Computing woo



Computing woo refers to a range of pseudoscientific practices and urban legends associated with computing, especially computer security.

Technical support
The world of technical support is a magical place. User beliefs include:
 * IT watches everything.
 * IT watches nothing. A weirdly large number of people think it's ok to access porn on their work computers, for instance.
 * Users control their computers and tech support has no responsibility. It's common for tech support and software companies to blame users for how their computers are configured or customised ("The user broke it"), but research shows this is largely the fault of brittle software design (where even the slightest difference from developers' or adminstrators' ideal systems causes disaster) that causes significant problems for businesses.
 * Users do not control their computers, most likely because Russian botnets or IT does. Research has shown users are often excessively paranoid about viruses, hacking, and other attacks on their computers, and will blame innocuous computer behavior on external attacks ("It's running a bit slow, it must have been hacked!"). A 2019 study found that in many cases users and experts were in agreement about causes of common computer problems, but "when users perceived attacks, experts were often likely to disagree".
 * Technicians can understand user requests via telepathy. To be fair, IT often has advanced background information gathering tools and supporting data that is indistinguishable from magic to many users. But often users and IT departments are painfully unable to communicate.
 * Apple Inc. products don't need technical support because they're so easy to use and so reliable.

Programming
Technicians and software developers, many of whom consider themselves rational logical thinkers, are not immune from all kinds of sloppy thinking and superstitions. And among most people there is little conception what's involved in programming, to the point that the moviegoing public can accept the idea that a sufficiently good programmer can write a virus for a completely alien operating system, in a completely alien language, and have it work right the first time.

Heisenbugs
are issues that never seem the same when you attempt to study them. Often it appears that the computer is doing this to spite the programmer or simply following Murphy's Law, but there are sound reasons why sometimes programs work differently in the wild than they do when a programmer is attempting to analyse or debug them: subtle changes in timing caused by software or hardware debuggers, differences between debug and release builds, differences between test systems and the computers onto which the end product is deployed, even changes in the electrical characteristics of hardware when a debugger is attached.

Cargo cult programming
is the style of programming where you do something that worked before without understanding why it worked or indeed any real understanding of programming, software, systems, or technology. In the olden days, people built cathedrals by a variety of informal techniques, including rules of thumb, copying existing buildings, and trial and error (rebuilding if the product fell down), but these days we have civil engineers. Sadly, software is still often developed according to 14th century principles.

"It works on my machine"
Some programmers and IT have a tendency to assume that because code will run on one computer, that if it doesn't run on another one, that the other one is broken. It's usually the opposite. If you have code that runs on your personal computer but not on other machines, it is probably doing something dangerous that should cause segmentation faults or similar, but somehow is being allowed to do it. Alternatively, it may be set up in a way that is peculiar to the settings and file system on your machine.

