Biggest Microsoft Security Lapse in Recent History – Skype’s Achilles Heel


Yet again I come to you with a rant, but this time the reason seems to be Microsoft’s huge lapse in basic Skype account security. Probably like most of you, I created my Skype account Many years ago.

About a week ago a message popped up on my phone (where Skype is also installed) saying that my account is now suspended. Surprised, I followed their instructions and filled out the Microsoft support “Un-suspend form”. That only prompted an email 24 hours later requesting an even Bigger un-suspend form for me to fill out.

I of course suspected a potential Skype account compromise from the beginning, but checking the access history in my Microsoft account showed no unusual activity. I switched to using my Microsoft account the moment Microsoft started the migration from Skype accounts to Microsoft accounts.

This ridiculous cycle has now repeated 3 or 4 times at least. I fill out the same Un-suspend form that Skype support emails me, and 24 hours later they email me the same form link again, asking me to fill it out. Worse yet, it is clear that they aren’t even trying to read anything I write, as every time they say “be sure to request a password reset”, which is not at all what I need! I fully know my password and have confirmed that it’s fully secure!

So I took a step back and analyzed things further, and the only logical conclusion is that Microsoft is STILL allowing login to Skype using 10-year-old credentials that existed before Microsoft accounts! Worse yet, even for users that already migrated away from the Skype login, the old Insecure password still works!

I am pretty sure that by now, with so many industry compromises, the old insecure passwords some of us used 10+ years back are “Floating” out there for sale or otherwise. For Microsoft to allow that old login to still be active is borderline Criminal! There are no indications in one’s Skype account that the old Skype credentials stay active, nor Ever any request to update/replace that old password yearly. To confirm my theory I in fact tried to log in with those old insecure credentials, only to see that I do still get through and face the evil “Account Suspended” message!!!

Skype provides no customer service phone number to contact, not even Chat support. Their email/forms to fill out only return after 24 hours or so, and as mentioned, no-one even tries to read what I put on that form. Truth is, there isn’t much for me to fill out in that form. It asks what month and year I opened my account – would any of us remember? It also asks about any financial transactions I made with Skype, which I never did (since other VoIP services were always cheaper and more convenient, working from real phones). It asks for date of birth, which I never submitted to Skype, as even back in the day I registered I was already concerned with online security. It asks for billing address, which they obviously don’t have because again – I never paid for anything. So that form is fully useless, of course, as seems to be their whole customer service. Sadly, Microsoft is probably paying good money for that “offshore support” (responses always come at night), but obviously they don’t have an iota of understanding of how to actually provide it, or even when to escalate to someone who can help.

I will update this post if something develops, but meanwhile – here’s something you should do Right Now. If you registered like me, Many Years Ago, go to and see if there is any way to change/disable any old credentials you may have used before switching to the secure Microsoft account. If there isn’t any way to disable that old insecure login, at least see if you can change that old password to some jumble of letters and digits that won’t be as easy to crack as our 1999 passwords used to be…

UPDATE: I was finally able to restore my Skype access. It is as I suspected: the old Skype account is still active “underneath the Microsoft account”, even if you never use it. Please ensure it has a complex or even “random jumble” style password. Furthermore, it looks like Skype’s own password policy has been greatly improved over the years and my old password was Not Even Nearly secure enough to meet their current policies. However, there was never an alert to change it, not a single email reminding me that the old password is too short or too old. Nor did any notice ever come out when a new device in Africa logged into my account – not a single email on that. So Skype seriously needs to update their security practices, and so should we all.


SteamBurglar Malware – Theft in the Digital Age


My son started screaming a few hours back, scaring us half to death. Apparently he reacted this way to what seemed like a virus infecting his computer, after he ignored all my long-standing advice and clicked on a nasty link from another Steam user sent via chat.

Indeed this malware is very nasty – somehow it manages to bypass all Chrome guards and download + execute right away, without giving any option to avoid it. I immediately submitted the site to Google for blocking in Chrome. Then I proceeded to submit it to Microsoft, since their silly Microsoft Security Essentials continued to insist that no malware/virus was found.

Here’s a link to the analysis: img_012.scr (MD5: 6e7ccceb2685044d443474ce1efc7bbf)

So, the biggest question is What Does It Do? So far I only saw that it communicates with the Steam client, managing to Spam a link to an infected site hosting this malware to ALL of one’s Steam Friends. From reading online, the malware also attempts to steal your Steam account credentials, presumably to steal your Digital Loot, like Game Objects and even complete “Giftable” game copies (if you have any). I couldn’t confirm this as we didn’t see any adverse impacts, but maybe it wasn’t able to fully work. Sadly, since no Antivirus properly detects it yet, it is very hard to tell if it’s fully cleaned. I saw it already submitted to Malwarebytes and they promise to analyze it ASAP – so I recommend you go there first and install that Excellent (and Free) scanner on your PC.

Here are some more recommendations if it happens to you – immediately proceed to Steam Guard (in Steam client Settings) and make sure it’s active. Then double-check that you don’t have any screen saver installed (use Personalize and reset Screen Saver to None). Reboot after this – and then proceed to relaunch Steam and select “De-authorize All Computers” under Steam Guard. I would recommend changing the password also – and another reboot. Disclaimer: This is a new attack so I am not sure this wipes it out. I’ll update this post as I learn more info about this nasty critter.

Since this attack is specifically tailored to Steam, the sandbox PC images that antivirus companies use as honeypots may not be able to fully trigger its attack, as their images would not have the Steam client installed and configured.

To be extra safe, we are also going to reinstall the Steam client – I would recommend that as well, as I was seeing some Steam files being updated after this attack, but it may have just been a coincidence. Since you can have separate Steam libraries, you can even fully reinstall the Steam client without having to re-download the games. Ping me in comments if you need further instructions for this – and Good Luck!


The Zeitgeist Movie Series – My Take


Let me open by saying that these movies are a classic definition of Propaganda. They follow the tried and true model of massaging real facts to their own needs, and using strategic omissions or worse. That said, I have long wondered whether the monetary system is the best way to organize the Planet’s resources at this stage of evolution for our mighty civilization. It is rather clear to me that the human race is much further along thanks to the invention of Money and the evolution of Markets and Banking, but is the Monetary System in its current form truly the best method to propel us onto the next stage of evolution as a species?

For those not familiar with the series, let me start off by focusing on particularly ugly misinformation in the films:

  • The films pile Communism along with Capitalism and others as a Monetary system. That is just a complete fib, and if you don’t believe me, just read the first 2 sentences on Wikipedia definition of Communism. In fact The Venus Project and various others like it are just pure Communism solutions, but of course they stay away from being labeled as such, seeing how Communism got nothing but bad publicity in the past.
  • The Evil “Profit” is really not an aspect of Monetary system, but rather a key element of Capitalism. Meanwhile Evil “Interest” is not inherently there to enslave us, but rather an aspect of Monetary system that ensures that Money is properly allocated and remain “active”, instead of piling up idly “in someone’s mattress”.
  • Artificial Scarcity goes hand in hand with Price Gouging and other well-known Capitalism evils, hence the US and most other Western countries have laws to abolish these practices and prosecute anyone engaging in Collusion or Monopoly. The Free Market is designed by definition to eliminate scarcity and encourage competition, driving price and the Evil Profit down.
  • The current “Glue” of society, that which guides us as humans, is Money. This is how we got our Technology to progress as far as it has. This is the key principle that allowed us to combine “Human Ingenuity” of many people towards the common goal. Without it, we each would be exploring duplicate or disparate ideas and likely progress would be much slower. Furthermore, without it most likely no-one would take the time to fully educate our children generation to pass on the knowledge collected over time. That knowledge and education is what allows us humans to continue and excel – Standing on the Shoulders Of Giants as we often call it.
  • Ecological impact remains 100% relevant even with Money-Free society. There will always be someone who feels it is fine to dump pollution, as long as it is not in our “city limits”. Or another who is fine mining Lithium, even if it may collapse a mountain where 1 million “other” people grow their crops today? How will we resolve such disputes? Weapons?
  • Problems without monetary gain are “not solved” today – an absolute fib, obviously. Society’s richest people are pledging their funds more than ever now, and even large corporations are engaged in philanthropy, more so than ever before. Furthermore, most of humanity’s crippling diseases are being researched on a massive scale, thanks to donations and the large R&D budgets of established Pharmaceuticals. This is exactly where the Monetary system shines, whereas in pure Communism it is unclear whether we could guide so many of our brightest minds toward these important common goals.
  • Planned Obsolescence is presented as a big evil also, while I contend that it is actually a great positive as our society faces accelerated progress forward. With more and more investment into R&D (mostly to stay competitive, another big positive) there are continuous new discoveries that benefit all kinds of products. Another thing one would learn in business school (ahem) is that various brands position themselves for different durability, which is signaled to consumers in price and generally in brand. I will fully agree that we have a big issue with the lack of good recycling techniques. There seems to be a lack of incentive there for our economy, but I am seeing increased interest there as well, as we dispose of more and more useful things.
  • The Israeli Kibbutz is mentioned as a non-violent place, which is true. However, I think it is of greater interest as one of the best incarnations of working communism on the planet now, albeit on a small and isolated scale.

Technological Utopia (what they call “The Venus Project”) was envisioned years ago, and was even the subject of one of the original Star Trek episodes. I still believe that the key issues that approach suffers from remain unresolved, including the all-essential Human Incentive problem, predicting and managing demand/supply, and covering all critical “professions” for sustainability. The presence of Money solves all these via a signaling mechanism, the same one that the movie presents as “evil” and “leading to inequality”.

Similar ideas have been tried and have failed, so far. The latest example, and perhaps the most similar to the series, is the Israeli Kibbutz cooperative. In conclusion, here is an interesting read about how they are faring today.

Although one way to look at money is as debt, the true essence of what we use it for in our economy is signaling. Here is a simple example where a moneyless economy runs into trouble: You have a newly designed holocam coming off the manufacturing line. The first one is due to ship tomorrow, and both a 19-year-old gifted woman and a 70-year-old scientist are interested in it. How do we decide who gets the first one? First come, first served? What if the 70-year-old scientist happens to be the one who found the cure for cancer? What if a 3rd person is interested, one who invented faster-than-light space travel? How do we measure one contribution against another? Today the answer is pretty much Money.


Tivo Disaster – If it Ain’t Broke, Why Fix It?


It is a really basic premise, and I didn’t even invent it. Alas, I have to warn other potential Tivo customers, after giving the company many chances to make things right and a month of monumental efforts (mostly mine). Also, this is Not investment advice regarding Tivo Inc (NASDAQ:TIVO).

We are long time Tivo customers and advocates and have 2 units at home which we enjoyed for many years. Recently, after HDMI output on our newer Tivo HD unit broke, we decided to upgrade to latest Tivo Premiere. We were disappointed to learn of increased monthly fee, but we finally decided that even with Many Great alternatives out there, we prefer the time-tested convenience of a Tivo box. Our new Premiere unit arrived as advertised and I promptly began the monumental effort needed to set it up and transfer data from our existing unit.

The manual transfer of previous recordings that we hadn’t watched yet is a long and tedious process which could have easily been automated in about 1 week of effort for an average developer IMHO. Instead I had to go through 3 screens of prompts for Every Single Show I had on the box. A few days (literally) later, I finally got that out of the way, so I set out to transfer Season Passes. “Luckily” there is a handy Season Pass Manager on, I thought, but this is where the first big disaster hit! After reporting that many season passes cannot be transferred because there are no upcoming airings in the next 2 weeks, even the remaining shows that supposedly should transfer did not arrive on the Tivo Premiere. Instead, I was greeted with countless “corrupt, delete me” entries on the Tivo box.

As I tried to recover from this by transferring only a few shows at a time, the Tivo website went completely nuts. Many reboots, Re-Syncs and support calls later – I was told to stop trying and just manually re-create our 150 passes… Naively I tried that as well, just for a bit, as I quickly discovered that the show Glee (in Tivo’s own Top 5 Most Popular list and one of our favorites) Cannot Be Subscribed To! It simply pops up with a “No Airings In the Next Two Weeks” error. I guess I naively thought that the ability to keep your favorite show subscriptions was Tivo’s big selling point.

Meanwhile we started noticing many other things wrong with our “shiny new” Tivo. For the first week over 30 channels were completely missing their guide. I went through different troubleshooting steps daily with various Tivo techs, to no avail. Finally, I figured it out all by myself, managing to restore that part of the functionality by repeating the guided setup steps.

Still, there were many other issues – the worst among them is the jumping screen and skipping video, especially if recording on the same channel as watching. Well, after some more calls, one of the techs suggested that perhaps we got a bad one and they would be happy to replace our new purchase. Reluctantly I agreed, and another week later we received a Refurbished Tivo Premiere unit (What??!?). Being at a complete dead end with options, I spent Another Week transferring shows and doing CableCard pairing. Well, today I switched out the units and we were able to confirm most of the same issues on this Tivo Premiere as well.

As you can tell, we are still in shock and not sure where to go from here. It is very hard to justify a monthly payment to Tivo when our experience with the unit is so horrid. As an aside, their whole Tivo Stream as a separate Expensive and Intrusive box is just another insult, since the Tivo Premiere already comes with a high speed network connection and records everything digitally.

Back To My Big Question: Why Mess with what Is Not Broken!? We used the Tivo HD and previous Tivo units for years and Never had these issues! This is with the same CableCard and Cable connection, so they really can’t blame Comcast here! In fact, many issues are clearly Software Defects! It also becomes obvious that they lost all their good developers once you try their iPad Tivo client. While showing some promise, it promptly underwhelms you with limited features, constant crashes, disconnects and endless “refresh” loops. Tivo Inc’s appeal over other Cable boxes Always Was their Software! How On Earth would they allow themselves to totally “rewrite” the software for this new box and introduce so Many New Bugs and such a Poor User Experience!!?!?

PS: I have ordered an HDHomeRun Prime now and look forward to posting my experience here.


The ‘final’ Frontier in Java


Although this post came about primarily to help my son learn Java, it still amazes me how many professional developers do not understand this basic premise of Java (the Programming Language) even after working with it for Years. I have yet to find any Java book that opens with a Big Chapter on this very critical topic; instead they mention it in a few hardly intelligible sentences. Meanwhile Java continues to gain momentum as the most popular language, primarily because of how easy it seems to use! Let me be the first to tell you that Yes, it is Easy, provided you fully grasp the concepts outlined below.

Quick primer before diving into Java – most operating systems organize memory for a running program as Heap and Stack. These are just designations for areas of memory allocated to your program, but the way they are utilized differs slightly, as we’ll see below. And if you don’t know what an Object is, for our purposes it’s just a little set of data organized together.

There is a fundamental difference in Java between Object variables and Primitive variables. The latter are those built-in types we all grew to love from most languages, like int, long and float. They are also very high performance, because they are quickly allocated on the Stack and the CPU operates on them via native instructions.

Meanwhile Object variables in Java are just Pointers! Let me demonstrate with this simple example:

    import java.util.ArrayList;

    public class PrimitivesVsObjects {
        public static void main(String[] args) {
            int a = 1;
            int b = a;          // primitive: b receives its own copy of the value
            a = 3;              // changing a afterwards does not touch b
            System.out.println("A: " + a + " B: " + b);

            ArrayList<String> aLst = new ArrayList<>();
            ArrayList<String> bLst = aLst;      // object: bLst points at the very same list as aLst
            aLst.add("I Live in List");         // one list on the Heap, two names for it
            System.out.println(" A List Size: " + aLst.size() +
                               " B List Size: " + bLst.size());
        }
    }

Although the three int statements look conceptually similar to the three ArrayList statements, the output is very different:

A: 3 B: 1
A List Size: 1 B List Size: 1

With Primitives we see that assigning a into b truly made a copy, so that when we later put 3 into a, nothing happened to b. Meanwhile, assigning aLst into bLst acts differently, as modifying aLst makes something magically appear in bLst!

Although our most respected Java Designer Mr. Gosling tried to hide the complexity of pointers away from the average developer, it still shows through sometimes, especially when calling Methods and passing Objects around:

    import java.util.ArrayList;

    public class CallMeMaybe {
        public static void callMeMaybe(ArrayList<String> third, int howOften) {
            howOften = 1;                   // only the method's local copy of the int changes
            third.clear();                  // mutates the shared list object on the Heap
            third.add("+1 800-555-1212");
        }

        public static void main(String[] args) {
            int a = 800;
            ArrayList<String> first = new ArrayList<>();
            ArrayList<String> second = first;   // second points at the same list as first
            first.add("Unlisted Number");

            callMeMaybe(second, a);

            System.out.println("Our List: " + first);
            System.out.println("A: " + a);
        }
    }

And here is the output, hopefully what you expected by now:

Our List: [+1 800-555-1212]
A: 800

What has happened to our Unlisted Number? And if the evil callMeMaybe method was able to eliminate it, why did we not get the essential howOften-to-call information out of that same method?

The basic way to understand the difference is simply to remember the Primitives versus Objects distinction. The more complete explanation is that Objects live in the Heap, while pointers to objects (such as first, second and third in our example) live in the Stack, alongside the Primitives. Each time our program enters a method, new variables (sometimes with copies of values from existing variables) get created on the Stack, and once the method is finished, they are released. But even though our third variable has gone into the great beyond once callMeMaybe finishes (along with the howOften variable), the object it was pointing to lives on in the Heap, and is still available for first to see.

Having understood this, we are finally ready to discuss Java’s ‘final’ keyword.

Simply put, when this keyword is placed on a variable definition, you can only give this variable one value in its lifetime. A more complete explanation of the use of the final keyword can be found on Wikipedia. My personal recommendation is that you avoid using this keyword, except when defining some truly Constant value in all upper case, like so:

public static final int REQUIRED_HOURS_OF_SLEEP_FOR_HEALTHY_HUMAN = 8;

And especially avoid using it when declaring Object referencing variables, since it does Not do what you would expect: final stops the variable from being pointed at a different object, but it does nothing to stop the object it points to from being modified. As a simple example, if we were to define the third variable in the example above as final, it would have no impact on our program’s behavior or output!

While there are a few other cases where final should be used, remember that Optimization is Not one of them.
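To make the last point concrete, here is an added example (not code from the original post): the callMeMaybe method with final on both parameters, which still wipes the caller’s list, beside two ways a caller can actually protect its data, a read-only view and a defensive copy. The class name and the three caller methods are assumed names for this illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added illustration; the class and the share* method names are assumed here.
public class FinalReferenceDemo {

    // Same callee as in the post, now with 'final' on both parameters.
    // 'final' only forbids re-pointing 'third' at another list (and
    // reassigning howOften); the list object on the Heap stays mutable,
    // so clear() and add() succeed exactly as before.
    public static void callMeMaybe(final List<String> third, final int howOften) {
        // third = new ArrayList<>();  // would not compile: final reference
        // howOften = 1;               // would not compile: final primitive
        third.clear();
        third.add("+1 800-555-1212");
    }

    // Unprotected caller: the shared object is rewritten, as in the post,
    // even though 'first' itself is declared final.
    public static List<String> shareDirectly() {
        final ArrayList<String> first = new ArrayList<>();
        first.add("Unlisted Number");
        callMeMaybe(first, 800);
        return first;
    }

    // Protected caller #1: hand the callee a read-only view. Any attempt to
    // mutate it throws, instead of silently rewriting the caller's data.
    public static List<String> shareReadOnlyView() {
        final ArrayList<String> first = new ArrayList<>();
        first.add("Unlisted Number");
        try {
            callMeMaybe(Collections.unmodifiableList(first), 800);
        } catch (UnsupportedOperationException e) {
            // expected: clear() on the read-only view is rejected
        }
        return first;
    }

    // Protected caller #2: hand the callee a defensive copy. The callee may
    // do what it likes to the copy; the caller's original is untouched.
    public static List<String> shareDefensiveCopy() {
        final ArrayList<String> first = new ArrayList<>();
        first.add("Unlisted Number");
        callMeMaybe(new ArrayList<>(first), 800);
        return first;
    }

    public static void main(String[] args) {
        System.out.println("Shared directly: " + shareDirectly());
        System.out.println("Read-only view:  " + shareReadOnlyView());
        System.out.println("Defensive copy:  " + shareDefensiveCopy());
    }
}
```

Only the first caller loses its Unlisted Number; the other two keep it, because the protection comes from what object the callee is handed, not from the final keyword.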

Good Luck!

