Increasing the economic cost of WordPress logins to bad client browsers

With the recent attack on WordPress sites it struck me that if all logons were made more expensive in client CPU, and if that CPU burden were used to generate crypto-currency, then normal logon demand would not impact any one legitimate user, whereas a distributed brute-force attack would be slowed and would at the same time financially aid the attacked web sites. This would offset the economic cost to sites that are brute-force attacked.

This is a very different strategy from plugins which mine visitors. A logon is a client-solicited request, whereas a mining plugin that mines visitors is unsolicited use of the client CPU.

Most human users of WordPress sites stay logged on through cookies, so a one-off load (which could be dynamically adjusted to kick in only inversely proportional to the attack rates) would not be noticed. An attacking client, though, would suddenly find WordPress logons becoming ever more expensive in client-side CPU. The greater the attack rate, the more crypto-currency is mined for the benefit of the attacked web site.

This would not create a new opportunity for attackers as any attacker that has control of client machines would just mine crypto currency locally on the machine without all the hassle of attacking other machines.
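As an added example (not code from the original post), the Python below implements the adaptive client-side cost as a hashcash-style proof-of-work challenge rather than crypto-currency mining: the server tracks recent failed logons site-wide and raises the number of leading zero bits a client must find before a logon is processed. The class and function names, the difficulty schedule and all parameters are my own assumptions.

```python
import hashlib
import os
import time
from collections import deque

# Added example, not from the original post: a hashcash-style proof-of-work
# gate on logon, standing in for the post's crypto-currency mining idea. The
# client must find a nonce whose SHA-256 over the server challenge has `bits`
# leading zero bits; the server raises `bits` as the recent failure rate grows.


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def pow_digest(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


class LoginGate:
    """Issues and verifies logon challenges; difficulty follows the failure rate."""

    def __init__(self, base_bits=8, max_bits=20, window=60.0, failures_per_step=20):
        self.base_bits = base_bits            # cost on a quiet site
        self.max_bits = max_bits              # cap so legitimate users still get in
        self.window = window                  # seconds of failure history to count
        self.failures_per_step = failures_per_step
        self.failures = deque()               # timestamps of recent failed logons
        self.pending = {}                     # challenge -> bits it was issued at

    def _prune(self, now):
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()

    def record_failure(self, now=None):
        self.failures.append(time.time() if now is None else now)

    def difficulty(self, now=None) -> int:
        now = time.time() if now is None else now
        self._prune(now)
        extra = len(self.failures) // self.failures_per_step
        return min(self.max_bits, self.base_bits + extra)

    def issue(self, now=None) -> dict:
        """Hand the client a fresh challenge at the current difficulty."""
        challenge = os.urandom(16).hex()
        bits = self.difficulty(now)
        self.pending[challenge] = bits        # single-use: removed on verify
        return {"challenge": challenge, "bits": bits}

    def verify(self, challenge: str, nonce: int) -> bool:
        """Accept a solution once; unknown or already-used challenges fail."""
        bits = self.pending.pop(challenge, None)
        if bits is None:
            return False
        return leading_zero_bits(pow_digest(challenge, nonce)) >= bits


def solve(challenge: str, bits: int) -> int:
    """Client side: search for a nonce meeting the difficulty (~2**bits hashes)."""
    nonce = 0
    while leading_zero_bits(pow_digest(challenge, nonce)) < bits:
        nonce += 1
    return nonce


if __name__ == "__main__":
    gate = LoginGate()
    ch = gate.issue()
    n = solve(ch["challenge"], ch["bits"])
    print(ch["bits"], n, gate.verify(ch["challenge"], n))
```

The difficulty only rises with the site-wide failure rate, so a legitimate user on a quiet site pays the base cost once per logon, while a distributed brute-force run pushes the cost up for every attempt; the challenge is stored server-side and consumed on verification so that a solved nonce cannot be replayed. Such a gate complements, rather than replaces, the usual rate limiting and lockout.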

Using DNS TXT records to effect EU/UK cookie law

It struck me that the most logical way of expressing what policy you have for a web site for the use of cookies or personal data is to detail this policy within the DNS records that a person (or their device) must look up BEFORE they hit your site. A bit like how SPF records detail email delivery policy for your systems and recipients can use this (or ignore it) when they look at emails that are claimed to be from your domains.

The suggestions of using web page forms or pinch pages or similar require both the site operator and the site user to do things for no logical or practical gain to either party.

So how would this work? You would add a TXT record that has an expiry and that, for each CNAME or A record (or as a default), lists either a URI to a privacy policy which would include details on cookie use, and/or a set of flags on cookie use (the URL of the policy is a bit like the CRL within SSL).

The user, before they visit the web site, thus has the opportunity to examine the privacy and cookie-use policy without actually visiting the web site.
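As an added example, not from the original post, here is a Python parser for one possible encoding of such a record. The post defines no syntax, so the token format below (an SPF-like version tag, an expiry date, a default entry and per-host entries carrying either a policy URI or cookie-use flags) is my own assumption, as are all names in the code; the sample TXT string is constructed rather than looked up. Because a plain DNS answer is unauthenticated unless DNSSEC is in use, the parser only accepts https policy URIs on hosts within the zone being queried.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Added example, not from the original post. The post names no syntax, so this
# whitespace-separated key=value layout is my own assumption, loosely modelled
# on SPF:
#   v=cookiepol1 exp=YYYY-MM-DD default=url:<https uri> default=flags:a,b
#   h.<hostname>=url:<https uri> h.<hostname>=flags:a,b
# Repeated tokens for the same host merge; unknown keys are ignored so the
# format can grow without breaking older clients.

KNOWN_FLAGS = {"essential", "analytics", "advertising", "thirdparty"}


@dataclass
class CookiePolicy:
    url: Optional[str] = None
    flags: Set[str] = field(default_factory=set)


@dataclass
class CookiePolicyRecord:
    expires: date
    default: CookiePolicy
    hosts: Dict[str, CookiePolicy]

    def is_expired(self, today: date) -> bool:
        return today > self.expires

    def policy_for(self, hostname: str) -> CookiePolicy:
        """Host-specific entry if present, otherwise the zone default."""
        return self.hosts.get(hostname.lower().rstrip("."), self.default)


def _in_zone(host: Optional[str], zone: str) -> bool:
    return host is not None and (host == zone or host.endswith("." + zone))


def _apply(policy: CookiePolicy, spec: str, zone: str) -> None:
    kind, _, value = spec.partition(":")
    if kind == "url":
        parts = urlsplit(value)
        # A plain DNS answer is unauthenticated (absent DNSSEC), so do not let
        # the record steer users to an arbitrary or cleartext location.
        if parts.scheme != "https" or not _in_zone(parts.hostname, zone):
            raise ValueError(f"rejected policy url {value!r}")
        policy.url = value
    elif kind == "flags":
        flags = {f for f in value.split(",") if f}
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown cookie flags {sorted(unknown)}")
        policy.flags |= flags
    else:
        raise ValueError(f"unknown policy field {spec!r}")


def parse_cookie_policy(txt: str, zone: str) -> CookiePolicyRecord:
    """Parse the (already concatenated) TXT record published for `zone`."""
    tokens = txt.split()
    if not tokens or tokens[0] != "v=cookiepol1":
        raise ValueError("not a cookiepol1 record")
    expires: Optional[date] = None
    default = CookiePolicy()
    hosts: Dict[str, CookiePolicy] = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token {tok!r}")
        if key == "exp":
            expires = date.fromisoformat(value)
        elif key == "default":
            _apply(default, value, zone)
        elif key.startswith("h."):
            host = key[2:].lower().rstrip(".")
            if not _in_zone(host, zone):
                raise ValueError(f"host {host!r} is outside {zone!r}")
            _apply(hosts.setdefault(host, CookiePolicy()), value, zone)
        # any other key is ignored on purpose
    if expires is None:
        raise ValueError("missing exp=")
    return CookiePolicyRecord(expires, default, hosts)


# Constructed sample, standing in for the answer to a TXT lookup on example.com.
SAMPLE_TXT = (
    "v=cookiepol1 exp=2013-12-31 "
    "default=url:https://example.com/privacy default=flags:analytics,thirdparty "
    "h.shop.example.com=flags:essential "
    "h.shop.example.com=url:https://example.com/shop-privacy"
)

if __name__ == "__main__":
    record = parse_cookie_policy(SAMPLE_TXT, "example.com")
    print(record.policy_for("www.example.com"), record.is_expired(date.today()))
```

A client would look up the TXT record for the zone, parse it as above, check the expiry against today's date and then show the user the policy URI or flags for the specific host before any request is made to it.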

Actually we know anonymous web site users won’t give two flying ducks about what cookies our web sites use given they probably already use anything from ad blocking software to browsers within virtual machines, but for some bizarre reason the UK Information Commissioner’s Office (ICO) has managed to gold-plate an equally bizarre EU cookie directive. Yes the ICO is the same group that gets everyone who handles personal data from babysitters through to government departments to pay either Tier 1 of £35 or Tier 2 of £500 (if you have 250 or more employees and £25.9 million revenues – yes logic isn’t their strong point) but the ICO doesn’t have an online payments system nor can it take credit/debit cards so you end up having to print out the forms you just filled in online and send those with your cheque, or you can use a direct debit from your bank account, only they can’t actually do direct debits if you had to pay a Tier 2 £500 fee. In sharp contrast the Companies House that is the regulator and registrar for companies does everything online and you can renew your annual company registration for the grand sum of £14 online as well.

Print it : Read it : Use it : Flush it.

I saw that someone had created an old style ticker-tape printer for Twitter feeds. I remember the days of 50 baud TELEX systems so there is a nostalgia here but I also remember being electrocuted on frames a few too many times with the +/- 80 VDC signalling that TELEX used from the exchange. That hurt.

A long while ago I thought of printing Wikipedia onto Toilet paper. The ever-changing, ever-growing nature of Wikipedia meant that you would never run out of material. Copyright was simple. Content filtering would be a lot harder. Then I imagined what would happen if someone found their favourite leader, person or icon was pre-printed onto toilet paper and back-burnered this idea.

Perhaps a printer could be made so that you could print your own toilet paper at home from your own Wikipedia data, Twitter feeds or even RSS feeds. No need to censor as it is your home, and it obviously needs no ideas from me for you to think what to print if you’ve spent even a few minutes in the more radical political arenas of the Internet. The more inappropriate and bizarre the political sentiment, the more deserving it is to be printed onto this paper.

Maybe it could be done centrally, and you order, say, a dozen rolls of political quotes from 1992-2012. Now that is adding value to a commodity!

Anyway, just an idea…

UPDATE: It appears that someone else has the same idea – http://www.getshitter.com/ – for printing the toilet paper centrally from your Twitter feeds, so I guess the technology to print on demand, rather than a pre-set pattern, must exist in the toilet paper world.

They launched on the 28th March, so 4 days after my post here on the Twitter feeds, but I see their domain name WHOIS dates from a month ago, so they’re ahead and it’s a real product, so great work whoever you are!

Observations on eBook usability

One interesting, if emotional, event happened recently that helped me understand the advantages and usability disadvantages of eBooks with the terminally ill; these are my observations.

One of my clients was admitted into a hospital and then later moved to a hospice (they have since died). They had become very attached to their Amazon Kindle prior to their illness, as it allowed them to read a large array of books without carrying around kilos of paper. When hospitalised this was certainly an advantage, as they were bedridden for around 3 months until they died.

They had purchased the Kindle mid last year, so I unwittingly ended up looking at a lot of usability issues of this device for older people right through to the day they died, albeit with just this one example.

Other than the charging issues which I had blogged about here, the device worked well up until the client started to lose manual dexterity towards the last week of life and visual acuity around 36 hours before death. Given that all the eBook readers I have seen at the electronic stores have similar delicate and flush controls, there is no clear solution here other than someone bringing out a more rugged device with a chunkier (think Steampunk or Industrial-Military) design, and no one has done that yet.

The floors at hospitals are always smooth and hard, so there is never the chance of a safe landing if the device is dropped. You must put the device in a hard case. The device also risks being crushed or similar by either the patient or the nurses moving the patient, so a hard cover that is visible is necessary. The client had commented on the case I got that “Pity it was dark”; again this is an issue of visual acuity in finding the device on the bedside or bed covers. Modern beige, greys or black are not the best – it needs to be bright and eye-catching – maybe just retro-fit sticky fluorescent safety tape to the case?

The device case or cover can’t be smooth plastics and slip out of fingers or slide off surfaces so a high-friction surface is needed but equally the device case or cover will get food on it so it must be a wipe-clean surface.

The electronic ink has good contrast, and the ability to scale fonts is certainly essential to help readability (I understand pretty well all eBook readers do this), though towards the very end you will find that the client (patient) may significantly lose vision and cannot read at all. I don’t think there is much that technology can do to overcome this, but it would be a helpful feature if you could get a reading summary or statistics page that detailed what was read, e.g. as pages/words per session. I had to make a guess based on what the screen was showing and what the completion percentages of the books being read were, based on the completion bars, but I was only guessing. Even a basic statistics screen to allow per-session and/or per-day page-flip counts would be extremely useful objective feedback to help provide an early warning of changes in the client’s (patient’s) mental or physical wellbeing.

Other ideas I had were that it would be nice if the reading spot light in the hospital room could come on automatically when the eBook was turned on (I was thinking of an infrared remote, which could be after-market in the retro-fitted case, and uniquely key-coded lights a bit like X10; IR shouldn’t interfere with medical devices). I thought this because the client had to fish around for the light controls, get those right and then find the eBook. I believe that technology should anticipate what you want to do: if you pick up the eBook then you want to read, so you want the reading lights on.

When the patient wanted a new book it was hard to work out what they wanted and how to get it to the device. If the online web site could also offer printed book listings with codes (including QR codes), you could print out a cheat-sheet of new and related books for your client and give that to them to choose from. They can then decide, and you can then buy and download via, for example, your mobile phone. Not all hospitals have WiFi built into rooms, but cell phones usually work somewhere (though they like you to turn them off in places, you’ll get service in public areas); if the eBook were tethered to the cell phone (even via a USB or Bluetooth bridge) then this could be a way of synchronising the eBook with new material. The Kindle Whispernet is a good idea and worked well even on GPRS, but navigation is naturally hard for the patient, and Whispernet is only Amazon’s, not eBooks in general. Just ideas for now.

Idea: using sound to detect engine problems.

I found a problem with splits in the rubber coupler that connects the carburettor to the intake manifold of an Aprilia Leonardo 125 ST (year 2001), and it struck me that, given the sound of the problem, an expert system could have identified it more quickly and quite automatically.

I’d initially thought it was the valve gap, but having checked that I still had a problem whereby the acceleration and top speed seemed fine but it sounded a bit throaty, with backfiring at low revs, and it would stall when parked at idle (especially hot idle).

I was also fixing the starter motor at this time and that’s located under and near the carburettor and I’d wiggled the carburettor and noticed the coupler seemed to be twisting. I then ran the engine and forced the carburettor in so that any gaps in the rubber coupler would be closed and it started to idle fine – moved the carburettor back (thus opening the splits) and the engine stalled.

So that was my fault solved – bought a new coupler, installed and all my problems gone.

Now an experienced mechanic could probably recognise this sound and point to the problem, but there is a fundamental problem with that approach in that it takes time for a mechanic to become an expert; as vehicles get rarer this knowledge disappears, and certainly when the mechanic dies this knowledge is lost forever.

A library of the sounds of failing machinery, coupled with the expert interpretation and the actual real-world solution, in some central database would provide an interesting corpus against which a user-provided sound sample could be analysed, and the possible problem and solution offered. Imagine holding your phone up to your car or bike engine or other mechanical device and then sending the photo and sound sample to some central server, which then breaks it down, e.g. using an FFT to get a spectrum and a time series, and then sees what matches the library of samples.

It shouldn’t be as hard as speech recognition, but it should be a similar workflow in the computations.
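As an added example (not code from the original post, and using constructed synthetic signals rather than real engine recordings), the Python below walks the workflow described above: a radix-2 FFT turns a sample into a spectrum, the spectrum is collapsed into a level-independent fingerprint, and the fingerprint is matched by cosine similarity against a small library of labelled reference sounds. All names, the band layout and the synthetic "engine" signals are my own assumptions.

```python
import cmath
import math
import random

# Added example, not from the original post: a toy version of the workflow it
# sketches (sound -> FFT -> spectrum -> compare with a library of labelled
# sounds). The "engine sounds" below are constructed synthetic signals.

SAMPLE_RATE = 8000   # Hz, assumed phone-quality capture
N = 1024             # samples per analysis frame (power of two for the FFT)


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def magnitude_spectrum(samples):
    """One-sided magnitude spectrum after a Hann window (reduces leakage)."""
    n = len(samples)
    windowed = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, s in enumerate(samples)]
    return [abs(c) for c in fft(windowed)[: n // 2]]


def fingerprint(samples, bands=64):
    """Collapse the spectrum into `bands` log-energy bins (62.5 Hz each here),
    then remove the mean and L2-normalise so that recording level (phone held
    closer or further away) does not affect the match."""
    spec = magnitude_spectrum(samples)
    per = len(spec) // bands
    energy = [math.log1p(sum(spec[i * per:(i + 1) * per])) for i in range(bands)]
    mean = sum(energy) / bands
    shape = [e - mean for e in energy]
    norm = math.sqrt(sum(s * s for s in shape)) or 1.0
    return [s / norm for s in shape]


def cosine(a, b):
    return sum(x * y for x, y in zip(a, b))


def best_match(samples, library):
    """Return (name, score, diagnosis) for the library entry closest to the sample."""
    fp = fingerprint(samples)
    name, (ref, diagnosis) = max(library.items(), key=lambda kv: cosine(fp, kv[1][0]))
    return name, cosine(fp, ref), diagnosis


def synth(kind, seed=0, gain=1.0):
    """Constructed stand-ins for engine sounds (NOT real recordings): a 50 Hz
    firing fundamental with harmonics; the 'split_coupler' variant adds a
    sub-harmonic, an extra harmonic and more broadband noise for the rough idle."""
    rng = random.Random(seed)
    out = []
    for i in range(N):
        t = i / SAMPLE_RATE
        s = math.sin(2 * math.pi * 50 * t) + 0.3 * math.sin(2 * math.pi * 100 * t)
        if kind == "split_coupler":
            s += 0.5 * math.sin(2 * math.pi * 25 * t) + 0.8 * math.sin(2 * math.pi * 150 * t)
            s += 0.2 * rng.gauss(0, 1)
        else:
            s += 0.1 * math.sin(2 * math.pi * 200 * t) + 0.05 * rng.gauss(0, 1)
        out.append(gain * s)
    return out


# The library pairs each reference fingerprint with the expert's diagnosis.
LIBRARY = {
    "healthy_idle": (fingerprint(synth("healthy", seed=1)), "no fault"),
    "split_coupler": (fingerprint(synth("split_coupler", seed=1)),
                      "split carburettor-to-manifold coupler: replace the coupler"),
}

if __name__ == "__main__":
    print(best_match(synth("split_coupler", seed=7, gain=0.5), LIBRARY))
```

The fingerprint is the spectral shape rather than the raw spectrum, which is what lets a quieter or louder recording of the same fault still match; a real service would average several frames over time and hold many more reference sounds per fault, but the FFT-then-compare structure is the same.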

This would not remove the need for the mechanic – someone still will have to source the part, replace it and potentially tune it and this would still be hard and messy. Such a system would allow a skilled mechanic who can remove and replace parts fast to work on engines that they normally would not have much experience with because they would have the problem already diagnosed by others.

This is also congruent with the Open Source community, if the software were open source, in that non-mechanics such as me who like to work on our own vehicles could sample and upload the sounds and the solution and so, in the same Creative Commons way, build up the expert system so that everyone can benefit.