The Codebelay Blog (https://www.codebelay.com/blog): Safely Reach New Tech Heights Through Our Startup Insights

Building an OK, Sorta Secure Computer
https://www.codebelay.com/blog/2019/02/05/building-an-ok-sorta-secure-computer/
Tue, 05 Feb 2019 19:09:08 +0000

In my last blog post, I talked about how a seriously compromised supply chain prevents us from ever building a secure computer. This morning I logged into my Instagram account and found that I had 7 followers even though my account was set to private and 2FA. I’m hoping this is a bug, but even so, it just shows that nothing presents as secure.

Let’s assume – and this is a big assumption – that we can build a secure computer because we now have a secure supply chain. So you buy a CPU, a motherboard, a hard drive, some memory, a power supply, input devices like a mouse and keyboard, something to connect to the Internet with, and a bootable USB stick with the OS of choice on it. I won’t go into the specifics of building a computer from these parts, but suffice it to say, you should be asking, “How will I know the OS is secure?” On some level, this is hard to do. Can you imagine reading all those lines of code? Historically, Red Hat Linux 5.2 was insecure. If you installed it with an FTP server running and exposed to the Internets, you would get hacked in days, if not hours. The hacker would just use a buffer overflow attack. For years, SSL, one of the central encryption layers for web browsing, was compromised.

OK, so you boot up your newly built computer with a “secure” OS like Kali Linux or Parrot. You create an account with a super secure, never used before password, and maybe some biometric protection. Never mind that these OSes are complicated to use and not consumer friendly. But you can be sure they won’t expose you to the Internet the way something like Mac OS or iOS will with Bluetooth, or some other services with file, music sharing and Active Directory.

Are we secure? Well, right now the OS might be asking to run an update to make your OS really secure. However, in doing so, you give up your IP address, and thus an 80/20 chance of giving up your location. So before even getting to this point, you will want to proxy all your connections, but then again this begs the question: how can you even trust the proxy? Does chaining proxies you can’t trust equal security?

Let’s assume we trust a company like NordVPN or a network like Tor. We’ll also set up and turn on a firewall. Great, now we can download software updates. We’re not going to use social media though. That will surely give us away, even when we share an alias account with friends and family. When we browse the web we’ll just be using a browser like Brave with ad blocking and with JavaScript turned off, because we all know JavaScript is insecure – except for the JavaScript subset, CAJA. When we search, we’ll hope that Duck Duck Go doesn’t give up our privacy. We will use proxies all the time to keep our privacy. Still, this will leave some sort of fingerprint. If you go to a website like Am I Unique, you can see if your browsing configuration & habits have set you up to be tracked.

Let’s review what we’ve done:

  1. Built a computer with components from a secure supply chain.
  2. Used a USB stick to install a secure OS. Make sure your account is secured by a password and, if your computer has it, some sort of biometric protection. We won’t connect to the Internet yet. Never mind that we haven’t even discussed vetting the security of the USB stick.
  3. Set up a proxy / Tor and firewall.
  4. Update the OS.
  5. Use a secure browser like Brave.
  6. Turn off JavaScript except maybe for CAJA.
  7. Use only Duck Duck Go for searching since they supposedly don’t keep records.
  8. Don’t use social media. Even an alias can betray you.
  9. Check to make sure your web fingerprint isn’t unique.

We haven’t even discussed email yet. And your setup isn’t really secure. All I really need is your fingerprint and password. Anyone remember Dark Knight Rises? In my next piece, I’ll discuss secure email. If you’re not using a PGP key to secure your email, it’s not secure. It’s basically yelling in public. We’ll also discuss adding a VM running off of an encrypted key on a USB stick to really secure your computer.

Basic Security is Not Secure
https://www.codebelay.com/blog/2019/01/30/basic-security-is-not-secure/
Wed, 30 Jan 2019 19:18:15 +0000

Let’s say I wanted to do basic security. I want to be able to defend myself against cyber attacks on my laptop, network, phone as well as any peripherals I might use that connect to any of the devices I use. I want to communicate securely. I want to be untrackable or have privacy. Basic security for the purposes of this post will consist of 3 things:

