Episode 45: Web development is kind of horrifying

Download: Episode 45.

This week Audrey and I chat about the impact of Spectre and Meltdown, how easy it is to harvest credit card numbers in the browser, and Kodak’s new cryptocurrency. Enjoy!

Show Notes

Community Announcements

Now Broadcasting LIVE most Fridays

We broadcast our episode recordings LIVE on most Fridays at 10am PST. Mark your calendars and visit recompilermag.live to tune-in.

We love hearing from you! Feedback, comments, questions…

We’d love to hear from you, so get in touch!

You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com. You can also leave us an audio comment by calling (503) 489-9083.

Transcript

CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.

Episode 45. This week Audrey and I chat about the impact of Spectre and Meltdown, how easy it is to harvest credit card numbers in the browser, and Kodak’s new cryptocurrency. Enjoy!

So, it’s Friday, January 12, 2018. Audrey and Christie are here live to record episode 45.

AUDREY: Wow.

CHRISTIE: Which I feel is an unlucky number now.

AUDREY: Yes. But for the podcast, we made it here.

CHRISTIE: I know. We’re almost at 50. That’s pretty cool. And yeah, so what’s going on, Audrey? What’s new with you?

AUDREY: Aside from my neighborhood grocery store closing for good tomorrow? That’s not technology newsworthy, but it is extremely newsworthy in my immediate life.

CHRISTIE: Well yeah. We all need groceries, right?

AUDREY: Yes.

CHRISTIE: And you’ve been posting photos of it and it’s been — it’s basically not a functional grocery store at this moment, right?

AUDREY: No. It hasn’t been a functional grocery store since about the 1st. And they were going to close it on the 20th and they moved it up. So, we are, yeah. It’s already a place where you can’t go buy toilet paper. But they’re closing the pharmacy. That’s the other thing. It’s the only pharmacy within easy walking distance to my house. And this time last year, we were having all of those ice storms and things like that. And for me as a person without a car, it makes a huge difference whether I can walk to someplace in 10 minutes or not when we have a storm and that kind of weather.

CHRISTIE: Definitely. And especially with pharmacy and other critical things like toilet paper and perishables and whatnot.

AUDREY: Yeah. There are some things you can’t skip.

CHRISTIE: How long were they still stocking perishables like dairy and vegetables and stuff like that?

AUDREY: You know, it seemed like the produce section still was getting some stuff restocked even into this week. They marked all of the groceries down some time maybe late Wednesday or Thursday morning. So, they did the final clear-out. But the meat sections looked really thin for a while. The milk, it seemed like they were getting some things back in and not most of it. So, the freezers were getting pretty empty. The coolers are getting pretty empty. You could tell what everyone’s favorite kind of cake mix was.

CHRISTIE: Because that’s what they — was that was what being restocked or that’s what was going away?

AUDREY: That’s where the holes were in the shelf. Yeah.

CHRISTIE: Yeah, okay. Yeah.

AUDREY: Yeah, there’s been some stuff like that where it’s just kind of funny to go in and see what’s popular. And fortunately, we do have a produce market across the street from there. So, in terms of fresh vegetables, we won’t be in such bad shape. But it’s that trio of toilet paper, cough syrup, and cereal that just won’t be easily accessible.

CHRISTIE: And pharmacy.

AUDREY: Yeah, and prescription pharmacy, yeah.

CHRISTIE: That’s a bummer. Well, hopefully something will move in there. But it’s probably going to be years, right? Because they’re going to have to redevelop it.

AUDREY: Yeah, we’ll be at least a couple of years with this. And it’s just a major hole in my neighborhood. They already put up the chain link fences. And it’s basically an entire city block in urban Portland that will be inaccessible, completely inaccessible.

CHRISTIE: Does it create a right of way impediment, too?

AUDREY: Not exactly. There’s a couple of shopping places just near there where there is a roadway that goes through. In this case, it just, I don’t know. It’s beyond an eyesore. It’s just sort of a sucking wound. I walk by there constantly.

CHRISTIE: There’s pretty much no way to make a chain link fence look nice.

AUDREY: No.

CHRISTIE: They always look like kind of draconian and yeah.

AUDREY: And there’s a couple of sub-businesses that are getting kicked out of there entirely as a result. The way that the store is structured, there’s a restaurant and a hair salon and a bank inside. But I don’t worry so much about how Chase Bank is doing. But there’s this nice little noodle place that I hope that they got enough support to relocate, because they were using that space, you know? That was their storefront, too.

CHRISTIE: Right. Yeah, and the Fred Meyer near us that we go to all the time isn’t closing, which is very, very well-used. But they closed down one entrance of it, my favorite entrance, and took a bunch of the parking spaces away for this, I don’t know if it’s a ClickList. It’s their e-commerce.

AUDREY: Yeah, yeah, the grocery pickup service.

