Friday, June 29, 2007

The Dora Bone Game is back

One morning I surfed to my favorite diversion, the Dora the Explorer bone game on the NickJr site. As video games go it isn't bleeding edge, but it's better than most of the stuff people paid good money for in the 80s.

Which was exactly what NickJr had in mind. Pay per play at a mindboggling $8 a pop!

You can imagine the conversation in the corporate headquarters as some executive imposed this silly price. "But these games are really popular!" Not at that price they are not.

For $10 you can buy bargain basement versions of programs like Tomb Raider III with tens or hundreds of man-years of effort behind them. Level after level after level, and every one with more detail than the simple fare at the NickJr arcade. It's not aimed at the same audience, but parents know what they expect for the price of a movie ticket and it's much more than the NickJr arcade delivered.

So now the site is back the way it was before. All mention of the arcade seems to have gone. The ads are somewhat more intrusive than before.

Thursday, June 28, 2007

Judicial activism - Conservative style

The Conservative faction on the Supreme Court has decided to change the law prohibiting price floors

In a 5-4 decision the court has decided to overturn 96 years of precedent and change the interpretation of existing law.

This should be considered judicial activism. If Congress did not like the interpretation of the law as it stood they should have been the ones to change it. For the court to change the law unilaterally is profoundly undemocratic.

Of course in Conservative world it's only 'judicial activism' if they don't like the result. In this case the result comes at the worst possible time for business. There will be a brief period of a few years in which some businesses will act in the most pig-headed fashion imaginable, followed by legislation that is far more pro-consumer than the status quo.

Wednesday, June 27, 2007

WiFi Suckage

Windows WiFi does not play nice. In particular the DHCP client interaction is abysmal. Every time the connection is dropped and reset it does a fresh DHCP, even if there was plenty of time on the old lease.

I would put the machine on a static IP address but if I do that I won't be able to connect when I visit Panera.

Windows should allow the IP address settings to be set for each WiFi connection separately.

Tuesday, June 26, 2007

HP LP3065 30" Monitor

If you are looking for a monitor then look no further, this is definitely the one to get. I have had mine for two months now, bigger really is better.

The only problem is that it takes a lot of processing power to drive a four megapixel monitor. You will almost certainly need a new graphics card and quite likely a new computer. If you want more than one display you are going to need a beast.

At the moment there is no scaling chip that works with the 30" displays. What this means is that none of the 30" monitors on the market today can be driven at anything other than full resolution (or in the case of the Dell, a quarter of full resolution). If you select a different resolution in Windows the scaling takes place in the video card. The upshot of this is that you cannot plug a laptop into these displays.

Sunday, June 24, 2007

Stupidity of the Week: Massachusetts Registration Renewal

The Massachusetts RMV demonstrates the 'Trashform' school of Web usability.

The user enters information into a form, some part is not entered as the system requires. OK, throw away all the information the customer just gave you and make them start again.

In this case the missing information was that I entered the renewal fee as $41 instead of $41.00. Again, sloppy programming resulting in discourtesy to the user. There is no reason I should need to enter the fee at all, the RMV has all the information it needs.

They pull the same game again when asking for the credit card information. The RMV does not accept Amex (lame). Instead of telling the user this at the point where they are entering the credit card number they put the logos up at the top of the form and the credit card field is off at the bottom. On my laptop this means that the card logos have scrolled off the top of the screen when I am entering the card #.

There is also a bug in the basic forms processing of typical Web browsers. It is standard practice for a Web browser to trash the information the user entered when a form is submitted. That should be unacceptable. If I spend time filling out a form that data should be considered the most important information the browser has. It should be given the absolute top priority in maintaining the cache.

Better yet, how about a browser that remembers all the information that a user has entered into forms as the default? Clearly there are privacy issues, perhaps people don't want their spouses to know that they are visiting etc. But these are issues we need to manage anyway.

Saturday, June 23, 2007

BBC: Huge driving test scam uncovered

Some people seem to have made a business out of taking driving tests for others at 500 pounds a time. Some of the crooks have taken hundreds of tests for other people.

I am not generally a fan of biometrics. They work well only in controlled situations where it is not possible to substitute a gel fingerprint or a moistened picture of one, as the MythBusters did in a recent episode.

For this type of application they could work pretty well. The number of test centers is fairly limited and a driving license is a document that we might well want to tie to biometric authentication in any case.

Installing a reader at each test center would enable them to prevent any person from taking the test more than once without a significant risk of being caught. That would exclude both the professional crook and the person taking the test for a friend.

Friday, June 22, 2007

Bookmark: Computer Crime Research Center

A useful source of news. I will add it to my blogroll.

IE7 Magnification feature suckage

The IE7 magnification feature sucks.

In theory it would be great if the '125%' button did what you wanted it to - show the current page in the current window with all the text and images scaled to be 25% larger.

The problem is that the Microsoft folk goofed and made the canvas 25% bigger as well. What this means is that no matter what size your monitor is 50% will be outside the window and you will have to do a 2 dimensional pan and scroll to read the page. Try to resize the window so you can see the missing bits and IE7 will re-render the page so you can't.

What I want is to be able to override the style choices of idiot Web designers who think 7pt is a good size for a font without losing a quarter of the page off the edge of the window. When I hit the 125% magnification button the browser should render the current page with the text and images scaled up to 125% so that the result still fits inside the original window width.

In other words if the window width is 1000 pixels and I hit the magnify button the page should be re-rendered as if the window width was 800 pixels and then stretched to fit my wider window.

Rendering the page for a 1000 pixel window so that 250 pixels worth of data falls off the edge of the screen is not the way to do it.

Thursday, June 21, 2007

France bans BlackBerrys over fears of US intelligence snooping - Independent Online Edition > Europe

The report in the UK Independent that France has banned BlackBerrys over fears of US intelligence snooping is neither surprising, nor tinfoil hat wearing on the part of the French. Unfortunately it may well be something more: the real objection of the French intelligence services may well be that the RIM setup stops them from eavesdropping.

The intelligence war between France and the US has been real for some time. Both sides have openly touted intelligence operations designed to give their country a commercial advantage. In particular there has been no end of boasting over intercepts relating to deals involving arms and aircraft.

Some of this is arguably national security related. Who supplies arms to whom makes a big difference. If a country buys its weapons from the US they will be dependent on the US for purchase of spare parts. If they get them from France they will be more likely to toe the French line. Other activities are rather more questionable, particularly when they involve sales of civil aircraft.

Wednesday, June 20, 2007

Bobbleheads on the Bloomberg run

Discussion of Bloomberg's decision to quit the Republican Party is predictably dire: will it help or hurt Hillary or Rudy?

Nobody gives Bloomberg a serious chance of winning the Presidency. I think that this is a mistake, Bloomberg probably has at least as good a chance of winning as the official Republican nominee.

Historically a third party run tends to hurt the administration's party. This was certainly the case with the first Perot and Nader runs which cost Bush re-election and Gore the Presidency. Florida would not have been close if Nader had not run.

Republicans are trying to spin a Bloomberg run as bad for the Democrats. I don't think this claim holds water. The Democratic base is solidly behind the party first and foremost. Whether the ticket is Clinton/Obama or Obama/Clinton they will receive the full backing of the left and much of the center. The Nader experience is fresh in people's minds and the leftwing blogosphere will be solidly behind the candidate.

A third party candidate has an effect only if an election is extremely close (2000) or it exposes a fault line in one of the major parties. In this case Bloomberg is a Republican who has governed as a Republican and is offering solidly Republican policies on everything apart from social issues and (we presume) civil liberties and Iraq.

Unless the Republican nominee is Hagel or some other war opponent the Republican nominee will be yoked to the success or failure of the war in Iraq. Unless there is a sudden change in the popularity of the war that means that Bloomberg and the Republican nominee will be on opposite sides of two if not three of the major rifts within the conservative base: authoritarianism, social conservatism, Iraq.

Bloomberg's run makes it even more likely that the Republican nominee will not be Giuliani. Far more New Yorkers rate Bloomberg as a success than Rudy. Far more people who have worked with Bloomberg would be prepared to work with him again. McCain's campaign is all but extinct which means that the most likely nominees are Thompson or Romney.

Either way I think that it much more likely that Republicans are going to be prepared to make a protest vote than Democrats. Bloomberg will draw votes from both sides but more votes from Republicans than Democrats. For Republicans the election will be a vote on the future of the Republican party, will it continue to be the party of the 'religious right' and the Rovian wedge issue?

Tuesday, June 19, 2007

Report from the meeting of the New World Order

There seems to be some interest from Slashdot on the events at the Top Secret meeting of the New World Order today and yesterday, otherwise known as the W3C/WSRI Workshop on E-Government.

Since the agenda is online, together with the position papers, anyone who is interested in really finding out about the discussions can do so.

The short version: E-Government is good, Semantic Web is good, it would be good if E-Government used Semantic Web.

The slightly longer version is that it would be good if we did the above with some thought about security. We need to sign all this data that governments are putting onto the Web if we want people to trust it and in particular if they are going to build Web Services that depend on those data feeds.

For example, HMG publishes The London Gazette every day. The Gazette is important because it is the paper of official record. The Gazette carries notices of personal and corporate bankruptcies, promotions in the armed services, war dispatches and many other pieces of official information. It is the index to the rest of the information government puts out.

Today the Gazette is published without any security at all. Let us imagine that in the new Semantic Web version of the Gazette an insolvency notice is published in a machine readable form. So for example a Webbot can notice that Example Ltd. Reg 12345678 has gone bankrupt. This might then feed a credit reporting service, or a Web Services based transaction system, so that the company that has just manufactured 1,000 widgets and loaded them onto a truck which is on its way to Example Ltd. can call the driver and tell them to return the goods to the factory rather than deliver them to an insolvent customer who is not going to pay up.

This is exactly the type of service that we want to build on top of authoritative government information. Without security we are building ourselves into a serious problem.

Let us imagine that Example Inc. has not gone bankrupt and that Webbot Credit Services is downloading the Semantic Web version of the Gazette via the Web site. Mallet performs a DNS cache poisoning attack on the DNS server that Webbot Credit Services depends on (alternatively a BGP route injection attack might be used to the same effect). Mallet then provides Webbot Credit Services with a fake version of the site where Example Inc. is listed as being insolvent. The goods are not delivered on time, Example Inc. is unable to trade. The result is a denial of service attack that may cost Example Inc. a lot of time and money and cause it to lose business to a competitor.

We already have a serious problem with DDoS based Internet denial of service attacks from criminal gangs running extortion rackets. Let's not create a new set of Semantic Web DoS attacks.

The basic attack can be fixed with a simple SSL/TLS certificate at trivial cost: turn on SSL on the site and buy an SSL certificate from one of the competitive CA issuers. Note that this only works if the consumer actually checks the certificate chain and the host name; a Webbot that ignores certificate errors is no better off than one fetching over plain HTTP.

Since we are talking about Semantic Web though we should also look at the data level attack. Let us imagine that Webbot Inc. is corrupt and is in fact under the control of Mallet. Information consumers who rely on Webbot Inc. need to know the provenance of the data. This is exactly what the assertion structure of SAML 1.0 was designed to do: every RDF statement should either be wrapped in SAML or contain a SAML authenticator as a tag.
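The data-level check described above, as an added example that is not part of the original post and not the Gazette's or any Webbot's actual code. It uses a detached Ed25519 signature over a JSON notice where the post names SAML assertions; the notice fields, the company names and registration numbers, and the publisher's key pair are constructed for the illustration, and distribution of the publisher's public key to consumers is assumed. The point it shows is that once each notice carries the publisher's signature, the consumer's acceptance decision no longer depends on which server the bytes came from: Mallet's tampered copy and Mallet's self-signed forgery are both rejected even if DNS or BGP delivered them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Notice is one machine-readable Gazette entry. The field set is a constructed
// illustration, not the Gazette's real schema.
type Notice struct {
	Company string `json:"company"`
	RegNo   string `json:"reg_no"`
	Event   string `json:"event"`
	Date    string `json:"date"`
}

// SignedNotice is a notice plus the publisher's signature over its canonical bytes.
type SignedNotice struct {
	Notice    Notice `json:"notice"`
	Signature []byte `json:"sig"`
}

// canonical returns the exact bytes the signature covers. encoding/json writes struct
// fields in declaration order, so publisher and consumer derive identical bytes.
func canonical(n Notice) ([]byte, error) { return json.Marshal(n) }

// Sign is the publisher's side: each notice is signed with the publisher's private key.
func Sign(priv ed25519.PrivateKey, n Notice) (SignedNotice, error) {
	msg, err := canonical(n)
	if err != nil {
		return SignedNotice{}, err
	}
	return SignedNotice{Notice: n, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the consumer's side. Any change to the notice, or a signature made with
// a key other than the publisher's, fails here no matter which server served the bytes.
func Verify(pub ed25519.PublicKey, sn SignedNotice) error {
	msg, err := canonical(sn.Notice)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sn.Signature) {
		return errors.New("bad signature: notice is not from the publisher")
	}
	return nil
}

// Consume is what Webbot Credit Services should do with a feed: act only on
// notices that verify, and count the rest as rejected.
func Consume(pub ed25519.PublicKey, feed []SignedNotice) (accepted []Notice, rejected int) {
	for _, sn := range feed {
		if err := Verify(pub, sn); err != nil {
			rejected++
			continue
		}
		accepted = append(accepted, sn.Notice)
	}
	return accepted, rejected
}

// Demo replays the attack from the text: one genuine notice, then a feed served by
// Mallet containing a tampered copy of it and a forgery signed with Mallet's own key.
// It returns the number of accepted and rejected notices.
func Demo() (int, int, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair (constructed)
	if err != nil {
		return 0, 0, err
	}
	_, malletPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's key pair (constructed)
	if err != nil {
		return 0, 0, err
	}
	genuine, err := Sign(priv, Notice{Company: "Example Ltd", RegNo: "12345678",
		Event: "winding-up order", Date: "2007-06-19"})
	if err != nil {
		return 0, 0, err
	}
	tampered := genuine // Mallet edits the company name but cannot re-sign it
	tampered.Notice.Company = "Example Inc"
	forged, err := Sign(malletPriv, Notice{Company: "Example Inc", RegNo: "87654321",
		Event: "winding-up order", Date: "2007-06-19"}) // Mallet's fabrication
	if err != nil {
		return 0, 0, err
	}
	ok, bad := Consume(pub, []SignedNotice{genuine, tampered, forged})
	return len(ok), bad, nil
}

func main() {
	a, r, err := Demo()
	fmt.Println("accepted:", a, "rejected:", r, "err:", err)
}
```

The signature covers a canonical serialization rather than the bytes as received, which is the same requirement XML Signature imposes on SAML assertions: if publisher and consumer do not agree on the exact bytes, valid notices fail to verify. Note also what this does not do: a signature proves who published the notice, not that the publisher's feed is complete, so a Mallet who simply withholds a genuine notice is not caught by it.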

We have a choice here, either we can build the Semantic Web securely or we can do what we did with the Internet and the Web and build it insecurely despite knowing how to do it right, then wait till the crime problem is epidemic before we go about fixing it.

Last time I was somewhat more passive than I should have been in that debate. This time I am going to be very loud.

Blogging from the New World Order

Just to let you all know that I am currently at the meeting of the New World Order currently being held in Washington D.C. and from which members of the press are expressly excluded.

The assumption underlying the C-Net piece is that allowing media access is the same thing as allowing public access. Certainly this is the traditional assumption but one that the Web expressly rejects. Being told what to think by C-Net or the New York Times is no better than being told what to think by politicians. Having journalists select the 'facts' to present and put their own 'interpretations' on them is not the same thing as transparency.

In this particular case the journalist who was excluded has a particular history of manipulating the story to his own advantage, he admits to being the author of the 'Gore invented Internet smear', a deliberate fabrication that has been exposed numerous times but the establishment media continues to repeat.

What we are actually discussing here is ways in which governments can make information available to the people directly through technologies such as Semantic Web. Security has a place of course, but I was actually speaking on the history of Web politics and my own role setting up the first political site on the Web.

Dome of a Home

I saw the HGTV presentation on the Dome Home built out in Pensacola, Florida.

From a bespoke engineering perspective it's amazing, a sphere has much more intrinsic strength than a traditional home. The building is built by inflating a large bladder and spraying first foam insulation and then concrete onto it. The concrete is reinforced with rebar that is laid between shooting the foam and the concrete.

From a production engineering point of view the design has tremendous strengths and major disadvantages. The plus side is that raising the bladder and shooting the concrete can all be automated. Building the house frame can potentially become an entirely automatic process.

The down side is that cost savings on raising the structure are likely more than offset by the additional costs of finishing the inside. The curved space means that all furniture resting against the outside walls is going to have to be custom work.

One application that comes to mind would be for monumental public buildings. The building for the Web Science Institute for example, what better than a Sphere?

Monday, June 18, 2007

Things never to say

Never introduce a speaker with the words 'and who better to speak on this than..'

Regardless of who you are introducing, someone you are listening to will immediately think of five people, plus himself, that he thinks would have been better.

Sunday, June 17, 2007

Curmudgeon time

OK so annoyances of the day time.

Microsoft Word: Why on earth did someone think that changing the formatting of the next paragraph was 'smart cut and paste'? I select some text at the end of a section and it automatically extends the selection to the end of the paragraph including the end of paragraph marker. Then when I hit delete it removes the whole lot - end of paragraph marker included. This results in the next section heading being demoted to body text and attached to the end of the paragraph. So then I have to undo the edit.

Worse still this idiocy is not something you can turn off. It is assumed that it is soooo good that nobody would ever think that the computer had a better idea of what should be selected than the actual user.

Microsoft Messenger: A newer version is available. So what? Why do you have to tell me more than once? The only thing you are reminding me to do here is to uninstall MSN Messenger next time I log in as administrator. Two pestering messages within 15 minutes. No, just got a third while I was writing.

Brother Laser Printer: And for that matter every other printer I have used. Why do you give an irritating beep when I take out the paper tray? I know that the paper tray has been removed. Why did the cretin of a designer think they needed to tell me that?

WiFi: Why is it that every WiFi router is shoddily made? Linksys, Netgear, Belkin, I have had them all and they all start going flaky after about six months. In particular the WiFi daemon will crash and not restart. It isn't hard to build good appliances, but these systems are built like servers, designed to be tended by an operator.

There is no excuse for an appliance not noticing that a critical part of its function has failed and restarting it.

Friday, June 15, 2007

iTunes pt 3


Ripping the Hallam-Baker CD collection is almost complete, a grand total of around 20 GB. At this point I realize that maybe I should have used the Apple Lossless codec instead of AAC. The original point was to load up the large iPod with everything and play that through the HiFi. Now I am starting to look at a more 'whole house' solution which would be easier with MP3.

I suspect that the actual quality loss will be negligible but the situation still offends the principle that no end user effort should ever be wasted or lost. I only discovered the lossless codec after ripping was almost complete.

Now one way to look at the situation is that I should have known better, but the whole point here was to look at the technology from the point of view of the typical user who does not have a degree in Nuclear Physics. Reading the manual would ruin the point.

The other major issue I am having is managing my collection on the different machines in different parts of the house. I can copy the files across without any trouble, but all the playlist information is lost. All the albums that iTunes has cut up for no particular reason have to be reassembled.

If this was a Google program the catalog at least would be managed through the network and automatically synchronize itself.

This lack of synchronization is a recurring theme, the telephone system has the same issue: every handset maintains a separate address book as if the people I call from the bedroom are different from the ones I call from the office, library, kitchen or living room.

Got to level 3 on LinkedIn

Today I got to 100 contacts on LinkedIn. Apparently this means I am now at level 3 and get my +5 amulet of linkedness.

Seriously, is there any real point to LinkedIn or is it just a video game that folk can play during business hours without feeling guilty?

Thursday, June 14, 2007


"Microsoft Bob Users Group" - Google Search: "Your search - 'Microsoft Bob Users Group' - did not match any documents."

There really should be one.

The Paris Soap Opera Continues

Kevin Drum blogs the latest in the Paris saga. Turns out that yes, she is receiving special treatment, i.e. harsher than the average.

So why no appeal? One possibility is that her lawyers don't think that they can get her released before the hearing so the result will be moot. But it now seems likely that her script writers have decided she has found God.

So what next? Perhaps she could intern with Angelina Jolie for a few months. Visit impoverished parts of Africa and so on.

Wednesday, June 13, 2007


Digby has a point.

But the real heat that Bush would face if he were to pardon Scooter early is that the Democrats would stick him in front of Congress and ask him the type of questions he lied about in the first place.

Staying in Iraq

Kevin Drum thinks that the only thing left to do in Iraq is to withdraw immediately and that candidates should be saying this.

While opinion poll after opinion poll tells us that the country thinks that Bush should leave immediately, I don't think we can be certain that they will say the same thing under the next President.

Today we have a President that refuses to acknowledge that he intentionally misled the country when he made the case for war, that Iraq is now in a state of civil war and that most of the Iraqis would have the US leave. It is abundantly clear that the real goals that the Bush administration is pursuing in Iraq require a permanent occupation.

Faced with monumental deception from the administration, withdrawal at the earliest opportunity is by far the best option.

A new administration, particularly an administration that is not led by the war party, will not start from the same position. In particular an administration that makes it clear that it is not attempting to establish permanent military bases in the region, control Iraq's oil, start a war with Iran or pursue any other objective of the neocons will be vastly less objectionable to all sides in the conflict.

I don't think that the US people will demand an immediate withdrawal of all the troops by a new administration as suggested, provided that the administration is believed to be sincere in its efforts to end the occupation.

Tuesday, June 12, 2007

Not only that, it's hideous...

Monday, June 11, 2007

The end of CAPTCHA? - hardly

The NYT has an article predicting the end of CAPTCHAs, or rather their replacement with a new type of test.

I don't think we have seen the end of the CAPTCHA. Like passwords they are easy to implement and have a high ratio of perceived security to cost. Designers like to sprinkle them liberally onto their Web sites as 'magical anti-bot pixie-dust'.

The problem with CAPTCHAs and their replacements is that the problems chosen are hard for computers to solve because until recently there was no incentive to solve them. Back in 2000 there was nobody who was spending their time trying to OCR text that had been deliberately obfuscated with lines, distortion, etc. Today there are plenty of folk in Eastern Europe and Russia who have become experts at it.

Asking folk to pick out all the cats from a mixture of cats and dogs may appear hard today, but wait a couple of weeks after deployment and see if it is still so hard.

And there is also the systems attack. Methinks that Microsoft do not have a very large catalog of photographs to show to users, maybe a thousand, maybe a hundred thousand. The attackers don't need to build a machine to sort the pictures out, they can have people do that for them. They can use the man-in-the-middle porn site attack or just pay folk to do it for them. All they need to do once the pictures are sorted is to undo whatever obfuscation is in place to prevent simple matching of the photographs.

Bruce Schneier often remarks that anyone can design an encryption scheme that they cannot break themselves. In the area of CAPTCHAs I can't do that. I can break every scheme I have seen and I can break every scheme I can think of.

Update: Welcome TPM visitors. Following Josh's link it turns out that the database of pet pictures has two million entries. More significant though is the rate of addition - 10,000 a day. This is an order of magnitude higher than my original guess, but I don't think it invalidates the suggested lines of attack.

The hard part is cataloging the original database - ten man years worth of effort. That is certainly going to cost more than the $5,000 the Kiev gang would charge for breaking a text CAPTCHA. Unfortunately certain organized crime rings have repeatedly demonstrated that they have the necessary level of resources to simply pay people to break the problems by brute force.

Once the main catalog is sorted it is quite easy to keep up as it turns out that Asirra has a 'tell'. If you have 90% of the catalog archived and the images are selected randomly the chances are that you will only be presented with one unknown image per test. Since Asirra requires the subject to be 100% correct a cataloging bot can tell whether the unknown image was a dog or a cat by whether it passed the test or not. A simple way to fix this tell would be to weaken the match criteria so that 9 out of 10 correct answers was sufficient, but this opens up the door to other attacks.

The other weakness I see in the approach is asking image recognition experts to estimate the difficulty of differentiating pictures of cats from pictures of dogs. It isn't the right test. The hidden assumption here is that the best attack is going to solve the problem the way a human would. That's not the way internet criminals think. Ants solve similar problems every day with 100,000 total neurons.

Update 2: it appears that the code as implemented, as opposed to the documentation, allows one wrong answer out of 12. Turns out that it does not defeat the automatic cataloging attack described earlier as I had assumed. In order to use the automatic cataloging trick the attacker would have to present ten correct tries, and one deliberately wrong try together with the unknown picture.
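The cataloging 'tell' from the first update, and the variant from Update 2 that spends the one allowed wrong answer on a known image, as an added simulation that is not Asirra's code and not part of the original post. The server model (a two-class catalog, challenges of 12 images drawn at random, grading that tolerates 0 or 1 wrong answers) and the attacker's 90% starting coverage are assumptions taken from the text; catalog size and random seed are constructed. What it shows is that pass/fail is an oracle: whenever exactly one image in a challenge is unknown, the attacker answers the rest from its catalog, burns the server's tolerance deliberately, and learns the unknown image's label with certainty from whether the test passed.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Label is the ground truth for one catalog image; Asirra has only two classes.
type Label uint8

const (
	Cat Label = iota
	Dog
)

func flip(l Label) Label {
	if l == Cat {
		return Dog
	}
	return Cat
}

// Server models the CAPTCHA service: it owns the full catalog and grades answers.
// tolerance is the number of wrong answers a submission may contain and still pass
// (0 for the documented all-or-nothing rule, 1 for the code as deployed per Update 2).
type Server struct {
	truth     []Label
	size      int
	tolerance int
	rng       *rand.Rand
}

// NewChallenge picks size distinct image IDs from the catalog.
func (s *Server) NewChallenge() []int { return s.rng.Perm(len(s.truth))[:s.size] }

// Grade returns true when at most tolerance answers are wrong.
func (s *Server) Grade(ids []int, answers []Label) bool {
	wrong := 0
	for i, id := range ids {
		if answers[i] != s.truth[id] {
			wrong++
		}
	}
	return wrong <= s.tolerance
}

// Attacker holds a partial catalog and extends it by using pass/fail as an oracle.
type Attacker struct {
	known map[int]Label
	rng   *rand.Rand
}

// Solve answers one challenge. With exactly one unknown image it deliberately spends
// the server's tolerance on images it knows, so the unknown image alone decides the
// outcome, and records the label learned. Returns pass/fail and the learned ID (or -1).
// Assumes tolerance < size-1 so there are enough known images to burn.
func (a *Attacker) Solve(s *Server, ids []int) (bool, int) {
	answers := make([]Label, len(ids))
	var unknown []int
	for i, id := range ids {
		if l, ok := a.known[id]; ok {
			answers[i] = l
		} else {
			unknown = append(unknown, i)
		}
	}
	if len(unknown) != 1 { // no clean oracle: guess and take the result as it comes
		for _, i := range unknown {
			answers[i] = Label(a.rng.Intn(2))
		}
		return s.Grade(ids, answers), -1
	}
	u := unknown[0]
	answers[u] = Cat // the guess under test
	for i, flipped := 0, 0; i < len(ids) && flipped < s.tolerance; i++ {
		if i != u {
			answers[i] = flip(answers[i]) // a deliberately wrong answer on a known image
			flipped++
		}
	}
	passed := s.Grade(ids, answers) // passes iff the guess for the unknown image was right
	if passed {
		a.known[ids[u]] = Cat
	} else {
		a.known[ids[u]] = Dog
	}
	return passed, ids[u]
}

// Simulate runs rounds challenges over a catalog of catalogSize images of which the
// attacker initially knows the fraction coverage. It returns how many labels the
// attacker learned through the oracle and how many of those were wrong.
func Simulate(seed int64, catalogSize int, coverage float64, size, tolerance, rounds int) (learned, wrong int) {
	rng := rand.New(rand.NewSource(seed))
	s := &Server{truth: make([]Label, catalogSize), size: size, tolerance: tolerance, rng: rng}
	a := &Attacker{known: map[int]Label{}, rng: rng}
	for i := range s.truth {
		s.truth[i] = Label(rng.Intn(2))
		if rng.Float64() < coverage {
			a.known[i] = s.truth[i]
		}
	}
	for r := 0; r < rounds; r++ {
		if _, id := a.Solve(s, s.NewChallenge()); id >= 0 {
			learned++
			if a.known[id] != s.truth[id] {
				wrong++
			}
		}
	}
	return learned, wrong
}

func main() {
	for _, tol := range []int{0, 1} {
		l, w := Simulate(1, 1000, 0.9, 12, tol, 500)
		fmt.Printf("tolerance=%d: learned %d labels, %d wrong\n", tol, l, w)
	}
}
```

The trade-off for the attacker in the tolerant case is visible in the code: burning the allowance on a known image makes the round a coin flip to pass, whereas answering honestly and leaving the unknown as the one permitted error would pass every time but learn nothing. An attacker interleaves the two according to whether it needs solved tests or catalog growth at that moment.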

Friday, June 08, 2007

More iTunes suckage

Pt. 1

Some folk have been asking me why pick on iTunes when there are so many worse efforts out there. So far iTunes has only crashed on me a couple of times which is much better than the first Internet jukebox software I used. And iTunes at least looks like a music jukebox, not a flying saucer or the like.

The reason is that I am trying to work out what makes a good user interface and what makes a bad one. And it is much better to start from something that is already good and see what could be improved there rather than something that is so bad that anything would be an improvement.

The weaknesses of iTunes become more apparent as more discs are added to the library. In particular management of playlists. An album or track is added to a playlist through a drag and drop interface. Removal uses a different, inconsistent metaphor.

Again the problem is visibility. A logical way to manage playlists would be to allow the user to open the master catalogue and the playlist side by side and drag and drop from one to the other.

Another recurring problem is abstraction. iTunes always wants to work at the level of the track. It does not really have an 'album' structure. Tracks that have identical album names are considered to be part of the same album. Actually this is not quite true, iTunes has an irritating habit of breaking apart albums where individual tracks have different artists specified. This is a failure of the conceptual modelling. Clearly it makes sense to treat tracks as 'atoms' but albums and playlists are both really the same thing - an ordered assembly of tracks.

I should be able to create a playlist and give it an identifying image in exactly the same way as an album. I should also be able to use Google like tools to sort and search my tracks in sensible ways. Smart playlists may be the way to go, but the interface does not have an entry for keywords and adding them track by track is clunky in the extreme.

Another irritation is the way the interface skips around without input from the user. If I have just found my place in the catalog I do not want it to suddenly jump away to a completely different place because the next track is playing. Did nobody do any usability testing here? Isn't it obvious that this is a problem?

I suspect the reason for this is that Apple only tested the 'playback' functions of iTunes, not the ripping process.

The Hilton soap opera

I don't think that the Judge is thinking too clearly here. Let us imagine for a moment that he does order Paris back to jail. Her lawyers will immediately appeal and request release on bond pending appeal. If the court refuses they will take it to the appeals court where the legal issues are sufficiently complicated for them to almost certainly get the lower court ruling suspended. By the time the issue actually came to trial Paris would have served the full sentence and the issue would be moot.

There is a separation of powers issue here. The court is not the executive. Paris would not have received a prison sentence for a probation violation if she wasn't a celebrity. The jail is overcrowded and regularly releases prisoners early in this way.

The Sheriff ultimately answers to the Governor of the state, he is not an agent of the court. The court can hardly expect the Sheriff to take himself into custody.

Thursday, June 07, 2007

Gizmo score sheet

More and more I am finding that what I really want to know about an electronic gizmo isn't something the reviewers care about.

Take flat panel LCD monitors for example. When I bought a Viewsonic monitor six years ago I was somewhat annoyed to find that it came with a separate outboard power supply. Pretty lame for a device that cost almost $3K at the time. After a bit of investigation I discovered that Viewsonic still make monitors with power bricks today so I bought an HP.

Worse than the power brick is the cursed plug adaptor which is pretty much guaranteed to come with any type of network gear, particularly the type that covers the slots either side of it on a power strip.

Worst of all is the plug adaptor that plugs into the device by a proprietary socket ensuring that if the adaptor should ever fail the device is useless. I have five Motorola power adaptors for the house and three for the car and none of them work with the only Motorola phone left in the house that still works.

Unless a device is going to be actually worn there is no reason the power adaptor cannot be built into the device itself. Alternatively the gizmo makers should get together, agree on a standard connector for low volt power and let the likes of Belkin sell a power strip with a built in DC converter to power five or six DC devices.

What I am working towards here is a sort of score sheet. A device starts with 100 points and loses points for every annoyance. So an external power brick would cost ten points, a socket hogging power plug twenty points and every proprietary connector on the device an extra fifteen points.

While we are at it, unnecessary LEDs, particularly the type that blink, are becoming an annoyance. I don't much mind them in my office, I do mind them in a room I am sleeping in. The lights on the Palm Treo and Plantronics headset are particularly annoying because they flash briefly about once a second. The Treo light is particularly stupid as it continues to flash regardless of the state of the phone, it even continues to flash after a hard crash (which happens about once a day). So minus five for LEDs that can't be turned off and minus ten if they flash slowly.

Another dimension that gets less mention than it should is noise. The VooDoo has water cooling but it is still an amazingly noisy beast.

Interview with a Phisher web application security lab - Archive » Phishing Social Networking Sites

Poisoned pet food

Having lived through the UK BSE-in-beef scare, which essentially destroyed a large part of UK agriculture within a couple of years, I find the reaction from regulators to the poisoned pet food scandal incomprehensible.

If a company sells a billion dollars of pet food a year its brand is on the line with every tin that leaves the production line.

In the BSE episode the Tories made every effort to avoid enforcing regulations that would put costs on farmers. At every turn they tried to explain the problem as irrelevant, minor. Ministers made categorical statements about the safety of the beef that were clearly false because it was obvious that nobody knew whether the beef was safe or not.

When attempts to avoid regulation failed the new policy was essentially to shoot every cow in the country.

It does not take a great deal to learn from recent history. Why are politicians so incapable of doing so?

Tuesday, June 05, 2007

Alienware: Hangar18

I have been blogging on the collision between the computer industry and the consumer electronics industry for some time. Alienware's Hangar18 represents one of the most serious shots in that battle to date. There are plenty of premium media PCs on the market, and these days plenty that come in an appropriate form factor. This one is different, it has the receiver/amplifier built in.

Not sure that they have hit a home run, however; it looks to me as if they are more than a little light on connectivity. I don't see where I plug in my HDDVD, BluRay or DVD players. Where is the slot for XM or Sirius? And when will one of these devices come that is satellite TV capable?

How iTunes sucks

iTunes is not that bad as a music player but there are features that are distinctly substandard.

In particular the Windows version makes no attempt to provide Windows look and feel. Mac people whine incessantly about the lack of Mac look and feel on programs targeted at their platform; Apple should take the same pains when supporting Windows that they expect others to take for the Mac.

The Apple-style chrome looks distinctly ugly under Aero. More significantly the tab for setting preferences is under 'Edit' on the far left rather than 'Settings' on the right. Until I managed to find preferences my list of complaints was rather longer.

The other principal gripe I have is that iTunes thinks in terms of tracks, not albums. In most cases this does not matter, but whenever a disk has tracks with multiple artists they end up fragmented in the display.

Another aspect of this problem is that none of the browser interfaces gives me a grid of album covers to choose from. Dealing at the track level may have made sense when 1Gb was a large collection; I have 10Gb and I am not done ripping yet. None of the current displays will show more than about five albums at a time. That is not a good use of my 4 million pixels of screen real estate.

Don't give me a shitty 'coverflow' whizbang display, not unless you have the basics done first. The coverflow display shows me fewer covers at a time, not more: 4 million pixels and I get to see 6 covers, only one front on. My monitor can easily show 200 cover icons at once, use that capability.

One of the main uses for such a view would be to fill in the missing covers after a ripping session.

Another thing I would like is a better way to handle the occasional rip that ends up damaged for some reason, perhaps the disk is dirty or scratched. I don't want to have to deal with these by checking each one after the fact, just keep track of the number of errors and let me search for disks with problems after doing a batch rip.

Idiots in action

CNN demonstrates how America has become the land of the lawsuit.

High school principals seem to be particularly prone to this type of autocratic idiocy. They spend their time dealing unfairly with children who can't complain, then they deal with the parents in the same way.

Tends not to be the sort of thing that happens to white middle class folk like myself who clearly have the means to impose an expensive lawsuit on the school if they can't get their way by complaining to the state representative, mayor etc.

The ACLU may not see a free speech issue, but there are plenty of claims that can be made, in particular defamation.

Monday, June 04, 2007

Slashdot | GPLv2 Vs. GPLv3

Stallman is touting the purpose of the GPL 3.0 changes as being to prevent the 'Tivoization' of software, to ensure that people have the ability to change code on appliances they buy.

Freedom to tinker is a justifiable goal, the problem is that the GPL3.0 changes go much further, in particular they prohibit the implementation of any form of trustworthy computing controls.

This is at best short sighted. Freedom to tinker means that I get to tinker with my machines, not the authors of spyware, keyboard loggers and other malware. Freedom to tinker does not mean freedom to bypass copyright protection controls.

We need to take a deeper look at how the technology works here to understand that the issue is not the ability to run code, it is the ability to access particular decryption keys. All trustworthy computing does is provide a hardware subsystem that gates access to particular pieces of information to code running in a particular operating system partition that has software protections to control the executables that can run.

What the open source community should be asking for is not what Stallman is demanding: a complete prohibition on trustworthy computing technologies. That demand has far more to do with Stallman's own peculiar political views.

Instead the open source community should demand that open source systems allow other code to be run, albeit not necessarily have access to the encryption keys. So someone could take the Tivo code, recompile it, add features and run it on the Tivo box. But the modified code would not then be able to access the keys used to control access to protected content.
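The gating the post describes, as an added toy model (not TiVo's code or any real TPM's API; the firmware images, root key and content key are all constructed): both the stock and the modified image run, but only the image whose measurement matches the sealing policy gets the content key back.

```python
import hashlib
import hmac
from typing import Optional
# Added toy model of the gating described in the post: a hardware subsystem
# releases a sealed secret only to code whose measurement matches the policy it
# was sealed under. Not TiVo's code or a real TPM API; images and keys are constructed.

def measure(image: bytes) -> bytes:
    """Measurement of a code image (here: SHA-256 of the image bytes)."""
    return hashlib.sha256(image).digest()

class TrustedSubsystem:
    def __init__(self) -> None:
        # Device-unique root key; in real hardware it never leaves the chip.
        self._root = hashlib.sha256(b"constructed device root key").digest()
        self._booted: Optional[bytes] = None

    def boot(self, image: bytes) -> None:
        """Any image may run; the subsystem only records what is running."""
        self._booted = measure(image)

    def _keystream(self, measurement: bytes) -> bytes:
        # Derived from the root key and the policy measurement, so a blob sealed
        # to one measurement cannot be opened under another.
        return hmac.new(self._root, measurement, hashlib.sha256).digest()

    def seal(self, secret: bytes, measurement: bytes) -> tuple:
        assert len(secret) <= 32, "toy keystream is a single SHA-256 output"
        ks = self._keystream(measurement)
        return measurement, bytes(s ^ k for s, k in zip(secret, ks))

    def unseal(self, blob: tuple) -> Optional[bytes]:
        """Release the secret only if the running code matches the policy."""
        measurement, ciphertext = blob
        if self._booted != measurement:
            return None
        ks = self._keystream(measurement)
        return bytes(c ^ k for c, k in zip(ciphertext, ks))

CONTENT_KEY = b"constructed 24-byte key!"  # constructed sample secret

def run_scenario():
    """Stock firmware gets the key; a recompiled, modified image runs but does not."""
    stock = b"appliance firmware v1 (constructed image)"
    modified = b"appliance firmware v1 + user patch (constructed image)"
    hw = TrustedSubsystem()
    blob = hw.seal(CONTENT_KEY, measure(stock))
    hw.boot(stock)
    stock_result = hw.unseal(blob)
    hw.boot(modified)  # the modified image runs fine; the freedom to tinker holds
    modified_result = hw.unseal(blob)  # but the sealed key is not released
    return stock_result, modified_result
```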

Slashdot Insurance

I can't read the Slashdot story New Fuel Cell Twice As Efficient As Generators. It's been Slashdotted.

Which is a pity because in the scope of things the bandwidth required to support a Slashdotting is a significant but temporary quantity that most ISPs or hosting providers can easily withstand, particularly if the site is running on a virtual host.

Golfers used to buy 'hole in one' insurance to pay for the cost of buying a round of drinks should they score one. We need the same for Slashdot. Hosting companies would simply add a 'Slashdot' box to their order form and for a few cents more the blogger could ensure that they can continue to be seen in the case of a sudden (temporary) increase in popularity.

What Larry Flynt is looking for

Larry Flynt has put out another of his million dollar offers for evidence of sexual scandal in Washington D.C.

Reports in the Establishment media suggest that Flynt is on a simple fishing expedition. It seems more likely that his objective is to join the dots between the Washington DC madam scandal and the Abramoff/Wilkes/GOP corruption scandal.

In particular it has been alleged in a number of indictments in the Cunningham/Wilkes corruption scandal that Wilkes and Wade entertained senior members of Congress in the WaterGate hotel at parties where poker, alcohol and prostitutes were provided.

Quite a few people have wondered if there is a link here to the ongoing Palfrey 'D.C. Madam' case. Did she provide the prostitutes? It appears that prosecutors might think so.

Of course the total lack of interest in this particular story by the Establishment media raises questions itself. The allegations are made in federal court indictments in cases that have already led to Congressman Cunningham going to jail for taking $2.5 million in bribes. Instead we are told about how much Democratic candidates have spent on haircuts.

Saturday, June 02, 2007

How terrorists can bypass immigration

As at many Canadian airports, it is now possible to pass through US immigration in Dublin when flying to the States. But unlike the Canadian scheme the Irish one does not cover customs.

This leads to a major security problem on arrival in Chicago. The airport is built for only two types of arrival: domestic and international. There is no third category for passengers who have passed immigration but not customs.

So when passengers from Ireland arrive at Chicago they mix with the other passengers who have not passed through immigration and then present their stamped customs declaration form to bypass the queues at immigration.

The customs form has no binding to the passenger presenting it. So all it takes to bypass immigration is to arrange to fly to Chicago on an international flight which is scheduled to arrive before a flight from Ireland, hang out in the rest rooms until the Irish flight is in, then present a customs form with a fake stamp to bypass the immigration desk. Alternatively put a passenger with a US passport on the flight from Ireland, on arrival in Chicago they pass their customs form to the terrorist and then pass through immigration as normal.

It would probably cost something to refit Chicago and other airports to handle this situation securely. But the costs are small compared to the $22 billion or so that RealID is going to cost.

Dan Froomkin - 50 More Years in Iraq? -

By comparing Iraq to Korea, Bush has effectively admitted that the situation is a stalemate and neither side can expect victory.

As far as the US polity is concerned anything short of victory is a defeat.

The statement has effectively made McCain, Romney and Giuliani unelectable. Even the likes of Rush Limbaugh are not going to argue for fifty more years of war in Iraq.