re supposed to confirm that users are staying in the hotel, but if so, she didn’t.

So if you’re not limiting usage, why put passwords on them? If you want to exercise enough control to keep kids from tying them up all day playing games, just have the clerks glance in that direction occasionally. The computers sit in the lobby, no more than ten feet away from the front desk.

And it’s not like the password prevents people from mistreating the machines. I couldn’t use the first one I tried because some prankster had changed the password and locked everyone out of the machine. On the other machine, someone had created his own account, presumably so he wouldn’t have to remember the hotel’s password.

On many public computers, the USB ports are disabled to keep people from installing malware. Well-designed Business Centers have heavy-duty virus protection, but allow you to use the USB ports to transfer your work from your laptop to the computer. SHIE found a different security method: they put the computers under the desk, forcing users to crawl around on the floor to plug in a thumb drive. OK, so it’s not totally effective security, but it’s better than nothing.

The final blow? There’s no printer in the Business Center. Instead, there’s a networked printer hidden somewhere behind the front desk. Can you imagine what your corporate information security team is going to say about you using that printer to run off last-second changes to your presentation about buying the Holiday Inn chain?

sigh

OK, ready for that happy ending? This one really is a WQTS story.

This time last year, I wrote about Project Fi and how pleased I was with it.

I’m still happy with Project Fi, and when I heard about the Project Fi Travel Trolley shortly before my Sedalia trip I was totally charmed.

The Trolley, in case you haven’t already heard about it, is a glorified vending machine set up in several major airports around the US. It’s stocked with small items that might be of use to travelers: USB cables, luggage tags, sleep kits, playing cards, and–the real prize–fuzzy travel socks. Project Fi customers can get a free goody just by tapping their phone against the kiosk. The kiosk and your phone use NFC to validate your Fi account and generate a QR code. The kiosk then scans the code and dispenses the prize you wanted.

That’s the theory. In practice, somebody missed a bug.

Either there’s a hidden problem in the kiosk’s NFC reader, or nobody thought to test the scenario where a customer has more than one account on their phone.

Maggie and I both have two accounts on our phones. When we tried to use the Trolley, instead of getting QR codes, we got an endless series of browser windows opening, each of which informed us that we were logged into the wrong account. Logging into Google with the correct account did no good. Neither did any of several other methods we tried to convince the system we were Project Fi customers.

No fuzzy travel socks for us.

Our trip wasn’t ruined. Somehow we soldiered onward, cold toes notwithstanding. (For the record, temperatures in Sedalia were in the high eighties. Frostbite was not a significant concern.)

The happy ending?

I reported the problem to Project Fi support, who referred me to Swyft, the company that manufactures and supports the Travel Trolley kiosks. Within minutes, I received an apology for the “bad experience,” an assurance that the issue will be investigated, and a promise to send us socks.

Now, it might just have been a bedbug letter. We’ll find out next time I fly through an airport with a Travel Trolley–I fully intend to see if they’ve come up with a fix. One can never have too many sleep masks and earplugs, after all.

But I’ll take a Happy Ending For Now–as long as I really do get my socks.

Listen Up!

I love the Internet’s response to new forms of advertising.

Specifically, I’m talking about Burger King’s recent attempt to hijack TV viewers’ cell phones and Google Home devices.

In case you missed it, BK ran–and is still running–an ad that deliberately uses the “OK Google” activation phrase to trigger any gadget in earshot to start reading the Wikipedia page about their Whopper burger.

The response? The page in question was almost immediately edited to describe the burger as “cancer-causing” and to list cyanide in its ingredients.

Allegedly, a senior BK executive tried to change the page to something more complimentary, only to have his edits removed.

So, yeah, I think that’s the perfect response. Google, who apparently were not warned about the ad in advance, modified their software’s response to ignore the ad. While I’m sure many people appreciate that, it does raise a few questions.

Let’s not forget that most of Google’s billions of dollars come from advertising. Suppose BK had come to Google and said, “Hey, we want to tie a TV ad to your devices. Here’s a stack of money.” Does anyone think Google’s response would have been “Buzz off”? I’m guessing it would have been more along the lines of “How big is the stack?”

And then there’s the privacy aspect. This contretemps should serve as a reminder that “OK Google” does not use any kind of voice recognition to limit requests to the device’s owner. Nor can the phrase be changed. I’ve complained about that before: not only does it lead to multiple devices trying to respond to a single request, but it also makes outright malicious actions simple.

Amazon, Apple, and Microsoft are equally guilty here–Alexa, Siri, and Cortana have fixed, unchangeable triggers too.

And now, perhaps, we’re seeing why none of the manufacturers want to let users personalize their devices’ voice interaction. If we could change the trigger phrase, or limit the device to taking instructions from specific people, then the manufacturers wouldn’t be able to sell broadcast advertising like this.

If the only way you can prevent random strangers from using your phone is to turn off the voice feature, then you don’t own your phone.

Microsoft is making it harder and harder to turn Cortana off. Microsoft is also putting more and more ads in Windows. Do you sense a connection?

How long will it be before you can’t turn Siri and Google off?

And editing Wikipedia pages will only get us so far in defending ourselves.

