I get up to a lot of trouble and have more hobbies than time & storage space. One I'm most proud of is being a part of founding We Love DC.

Klockit

1 Comment

This is a follow-up to Kevin’s post on Recomendo regarding using DST adjusting wall clocks. If you have old clocks with mechanical, electrical, or non-functional movements that either don’t work or that you are tired of correcting for daylight savings time, Klockit.com has a variety of quartz replacement movements for almost any size set of clock hands. These are fairly reasonable cost, quartz crystal based movements with a WWVB receiver that adjusts for DST.

They also have a variety of other clock products from movements, clock hands, plans, to complete kits. I’ve bought their movements to replace old mechanical movements that were irreparable including one with a faux pendulum so that the pendulum swings but the clock still keeps quartz-based time.

-- Marc Goldfarb

Quartex Atomic Clock Movement ($9)

donw
1808 days ago
This seems dumb till you own a decorative clock that you like which is forever needing adjustment. I drilled a hole in the back plate of the one in our living room because undoing the three thumbscrews to get to the time adjuster every week was making me nuts. I think I'll get this and update the clock once and for all.
Arlington, VA

Links #357

1 Comment

Luke is in the desert and whining.  –  Palette-Swap Ninja

I adore double parodies; they take real skill to pull off well, but the results are so often amazing.  Today’s video, the first in a series of 11, is both the funniest Star Wars parody and one of the cleverest Beatles parodies I’ve ever encountered.  It was called to my attention by Mistress Matisse, and the links above it were provided by Tim Cushing (“nope”, “Loki” and “black”), Grace (“amateurs”), Rick Horowitz (“Star Trek”), and Lenore Skenazy (“lockdown”).

donw
2536 days ago
Great videos.
Arlington, VA

The Relay Car Hack Reinvented – with $22 Hardware and Up to 1000 Foot Range

1 Comment

Wired reports:

A group of researchers at the Beijing-based security firm Qihoo 360 recently pulled off the so-called relay hack with a pair of gadgets they built for just $22. That’s far cheaper than previous versions of the key-spoofing hardware. The Qihoo researchers, who recently showed their results at Amsterdam’s Hack in the Box conference, say their upgrade also significantly multiplies the radio attack’s range, allowing them to steal cars parked more than a thousand feet away from the owner’s key fob.

The attack essentially tricks both the car and real key into thinking they’re in close proximity. One hacker holds a device a few feet from the victim’s key, while a thief holds the other near the target car. The device near the car spoofs a signal from the key. That elicits a radio signal from the car’s keyless entry system, which seeks a certain signal back from the key before it will open. Rather than try to crack that radio code, the hacker’s devices instead copy it, then transmit it via radio from one of the hackers’ devices to the other, and then to the key. Then they immediately transmit the key’s response back along the chain, effectively telling the car the key is in the driver’s hand.

Watch this dramatization:

Read more.

(The basis of the Wired article comes from the Chasing Cars: Keyless Entry System Attacks talk given at Amsterdam’s recent Hack in the Box conference; you can find the slides from this talk here (PDF).)

donw
2537 days ago
Super neat. I think the dramatization should have instead shown them attacking a parking lot used by a valet service. A giant box of keys all in one place? You could probably just walk up to any car in the lot and assume you'd get a signal for that vehicle.
Arlington, VA

NoIR laser goggles

1 Comment and 3 Shares

I have had insomnia issues for as long as I can remember. This year, I came across some research that seemed to indicate that blue light caused insomnia in some people. I started experimenting with all sorts of strategies of restricting blue light exposure, and now consider myself cured. The best way I found to block any light that would interfere with sleep was my NoIR laser goggles.

As a bit of scientific background, the pineal gland in the brain reacts to blue or green light received by the eyes, and stops generating melatonin when blue/green light is sensed. In our natural habitat, this would only happen during the day – in the unnatural world we live in, we are exposed to a lot of light with a blue/green component at night. This causes insomnia and poor sleep due to the lack of melatonin.

The frequency of light that affects the pineal gland is blue, green, and (partly) yellow. So, it’s not enough to just block the blue frequency – it’s important to block all light frequencies up to about 550 or so (red). Also, even a little blue/green light will still affect the pineal gland, so the optical density of the glasses has to be high (above 5) – they have to really block all light at those frequencies.

I wear my LaserShields for 2 hours before going to sleep. Because their optical density is so high, they really do not let any blue/green light through. I can use my laptop or my smartphone with no ill effects; I fall asleep immediately afterwards and sleep like a baby.

[Amazon sells laser protection goggles that are much cheaper. This model claims to filter light from 190nm to 540nm and costs $5. It might be worth trying these first. – Mark Frauenfelder]

-- L.M.

NoIR LaserShields
$130

Available from Kry Filter

donw
3109 days ago
@gregvr this struck me as something that would tweak several of your areas of "huh!" interest
Arlington, VA
gregvr
3109 days ago
At first I thought he was saying to wear them to bed, which seemed insane, but wearing them before bed is very interesting. LASER goggles, though, is insane. You do not need to block 99.9999% of blue and green light to get this effect! (as Mark points out, there are cheaper versions)

Cognitive disconnect: Understanding Facebook Connect login permissions

2 Comments

[Nicky Robinson is an undergraduate whose Junior Independent Work project, advised by Joseph Bonneau, turned into a neat research paper. — Arvind Narayanan]

When you use the Facebook Connect [1] login system, another website may ask for permission to “post to Facebook for you.” But what does this message mean? If you click “Okay”, what can the site do to your profile?

