The weekly newsletter for Fed2 by ibgames

EARTHDATE: August 10, 2008

Official News page 11


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

It's pretty quiet here in London. Most of the locals are away on holiday, credit crunch notwithstanding, and the tourists are OK, except for their habit of stopping suddenly to take pictures. Fortunately they aren't taking pictures of me, so I won't be appearing on YouTube anytime soon. I'm sorry to disappoint my myriad fans out there.

In the absence of anything happening locally, I was entertained by the sight of Russian tanks rumbling into the outskirts of Savannah, Georgia, USA. At least that's where they were according to Google Maps. Actually they were in the South Ossetia province of the former Russian country of Georgia. You know, these days, Google Maps has about the same level of accuracy as Wikipedia's entries on Celtic druids...

There was quite a lot of material this week. Most of it was gloomy, but as usual I've managed to find ways to trivialise it so I can get cheap laughs to cheer you all up!


Round Up: Insecurity

We start with the revelation that the alleged 'ring leader' of the hacking ring that broke into TJX's network and made off with over 45 million sets of credit card details was, in fact, a US Secret Service informer. While passing trivial material to the Secret Service, Albert Gonzalez of Miami was 'masterminding' the biggest reported data heist ever. I say 'masterminding' in quotes because breaking the trivial level of security at TJX wasn't exactly difficult. I wonder what other similar heists they pulled that we've not been told about yet?

Over in Holland, the Dutch police have collared a pair of brothers suspected of running a botnet controlling between 40 and 100 thousand computers. When arrested, the pair had just rented out their botnet for 25,000 euros (about US$38,000) to a Brazilian based near Rio de Janeiro, who was also arrested. Once the extradition proceedings are complete, I guess they will all be appearing in a court in the US.

I note that the level of spam I'm receiving hasn't gone down as a result...

Back in the U S of A, an employee of Countrywide Home Financial, one of the world's biggest mortgage lenders, has been arrested for stealing customer profiles. He downloaded about 20,000 customer profiles (including names and social security numbers) virtually every week for several years, and sold each batch for about US$500. All told, he netted a cool US$70,000. One has to ask why it took two years for his employers to notice.

On a smaller scale, but just as important, I spotted a report that the State of Ohio is suing the former Diebold Election Systems for flogging them touch screen voting machines that can't count. This system is being used nationwide, and, hopefully, this action will serve as a wake-up call to those election officials who have a blind faith in the integrity of computer-driven voting equipment. Few things are as corrosive towards democracy as the realisation that your vote may have been given to a candidate you didn't vote for.

On an even smaller scale, Yahoo, which reported a massive level of support for its board after they screwed up the takeover discussions with Microsoft, is quietly revising the voting figures for board elections. The recount won't change the outcome, but the unanswered question is how could a snafu like that happen - at least 100 million shares were inaccurately counted - in a high visibility contest like this.

In a piece of late breaking news, a Federal Court judge gagged several MIT students by ruling that they shouldn't present their academic research on vulnerabilities in Boston's transit ticket system at the DEFCON security conference. This is yet another example of the inability of some (but to be fair, not all) judges to see past the boundaries of their own bailiwicks.

The vulnerabilities involved are well known security problems with the RFID chips and magnetic stripes. I've covered them in the past, and only a couple of weeks ago a judge in Europe stamped on an attempt by the chip manufacturer to stop researchers reporting their findings to a conference. The cat is already out of the bag, the horse has left the stable, the bird has flown (add your own animal metaphor here [........................] ).

And to round off the round up, so to speak, let me tell you about an incident at the Black Hat hackers convention. It seems that a couple of French journalists got caught hacking into the press room network. By tradition it's the one network that's off limits to the hackers, and so the journalists involved were unceremoniously booted out of the convention!