  1. Malicious code barriers & Cyber Defense
  2. Secure communications
  3. Privacy

Let’s tackle the first one. I have a computer that I just purchased from a store. A salesperson might even suggest buying anti-virus software with a firewall. It’s guaranteed to protect me from everything except a zero day hack. Well, what about this “zero day hack”? Anything on my computer that is listening to the Internet, e.g. notifications, Dropbox, Adobe, GoogleTalk. Ok, we turn these off. Are we still secure? What if the hardware is not secure? In light of recent revelations, we can’t even trust the hardware anymore. We are forced to build our own computer with components we can trust, but this begs the question of finding a trustworthy component. Back in the days of 6502 processors, it could be possible to know all the contents in memory, and to even know the factory that made all the components. With our global economy such an empirical luxury (if it was ever so enjoyed) is no more. We might as well stop here, and think about what it would take to secure the supply chain of computer components. There’s a suggestion for it in the dystopian Draka series of novels by S.M. Stirling. All computers are Read Only Memory (ROM), and produced under close government / military scrutiny. What we can conclude is that even on a basic level, we are not secure.

In my next piece, I’ll look at secure communications on an ok, sorta secure computer.

A Brief History of Instagram Growth Hacking
https://www.codebelay.com/blog/2018/10/24/a-brief-history-of-instagram-growth-hacking/
Wed, 24 Oct 2018 07:30:06 +0000

In Episode 83 of the now defunct Hashtagged Podcast, Jordan Powers interviews Tyson Wheat, who talked about the early days of Instagram. Back then (2011), he says, “You just needed 10 or so likes within 5 minutes to get onto the popular page.”  When I heard this, I realized Instagram was gamed from the beginning. This isn’t saying that without enough hard work, luck and skill you couldn’t use Instagram in 2011 to launch a career. It’s just that already in 2011, you’re competing in the Tour de France with somebody that’s doping, or you’re in a sport where you’re competing with somebody on steroids. Instagram was never fair. The superb photos that ended up on the popular page back then sure had me fooled, though.

The first screenshot I have of Instagram from October of 2011


Hey, spamming likes to gain follows worked back then in 2011


By 2012, you could see that something was wrong in all social photo apps. People were gaming the system.


Hard work and talent were still wonderfully rewarded on Insta back in 2011/2012.

In 2010, Sean Ellis coined the term growth hacking. Andrew Chen goes on at length in this classic article on what it means to be a growth hacker. For me though, growth hacking is finding flaws in the system and exploiting them in ways very similar to how the Russians tipped the 2016 election using hacking. So how did folks take advantage of the growth hacks on the popular page? In a similar way that diggs got monetized (Remember Digg?) the popular page on Instagram got monetized. According to Phil Gonzalez, a consortium of shady Turkish marketers would report a photo that naturally got to the popular page so it would get taken down, and then replace it with a post that got 100s of artificial likes from fake accounts within minutes.

But the popular page really didn’t help that much. I got on it once by posting around 8pm at my silent reading book club back in 2012. A few hundred likes and a score of follows rolled in finally pushing me above 100 followers. I had been stuck at below 100 for a year which is laughable now, but I’d have to say those first 100 followers were all awesome people and really great photographers. Eventually, Instagram would replace the popular page with the explore page, and basically had the algorithm dictate which photos got shown to whom on that page. But crappy photos selling the scam of the week (pills or bitcoin depending on the year) always seemed to find a way there every now and then.

What really helped grow accounts was becoming a suggested user. Instagram could choose anyone and let them be suggested for at least two weeks to years. This meant that when people first signed up, the UI would strongly suggest that they follow the suggested user. You could grow at a rate of 10,000 followers a week as a suggested user.


How’d this dude get suggested on the bottom? His photos are so so.

The second way to grow would be to get a suggested user to follow you. This is where some shady paying for follows came in.

The 3rd way was doing a free for all where you gave photos to people, asked them to do their best edit, and you would choose photos to feature as long as they tagged you in the photo of yours that they posted.

The 4th way, way back in 2012, was botting by using follow and unfollow. Companies like Massplanner, which Instagram has now shut down, would sell these services for around 50 to 100 a month depending on how many followers you wanted. It’s not as shady as fake accounts since all you’re doing is suckering someone by following them, and then unfollowing them. Lots of folks have used this strategy from 2012 to 2016 to grow from 0 to 100,000 in a year. The downside is that your engagement is real low, and now that everybody is clued into it, your account just looks fake. The problem is folks who got suggested user back in the day, or coat-tailed off of them, look just as fake. What’s even worse is that the algorithm for a while gave the advantage to folks that botted. Here’s a chart showing that.