Motivated by this confusion, we explored Facebook Connect login permissions with the twin goals of understanding what permissions websites are given when a user logs in with Facebook and whether users understand that they are authorizing those permissions. Here is a working draft of our research report.

As it turns out, allowing an app to “post to Facebook for you” allows it to do quite a bit. It can update your status, upload photos, upload videos, share things with your friends, check you in at locations, publish your activity on that site, create notes—basically, it can put anything on your timeline.

Facebook Connect provides a plethora of permissions developers can request to allow their website to access various parts of a user’s profile. The majority are for reading information; others are for particularly sensitive areas such as sending text messages. Eight are permissions to publish. But quietly these eight permissions have been combined into one. If a developer requests any one of the eight, they will get them all.

Two blog posts by Facebook (1,2) explain that they “simplified” and “clarified” the permissions process by combining all of the publishing permissions into a single one called publish_actions. However, the other seven more limited permissions (such as a permission to create a note and another to upload a photo) can still be requested. Many apps still request them but now get the full set whether or not they realize it.

We filed a security bug report with Facebook stating that requesting one publishing permission gave access to all of them. Facebook Security reiterated the position from their blogs, stating that “this behavior is by design” and claiming that all-or-nothing write permissions are “easier for users to understand.”

To evaluate this claim, we surveyed hundreds of users to see if they actually understand what sites will be able to post on their profiles when they log in. Respondents were actually significantly worse at identifying what could be posted than if they had just guessed randomly. However, this was not true of read permissions—users were significantly more likely to understand read permissions correctly with their granular model. This suggests that fine-grained permissions may be easier for users to understand.

Percentage of respondents that correctly understood each read permission

Percentage of respondents that correctly understood each write permission

We identified several other major gaps in user understanding of Facebook’s permissions model. Users generally don’t understand that their privacy settings only affect what other users can see, not what the apps they authorize can see. They also tend to think apps can only perform actions that make sense for that application: they expect Flickr can post photos and TripAdvisor can post checkins, but don’t realize either app can take both actions. This suggests users implicitly have a contextual integrity model of privacy.

Building user interfaces that intuitively reflect user expectations about privacy is always challenging. In the case of all-or-nothing write permissions, however, it appears Facebook is using a model which is much harder for users to understand than the granular system despite claiming publicly that the new model is easier. So why the discrepancy? Facebook may be unaware that their new model is actually more confusing. It’s likely that the consolidation of write permissions is a technical artifact of the ways Facebook has changed. It used to be that uploading a photo and updating your status were distinct actions, but now they’re both posts on your timeline.

A more cynical possibility is that Facebook is intentionally creating vague messages so users do not understand all the permissions they are giving up. This would let developers obtain more permissions to share content without putting off users. Facebook’s own documentation claims that “apps that ask for more than four permissions experience a significant drop off in the number of completed logins.”

Single sign-on systems have the potential to make the web more secure (fewer passwords can mean stronger and more secure passwords). Facebook Connect’s data sharing features allow sites to do some really cool things and have been a major factor in making it the most deployed single sign-on system on the web. But this potential win-win depends on giving users effective understanding and control of the data they’re sharing, as Facebook recognized when launching the system back in 2007.  Our research suggests that there’s still significant room for improvement.

Note: On April 30, after the conclusion of our research and our correspondence with Facebook security, Facebook announced an update to its permissions system which allows users to reject individual read permissions or log in anonymously. However, this change does not address our concerns: there is still only one publishing permission and it is still presented with the same vague message.

I would like to acknowledge my coauthor and adviser on this research, Joseph Bonneau.

[1] The system is now officially called Facebook Login and not Facebook Connect. We stick with the latter term which is still more widely recognized.

donw
3591 days ago
Gross
Arlington, VA
1 public comment
reconbot
3592 days ago
That one bar in Germany where you're expected to go and hangout.
New York City

iMessage Purgatory

4 Comments

Adam Pash:

I recently switched from an iPhone to Android, and discovered shortly thereafter that my phone number was still associated with iMessage, meaning that any time someone with an iPhone tried texting me, I’d receive nothing, and they’d get a “Delivered” receipt in their Messages app as though everything were working as expected.

donw
3625 days ago
Very interesting from an engineering standpoint. iMessages needs for the servers to know if a number is capable of iMessages even if that number is currently unavailable, so the fact that the number isn't logged in - or hasn't even done it all that recently - isn't necessarily cause for iMessage servers to stop "showing blue."
Arlington, VA
1 public comment
ravenel
3626 days ago
I also recently switched from iPhone to Android (love it, BTW--Android may have been flaky and poorly designed years ago, but no longer), and had similar struggles. Not quite so bad, and luckily my work phone is an iPhone so I was able to resolve that way, but it was shockingly difficult.
ÜT: 40.673477,-73.975108