Internationalization
There are numerous cases where misconceptions about names, time, addresses, maps, gender and more can cause problems. There are many reasons why something which seems reasonable to a white, male, English-speaking programmer near the Greenwich meridian might not work for other people. On the other hand, of course, certain of these supposed "misconceptions" are hard requirements in the context of the software. For example, Icelandic government software may require that Icelandic names are used, as the Icelandic government has that requirement as well, and absolutely reject strings with characters foreign to Icelandic from being used as names.
 * Names. Not everybody has two names, for instance in Indonesia where mononyms are common. Even in western Europe, not everybody has a middle name, while other people have lots. Some names consist of multiple words (Lloyd George, Anne Marie), or start with a lower-case letter (de Witt), or have internal capitals (MacGregor). In many countries family names come before personal names (e.g. Hungary, Japan, China). For the reasons given, sorting names is really hard, and different languages have different alphabetization rules (regarding non-Latin characters, particles like "von" and "de", and which name to sort by). Many names aren't written in the standard Latin alphabet or the official character set of whatever country you're programming in. Some people have two different names (professional and personal, or different names in different languages - even in the UK where some people may use both English and Gaelic forms of their name) or no canonical name. People have commonly-used nicknames. People may be known by a middle name rather than their first name. Some people have really long names but others have single-letter names. Two different people can have exactly the same name. People change names (and this isn't unusual, particularly for women). Parents don't always have the same surname as their children. Any of these is a potential problem with any system that requires you to enter a name in a specific format, which processes names, or which attempts to judge what is a valid name.
 * Gender. These days a binary choice between male and female just won't cut it. And some people even change their gender, which causes problems for systems that were built on the assumption that everybody continues with one of 2 options from birth. It also doesn't pay to make assumptions about sexuality, although this might be limited to crappy dating applications which don't recognise that bisexual people exist.
 * It helps if software can handle multiple time zones, and cases where people move between time zones, as well as daylight saving time (which starts and ends at different dates in different places). Some nations have timezones that aren't a whole number of hours off from GMT (e.g. India). Also leap years and maybe even leap seconds (not important in a diary but more crucial in GPS). And what happens when your program is running when daylight savings time begins or ends? Surely nobody will be using software at 1 in the morning? And tell your grandchildren to remember the Y2K bug in the 2090s.
 * Some organisations such as the US Postal Service attempt to rigidly enforce street address formats. However in other parts of the world there is little standardization, so software which assumes a particular address structure will die horribly. Even in the UK, some houses have only a name not a number or don't have a street (e.g. a farm or other rural property), not all flats (apartments) have numbers (in Scotland elaborate descriptors such as 1F2 for first floor flat 2 can be used), units on industrial estates often have a unit number and a street number, multiple towns have the same name or almost the same name, different sides of the same road have different names, sometimes you get 2 neighbouring villages with the same street, and some addresses have lots of parts or are really long. In other countries where many properties don't have a number or street name it's even worse. And what happens when a new house or postcode district is built?
 * Some people, particularly those born in poorer or war-torn countries, may not know their age or date of birth. This will cause problems if you try to use dates of birth to disambiguate between different people (you have 5 Muhammed Alis all born on Jan 1st?) Not everybody has a social security number or National Insurance number or whatever else you want to use to uniquely identify people; and social security numbers don't map 1:1 with people.
 * Language. Some countries use multiple languages. Conversely, the same language may differ between countries (e.g. UK vs US English), or be written in different ways (multiple rounds of Chinese character simplification in the PRC ignored in Taiwan and elsewhere). Different speakers of the same language have different accents and dialects, which causes problems for speech recognition. The same text translated into a different language is often a different length, a mundane problem that can be a nightmare for programmers and user interface designers. Characters in different languages can be confused for each other and general-purpose international character encoding schemes like Unicode are so complicated that it's pretty much impossible to avoid vulnerabilities, which is a particular problem in URLs where you may end up going to the wrong website and give all your personal information to hackers.

BadBIOS
is firmware malware that was created by Ruiu ... in his head. Individuals like Ruiu are extremely concerned about malicious firmware from hackers and the NSA to the point of literal paranoia.

Origin
According to Ruiu (@dragosr on twitter), BadBIOS is a rootkit that can infect computers without bluetooth, ethernet, or Wi-Fi. Instead it can infect other computers by emitting "ultrasonic sound [...] from the device's loudspeakers". Computers nearby somehow pick up the sound via the speakers and thus get infected. Ruiu suspected his computers were infected with BadBIOS once his computers were acting strange. Ruiu later provided data dumps of his BIOS only to have experts reveal it was normal data. Ruiu then countered stating that the malware probably erased itself whenever he tried to make a data dump. While these claims are not outside the realm of science fiction, Ruiu has not provided a silver bullet, only speculation. Despite this, his reputation seems to be intact somehow.

Years later, Ruiu came to the conclusion that BadBIOS can also contaminate, through some way of knowing...