CHRISTIE: Yeah. And so yeah, definitely I’m feeling changes too and it’s not comparable at all. And then that news about the Sam’s Club stores closing. They closed 60 of them and they said that they’re going to repurpose something like a dozen of them for e-commerce distribution.

AUDREY: Oh, interesting. I missed that.

CHRISTIE: Yeah. So, in a way, we’ve talked before about how much you can get on Amazon and that there’s a convenience factor there and even an accessibility factor there. But then the flip-side of that is no, sometimes you need to be able to walk to a grocery store or to your pharmacy, right?

AUDREY: And I feel like my neighborhood is split between people who can use Postmates more and people who really just can’t afford to.

CHRISTIE: Is Postmates the third-party ‘you order stuff and then someone brings it to you’ thing?

AUDREY: Yeah, yeah. You can, like any store that they’ve got listed you can tell them to bring an arbitrary thing. Whether or not you get that exactly, I don’t know how it works for the toilet paper, cough syrup, et cetera. But at least in theory, that’s how you can do it. And for less urgent stuff, there’s Amazon. And so, just looking around at my block, I think some of us probably already do some of that and would potentially do more. Although I hate what it does to my budget. And then there are people in my neighborhood that I just, I would be really surprised. There’s a lot of senior citizens that don’t necessarily speak English as their first language. And I know that they’ve been as dependent on walking to the store as I have been.

CHRISTIE: Right, yeah. Plus also, getting out of your house and walking to the store, there’s some socialization that happens there, whether you want it to or not.

AUDREY: But there’s a health impact and yeah, it’s kind of a neighborhood meeting space in a weird way. And it is part of how I understood who lives in my neighborhood, really got to know that in a better way, and just the amazing diversity of the neighborhood that I live in.

CHRISTIE: Alright. So, we’ve got some topics this week. And we are going to touch upon some of the ongoing impact of Spectre and Meltdown. And one of them — so we talked about how the mitigation for Meltdown would have significant performance impacts. And those are starting to be felt, kind of across the board, I guess.

AUDREY: Yeah, it’s interesting. People are really starting to evaluate it and see just how much of an impact it has. And like we talked about last week, there’s these tradeoffs that all of the optimizations that everybody had become dependent on were also introducing the possibility of this bug. And so, it requires a significant re-architecture to create processors that can do both. And that’s new engineering for people to explore.

CHRISTIE: And let’s see. This one person benchmarked their iPhone 6 after the iOS 11.2.2 update which addressed the Spectre thing. And they noticed about a 40% reduction in performance. So, slightly different between the single-core and the multi-core score. And that’s kind of significant.

AUDREY: That seems huge, yeah.

CHRISTIE: Now benchmarking is not the same as your everyday experience of the device, right?

AUDREY: No.

CHRISTIE: And it may or may not be a good proxy. But it does tell you something about the change.

AUDREY: And for some applications, it will probably be pretty apparent, you know. Like I’m thinking games with a lot of rendering and a lot of motion.

CHRISTIE: And maybe cryptography-related things. Computationally expensive, I guess. There was one benchmark that had stood out to me.

AUDREY: Well, even just the HTML5 parsing test. It says -46% here on the multi-core benchmark.

CHRISTIE: Oh, yeah. And -56 on the HTML5 DOM.

AUDREY: So, even if it’s just a matter of websites seeming to stutter a little bit more, that can get noticeable.

CHRISTIE: That’s on the single-core performance. Yeah, okay. And then I started seeing people talk about the increase in their AWS bill, which is something we’d also talked about. And this person, let’s see. “The Meltdown patch (presumably) being applied to the underlying AWS EC2 hypervisor on some of our production Kafka brokers. Ranges from 5-20% relative CPU increase. Ooof.” And they have a graph. And then the person tweeting that said, “Now who will end up paying for this? In our shop, this translates into seven figures in our AWS bill.”

AUDREY: That’s just enormous.

CHRISTIE: This particular problem, yes it’s invoked by Meltdown and Spectre but it’s also already part of Cloud computing, right? In that you’re outsourcing all of your infrastructure to be a service that you buy that you don’t have control over the pricing and that you’re not in control of how you benefit from the economies of scale there. It’s all Amazon that gets to benefit.

AUDREY: Sure.

CHRISTIE: And set the pricing.

AUDREY: Yeah. But at the same time, it doesn’t change so rapidly. It’s usually your mistake if you find that your bill changes enormously like that. And I’m not surprised that people feel like they have some amount of control over that. The pricing structure is reasonably stable. You hope that you can measure your usage.

CHRISTIE: Measure and plan your usage and look ahead a couple of quarters, yeah.

AUDREY: Yeah. This definitely caught a lot of people by surprise.

CHRISTIE: Right. And I think it’s really hard to — okay, people don’t have a choice about applying the patch for lots of reasons. So, what’s the choice? To scale back the performance of your services? That’s usually a no-go proposition. No one wants to slow down their services, right?

