So Apple is America's most valuable company. They are, like everyone else, betting the company on the cloud. You may be familiar with the cloud, as it's where all your valuable stuff is. The stuff that you may lose access to at any moment.
The most valuable companies have your valuable data in the cloud. We may think the cloud is decentralized, but it's not. It's totally centralized. All the valuable data is now in one place with one password that's connected to your one bank account. We've centralized and simplified fraud and the public pays for it.
I've got email in Gmail, music in Spotify, files in Dropbox, documents in SkyDrive, photos in Flickr, and media and apps in the Apple Cloud.
I got this email out of nowhere yesterday.
Dear Scott Hanselman, Your Apple ID, scott@hanselman.com, was just used to purchase 明珠三国OL from the App Store on a computer or device that had not previously been associated with that Apple ID. If you made this purchase, you can disregard this email. This email was sent as a safeguard designed to protect you against unauthorized purchases. If you did not make this purchase, we recommend that you go to iforgot.apple.com to change your password, then see Apple ID: Tips for protecting the security of your account for further assistance. Regards, Apple
After confirming the email path via headers and checking all the links as well as the HTML source of the email (seriously, you expect my Mom to do this?) I decided it was legit.
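Those manual checks can be scripted. What follows is an added example, not code from the original post: it reads a raw message and reports whether the From domain, the receiving server's SPF/DKIM results and the link targets in the HTML body agree with one another. The two messages embedded in it are constructed for the demo, as are the receiving mail server name and the lookalike domain. Note what it can and cannot say: a "consistent" result means the message is internally consistent, not that it is genuine, so the rest of the caution described above still applies.

```python
"""Triage a 'your account was just used' e-mail the way the post describes.

Added example, not code from the original post. Given the raw message it
checks: (1) the From domain, (2) whether the receiving server's
Authentication-Results header shows SPF and DKIM passing for that same
domain, and (3) where every link in the HTML body really points. The two
messages at the bottom are CONSTRUCTED for this demo; the header values,
the 'mx.example.net' receiver and the '.example' lookalike domain are
made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _registrable(host):
    """Last two labels of a host name (crude: ignores suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def auth_results(msg):
    """Pull spf=, dkim= and the DKIM signing domain out of Authentication-Results."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", hdr)
    dkim = re.search(r"\bdkim=(\w+)", hdr)
    dom = re.search(r"\bheader\.d=([\w.-]+)", hdr)
    return {"spf": spf.group(1) if spf else "none",
            "dkim": dkim.group(1) if dkim else "none",
            "dkim_domain": dom.group(1).lower() if dom else ""}


def html_links(msg):
    """Return all href values from the text/html parts of the message."""
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            collector.feed(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return collector.hrefs


def triage(raw_message):
    """Return the From domain, a verdict, and the reasons behind the verdict."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    findings = []
    if auth["spf"] != "pass":
        findings.append("spf not pass")
    if auth["dkim"] != "pass":
        findings.append("dkim not pass")
    elif _registrable(auth["dkim_domain"]) != _registrable(from_domain):
        findings.append("dkim domain does not match From")
    for href in html_links(msg):
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # mailto:, relative links, etc.
        if _registrable(host) != _registrable(from_domain):
            findings.append(f"link to {host}")
    return {"from_domain": from_domain,
            "verdict": "suspicious" if findings else "consistent",
            "findings": findings}


# --- constructed sample messages (not real mail) ---------------------------
CONSISTENT_MSG = """From: Apple <do_not_reply@apple.com>
To: scott@hanselman.com
Subject: Your Apple ID was just used to make a purchase
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=apple.com; dkim=pass header.d=apple.com
Content-Type: text/html; charset="utf-8"

<html><body>If you did not make this purchase, go to
<a href="https://iforgot.apple.com/">iforgot.apple.com</a> to change your password.</body></html>
"""

LOOKALIKE_MSG = """From: Apple Support <security@apple.com>
To: scott@hanselman.com
Subject: Your Apple ID has been disabled
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=apple-id-verify.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>Click <a href="http://apple-id-verify.example/login">here</a> to restore access.</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("consistent", CONSISTENT_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(name, triage(raw))
```

The Authentication-Results header is only trustworthy when it was written by your own receiving server, so in practice you would also discard any copy of that header that arrived from outside, which the example leaves out for brevity.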
The phrasing of this email is irritating and wrong-headed. Here's why.
They know it's a device they've never seen before.
They let it happen anyway.
They tell me it's for my good in a self-congratulatory way. This email was sent as a safeguard designed to protect you against unauthorized purchases.
But, if I didn't make this purchase, rather than a Dispute button or Fraud link, they recommend I change my password.
Stunning.
I changed my password and went into the Apple Cloud of past purchases via the App Store. Note that it's "Not On This iPhone." It's actually not on any of my devices, because I never bought it.
If you look at the App, you'll note that it's got a sudden rash of negative reviews from folks who have apparently also been hit by this issue. Someone buys this app (no idea how) and then uses in-app purchase to steal money.
The part I can't get my head around is this. My password is/was rock solid. I use a password manager, my passwords are insane and have high entropy. Not to mention that Apple knows what devices I have and still allowed the purchase.
Next, I got a Paypal Email thanking me for my $40 purchase from Apple. As an interesting data point, I haven't received an iTunes receipt for these illicit purchases.
Instead, I look in iTunes. Odd that we have to go into iTunes to see purchase history instead of a website.
And there they are. A whole series of in-app purchases for an App I don't have on a phone that doesn't exist.
I looked into Recent Purchases on my phone and found a bunch of music and videos I never purchased either.
Another data point is that the error I get is "This Apple ID has been disabled," NOT "This Apple ID has been disabled for security reasons." Just search around. Everyone has had this problem. Some folks have told me they reset their password every time they buy an app! Others have just given up. We'll never see this fixed until Gruber gets the error.
According to iTunes I've got 479 apps. I've got movies, TV shows, and music. All this is in the Cloud. You know, that amazing thing where all our stuff is stored so we can get to it from anywhere? The Cloud where everything is moving towards, that utopian future where there's no DRM and unlimited storage. Freedom, commerce, and media for all. Except I can't access the cloud. And I have no idea how to fix it.
Protect your neck, Dear Readers. For now, today, I am here and my things are in the cloud and never the twain shall meet.
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
Well, not really. A better title would be "How to Cobble Together NuGet Support for Visual Studio 2008 with External Tools and a Prayer." The point is, there are lots of folks using Visual Studio 2008 who would like NuGet support. I'm exploring this area and there's a half-dozen ways to make it happen, some difficult and some less so. The idea would be to enable some things with minimal effort. It'll be interesting to see if there are folks in the community who think this is important enough to actually make it happen. Of course, the easiest thing is to just use 2010 as it still supports .NET 2.0, 3.0, 3.5, and 4, but not everyone can upgrade.
Someone could:
Backport the existing NuGet Package References dialog to 2008 using that version's native extensions (not VSiX)
Create MEF (Managed Extensibility Framework) plugins for the nuget.exe command-line to update the references in a vbproj or csproj
Use PowerShell scripts and batch files to get the most basic stuff working (get a package and update references.)
Maybe write a shim to get DTE automation working...
But that's coulds and maybes. Let's talk about the MacGyver solution.
Launch Visual Studio 2008 and go to Tools | External Tools.
Make a new Tool with these values:
Title: NuGet Install
Command (I'm assuming this is in the PATH): nuget.exe
Next, right click in the Toolbar area and create a new Toolbar called NuGet. From Commands, drag in the correct Tools | External Tool button. Right click it and design to taste:
Now, when you click Install Package, change your.package.name to whatever package you want, and click OK. Note the output in the console window below.
At this point, because we are only integrating the command-line tool, you don't get the references added automatically. And where are the packages? Well, they are here, one directory up under Packages. It's still up to you to add the reference yourself and make sure it's the appropriate one (I refer you again to the wish list above.)
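The step the External Tool approach leaves to you, finding the DLLs nuget.exe just dropped and wiring them into the project, is mechanical enough to script. Here is an added example that does it, not code from the original post and not part of NuGet: it locates the newest installed copy of a package under packages\, picks the assemblies for a target framework, and adds <Reference> elements with HintPaths to a .csproj, skipping references that already exist. The packages\<Id>.<Version>\lib\<framework>\ layout it assumes is the NuGet 1.x convention; the project and package it builds for its own demo are throwaway files constructed in a temp directory.

```python
"""Add <Reference> entries for a NuGet package's assemblies to a .csproj.

Added example, not code from the original post or from NuGet. It fills the
gap the External Tool approach leaves: nuget.exe has put the package under
packages\<Id>.<Version>\, but nothing has told the project about the DLLs.
The lib\net35 / lib\net20 / lib\ folder layout below is the NuGet 1.x
convention and is an assumption of this script.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"
ET.register_namespace("", MSBUILD_NS)  # keep the default namespace on write


def _q(tag):
    return f"{{{MSBUILD_NS}}}{tag}"


def _version_key(dirname, prefix):
    """Sort key so Foo.1.10.0 beats Foo.1.9.0; prerelease labels sort low."""
    return tuple(int(p) if p.isdigit() else -1 for p in dirname[len(prefix):].split("."))


def find_package_assemblies(packages_dir, package_id, framework="net35"):
    """Return the DLL paths of the newest installed version of package_id."""
    prefix = package_id.lower() + "."
    candidates = [d for d in os.listdir(packages_dir) if d.lower().startswith(prefix)]
    if not candidates:
        raise FileNotFoundError(f"{package_id} not found under {packages_dir}")
    newest = max(candidates, key=lambda d: _version_key(d.lower(), prefix))
    lib = os.path.join(packages_dir, newest, "lib")
    for folder in (os.path.join(lib, framework), lib):
        if os.path.isdir(folder):
            dlls = sorted(os.path.join(folder, f) for f in os.listdir(folder)
                          if f.lower().endswith(".dll"))
            if dlls:
                return dlls
    raise FileNotFoundError(f"no {framework} assemblies under {lib}")


def add_references(csproj_path, dll_paths):
    """Add one HintPath <Reference> per DLL; return the names actually added."""
    tree = ET.parse(csproj_path)
    root = tree.getroot()
    existing = {r.get("Include").split(",")[0].lower()
                for r in root.iter(_q("Reference")) if r.get("Include")}
    # Reuse the ItemGroup that already holds references, or make one.
    group = next((ig for ig in root.iter(_q("ItemGroup"))
                  if ig.find(_q("Reference")) is not None), None)
    if group is None:
        group = ET.SubElement(root, _q("ItemGroup"))
    project_dir = os.path.dirname(os.path.abspath(csproj_path))
    added = []
    for dll in dll_paths:
        name = os.path.splitext(os.path.basename(dll))[0]
        if name.lower() in existing:
            continue  # already referenced; leave it alone
        ref = ET.SubElement(group, _q("Reference"), Include=name)
        hint = ET.SubElement(ref, _q("HintPath"))
        # MSBuild expects a project-relative, backslash-separated path.
        hint.text = os.path.relpath(dll, project_dir).replace("/", "\\")
        added.append(name)
    tree.write(csproj_path, encoding="utf-8", xml_declaration=True)
    return added


def demo():
    """Construct a throwaway project and package layout, then wire them up."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "packages", "Demo.Package.1.2.0", "lib", "net35")
    os.makedirs(lib)
    open(os.path.join(lib, "Demo.Package.dll"), "wb").close()  # stand-in assembly
    src = os.path.join(root, "src")
    os.makedirs(src)
    csproj = os.path.join(src, "Demo.csproj")
    with open(csproj, "w", encoding="utf-8") as f:
        f.write(f'<Project ToolsVersion="3.5" xmlns="{MSBUILD_NS}">\n'
                '  <ItemGroup>\n    <Reference Include="System" />\n  </ItemGroup>\n'
                '</Project>\n')
    dlls = find_package_assemblies(os.path.join(root, "packages"), "Demo.Package")
    added = add_references(csproj, dlls)
    hint = ET.parse(csproj).getroot().find(f".//{_q('HintPath')}").text
    added_again = add_references(csproj, dlls)  # second run must be a no-op
    return added, hint, added_again


if __name__ == "__main__":
    print(demo())
```

Running it twice is harmless because existing references are skipped, which matters if you bind it to a toolbar button you will click more than once. Because an assembly name alone decides "already referenced", a package that ships a DLL with the same name as something you already reference will be skipped rather than duplicated; check the HintPath by hand in that case, as the post recommends anyway.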
If you are feeling extra fancy, you can even add a few macros and links in your Toolbar to send you to the NuGet site for searching. Here's a Visual Studio 2008 macro that launches your default web browser and takes you to http://www.nuget.org/List/Packages.
```vb
Public Module NuGet
    Sub LaunchNuGetSite()
        ' Hand the URL to the shell; the default browser opens it.
        System.Diagnostics.Process.Start("http://www.nuget.org/List/Packages")
    End Sub
End Module
```
Then make toolbar buttons for those extra buttons, like this one for going to the NuGet site and searching:
Thoughts, Dear Reader?
Say what you will about the Ajax Control Toolkit. Some like it, some don't, but it got 1.15 MILLION downloads last year. Is the ACT dead? Not yet, and there's ongoing work around WebForms, jQuery and an ACT style of programming. More on this soon.
There's like 40 different controls in the Ajax Control Toolkit. They continue to be updated and have cross-browser support. The first release this year added IE9 support. This new July 2011 release adds a new HTML Editor and more complete browser support including (from Stephen Walther's blog):
The HTML Editor Extender works on all modern browsers including the most recent versions of Mozilla Firefox (Firefox 5), Google Chrome (Chrome 12), and Apple Safari (Safari 5). Furthermore, the HTML Editor Extender is compatible with Microsoft Internet Explorer 6 and newer.
How do you use it? Now that the AjaxControlToolkit is in NuGet, it's easy either from the Package Manager Console, or from the GUI.
You COULD register the AjaxControlToolkit at the top of your page:
Although I think the prefix should be "act," so I'll change it. Then, just use the controls on your page in ASP.NET WebForms. For example, here's how you turn a standard TextBox into a Color Picker:
UPDATE: Jay Radcliffe, the researcher discussed in this post, has emailed me, a little upset. In the interest of transparency I've included our email thread at the end of this post so that Jay's perspective on any inaccuracies may be seen. I encourage you to draw your own conclusions.
Wait till you see what researcher and diabetic Jay Radcliffe cooked up for the Black Hat Technical Security Conference. Radcliffe figures an attacker could hack an insulin pump connected to a wireless glucose monitor and deliver lethal doses of the sugar-regulating hormone.
First, a little on my background. I've been Type 1 diabetic for 17 years. I've worn an insulin pump 24 hours a day, 7 days a week for over 11 years and a continuous glucose meter non-stop for over 5 years. I also wrote one of the first portable glucose management systems for the original PalmPilot over 10 years ago and successfully sold it to a health management company. (Archive.org link) I also interfaced it (albeit with wires) to a number of portable glucose meters, also a first.
Like something straight out of science fiction, an attacker with a powerful antenna could be up to a half mile away from a victim yet launch a wireless hack to remotely control an insulin pump and potentially kill the victim.
The only thing that saves this initial paragraph is "potentially." The link that is getting the most Tweets is VentureBeat's "Excuse me while I turn off your insulin pump," a blog post that is rife with inaccuracies (not to mention a lot of misspellings). Here's just a few.
"Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump."
Way too broad. Pumps themselves don't. Some CGMs (continuous glucose meters) communicate with special integrated pumps. The most popular integrated system is a Medtronic Paradigm. Most other CGM systems have a "screen" device that is separate from the pump.
"The sensor has to run on a 1.5-volt watch battery for two years."
Nope. The Medtronic receiving sensor needs to be charged every 3 to 6 days. The pump battery is usually a AAA that lasts a few weeks. UPDATE: The Dexcom receiver is recharged every 3 days but the body transmitter is warranted for a year with a small watch battery.
One useful paragraph in the VentureBeat post points out again that Jerome wasn't able to decode the message. Here, emphasis mine.
Then Radcliffe went through the process of deciphering what the wireless transmissions meant. These transmissions are not encrypted, since the devices have to be really cheap. The tranmissions [sic] are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured the signal with a $10 radio frequency circuit board and then used an oscilloscope to analzye [sic] the bits.
He captured two 9-millisecond transmissions that were five minutes apart. But they came out looking like gibberish. He caputred [sic] more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.
That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to do that. So he tried to jam the signals to see if he could stop the transmitter. With a quarter of a mile, he figured out he could indeed mess up the transmitter via a denial of service attack, or flooding it with false data.
Now, to the security issue. One has to read these articles and blog posts very carefully. It's easy Link Bait to say "A hacker can kill diabetics wirelessly without them knowing it!" (I assume we'd figure it out at some point, though.) While Jerome Radcliffe, the gentleman who did the proof of concept, is no doubt very clever, the folks who are blogging this fear mongering should do their homework and read the details. Jerome is presenting some of his findings at the BlackHat conference. Here's his abstract with emphasis mine. Note also that SCADA means "supervisory control and data acquisition." He's saying that we "cyborgdiabetics" (my term) are human control and data acquisition systems as data-in/control-out controls our health, well-being and ultimately our lives.
As a diabetic, I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor. This combination of devices turns me into a Human SCADA system; in fact, much of the hardware used in these devices are also used in Industrial SCADA equipment. I was inspired to attempt to hack these medical devices after a presentation on hardware hacking at DEF CON in 2009. Both of the systems have proprietary wireless communication methods.
Could their communication methods be reverse engineered? Could a device be created to perform injection attacks? Manipulation of a diabetic's insulin, directly or indirectly, could result in significant health risks and even death. My weapons in the battle: Arduino, Ham Radios, Bus Pirate, Oscilloscope, Soldering Iron, and a hacker's intuition.
After investing months of spare time and an immense amount of caffeine, I have not accomplished my mission. The journey, however, has been an immeasurable learning experience - from propriety protocols to hardware interfacing-and I will focus on the ups and downs of this project, including the technical issues, the lessons learned, and information discovered, in this presentation "Breaking the Human SCADA System."
Just to be clear, Jerome has not yet successfully wirelessly hacked an insulin pump.
UPDATE: See below email thread. Jerome says he can change settings and pause the pump. This may be via the USB wireless interface one uses to backup settings and send their blood sugar to their doctor. That's an educated guess on my part.
He's made initial steps to sniff wireless traffic from the pump. I realize, as I hope you do, that his abstract isn't complete. Hopefully a more complete presentation is forthcoming. I suspect he's exploiting the remote control feature of a pump. This is a key fob that looks like a car alarm beeper that some pump users use to discreetly give themselves insulin doses. However, I feel the need to point out as a pump wearer myself that:
Not every Insulin Pump has a remote control feature.
Not every remote-controllable insulin pump has that feature turned on. Mine does not, for example.
In this AP article reposted at NPR called Insulin Pumps, Monitors Vulnerable To Hacking they give us more of the puzzle which confirms that Jerome was - in at least one hack attempt - using the optional remote control feature of the pump. A feature that few turn on. Their tech is a little off as well with talk of a 'USB device,' probably an Arduino with an RF shield.
Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.
"A Type 1 diabetic said Thursday that hackers can remotely change his insulin pump to levels that could kill him."
ZOMG! Someone can remotely control my insulin pump? They continue...
"Radcliffe, now 33, explained that all he requires to perpetrate the hack is the target pump's serial number."
Oh, you mean the serial number that I use to pair with the transmitter to use the highly touted remote control function? This is like saying "I can open your garage door with a 3rd party garage door opener. Just give me the numbers off the side of your unit..."
What Jerome has done, however, is posed a valid question and opened a door that all techie diabetics knew was open. It is however, an obvious question for any connected device. Anyone who has ever seen OnStar start a car remotely knows that there's a possibility that a bad guy could do the same thing.
For example, literally last month I personally exchanged emails with a friendly hacker who successfully hacked the web services for the Filtrete Touchscreen WiFi-enabled Thermostat. Harmless? Perhaps, but his hack could successfully remotely control a furnace or AC in the house of anyone with this device. Any control device that's connected to the "web" or even "the air," in the case of insulin pumps, is potentially open for attack.
I appreciate the message that Jerome is trying to get out there. Wireless medical devices need to be designed with security in mind. I don't appreciate blogs and "news" organizations inaccurately scaring folks into thinking this is a credible threat.
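The garage-door analogy above is the whole design problem in one line: a serial number printed on the unit is an identifier, not a secret, so a device that obeys any frame carrying the right serial is taking orders from anyone who has seen the label. What follows is an added example, not from the original post and not the protocol of any real pump, that models two hypothetical remote-command schemes side by side so the difference is concrete: one accepts a command on the strength of the serial alone; the other requires a key established at pairing, a counter that must increase, and an HMAC over the serial, counter and command. Device names, commands, the serial value and the key length are all made up for the demo.

```python
"""Why 'knows the serial number' is not authentication.

Added example, not from the original post and not the protocol of any real
insulin pump or remote. It models two HYPOTHETICAL remote-command schemes:

  SerialOnlyDevice    - a frame is obeyed if it carries the right serial,
                        a value printed on the side of the unit.
  AuthenticatedDevice - the remote and the device share a key from pairing;
                        each frame carries an increasing counter and an HMAC
                        over (serial, counter, command). Knowing the serial
                        is not enough to forge a command or replay an old one.
"""
import hashlib
import hmac
import secrets


class SerialOnlyDevice:
    """Obeys anyone who knows the serial number (the garage-door situation)."""

    def __init__(self, serial):
        self.serial = serial
        self.log = []

    def receive(self, frame):
        serial, command = frame
        if serial != self.serial:
            return "ignored"
        self.log.append(command)
        return "executed"


class AuthenticatedDevice:
    """Accepts only fresh frames tagged with the pairing key."""

    TAG_LEN = 8  # bytes; truncated to respect a small radio frame

    def __init__(self, serial, pairing_key):
        self.serial = serial
        self.key = pairing_key
        self.last_counter = 0
        self.log = []

    @classmethod
    def tag(cls, key, serial, counter, command):
        msg = f"{serial}|{counter}|{command}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()[:cls.TAG_LEN]

    def receive(self, frame):
        serial, counter, command, tag = frame
        if serial != self.serial:
            return "ignored"
        if counter <= self.last_counter:
            return "rejected: replay"          # an old frame re-sent
        expected = self.tag(self.key, serial, counter, command)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"         # right serial, wrong key
        self.last_counter = counter
        self.log.append(command)
        return "executed"


class Remote:
    """The paired remote: holds the key and a monotonically increasing counter."""

    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0

    def send(self, command):
        self.counter += 1
        tag = AuthenticatedDevice.tag(self.key, self.serial, self.counter, command)
        return (self.serial, self.counter, command, tag)


def scenario():
    """Walk both schemes through the same attacker: knows the serial, no key."""
    serial = "SN-000123"  # made-up; the kind of value printed on a unit
    naive = SerialOnlyDevice(serial)
    r_naive = naive.receive((serial, "SUSPEND"))            # serial alone suffices

    key = secrets.token_bytes(16)                           # established at pairing
    dev = AuthenticatedDevice(serial, key)
    remote = Remote(serial, key)
    r_legit = dev.receive(remote.send("STATUS"))
    r_forged = dev.receive((serial, 99, "SUSPEND", b"\x00" * AuthenticatedDevice.TAG_LEN))
    good = remote.send("RESUME")
    r_good = dev.receive(good)
    r_replay = dev.receive(good)                            # same frame captured and re-sent
    return r_naive, r_legit, r_forged, r_good, r_replay, naive.log, dev.log


if __name__ == "__main__":
    print(scenario())
```

The 8-byte tag is a deliberate compromise of the kind the 76-bit frames quoted above force on a designer: it costs 64 bits of airtime and leaves 2^-64 odds per forgery attempt, which is a very different world from a serial number. The counter is what stops a recorded frame from being useful later, and the device must persist it, or a power cycle reopens the replay window.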
We don't know what brand pump was experimented on, and fortunately the gentleman isn't giving away the technical details. If you are a diabetic on a pump who is concerned about this kind of thing, my suggestion is to turn off your pump's remote control feature (which is likely off anyway) and turn off your sensor radio when you are not wearing your CGM. Most of all, don't panic. Call the manufacturer and express your concern. In my experience, pump manufacturers do not mess around with this stuff. I'm not overly concerned.
All this said, I'd love to have him on my podcast. If you're reading this and you're Jerome Radcliffe, give me a holler and let's talk tech.
Of course, all this talk would be moot if we cured diabetes. I encourage you to give a tax-deductible donation to the American Diabetes Association: http://hanselman.com/fightdiabetes/donate
Also, feel free to show people my "I am Diabetic. Here's how it works" educational video on YouTube with details on how I setup a pump and continuous glucose monitoring system every 3 days. http://hnsl.mn/iamdiabetic takes you right to the YouTube video.
UPDATE: In the interest of full disclosure, here is my email thread with Jay. As I've said, I'm happy to update the article, as I am doing here, with all perspectives. This was as much a blog post about the media and that meta-point as it was about the tech. That I had to piece this post together from several other posts and articles just to get an idea of the big picture kind of makes my point about the problems of hyperbole in the media. Again, my concern is more about sensationalism than it is about the tech. I have no doubt a pump CAN be hacked. Any connected device can be hacked.
Here's our thread from earliest to latest:
From: Jerome Radcliffe
I *can* hack an insulin pump. I can suspend it, change all the settings remotely. I did that on stage. I'm quite disappointed that you did not verify any of the information in your article. People do die from hypoglycemia. Is it an extreme example? Yes. It needs to be. These devices need to be researched for security flaws. To talk about why someone might hack a pump misses the point.
From: Scott Hanselman
I'm sorry, I only found the articles I linked to, plus the abstract that said you hadn't. I tried to verify everything to the best of my ability to Google. Would you send me some newer links and I'll update my post? My post was meant as an analysis of the news coverage more than the attack. Send me new info?
Thanks!
From: Jerome Radcliffe
I understand your position, but as a blogger/journalist there is a certain level of responsibility to publishing facts. You come off as hypocritical blaming the media for being inaccurate on diabetics being killed by pumps, and write a piece riddled with inaccuracies on my research. 1. There is a CGM that runs on a 1.5v battery for two years. You state that my research is wrong. It is not. 2. Check CBS in Las Vegas's web site. They have a video of the demo. Several media outlets reported that demo. My name is fairly unique and my email address is easy to acquire. I would have rather you contact me for clarification rather than publish a critique of my research that is far from accurate.
From: Scott Hanselman
A random blogger and a trained journalist are certainly different things, I'm sure we can agree on. I do certainly want to improve the post and add the facts and am more than happy to do so. I'm not sure where I said "your research is wrong" in my post, but I will re-check it. Again, most of my post is quotes from actual journalists who presumably interviewed you and I quoted them. I also quoted your black hat abstract. I searched twitter for Jay and Jerome Radcliffe but didn't find you and wasn't able to find your blog, I suppose because of the flood of new links and stories. This CGM runs for 2 years without recharging? Perhaps I'm confused about semantics. I've had a number of CGMs, some 1.5V and all the ones with embedded batteries needed recharging. I'll check around. Again, however, my assertion wasn't against you at all, rather the journalists whose stories were inaccurate. I feel like we are getting off on the wrong foot here. I thought I wrote a post about how other journalists and bloggers were sensationalistic and inaccurate in their coverage. My post isn't meant as, nor should it read as, a personal attack on your hard work. As I said earlier, I'm more than happy to make updates and edits and fall on my sword with any inaccuracies. I'm even happy to post our email exchange. Be well!
From: Jerome Radcliffe
Anytime you publish, blog or newspaper, you should be responsible for the content. There is no difference between a trained journalist and a blogger. You can't duck your own criticism of responsible reporting because you feel like your [sic] just a random blogger. The fact you are so critical of my work, you have been getting a lot of press. Your article was in the Slashdot headline, which is one of the most popular sites on the Internet. The fact is your article was highly critical of my work, and highly inaccurate. Even after I specifically told you about the inaccuracies in your writing you have not corrected them. It's really hard for me not to be offended in this case. For the last three days I have had to answer people's questions, many have cited your article based from the Slashdot coverage.
First, a disclaimer. I work for Microsoft on the Web Platform team. That said, I don't know anyone in hardware. My opinions are my own. I don't have any vested interest in this mouse and I paid for it myself. In fact, I pre-ordered it in February.
I'm a hardware fanboy. I've tried dozens of keyboards and mice, and many webcams. Getting a new mouse or a new keyboard is a great inexpensive way to fundamentally change your computing experience. It's like a new pair of pants. Sometimes it just makes you happy to refresh the stuff you use every day.
I REALLY want to like the Microsoft Touch Mouse. The idea is a great one. Take a mouse that works like you'd think a mouse should, then add a number of multi-touch gestures so your mouse is everything a mouse is PLUS basic gestures you use with a touchpad or phone.
Packaging and Hardware
The packaging and OOBE (Out of Box Experience) is cherry. It's really nice to see Microsoft getting packaging right in a way that isn't a copy of Apple's packaging. The package opens up with a multi-fold lid like a treasure chest to expose the mouse beneath a clear cover. There's even a little magnet to hold the lid down. Inside the lid is directions on how to use the primary gestures.
You open the box by pulling the lid all the way off and releasing the mouse from its stand. There's a nano receiver and batteries are included. While the nano receiver has a home inside the base of the mouse for storage, it's unfortunate that there isn't an option for using Bluetooth as I need another nano receiver like I need a hole in the head. All up, the packaging is primo.
The mouse itself is pleasingly heavy. I suspect if I opened it up I'd find a small lead weight inside to give it just a smidge of heft.
Tracking
The tracking uses the newer BlueTrack system rather than the red-light system most of my mice use. It's also extremely responsive and tracks on darn near anything. I don't need to use a mousepad with this mouse, but I always use a WowPad because they make any mouse work better. It really tracks perfectly, as it should. I haven't had any issues with poor tracking mice in the last several years since the optical-super-laser-whatever technology came out and this mouse is no exception.
Gestures and Software
The software is a new tab called Touch within the Mouse control panel. It's got a nice side-car window with a looping video showing you how to do each gesture. It's a little subtle, but you can play each video with the little blue play button on the left (they look like bullet points.)
Gestures supported are:
One finger scroll pan (vertically and horizontally)
One thumb swipe - A forward/back gesture, just like the thumb forward and back buttons on most mice (and many keyboards!) these days. Works in browsers, Outlook, OneNote and any other software that listens for forward/back.
Two finger swipe - This is really useful, in fact. Up is maximize, down is minimize, left and right are snap to the sides.
Three finger swipe - Gives you an "exposé" style super dashboard of all your applications. They call it "instant viewer." More on that in a second.
Here's a look at the software:
Instant Viewer is what you get with a three finger swipe. It looks like this. The idea is, swipe, click to task switch, and it works great, it just is a little awkward to three finger swipe. Fortunately, 4 fingers or basically the whole hand works too, so a big swipe up is much more comfortable.
Scrolling
Here's the part I'm having trouble getting past. Sometimes the scrolling just doesn't register. Often it registers on the second or third flick. I can't tell if this is hardware or software, but it's not cool. Maybe it's me. Things that you touch, whether they are phones, touchpads or mice should always work, every time, exactly. I think that one of the reasons that iPhones and capacitive screens are so successful is because of their responsiveness. Early PDAs suffered from that, tap, tap, tap, react cycle. Sometimes unresponsiveness is perceived unconsciously and other times it finds its way into your conscious brain. I was/am far too aware of scrolling gestures not registering far too often.
That said, the other gestures (two and three fingers) work EVERY time. I've really tested it with gentle touch, hard touch, etc and the two finger gestures ALWAYS work. I suspect there is some kind of scrolling driver bug going on here as the hardware seems very reliable. I'd love to hear from someone on the team if there is a known scrolling issue.
The other issue with scrolling is that you have to move your finger about a 1/2 cm before a scroll registers. I think this is to make the mouse not be too jittery. If it scrolled every time you moved at all, I suspect that would be irritating. That said, this should absolutely be a setting I can control.
This might very well be "by design." But when you make something called a "Touch Mouse" in a world where iPads and Windows Phones have pixel-perfect scrolling, the comparisons will be drawn. I want to casually touch and scroll without thinking. Perhaps even a few pixels. The illusion is broken when a touch has to be a half-flick.
The scrolling also has built in inertia. If you flick it fast, it'll scroll fast and then slow down. This is nice because it feels like a tablet device where you can "throw" a browser page and it'll accelerate and decelerate in a natural way. This "inertial scroll" could really be the killer feature if the actual first touch that starts the scroll was more reliable.
Limitations
I assumed that the middle area of the mouse would register as a Middle Click. It doesn't, so this is a 2 button mouse. This is almost a deal breaker for me because I use the middle click all the time when browsing to open new tabs in the background or to close a tab without switching to it. If you rely on the middle mouse button (not everyone does) then be aware. You may not miss it until it's gone.
Conclusion
This is a multitasker's mouse. If you have a great mouse that you like, should you switch? No. But if you are in the market for a mouse AND you are a person with MANY windows open or a person with multiple monitors I can see how the window management features would be really useful.
However, for me, I'm on the fence if this scrolling issue is a deal breaker or not. If there's an upcoming driver update that really nails the scrolling sensitivity down then I'll recommend this mouse wholeheartedly. Until then, I think I'll alternate between this one and my trusty and wonderful Microsoft Arc Mouse, which rocks completely.