The subreddit
Yep, /r/badBIOS/ is a subreddit for a malware that probably never existed! Unsurprisingly, it's inhabited by some users who think that one weird thing in a computer means infected malware. These people are generally paranoid, judging by the threads:


 * User thinks hackers infected his ... mp4 file because it got corrupted. OP blatantly states they used a dirty electricity filter to evade hacking. Ironically, his means to evade being hacked is the reason why he thinks he got hacked — having poor connection to an external device can disconnect a device when it's not ready, resulting in corrupted file.
 * A user claims that they're picking up ultrasonic sound ... must be badBIOS! Ultrasonic sound is just high-frequency sound above the human hearing range. There are other (plausible) sources of such frequencies such as bats or some electric appliances, like certain kinds of TV.
 * "Neuroimaging tech will soon be able to decode our thoughts" An example of just how paranoid this subreddit is.

Truth to it
Despite Ruiu's paranoia, there is truth to the madness:


 * Through an "internal NSA catalog", the NSA performs firmware attacks through backdoors thus confirming proof that such attacks do exist. Unlike BadBIOS, these attacks are actually detectable and actually have documentation; however, certain tools in the catalog require tools priced as high as 250,000$USD, something not to be wasted on the average Joe. Despite this discovery, it doesn't confirm Ruiu's brain fart that has no evidence.
 * In the paper Journal of Communication, Michael Hanspach and Michael Goetz showed that BadBIOS is possible but only at 20 bps.
 * It is possible for computers to communicate data via ultrasound. For example, the Cisco Proximity videoconferencing software uses ultrasound to coordinate computers and VTC equipment in conference rooms.

Deep web
Cargo cult paranoid computer security practices are often advocated by naive internet denizens and trolls towards even more naive newcomers. High profile attacks aimed at Tor hidden services as well as large attacks on users such as the FBI's legally dubious network investigation malware has created an association of insecurity and surveillance associated with what is in fact one of the most secure and surveillance-resistant networks ever created.

Prospective explorers often ask if they should put tape over their webcam or use in order to 'safely' explore the dark web. They will fixate on how technological configurations can secure their machines, but are entirely clueless about vectors such as password reuse, identity segregation or how to verify safety of file downloads.

Such common misconceptions stem from limited public understanding of, privacy and practical computer security. As such, there is a massive market for bloggers and YouTube charlatans such as Takedownman to offer off-the-shelf tips which increase the user's feeling of security.

Every day, an intrepid dark web explorer will read that the US Navy funded the initial creation of the Tor network and fancy themselves the next Edward Snowden by disseminating this information.

Hackers and viruses
Due to the low understanding of what hackers do and how viruses and malware works, it has been a relatively accepted trope for someone to claim their account was hacked as a get-out-jail-free card in the event of certain drug-fuelled rants and dramas.

Some computer users will attribute changes to their computer to malevolent forces in a method comparable to astrology when it comes to rationalising changing and intermittent issues.

Of course, in a video gaming context, anyone who is better than you is a hacker.

There is a small number of 'anti-updaters', an anti-vaccination movement-like contingent of people arguing against automatically updating applications due to the misplaced belief that significant numbers of people care to manually review and install all patches. Patches and updates are generally good, except maybe if you're working with the CIA. Yes, there are occasions where an update breaks something that was working before or causes other mischief, but by and large updates are something you want: they fix problems and improve the security of your system.

Cryptography
Depending on who you ask, encryption can be anything from the largest piece of social good modern mathematics has ever produced to a dangerous weapon utilised by terrorists and child abusers in order to evade justice which must be carefully controlled.

In the early days of strong cryptography, the US government attempted to issue export bans, classifying the technology as akin of munitions. While such bans were overturned in 1992, it wasn't until the rise of ubiquitous personal computing that governments would once again characterize mathematics as a dangerous tool.

The 2010s saw an increased call from politicians around the world to common encryption software. From the encrypted-by-default iPhone through to bans on in Brazil and proposed and later withdrawn in the UK, governments around the world remain convinced they can create a secure back door into software to counter criminals; however, it's not like backdoors are only exclusive to government agencies.

Said statements could be considered rhetoric to coerce tech giants deeper into mass surveillance programs, and less charitably as mathematical denialism from senior elected officials.