AUDREY: Yeah. You’d have to find ways to hide it. Slow down as many things as you can afford to without the user noticing or you know what I mean? You’d have to look for ways to shuffle the impact.

CHRISTIE: Which may involve purchasing other services. That’s funny.

AUDREY: Sure. Yeah.

CHRISTIE: People are unearthing more papers where this sort of issue was hinted at or talked about, including one as far back as, what, 1995? I didn’t have a chance to read all the way through that. The strange font was making my eyeballs hurt.

AUDREY: Let me open that again. Oh, that just looks old-school.

CHRISTIE: Yes. And my browser is rendering it very poorly. So, I don’t want to read it.

AUDREY: No, I just mean it looks like some of the math textbooks that I’ve had. Yeah. “The Intel 80x86 Processor Architecture: Pitfalls for Secure Systems.” It has three authors on it. And it says, “Reported implementation errors in some processor versions render them undesirable for secure systems because of potential security and reliability problems.” And it sounds like specifically speculative execution is one of the topics that they covered.

CHRISTIE: And then I thought this — so, I’m still looking for a really good explanation about how exactly it works, that Meltdown and Spectre can be exploited via JavaScript. And I’m still gathering that stuff up. So, I don’t have anything to report on that. But I did notice this Phabricator which is a code review/ticket tracking/software project management tool written in PHP. And they said, “Phabricator is not affected because it’s written in PHP, a great language with excellent security features which protect it against this kind of attack. Among other advanced capabilities, PHP instructions execute too slowly to allow a runtime program to distinguish between L1 cache access and main memory access.” So, unlike with JavaScript where there’s been a lot of focus and attention on optimizing it and therefore making this attack capable, PHP doesn’t have that. And I thought that was funny.

AUDREY: They just hadn’t bothered. That’s good.

CHRISTIE: I didn’t go and try to track down if HipHop, which is the thing that Facebook wrote that compiles PHP down to C or something like that.

AUDREY: Oh, yeah.

CHRISTIE: But, anyway.

AUDREY: You know, there’s one more thing that you had sent me that did talk a little bit more about those JavaScript aspects, breakdown of what Spectre and Meltdown mean for WebKit.

CHRISTIE: Yeah. That was the one I hadn’t had a chance to read through yet.

AUDREY: Oh, okay. Yeah, I also just skimmed it. But it does seem to cover more of these kinds of things about the implementation and why JavaScript is vulnerable in these ways.

CHRISTIE: Yeah. So, we’ll link to that. Have you noticed any slowdown on things you’ve applied the patch for?

AUDREY: No. I don’t think that I’ve been doing anything other than email though. So, probably not going to have a big impact.

CHRISTIE: So, this post on Hacker Noon, which I was very annoyed because I kept trying to login to Medium so I could highlight things and it’s not working. Like I’m logged into Medium but for whatever reason, on the Hacker Noon domain it doesn’t think I’m logged in. I don’t know what’s going on there. “I’m harvesting credit card numbers and passwords from your site. Here’s how.” This was a little flabbergasting to me.

AUDREY: It gets into quite a bit of detail about how these kinds of browser attacks can work in terms of the kind of private data that they can potentially access.

CHRISTIE: And it’s not — this is a little sneaky but it’s also leveraging a convenience we’ve gotten used to in the developer ecosystem. Is that fair to say, do you think? And they admit this thing on a post, so they’re not actually doing this.

AUDREY: Which is good. I think that legally, it wouldn’t be great for that person.

CHRISTIE: Right. So, they say, “In some wise words from Google: If an attacker successfully injects any code at all, it’s pretty much game over,” meaning if they inject any code into the browser space. They say, “Cross-site scripting is too small scale,” and we know how to protect against that. Well, “Chrome Extensions are too locked down.” But then they say, “Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.” And so, npm packages are Node. So, JavaScript packages that you install on your web server to do things, either on the web server itself or in the browser. They can be used for both. And this is interesting to me because JavaScript going in this direction where there was this robust package manager that you can use on server-side and on client-side really changed something about development ecosystem and what people were doing. And I think created a lot more, I don’t know. I don’t know if it created more frontend devs also writing backend code or…

AUDREY: Just sort of intermingled that a lot more than it had been?

CHRISTIE: Yeah. And that community has gotten really big, really fast.

AUDREY: Yeah. I’m realizing that I got out of a lot of frontend work right about as this started to get big. So, it’s not something that I’ve had a lot of personal contact with. But I definitely see friends talking about the work that they’re doing.

CHRISTIE: Definitely. And I also think there’s just a lot of tooling. In the same way that people might have used a Ruby Gem for a static site generator, they’re now using npm for things like that. And yeah, so I think it brought a lot of frontend devs working on backend code and kind of merged the two. Because I think if we correlated the rise of npm with full-stack developer, they’re probably similar. I don’t know. I could be wrong.