In blue @kingy_kings legit working hard to grow; in orange, @jackson.groves doing follow/unfollow by botting. The algorithm has them neck and neck, but then eventually the algorithm fails and rewards the cheater.

However by 2018, the algorithm would actually take away followers for botting, and it did this by feeding the botters to the botters as you can see in the chart below:


@teresa_ on Instagram is the worst. She’s botting and losing followers. lol

From 2016 to 2018 people would try the following to grow:

  • power likes, getting a like from a large account
  • paid features on huge accounts (1 million real followers or more)
  • DM groups – these really help lots with engagement, but sentiment analysis can reveal who uses fake comments. This is true if you don’t shoot bangers. I’ve seen accounts with 1000s of cake photos, and each cake photo is the best cake photo that someone’s ever seen. The idea behind this is similar to the hack Tyson mentioned above. Get 5 or so comments in 15 minutes to get way more likes than if you didn’t get the comments.
  • contests where you have to follow 20 to 40 people in order to enter
  • contests that offered a free camera if you followed them
  • follower networks where people grow multiple accounts to like and follow each other
  • The Gary Vee 2 cent hack; this got killed when the algorithm detects this and just makes sure the Top Page you see is the same as the Recent Page
  • getting a free feature from a large account
I’d say that the only strategy that works now is the last one, which is just another way of saying “going viral.” Someone prove me wrong here, please.

The result of all this is that:

  1. people take the same photos as everyone else, i.e. InstaRepeat
  2. people take crappier photos than before
  3. people are taught by Instagram to game the system and society

This means Instagram is contributing to the downfall of society.

What should you do if you care about photography? Delete the app. Go back to making zines like I have. If you can’t bear to delete the app, just use it for the DMs.

Where’d the year go?
https://www.codebelay.com/blog/2017/11/08/whered-the-year-go/
Wed, 08 Nov 2017 19:33:47 +0000

There hasn’t been much tech-wise that’s interested me. I’ve gotten better as a coder, and finally built my own data app that helped me find and track people that follow and unfollow using bots on Instagram. It’s closed source, but I just might get to sell it to an adtech company. We’ll see.

I first got paid for coding back in 1993. 24 years of coding, and I’m not a manager. I was for a while in New York and Los Angeles, but in San Francisco where genius IQs are common, I’m just a coder. Now, I don’t have a genius IQ, and don’t take much stock in it, but I test around 125 to 129. My last IQ test I was 129 – 3 points away from Mensa.

Anyway, if you go here you can see what I’ve made public that I’ve worked on.

I’m most proud of my Django-screenshots code, which takes a screenshot based on a URL you’ve given the code.

What’s next? Well, I love coffee. If you’re in San Francisco, I’d love to grab coffee with you.

What happened in the last 12 months?
https://www.codebelay.com/blog/2016/07/27/what-happened-in-the-last-12-months/
Wed, 27 Jul 2016 22:07:20 +0000

I’ve been spending most of my free time working on my photography. You can see some of it at Bracket This, and a ton of it on my Instagram account. Right now though, I’m starting to focus on tech again. I’ve been learning Swift to make an iOS app while working with a really awesome designer, Andi Galpern.

Anyways, expect to see more posts about Swift and mobile app development.

What is Geonymity?
https://www.codebelay.com/blog/2015/06/01/what-is-geonymity/
Tue, 02 Jun 2015 01:03:52 +0000

Geonymity is geo-location based anonymity. Sometimes you want to broadcast your info to everyone like at a bar or a party. Sometimes you want to be low key like at a new airport. Apps with geonymity enabled allow you to automatically determine how much of yourself that you share based on your location.

Switching to Emacs from Vim
https://www.codebelay.com/blog/2015/04/23/switching-to-emacs-from-vim/
Fri, 24 Apr 2015 00:50:25 +0000

I’ve been looking more and more at Clojure and decided to start coding using emacs.

Clojure is the language behind many highly performant and concurrent systems. It was used in BankSimple’s early days.

It’s also used at Akamai, a CDN, which has to serve hundreds of thousands of requests per second, when content rich media is getting “slash-dotted.”

I think my interest in using emacs has to do with how tightly knit Lisp is to it. It also seems highly customizable in a way that’s different from Vim. It’s highly customizable in a more programmatic way.

There’s a great “Getting Started” guide for Clojure, and emacs is recommended as the editor to use if you’re new.