Monitoring your Internet usage
How much do your teachers, coworkers, employers, or other people really know about what you do online?

"The Internet" is really an inter-network, or a network of networks. Your home Internet, the free WiFi at a coffee shop, your campus or work networks, etc. are all networks that talk to other networks. When you view a website, check your email, or chat with your friends, your computer achieves that by sending traffic from your network to someone else's, and routing it through every network in between.

Anyone with control of the network can try to figure out what kind of traffic you're sending, where it's going, and what's in it. The modern Internet is moving toward by default, which is an attempt to make things more secure. If your browser reports that your connection is "secure" or "insecure", it's talking about HTTPS specifically. It doesn't mean that there's no chance that anyone can intercept what you're doing. By analogy, you're writing letters to a friend, and passing them through the hands of a series of strangers. By agreement, everyone has agreed not to tamper with the contents of the letter. HTTPS lets you seal the letter from (most) prying eyes, but does nothing to hide which friend you're mailing.

It's important to remember that there are good reasons for network administrators to monitor what goes into or out of their networks. If someone downloads and runs malware from an unsafe site, it puts the whole network at risk. If an employee does something illegal with their computers, their employer might be implicated. Few admins should have any kind of interest in spying on individual users, but every good admin has an interest in a safe and healthy network.

Email security
Who can read your email? Whoever provides you with email services, for starters. Microsoft read a blogger's Hotmail inbox in 2012, suspecting a software leak. Ironically, around this same time, Microsoft was running the ad campaign, attacking Gmail for using inbox contents to serve up targeted ads. It also defended its own right to read your mail.

Email alternatives such as Slack might also expose even direct messages to your boss.

Secure email and instant-messaging tools do exist, but no security system is absolute.

Web filtering
Web filtering is a magical solution to all the world's problems. Simply by stopping people (particularly children, but also library patrons) reaching the wrong website you can prevent sexual depravity bringing about the fall of modern civilisation, and prevent terrorism. Companies including Impero, Future Digital, and Securus sell "anti-radicalisation software" which prevents children reading about Islamist terrorism'. According to online security company Akamai, British law requires schools and universities to consider the use of such software. Whether Akamai is an unbiased source of legal advice is for you to judge.

The traditional use of such software is to block access to pornography online, but such filters are pathetically useless. A British newspaper report complained that one filter blocked searches for "sex education" but allowed explicit searches in Spanish; it concluded they provide false security and could be easily circumvented (as anybody who knows anything about children could tell you). More seriously, anti-porn filters may discourage children from talking to their parents and actually promote porn addiction: "Filters can also encourage secrecy, deception and shame – key conditions for nurturing dependency or even potential addiction." Because the naughtiness is half the reason why porn is appealing. There is also the simple solution of getting around a porn filter by getting a friend to let you watch porn at their house.

Web filters also rarely if ever consider the blocking of pornography or jihadism to be their first priority. The majority of their efforts go to the blocking of websites offering alternative proxies and websites offering translation software. The former because it allows people to easily and perhaps even unintentionally bypass these filters and the latter because they often allow for diverse translations of the thing that people want to be censored and thus increase exponentially the work required to censor everything. Even more worrying is that some have them by default, meaning that no matter what you do, you won't be able to access Babelfish.

You'll be glad to know that the best in the business who have a firm place in the international market are currently selling their software to dictatorships that want to avoid their citizens reading about any information that might potentially harm the way the government is perceived by its citizens. On the plus side, since these governments are spending their time with censoring internet traffic and they will never be able to fully do so anyway, this is often accompanied with a more uncensored traditional press and television. However, one might still question why democratic governments support something that is partially marketed to dictators.

CVE misuse
CVE (Common Vulnerabilities and Exposures) is a system developed to create unique identifier codes to facilitate exact communications about vulnerabilities and to enable the synchronization of different vulnerability databases, as well as to evaluate the interoperability of vulnerability database tools and services. While CVEs are an useful tool for their intended purpose, some laymen sometimes confuse it for a some kind of statistic while arguing for their favorite or against their disfavored software. Some security experts have written public postings against that kind of misuse, citing the heavy of the non-statistic.