Google was able to turn off the response to BK’s ad-spam. But they could just as easily have changed the response to read from an internally-hosted page or one housed on BK’s own servers. Either way, Internet users wouldn’t be able to touch it, at least not without opening themselves up to legal liability for hacking.

The most annoying part of this whole debacle is that now I’m craving a hamburger. I won’t be getting one at Burger King, though.

Another Failure Mode

Oh, goody! A whole ‘nother way the Internet of Things is getting security wrong.

Last month, security researcher Charles Henderson wrote about his experience trading in his car.

Briefly, both he and the dealer wiped all of his personal information out of the car–phone book, garage door opener, list of authorized devices. And yet, months later, the car still showed up in the app on his phone.

It’s not that the dealer and the manufacturer were unaware of security. Henderson makes it clear that they took the correct steps. But the focus of the team that designed and built the app and integrated it with the car’s systems was obviously on the “first owner” scenario, and not enough attention was paid to the possibility that someone might want to sell their car.

And it’s not just auto makers who have that problem. Henderson mentions another researcher who purchased a used home automation hub and found that doing a factory reset only wiped the configuration on the device itself; it didn’t touch the cloud-based configuration which included, among other things, the list of devices authorized to control the hub.

Right: even after wiping the device, the original owner would still have had access to every light bulb, every thermostat, and every door lock connected to the hub.

Still feeling cheerful about your Amazon Echo or Google Home giving you voice control over your house? After all, you’re not planning to sell that device, are you? No? Well, what if something goes wrong and you have to send it in for service? Are you certain you’re going to get the same device back? How confident are you that your original device won’t wind up being refurbished and resold?

Let’s face it: this isn’t a new problem, and we should have seen it coming. How many stories have you seen in the newspaper about someone buying a used computer and finding porn on the hard drive? Henderson notes that early smartphones lacked a way to wipe them for resale, and it was only after many well-publicized tales of people buying used phones for nefarious purposes that a wipe command was added.

Nor is there a good solution. Even if every new IoT device was designed with security as the first consideration, there are still millions of gadgets out there that have no security and no way to upgrade them to add it. In many cases, the company that made them isn’t even in business any more.

YARBI

That’s “Yet Another Really Bad Idea”. Arguably the worst one yet.

If you agreed with me that the electronic license plate was a bad idea, wait’ll you get a load of this one.

According to a story in The Atlantic last December, the Air Force is planning to make “a missile for the modern age”. In other words, a missile with a network connection.

The Air Force Scientific Advisory Board will be conducting a study this year on how to make it happen. Not if they should make it happen, but how.

If you don’t see why this is a bad idea, take a look at Eric Schlosser’s recent piece in The New Yorker.

My trepidations have nothing to do with who’s in charge of the military or who’s running the Department of Energy. They’re all about the path technology has taken in recent years. The first step has been to provide the network capability. Then comes the ability for “learning”. Security, if it comes at all, is a distant last.

Do we really want our missiles to talk to each other and the early warning systems and make their own decisions about whether the US is under attack? Look how well that sort of capability has worked out for “smart” thermostats that learn when you change the settings and begin to anticipate your needs. Or smoke detectors. Remember the Nest smoke detectors that all started screaming when one of the set had a false alarm–and none of them could be shut off?

Even if the missiles remain “dumb” and the network connectivity is only used to transmit maintenance and self-test data, how long is it going to be before someone decides that security testing is unnecessary because the devices will only be connected to a private military network, or an even more restricted local-to-the-base network?

Even if we ignore the possibility of an unauthorized connection to the Internet being set up in the name of “convenience”, let’s not forget about all of the research that’s been done by the NSA and other “interested parties” on remotely accessing computers that aren’t networked at all. There’s no such thing as an unreachable computer these days if someone is willing to devote time and money to reaching it.

So someone reaches the missile through that network connection. What can they do? It’s only for maintenance, right? Are you confident that there’s no connection between the monitoring and maintenance hardware and the command and control system? I’m not. What’s the point of monitoring the missile remotely if you can’t test the functionality of the launch system?

I can’t argue against the need to update the technology behind the nuclear arsenal. There’s a limit to how much you can do to interface modern systems with 1970s technology. BART is having increasing difficulty opening new stations and increasing capacity because they can’t hook up modern trains to the ancient computer systems, and I’m sure the Air Force has similar concerns about the Minuteman system.

But updating the off-missile systems does not require updating the missiles themselves. Keep them offline and make damn sure that humans stay in control of the decision loop.

Another Really Bad Idea

Monday’s Chron had a story documenting one of the worst ideas I’ve ever seen.

It’s a profile of a company called Reviver and their “rPlate” product, which, they say “modernizes and reinvents the license plate for the 21st century.”

What’s wrong with the license plate that it needs modernization and reinvention? There seem to be three major problems: renewing your auto registration is expensive and time-consuming, license plates are boring, and they can’t be monetized.

Let’s take those in order, shall we?

The rPlate could potentially store a credit card number and use it to renew the registration “at the push of a button”. Is registration really that much of a problem? How long does it take you? When I get the bill once a year, I pay it online, and when the new sticker shows up, I put it on the plate. I doubt it takes more than fifteen minutes of my time. Yeah, there’s also the time spent on getting the smog check, but automating the renewal process won’t change that.