If this little lot has whetted your appetite for more doom and gloom, then have a look at the 'Homework' section for more material on security.

http://www.theregister.co.uk/2008/08/06/retail_hacking_ring_analysis/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111670&source=NLT_PM&nlid=8

http://www.physorg.com/news137165100.html
http://www.theregister.co.uk/2008/08/04/dutch_botnet_herders_arrested/
http://www.theregister.co.uk/2008/08/04/countrywide_data_heist/
http://www.dispatchpolitics.com/live/content/local_news/stories/2008/08/07/copy/state_sues.ART_ART_08-07-08_A1_OLAV6VF.html?adsec=politics&sid=101

http://www.physorg.com/news137169149.html
http://lwn.net/Articles/293457/
http://www.physorg.com/news137392928.html


Shorts:

Those of you with long memories will recall that last week I wrote a piece about Blizzard trying to stop the authors of MMO Glider from making it open source. Reader Mark F, an experienced WoW player, wrote in with his take on the issue. I don't have space for all he wrote, but here are a couple of excerpts, which, hopefully, don't distort his position:

"...The problem is the gold farmers from unspecified Asian countries (ok china) that use the bot to continuously farm mobs for loot and gold, they sell the loot on the auction house at outrageous prices, and sell the gold to people, who then buy the overpriced auction house items further crippling the economics of the game. Oftentimes they camp in spots where quest mobs spawn which further adds to the frustration. It's not so much of going after open source either. If it did become open source it would just make it that much harder to try to keep a fragile economy in check. Sure I am positive they could implement some coding into the game to help balance the economy or change it some way that would make gold buying obsolete (to a degree they have by offering daily quests that you can do every day for easy gold), but then again they already have a system in place to stop the bots. So I guess it's just easier that way...

...I also agree that I don't like their "sentry" software sniffing through my processes, but I understand why it does it, so I can't run a bot..."

[Taken from an e-mail sent on 7 August 2008]

While we are on the subject of memory, remember how the band Radiohead allowed downloads of their latest album, 'In Rainbows', for whatever you thought it was worth - even nothing? Well there's an interesting piece just been published that shows that at least 2.3 million people preferred to download it over BitTorrent, even though they could get it free from the 'official' site!

The question is why? Maybe people didn't like giving their e-mail address to the official site. Maybe BitTorrent was more convenient. Maybe people just preferred it! Whatever the reason, the music business isn't going to be happy, because it implies that the likes of BitTorrent will always be preferred over legal download sites, even when those legal sites offer free music...

http://www.theregister.co.uk/2008/08/01/radiohead_rainbows_millions_of_torrents/

Do you play on-line poker? Yes? Then what makes you so sure that the other guys sitting round the table are human? A few years ago I was involved in writing the networking code for a 3-D on-line poker client. Even then poker-bots, still in their infancy, were an ongoing problem. In the last few years the sophistication of such programs has grown out of all recognition. Poker bots are difficult to write because unlike, say, chess programs, they only have partial information to go on.

Nonetheless, the bot authors have been making steady progress and this week saw the release of a pretty sophisticated poker bot into open source. Online poker companies aren't going to be happy. Spotting bots is difficult enough when the bots are closely guarded secrets - remember real money is at stake in online poker - with the source freely available it won't be long before a multitude of different variants are in play.

Just remember that, next time you think about playing a quick few hands of online poker.

http://newsletter.eetimes.com/cgi-bin4/DM/y/eBK2K0FypUC0FrK0GYRU0EI

Thinking of becoming a programmer? You'd be surprised how often I get asked how you become a programmer and earn a fabulous pittance. In fact I get asked so often that I eventually wrote it up and put it on the web. (One of the attributes of a good programmer is that they are too lazy to keep doing the same thing over and over again, and so they figure out a way of reducing the work!)

One of the things I don't deal with in the web article is college programming courses, because at the time I wasn't aware of exactly what was being taught on such courses. Over the years it's become obvious that most colleges have opted to teach computer science undergraduates Java. There seem at first sight to be good reasons for this. In particular, Java's rich collection of libraries allow students to be up and running with (almost) professional looking programs very quickly.

However, I thought it might be time to take a closer look when I saw a quote from Robert Dewar, professor emeritus of computer science at New York University. He said, "...today's Java-savvy college grad is tomorrow's pizza delivery man..." He makes three crucial points in support of this contention. First, what students actually learn when they learn Java is only how to bolt different libraries together. Second, this is exactly the sort of IT work that is easy to outsource. Third, Java is not used for complex programs, but mainly for simple web based ones.