Day 34: I didn’t do my laundry for a month
https://www.codebelay.com/blog/2015/02/26/day-34-i-didnt-do-my-laundry-for-a-month/
Fri, 27 Feb 2015 05:34:44 +0000

And I’m still not doing it. Instead, I’ve gotten into the habit of just hand washing in the morning. I put my clothes into the sink, take a shower, and then dry the clothes and me. 🙂 I don’t have to worry about sucking a huge chunk of my weekend to get clean clothes.

I didn’t think I’d last this long, because part of the process of quickly drying clothes involves using bath towels that started to get really funky by day 14. The solution is to sometimes rinse your clothes just enough that there’s still a bit of detergent. While you get the excess liquid out by wrapping your clothes with a towel and stomping on it, the soap gets onto the towel. Funk issues cured.

I just want to highlight that nylon and polyester blends are key to quickly drying clothes. By quick, I mean 4 to 8 hours air drying.

Also, the polyester blends that have coffee grounds as part of the fabric are very odor resistant. I’ve had my odor resistant hoody for a month and it still smells great.

What if it gets hot? Well, I learned about Ice Fil, which is tech fabric that uses xylitol to cause a cooling, chemical reaction to your body when you sweat. You can be cooled by as much as 5 degrees F. This also has a strong odor resistant property, so after two bicycle rides, I haven’t had to wash my hoody made out of Ice Fil yet.

Day 13: Minimalist Winter Gear
https://www.codebelay.com/blog/2015/02/05/day-13-minimalist-winter-gear/
Fri, 06 Feb 2015 03:37:51 +0000

It’s day 13 of my challenge not to do laundry in washing machines and dryers and just hand wash for a month. So far it’s going great. $20 saved which I’ll use for tacos once I finish this post.

Let’s talk winter gear.

What’s the least you can wear and still stay comfortably warm? I recently went to Tahoe for work, and had this chart to work off of. The idea behind Clo values is that a Clo value of 1 will keep you comfortable at 70 degrees Fahrenheit without having to move. The colder it gets, the higher the clo value.

The chart below shows the recommended clo values for keeping warm and comfy while not moving.

clo    degrees F    degrees C
1      70           21
1.3    66           19
1.6    62           17
2      59           15
2.3    55           13
2.6    52           11
3.2    45            7
3.8    27           -3

I was on the slopes and perfectly comfortable thanks mostly to the North Face Thermoball Full Zip Jacket which has a clo rating of 2.08. This jacket packs down to a small 7″ x 4″ rectangle that you can attach to a carabiner on your backpack.

Also of note is the ExOfficio Trail Crest Flannel that has hollow threads for a high warmth to material ratio, and the ExOfficio Kahve Hoody. Both dry overnight in 8 hours after washing and both are warm enough to be the only layers you’d need while walking around when it’s around 40 degrees.

If you look at the chart below, you’ll see that what’s minimalist is skipping ski pants in favor of a lighter rain pant, and skipping the outer shell. Instead of looking like a Stay Puft marshmallow on the slopes, you look lean and mean.

I was very warm in below freezing weather thanks to the gear below.

Item                       Clo Value
patagonia long johns       0.35
exofficio nomad pants      0.2
LL Bean rain pants         0.28
briefs                     0.04
exofficio flannel          0.3
exofficio kahve hoody      0.37
thermoball inner jacket    2.08
outershell
boots                      0.05
socks                      0.1
gloves                     0.1
scarf                      0.1
hat                        0.1
TOTAL CLO                  4.07

Handwashing Clothes for a month: Day 3
https://www.codebelay.com/blog/2015/01/26/handwashing-clothes-for-a-month-day-3/
Mon, 26 Jan 2015 22:28:56 +0000

When I was traveling through Iceland in November, I tried to travel as light as possible. I did this by handwashing my clothes: long johns, shirts, socks and underwear. If I could go 14 days without having to do laundry while traveling, could I go a whole month without doing laundry? This Saturday, I started in earnest and am on Day 3 of doing no laundry and just handwashing.

Why handwash?

Laundry can be a negative suck on time and energy. By handwashing items that can dry overnight, I am totally saving time. Instead of having that 2 hour block of time devoted to laundry each week, I can instead put my clothes to wash in the sink with soap, take a shower, and then dry me and my clothes.

Here is what I’ll be wearing this month:

Lots of gear from ExOfficio because this gear can hang dry in anywhere from 2 hours to 8 hours. This is perfect for travel.

On top of saving time, I’ll also be saving money. I usually spend about $10 / week doing laundry, so by handwashing, I can save $40 per month.