Password strength and bad mathematics
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Most security tips for password work if you're trying to avoid someone discovering it through brute force, that is, trying every combination of letters and numbers, starting at 000000 all the way to ZZZZZZ. Any system whose password is solely composed of numbers will be incredibly easy to brute force. However, as most systems allow passwords with any combination of alphanumeric characters, plus special characters such as empty spaces, exclamation, interrogation, parenthesis, ampersand and others, brute forcing every possible combination of those is mathematically unfeasible, as each character position has 26 lowercase + 26 uppercase alphabet characters + 10 numeric digits + 30 or more special characters. That means that a 6-character long password has a total of 92 ^ 6, or over 606 billion combinations, while a 7-character long one will have over 55 trillion combinations. Amazing numbers, but the reality is different.

Forcing users to mix upper case, lower case, a number and a special character is good in theory, but users are humans, and humans are terrible at remembering things, especially if they're "nonsense". is, under any measure, a very strong and secure password, but near impossible for any human to remember it without writing it down somewhere, not to mention time consuming to type out. Thus, people will often opt for something if not memorable, at least guessable, such as. Coming up with a password that uses all those things is usually frustrating, trying to remember a dozen different ones is even worse, which leads to one very common problem: password reuse. This is the main reason hackers use passwords from previous leaks first, because the chance of them working on at least one account is high. Once the password is cracked, the attacker will use that same combination of username/email + password everywhere they can think of and, in many cases, will successfully invade.

123456 is still the most common password found in leaks and "password" is often in the top 10. Perusing said lists will show a distinct lack of those enforced mixed characters passwords but, when they do show up, they're almost always "easy to remember" or easy to type, because they're either  or   (keyboard walk), as can be seen in this 2017 list of the top 100k most common passwords, compiled by OWASP. certainly looks secure but, in reality, is not, since a quick glance immediately shows how to type it out. It's easy to remember and quick to type and hackers will expect a number of accounts to use that password or some permutation, such as  or , it's easy for a computer to guess every different permutation. Reuse of these types of password will be high for the simple fact that people will prefer to remember only 1 instead of a dozen, and "guessing" which they used for which site.

While  itself is no longer secure, the principle is still valid and more likely to result in a secure password. Using a passphrase instead of a password, allowing all types of character without forcing the user to mix them all, can result in very secure and easy to remember passwords. Unfortunately, many places have an upper limit on how long your password can be, such as no more than 20 characters, while others won't let you use some special characters common in latin languages, such as cedil, which is great for attackers, since it reduces the number of variables they have to consider when attempting to crack.

Misc

 * Internet — The internet is not a big truck. Nor is it literally a — though that's actually not a terrible analogy. Trump could possibly attempt to 'close up' the internet for the US, crippling its economy, but not for the world.
 * Advertising — You're not the site's 1,000,000th visitor, nor you're going to win a last generation iPhone just by answering some generic questions, and that nice Nigerian royal may not be as honest as his introductory email claimed. Also, advertiser technology has not yet predicted pregnancies, though Facebook probably knows if you're gay.
 * Digital Rights Management — you cannot secure information that must leave via the analogue hole.
 * — An established trope in science fiction, many consumers and technologists are eager to replace their passwords with fingerprints in a delusion that this is somehow a more 'futuristic' mode of authentication. When asked what they will do if their fingerprints are leaked (or worse, fingers cut off) their answer is to simply change their... oh.
 * Tech support scammers - scammers will either phone vulnerable people and ask for money and/or access to their computers, or else will display a spurious pop-up message saying there's an error and asking you to telephone them. This is not how computers work. In either case, the goal is to get you to pay them money for services that are unnecessary or don't exist. Scammers usually claim to be connected with Microsoft, and Microsoft specifically warns against this scam.
 * FBI or CIA warning scams - don't believe it if your computer pops up a message or email saying something like "Hey you, we're the FBI and we know you've been looking at naughty websites! Send us money now!" This is not how the FBI operates, but if you're looking at child pornography or are simply feeling a bit paranoid or clueless, it can entice you to click on a dodgy link and download a nasty virus.
 * Laptops make men sterile - a powerful, overheating laptop directly atop your ballsack may temporarily affect sperm production, but it will not make you permanently sterile, and any effects on your testicles will go away once you turn your laptop off.