AUDREY: As a sort of job requirement.

CHRISTIE: So, they decided that npm would be their distribution method. And they talked about a really simple package that basically colors the console log output.

AUDREY: Something that people would just install for fun without looking at it very closely.

CHRISTIE: Right. For fun, yeah for fun. You know how I am with color-coding. So to me, it’s not just fun. It’s sort of like…

AUDREY: Sure. It might be a little more of an accessibility thing.

CHRISTIE: Right, right. So, just in defense of lots of color-coding there.

AUDREY: Oh, no what I mean is because it does something that people like that you wouldn’t think of it as a stepping stone or a cornerstone of your implementation, right?

CHRISTIE: And also because it’s useful but also kind of trivial.

AUDREY: Right. That’s what I mean. People won’t look as closely at that kind of code, that kind of package. It’s a smart suggestion, yeah.

CHRISTIE: So, in this fictional scenario, then they submit a pull request to a bunch of different existing packages to say, “Hey, I fixed a bug and added some logging and this PR introduces a dependency on this fictional package.” And so, that’s how they get it into the packages. And then people building web apps using these different npm packages now include this colorful logging tool with its credit card stealing code. It goes up the dependency chain.

AUDREY: And that’s a little bit of social engineering, then.

CHRISTIE: Yeah, definitely. So then they say, “Okay. Some objections you might have,” and they say “Well, I would notice network requests going out.” And then they say, “Well, the code doesn’t send anything when the DevTools are open.” So, we’ve made JavaScript so clever and so cleverly integrated with the browser that you can write code that notices when the DevTools are open and does different stuff. And they say, “I call this the Heisenberg Manoeuvre: by trying to observe the behaviour of my code, you change the behaviour of my code.” And then there’s different aspects of this.

AUDREY: And that’s so funny. You might want to write code that when the DevTools are open does something different so that you can observe it. Maybe it’s not so great that it can observe the other direction and react the other direction.

CHRISTIE: Yeah. The last time I was really doing frontend development is when you still had to do that check if you’re doing console logs. I don’t know. Maybe this is still a thing. But I just remember there was something about if you kept console logs in there but it wasn’t open, the JavaScript would error. I don’t know if that’s still a thing. Anyway, I think I skipped a part where the heart of the malicious code is that it looks for blur events on fields that are named like password and username and does some, basically captures the information in those fields and sends it off to another server when the fields are blurred. I think it’s a blur event. And so, then they basically the whole rest of the article is saying how it’s possible to do this with code that is very obfuscated and not obvious. So, one way is that “Oh, well we would notice this code in the GitHub repo for the npm module.” And it turns out, npm doesn’t — you can send code to npm that’s different than what you put in your GitHub source. And there’s minification and obfuscation of the JavaScript to make it even harder.

AUDREY: Sure, yeah.

CHRISTIE: And then, in this case they’re not even using fetch or XMLHttpRequest which are the, if you were searching for that to say “Hey, is this code calling home anywhere?” because what they’re doing is they’re defining a constant which is the word fetch with one letter shifted and then doing some code on that code and then calling the resultant function. So, these are all things that the language attributes of JavaScript allow you to do.

AUDREY: And I think that we have seen, for the last year and change that we’ve been recording on security vulnerabilities, we’ve seen all of these pieces in effect at some point. What’s interesting is just how far you can go when you put it all together.

CHRISTIE: Right. And the permutations you can do to make it — so, the number of things that you would have to look for is just way greater than you could ever look for. It’s another example of how we really have no way of programmatically determining what software is actually doing.

AUDREY: And that’s before we get into machine learning. Oh yeah. Yeah, and did you read this part off yet? “On any page that collects any data that you don’t want me (or my fellow attackers) to have, don’t use npm modules. Or Google Tag Manager, or ad networks, or analytics, or any code that isn’t yours.”

CHRISTIE: Basically. Yeah, they basically say have a sandboxed iframe that you basically more or less hand-code and don’t even minify the JavaScript. Yeah. That’s if you don’t want to move to a cabin in the woods with no internet.

AUDREY: It looked warm. Toasty.

CHRISTIE: It looks like a good option. It does look damp, though.

AUDREY: Yeah. Web development is kind of horrifying.

CHRISTIE: Well, and this connects back with what we were talking about with Spectre and Meltdown, and maybe thinking about it as a merging of two different kind of job categories. It’s gotten just super complicated. And popularity can have drawbacks, right? All the reasons that has made Node and npm really popular also creates a vulnerability.

AUDREY: Oh, you mean like the way that Flash used to be the main thing that we watch out for.

CHRISTIE: Yeah. And as we’re saying this, I’m thinking how many people are going to anger. We’re not equating the two. We’re just sort of talking about patterns.