But let’s say Reviver is correct, and those fifteen minutes are an insupportable burden. Letting the plate pay the bill and update its image of the sticker would, of course, require the plate to have some kind of a network connection via Wi-Fi or cellular. I presume Reviver is sufficiently security-conscious to put that button inside the car, not on the plate where anybody walking through a parking lot could push it. But really, does anyone think their security is good enough to keep your credit card information safe? We’ve already seen cameras, TVs, and light bulbs hijacked and used in DDOS attacks. How optimistic are you that your license plate wouldn’t be misused the same way?

And don’t forget that there would need to be a software update at the DMV to accept those automated registrations and send back the instruction to update the tag. Just what we all need: another avenue for attackers to break into the DMV’s database. Think for a moment about how much information the DMV has on you. It’s not just your vehicles, after all. Organ donor status. Voting registration. Medical information.

Plates are boring. Yeah, they are, but so what? If you don’t like the standard plate, support a worthy cause by getting a special design, or pay a little extra for a personalized plate. But that, in Reviver’s opinion, is so 20th century.

When your car isn’t moving, the rPlate can show “Amber alerts and weather warnings, as well as custom messages from the driver…along with images”. Why not? It’s got that Internet connection, so why not make use of it? I don’t know about you, but when I’m sitting at a red light, I really don’t want the drivers behind me and in the next lane over looking at my license plate; I want them watching the road.

And how much control can, or will, Reviver exercise over those custom messages? “Go [sports team]” is relatively harmless, but what about “Kill [political figure]”? Presumably they’d include a filter for offensive words, but who gets to decide what words are on that list? How many Internet filters block access to gay rights organizations and breast cancer survivors’ groups? And it’s much harder to filter images. I suspect the first hardcore porn pictures will show up within twelve hours of the plates going on sale.

There’s also the chance (somewhere between 99% and 100%) that someone will figure out how to hack the plates via that Internet connection to put their own pictures and messages on tens of thousands of plates. Think those ads people leave on your windshield are annoying? Wait until they start hijacking your license plate to hype their hair and nail salons, DJ performances, and political candidates.

But that Internet connection is really the heart of the whole plan. No matter how bad an idea the automated renewal and message display options may be, they’re not going away, because they’re the excuse to include that designed-in vulnerability. Why? Reviver is quite upfront that they plan to sell advertising.

I’m sure they have the loftiest of intentions to control the content of the ads to avoid offensive content, but even companies with long experience in advertising don’t always get that right.

I’m also sure that the states will appreciate their cut of the ad revenue–and the ability to use that Internet connection to track where your car has been. Who needs license plate cameras and red light cameras when your car will cheerfully offer a time-stamped report of every mile you drive?

And I’m quite sure that we’re not going to get a kickback of any of the ad money–we may even pay an annual subscription fee for the use of the plates (on top of the cost of registration; what was that about saving money?)–for the privilege of being a mobile billboard and being tracked far more precisely than ever before.

Batter Up

Welcome to 2017!

The beginning of the year is completely arbitrary. There’s no relationship to any specific event*, but it is when it is, and we’ll have to make the best of it.

* I’ve long been of the opinion that the year should begin with the Winter Solstice, when the days begin getting longer again. Better yet, set it in mid-February, when pitchers and catchers report for Spring Training. But there’s too much cultural inertia behind the current system to make a change at this point. A shame nobody thought to introduce Pope Gregory to baseball. The 1582 season was a thriller, and might have converted him. As it was, the confusion caused when Italy adopted the new calendar in October, while Greece remained on the old calendar, forced the abandonment of the World Series with Milan and Athens tied at two games apiece. But I digress.

My first post of 2014 covered continuing problems with the Bay Bridge, BART, and the San Francisco Giants. In 2015, I talked about BART and Caltrans again, and added a few thoughts on the NSA, police militarization, the Oakland As, and phablets. Despite the initial gloom and doom, both years had their ups and downs, but turned out relatively well.

I started 2016 with “The Tale of Knuckles Malloy” and we all know the general consensus on last year. I won’t accept sole responsibility for the state of the world, but it’s clear I should begin this year with a rant instead of trying to entertain.

Unfortunately, I really don’t have anything new to say about the problems besetting our transportation infrastructure, super-giant phones, or the increasing number of threats to privacy and security. And the less said about the Giants’ and As’ off-season moves thus far, the better.

How about a generic admonition instead of a rant?

If you’re one of the majority who regards 2016 as the worst year since [insert date here*], don’t just sit back and hope 2017 will be better. That’s not going to work.

* Popular choices include 1969, 1944, and 1930. If that seems rather 20th Centuryist, you might want to consider 410, 1066, or 1348.

Granted, there isn’t much any one person can do about some of the depressing aspects of 2016. But some can be dealt with. Pick one–any one–and do something–anything–about it.

It doesn’t have to be something big. I’ll spare you the usual platitudes about grains of sand and beaches or acorns and oak trees. But you’ll feel better for having made a contribution.