Things that are not computing woo
Whilst common computing misconceptions are numerous, often too many serious issues are written off as such including:

Government mass surveillance capabilities
Government capabilities have been revealed by the likes of Edward Snowden, particularly with regards to the NSA in the US and GCHQ in Britain. The US government has incorporated backdoors and vulnerabilities in servers and routers exported from the US overseas, while warning about the danger in products from Chinese tech companies. Multiple backdoors allowing access by government agencies have been found in Cisco networking products, some apparently put in place at the request of the CIA, some allegedly (according to Cisco) without Cisco's knowledge.

However not all these stories are true. There is a lot of paranoia about what Chinese companies ZTE and Huawei might do to hack or monitor western telecoms networks, but little evidence that they have done anything (although there is legitimate concern that their programmers are idiots). In 2018 financial news service Bloomberg ran a series of stories about Chinese companies putting a tiny secret hacking chip on computer mother boards, but these stories rapidly unraveled with no evidence of any specific product that was actually affected.

Backdoors
Insecure backdoors into software and operating systems pose a serious threat. Some politicians, particularly in the UK Conservative Party, have repeatedly called for communications software such as WhatsApp to include a backdoor that allows governments to decrypt and view all communication for purposes of fighting terrorism and other crimes, despite warnings from civil liberties and computer securities experts that this is a very dangerous thing to do. Such schemes risk introducing vulnerabilities due to their complexity, and there is also the danger that an encryption key meant for trusted governments could become available to criminals or foreign states. If a repressive government was able to read all communications it would allow a massive crackdown on dissent and free speech.

The debate is complicated by erroneous claims that software such as WhatsApp already incorporates backdoors (in reality it generally incorporates bugs rather than intentional backdoors).

Financial based cybercrime
For example, online banking fraud, and much more.

Child pornography
The online trade in child pornography, which unfortunately is very real.

Sextortion
based cybercrime, where users are blackmailed based on explicit photographs, which can be obtained by hacking computers to gain control of webcams ; stealing existing photos from computers, secure online file storage sites, or email services; or social engineering (e.g. pretending to be a sexy person of the appropriate sex and getting someone to send nudes or do things on webcam). This has been the subject of myths about surveillance and calls for everybody to tape over their webcams, but the government and other people can't access your camera remotely assuming you follow good computer security practices. You have to actually do something stupid like visit a dodgy website or download questionable software, but sometimes there is reason to cover your webcam.

Passwords
The dangers of password reuse, a mundane but fundamental flaw with password-based computer security. A 2018 report suggested business employees in some sectors could have up to 191 passwords needed for different services, and if they reuse them across multiple services, then if one system is compromised, all the rest with the same password are compromised too. The problem is, people can't remember 191 different passwords.

Darknet
Darknet commercial operations selling a large amount of drugs, a lot of stolen data and a small amount of weapons.

Smart appliances listening in
Your 'smart' TV, Barbie , console smart phone assistant recording your conversations.

Ransomware
, where hackers take control of a computer system and claim they will release it upon receipt of a ransom (often in the form of Bitcoins), is an increasing problem, even for US state governments.

Data privacy
Tech giants selling your data to advertisers

Cyberwarfare and cyber espionage
and see military operations, spycraft, and propaganda carried out online rather than through traditional channels. Russia is a pioneer but other countries are trying hard to catch up. Including:
 * Fake news - not only will have you believing nonsense, but is an established vector for malware delivery.
 * Election hacking
 * Election hacking