AUDREY: Sure. No, what I mean is because I use a Mac and even though they’re very popular amongst developers and people who do creative work, most people are still on Windows. Which is fine, because it means that attacks are mostly geared toward Windows. And because I wasn’t using Flash for anything important, I could safely turn it off. Whereas Diana, who’s one of the coauthors of our upcoming mesh networks article, was talking about doing the NoScript approach to web browsing and just how terrible it actually is to turn off JavaScript. And I’m sure that I have turned off JavaScript at some point. But 10 years ago. I can’t imagine doing it now because it’s so clear how many components of web pages actually depend on it.

CHRISTIE: And likewise, I think it’s getting that way for if you’re writing a web app. The idea of not using this whole library of libraries available to you through Node, through npm, who wants to do that? Who wants to make life that much harder on themselves?

AUDREY: Sure, yeah. And when you can build things so much faster, you can get so much functionality in and follow good design patterns, you know? It’s not like people are throwing in crud. They’re taking advantage of collective effort to make better software. It just turns out to have this major hole in it in terms of security.

CHRISTIE: Well, and how many times have we told people, “Don’t roll your own crypto.” DRY. Don’t repeat yourself. Right?

AUDREY: Yeah. And it’s not like those things have changed. Again, it’s just that there is no way given what we’re doing now to protect against all of these things.

CHRISTIE: Okay. So, yeah.

AUDREY: Maybe we could just like mail people’s passwords in paper. Have a very slow paper internet.

CHRISTIE: Okay, so I was almost relieved by this WhatsApp and Signal thing because it was just like, it really wasn’t that big of a deal. And has a really pretty straightforward fix. And it was just, I don’t know. Did you have a sense of relief about it?

AUDREY: No. So, it’s group messaging in WhatsApp and Signal having some things that you can still monitor about it, right? And mostly it just made me think about what groups am I using group messaging with and whether we had anything to worry about. I didn’t go [sighs].

CHRISTIE: Yeah. And so, it’s basically that WhatsApp and Signal both use the Signal messaging protocol and researchers found a situation where in the context of group messaging, someone could be potentially added to a group that wasn’t authorized to be added. And the vulnerabilities between Signal and WhatsApp are slightly different and that with Signal, if someone… basically they just — when the app receives a request to add someone to a group message, it doesn’t verify that — hold on. It doesn’t verify that the person saying “Hey, add this new person” actually is authorized to do so. But it would be hard to exploit the vulnerability for Signal because you would already have to know the group key, which is a long chunk of random characters. So, the most obvious way you could exploit that is if you were a former group member and somehow you knew the group key.

AUDREY: Right, yeah. So, if you’re kicking people out of your groups, maybe start over.

CHRISTIE: Right, until they fix this.

AUDREY: Sure.

CHRISTIE: And then WhatsApp, it says, “Unlike Signal, the WhatsApp server plays a significant role in group management, which means that it determines who is an administrator and thus authorized to send group management messages.” Basically the group management messages in WhatsApp are not end-to-end encrypted. They’re sent to and from WhatsApp server using transport encryption but not the actual Signal protocol. And since they’re not signed, a malicious WhatsApp server can add any user it wants into the group.

AUDREY: This seems like good stuff. Like you said, it’s not the scariest thing that we’re hearing about this week and it’s being observed and discussed and fixed.

CHRISTIE: Yes.

AUDREY: While it’s still a relatively minor kind of issue for people to deal with.

CHRISTIE: Right. And it’s eminently fixable without some big performance degradation. So they say in Signal, just make sure that the group management messages come from a legit member of the group and WhatsApp make sure that the group management messages are signed by the administrator, although there’s an asterisk here on that. I didn’t see. What is it? It says “The challenge here is that since WhatsApp itself determines who the administrators are, this isn’t quite so simple. But at very least you can ensure that someone in the group was responsible for the addition.”
I feel like we need to come up with a rating system for these security issues.

AUDREY: We could just use the incident response scale that we have for code of conduct implementation.

CHRISTIE: I was thinking of something more fun, like number of turds outside the cat box or something.

AUDREY: Oh, I see.

CHRISTIE: That’s too gross.

AUDREY: I guess I object to the idea that it’s a fully linear scale.

CHRISTIE: Yeah. We don’t want to make it too complicated. Not too complicated, not too gross. I guess I’ll have to go back to the drawing board on that one.

AUDREY: We could just do how it makes us feel. And then we have emoji for that.

CHRISTIE: Yeah, so, the thing with emoji is I’m pretty much never sure that I’m using the right one. Because some of them, if you can get whatever app you’re using to caption them, sometimes that gives you a clue. But otherwise, you have to interpret — there’s 400 million smileys.

AUDREY: Yes. They’re a lot.

CHRISTIE: I honestly cannot. Yeah.