I think this is an oversimplification of the state of affairs, but it contains enough truth to be worrying. However, one point he does make is that not all colleges teach Java based programming, and that if you go to a non-Java one, then your skills will be in demand, and you will get a job. It's well worth a read.

Oh, and a report from the Bureau of Labor Statistics indicates that almost 50,000 IT positions were lost in the US in the last 12 months.

http://www.ibgames.net/alan/technical/programmer.html
http://www.internetnews.com/commentary/print.php/3763871
http://www.infoworld.com/article/08/08/06/Bureau-of-Labor-Statistics-reports-big-drop-in-tech-jobs_1.html


Homework:

Are you curious to find out exactly what all the Hoo-Haa in the press over Internet 'DNS vulnerabilities' is all about? Well... it's quite complicated, but if you really want to know, and in the process find out how the whole DNS system works, Unix Wiz Steve Friedl has written the best explanation I know of. His illustrated guide is not a light read at about 18 pages complete with coloured diagrams ('...with circles and arrows and a paragraph on the back..', as Arlo Guthrie would have put it!). However, if you want to know, and have the time, this is definitely the best place to look.

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

And, incidentally, the latest patch to the Bind DNS software is not the end of the story. It merely buys a small amount of time to take real corrective action. Take a look at this report if you really want sleepless nights...

http://www.nytimes.com/2008/08/09/technology/09flaw.html?partner=rssnyt&emc=rss

For the really paranoid, I'd suggest reading a piece from ZDNet on 'deep packet inspection'. It's a technique being increasingly used by ISPs and law enforcement agencies to pry into things like people's personal correspondence. It's very clever, and deeply disturbing. Definitely a two-edged sword.

http://resources.zdnet.co.uk/articles/features/0,1000002000,39454822,00.htm

Every day when I open the papers (electronically, of course) I see stories of the success of DNA testing in bringing vile criminals to justice. But just how accurate are these tests at spotting matches, and what is the likelihood of two random matches? FBI figures suggest that the likelihood is around 1 in 113 billion, but those figures are based on outdated research on small samples.

The problem is that the FBI are fighting against allowing research in state DNA databases which would give a better idea of the accuracy of the figure. The LA Times has produced an interesting piece on this issue which is well worth a read. I would, though, point out that there are two areas it doesn't cover - the problem of women who are chimeras, and the possibility that someone's DNA could be faked using DNA engineering.

http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story

The history of the personal computer is well known. Born from the Intel 8008 chip, which was in turn created from the 4004 chip in 1972, the PC went on to conquer the world (or something). Wrong. The story of the PC starts four years earlier in 1968 (that was a good year, I remember it well...), in San Antonio. Interested? Point your browser at the URL for the full story.

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9111341

Do you manage programmers (aka herding hedgehogs) at work? If you do, then take a look at this piece from ZDNet which contains sensible and level headed advice about how to get the best out of them.

http://resources.zdnet.co.uk/articles/features/0,1000002000,39454844,00.htm


Scanner: Other Stories

Google News has Russian army invading Savannah, GA
http://valleywag.com/5034988/google-news-informs-us-that-the-russians-are-invading-the-south

Study suggests music industry embrace piracy
http://www.ft.com/cms/s/0/e72884f6-6175-11dd-af94-000077b07658.html

FCC enforces internet anarchy
http://www.theregister.co.uk/2008/08/04/fcc_neutrality_analysis/

IT repair installs webcam spying software
http://www.groundreport.com/Media_and_Tech/Marisel-Garcia-Caught-in-Webcam-Spy-Hacker-Craig-F

TSA to allow laptops to stay in approved bags
http://www.physorg.com/news137177510.html

COBOL - 180 billion lines of code, and counting
http://cwflyris.computerworld.com/t/3409405/250590949/131431/0/
http://cwflyris.computerworld.com/t/3409405/250590949/131432/0/


Acknowledgements

Thanks to readers Barb, Fi, Lois, Mark F and Slashdot's daily newsletter for drawing my attention to material used in this issue.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Spamato spam filter...

Alan Lenton
alan@ibgames.com
10 August 2008

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html