AUDREY: Smile. Grin. Big Grin. Open Eyes. Long Eyes. Squinty Eyes.

CHRISTIE: Right. And if you don’t caption them — It’s like embarrassed versus blushing because I like you. Those are a little different. And then like sad because someone passed away versus sad because you didn’t get what you want. I don’t know. Maybe I over think it.

AUDREY: So, we’d make a subset of five of them that are appropriate to judging your security problems.

CHRISTIE: Right. Or like, the emoji where the lips and cheeks are kind of pursed and they’re turning green. That one is very clear to me, like I’m about to barf, I think. I think, anyway.
That’s a good segue into our next topic which is about — so, Kodak has a bitcoin mining appliance?

AUDREY: I guess so. It sure says this on the website.

CHRISTIE: So, CES happened, the Consumer Electronics Show happened this week. It’s that big trade show in Las Vegas where all the companies release their fancy consumer electronics. So, these are things from home appliances. These are things that people buy that are electronics that they bring into their house.

AUDREY: TVs and music systems.

CHRISTIE: TVs, appliances, yeah stereos, bitcoin mining.

AUDREY: Appliances.

CHRISTIE: Appliances.

AUDREY: It really just looks like somebody shrank one of those game towers and put a Kodak logo on it.

CHRISTIE: For some reason it reminds me of the thing in Back to the Future that carried the plutonium. I don’t know. No, wait, wait, wait. I might actually be thinking of the thing from the original Ghostbusters that traps ghosts? I don’t know. I’m confused.

AUDREY: Yes. I agree that this looks like it could trap ghosts.

CHRISTIE: Okay. So, I first saw the Kodak KashMiner. And actually when I first — powerful bitcoin miner. When I first saw a picture of this, I really thought it was photoshopped. I thought someone was making up something that would be at CES. And so, I was just like “I don’t have time for goofing around right now.” And then you mentioned it to me when we were planning the show yesterday. And that’s when I realized, no, that’s a thing.

AUDREY: I kind of had to check where I was reading it, too. Like “Okay, we’re not on The Onion and we’re not on one of those other Onion-like things.” No, as far as I know, this is real. Although perhaps I would have to see it in person to believe.

CHRISTIE: And there’s a reason — we’re kind of talking about the cart before the horse, or the horse for the cart, or something like that. But stepping back, Kodak has launched their own cryptocurrency called KodakCoin. And it says, “KodakCoins will work as tokens inside the new blockchain-powered KodakOne rights management platform.” Waa-waa. “The platform was supposedly…” I like how The Verge is like ‘supposedly’.

AUDREY: Until we see the math.

CHRISTIE: Right. “Create a digital ledger of rights ownership that photographers can use to register and license new and old work.” Okay, so they’re trying to do a DRM implementation in blockchain cryptocurrency, basically. And so they say, “KodakCoins will work as tokens inside the new blockchain-powered KodakOne rights management platform. The platform was supposedly…”

AUDREY: “Both the platform and cryptocurrency are supposed to ‘empower photographers and agencies to take greater control in image rights management’, according to the press release.”

CHRISTIE: Yeah. “The digital currency is meant to create a new economy for photographers to receive payment and sell work on a secure platform.” So, they’re basically trying to solve the problem of photographers don’t make any money from their images anymore with cryptocurrency and blockchain.

AUDREY: It just sounds awful. On so many levels. As a photographer, I can’t actually imagine using this.

CHRISTIE: Where’s the one quote where they say — okay, so this is what they think it’s going to be able to do. “We can get a photo, lock it into our blockchain, then we can sort of assign…” This is the quote, folks, “Sort of assign the IP (intellectual property) to the individual, then we can look through the entire internet and find where that photo is being used, and if it’s not being used correctly, then we can reach out to them with an automated system that says, ‘Hey, you might not have known that you’re using this photo without a license, why don’t you get a license to that?’, and then that money comes back and gets paid back to the photographers, and that whole transaction happens with that KodakCoin cryptocurrency.”

AUDREY: This sounds like the slowest possible thing that you could do.

CHRISTIE: Also for some reason, the entire time I was reading this I couldn’t stop thinking about the monkey photograph on Wikipedia. The whole thing where this photographer was — I can’t remember if it’s an actual monkey, or anyway. This photographer had been working for a long time photographing these monkeys. And he started setting up the camera.

AUDREY: And the monkey took a picture?

CHRISTIE: To remote fire and then at one point the monkey picked up the camera and took the photo. And Wikipedia, MediaWiki, Wikipedia Foundation — I can never remember what the — I always mess it up — decided to use this as a way to push issues of copyright. And people started contesting the photographer owning the copyright and said that the monkey owned the copyright. Anyway.

AUDREY: And Sarah Jeong had some great reporting on that particular case because it was kind of amusing.

CHRISTIE: It was. And I just heard a really good podcast about it too, that tells the whole story. I don’t think that was Wikipedia’s best moment.

AUDREY: So, you’re wondering where the monkey goes in this whole blockchain interaction?

CHRISTIE: A little bit. To me, it’s an example of how it’s kind of complicated. And so, the reason for the appliance is that they have to, I don’t know if seed is the right word, but they have to generate. Cryptocurrency has to be generated. It has to be created. And so, they need to basically get people to generate that currency by basically plugging this thing in and giving it access to the internet. And they’re incentivizing that in this weird way. So basically, you lease the box for two years. You get an upfront payment. And then once you’ve had it plugged in for two years and it’s generated a certain amount, then you send it back.

AUDREY: Right. So, you’re licensing. You’re not even purchasing a cryptocurrency miner.

CHRISTIE: Yeah. And I’m really curious about the contract around this, because obviously this thing is going to need power and access to the internet. And I’m curious how it lays out the terms about who provides that. If power goes up 800%, does that change anything about the terms? Could you be stuck with this box in your office that’s costing you more than it’s paying you, basically?

AUDREY: And not really be able to afford to unplug it. Yeah, I don’t know.

CHRISTIE: Or be in breach of contract if you do? Right?

AUDREY: Yeah. One of the things that I thought was interesting about this is, obviously this is not Kodak’s area of expertise. And there’s this other company called WENN Digital that seems to have done the actual cryptocurrency work. And it looks a little bit like two organizations glued together a thing from their own silos. And the end result I think is part of why this seems just so weird. There’s a company that had been looking for an opportunity to do something like this and Kodak I guess felt it needed to broaden its approach. And so yeah, the things come together and we get KodakCoin.

CHRISTIE: And Kodak’s stock jumped 60%. I don’t know, which to me is just further proof that the stock market doesn’t know what it’s doing. Or is just very, very fickle and arbitrary at times?

AUDREY: Yeah. Well hey, they’re in the news in a positive light. So, must be something. And from a company or branding perspective, I don’t associate Kodak with rights management. I have bought Kodak film. But there’s nothing about it where I think “Oh, they’re an image management platform” for me or, “They’re a rights management platform that I could use.” So, it just seems like such a weird sideways leap.

CHRISTIE: You’re also not a pro photographer.

AUDREY: No. But I’ve used some of the tools that people make use of.

CHRISTIE: Yeah. I’m just curious what’s known in that industry. I have no idea. This did tip me off to something I had missed which are Ethereum-based cryptokitties. Did you know about cryptokitties?

AUDREY: I did know about cryptokitties.

CHRISTIE: How have you not told me about cryptokitties?

AUDREY: Hey, I guess I just didn’t realize it was relevant.

CHRISTIE: “Cryptokitties are generated by code and bred by spending Ether tokens on smart contracts that use two base cats to create a new one. Each resulting cat is unique and persistent, recorded on Ethereum’s public ledger.” I’ll admit that reading those two sentences out loud makes me just want to walk away from all technology whatsoever.

AUDREY: It seems like, I don’t know, one of the best uses you could have for blockchain. Cat generation.

CHRISTIE: Yes. But everything else, it says, “CryptoKitties allowed speculators to make a lot of money if they got in at the right time.” “’A kitty is just another form of a token, like holding another altcoin’ he says, expressing worry that it’s hard to post listings when the network is unstable. ‘I just don’t want to have this much money on CryptoKitties.’” They didn’t create their own cryptocurrency for this. They used Ethereum or Ether. So Ether tokens are on the Ethereum network. And it says, “The game has slowed down the Ethereum network by as much as 11 percent.” And that it’s plagued by network slow-downs. Yeah, okay. Good times. Good job, kitties.

AUDREY: You should definitely link to the cryptokitty article.

CHRISTIE: I will. I will. Oh, I need to put it in our — I have it open here. Let me do that so I don’t forget it.

AUDREY: Maintaining the show notes is very important.

CHRISTIE: It is. Because you think you’re going to remember after the fact, and you know what? At least I don’t. Yeah, so I don’t know if this is — when did Sarah Jeong tweet this? This week? It was this week. So, I don’t know if this is related. She says “Blockchain is an elaborate work-around for a very specific problem: verifying irreversible transfers of value without a centralized authority. In other words, it’s a computationally burdensome way to hate the government.”

AUDREY: That’s a good assessment.

CHRISTIE: Yeah. And it’s part of a whole thread. We’ll link to that.

AUDREY: Yeah, I don’t know. It’s an interesting technological structure. Obviously there are some things that it facilitates, like she’s saying. But in a lot of ways it’s also the same thing as putting the gold bars under your bed. It’s picking something — currency is kind of inherently irrational, I think. I’ve said that before on here. But it’s just picking a different way to have an irrational value of something.

CHRISTIE: And one that sucks up electricity.

AUDREY: Yeah. Yeah, well I [inaudible].

CHRISTIE: I don’t mean to obsess over that.

AUDREY: There’s an environmental impact to gold mining, too.

CHRISTIE: But there isn’t necessarily one to having it under your bed.

AUDREY: Probably not. Do you think it’s good insulation?

CHRISTIE: Gold? I don’t know. I don’t think metal is generally like — not from heat. It might be from — does gold absorb radiation? Lead does.

AUDREY: Right.

CHRISTIE: It’s been a long time since I’ve done my physics. Moving along. Everything’s on the internet, I think is where we’re at.

AUDREY: Okay. Oh wait, we don’t want to talk about the robot strippers?

CHRISTIE: Well, we’re approaching time. Do you want to talk about the robot strippers real quick?

AUDREY: Oh, it’s just a short thing that — one of the CES stories that I’d seen. Everyone went “Oh no, there’s a party with robot strippers and weird exploitation.” Blah, blah, blah. And somebody from a blog called ‘Tits and Sass’ actually went and met the artist that created these and talked to the people at the club where they were being used. And it just turned out to be a way more interesting story than I thought. And a little bit about how art gets funded and where these things come from anyhow.

CHRISTIE: Cool. Is that enough of a teaser and we’ll link to it in the show notes?

AUDREY: I think so, yeah. I think it’s worth linking to.

CHRISTIE: Okay. Cool. So, not everything is as awful as it seems on the surface. Sometimes there’s a good story behind sexy robots, stripper robots at a trade show.

AUDREY: I think the consensus of the article is that they are not sexy. They’re interesting, but they’re not sexy.

CHRISTIE: Yeah. They look kind of like Johnny Five’s cousin. They’re not very human-looking at all. So, that is not your favorite thing on the internet.

AUDREY: No.

CHRISTIE: You have another thing.

AUDREY: I do have another thing. It’s a video.

CHRISTIE: It’s a video. I’m going to open it.

AUDREY: Okay. So, we’ve talked before about Janelle Shane and her fun neural network experiments. I think we read off some of the types of cake that she generated a while ago, on a previous podcast. So, somebody decided to take a similar list of pies, neural network generated pies, and pick a couple of them to cook. And then they made a video about how that went.

CHRISTIE: Now, was this a case where it was just the name of the pies?

AUDREY: Right, right, yeah. It wasn’t a full recipe. They just took the name of the pie and decided to interpret what that could be.

CHRISTIE: Okay. And how did some of this work out?

AUDREY: Well, they were edible. They were both edible even though one of them involved spinach.

CHRISTIE: Well, I’ve had savory spinach pie. That’s pretty good.

AUDREY: This was not a savory spinach pie. Yeah, I don’t know. You really just have to watch the video because it’s fun how they figured out how to make a pie that matched those descriptions. It’s funny why the person who made the video didn’t like the pies. And there’s just something about seeing these custards that get stirred.

CHRISTIE: Oh, god. Yeah, I’m just clicking through and seeing the different stills from the video. It looks like she roped some people into taste testing.

AUDREY: Yeah. I think that it’s an ongoing video series. And these are some of the regular participants. But yeah, I don’t know. I looked at it over my tea this morning and I laughed a lot. And if you enjoy very silly ideas for pies, then maybe you’ll like this.

CHRISTIE: Awesome. Okay. Neural Network Pies. I always feel like I’m cheating when I have tweets. But sometimes, that’s the unit of information I am digesting in a given day. It’s not really any more than a tweet. So Audrey, the link is in the Etherpad. I can also Signal to you. But it says, “Cat that has never been so insulted in all nine of its lives of the day.” And it’s a black cat which makes me smile because it makes me think of Phoebe, who, they’re like — they’re definitely making a stink-eye. And in front of them is a pile of their, presumably their own cat fur.

AUDREY: Arranged into a cat silhouette.

CHRISTIE: Yes. With two…

AUDREY: With googly eyes.

CHRISTIE: With two googly eyes. This also I think gets an award for excellent use of googly eyes.

AUDREY: Yes. Yeah, this is adorable.

CHRISTIE: I’m pretty sure we have some googly eyes right here. I kind of want to reproduce this.

AUDREY: If you do, take pictures.

CHRISTIE: I will. I will. And if any of you listening reproduce it too, tweet at me. Tweet at us. Maybe we can get a whole collection going. That would make me very happy. I’ve been trying to get enough dog hair together too, to do it. Dogs probably are not insulted by such things like cats are.

AUDREY: Your dogs, I don’t think, would be insulted.

CHRISTIE: No, they’re not like serious dogs at all. Okie dokie. I think that’s our show for the week. I guess we’ll talk again next week and see what security vulnerability is out there.

AUDREY: What other computational hell we can explore.

CHRISTIE: Definitely. Alright, thanks everyone for listening and we’ll talk to you again soon. Bye.

And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.

The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.