The weekly newsletter for Fed2 by ibgames

EARTHDATE: September 21, 2008

Official News page 11


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

The first issue of Winding Down hit the presses the weekend before 9/11. Not an auspicious start, but we managed to survive in the changed environment after 9/11. This issue hits the virtual presses after what has been described as the worst week for the stock exchanges since the depression of the 1930s (yet again).

I don't know what the final outcome is going to be, but I suspect that the ramifications will affect most of us in due course, as the capital needed for expansion, upgrading and rolling over existing loans dries up. In the meantime, I'll keep my fingers crossed that my readers aren't going to be too badly hit.

This issue has a definite 'security' flavour to it. That's not because the world security situation has deteriorated (though it may well have done), or because I've suddenly become more paranoid (although that may well be the case...). It's probably because I'm off on a one week security engineering course starting next weekend. I suspect doing the reading for the course has just made me more aware of the subject. Remember, though, just because you're paranoid, it doesn't mean they're not out to get you!

Reminder: Winding Down will not be available on September 28th (next week) or October 5th. Winding Down will be back on October 12th.


Roundup:

The Connecticut Attorney General's office has just produced a report on the loss of unencrypted backup tapes from the Bank of New York Mellon earlier this year. It makes grim reading for the citizens of that state. The tapes contained, at a minimum, Social Security numbers, names and addresses, and possibly also bank account numbers and balances. About half a million Connecticut residents are affected by the loss.

I have no idea why banks and such like continue to use the hopelessly compromised Social Security numbers system as identifiers. Perhaps the powers that be should make available a complete list of all Social Security numbers. I'm sure the courts would immediately start dumping liability onto fools who continued to use Social Security numbers as personal identifiers!
http://www.informationweek.com/blog/main/archives/2008/08/bny_mellon_data.html

A German company has come up with a utility that is designed to beat key logging software. A keyboard is drawn on the screen with letters in random positions, and you have to click on each letter of your password. Each time you click on a letter the positions of the letters on the screen change. The screen also redraws itself several times a second to prevent screen capture.

Users report that the flickering caused by the redraw is very distracting (and what about the effect on those who suffer from epilepsy?) and that it is slow to use, since you have to hunt for the next letter in the password each time the keyboard changes. It doesn't sound workable to me. Apart from the obvious problem of someone watching you while you click away on an on-screen keyboard (this is known as 'shoulder surfing'), it sounds just too much like hard work for the people trying to use it. To be effective, security measures must be both secure and usable in a non-intrusive way. Nice try, but no cigar.
http://cwflyris.computerworld.com/t/3624258/121542020/138976/0/

In response to EU rumblings, Google has announced that it will marginally anonymise the data it has collected on users after a mere nine months - as opposed to 18 months. This minimal, and useless, gesture seems to have pacified the ignorant bureaucrats in Brussels. The proposal is that it will remove a couple of (unspecified) bits of the user's IP address (that's the set of four numbers in the form 192.168.22.114, the IPv4 address that identifies a user's computer on the Internet). Clearing a few bits means that the request could have come from any of a few dozen computers on the same network. Not exactly what most people would describe as anonymous. In any case, Google leaves a cookie on your computer which allows it to link you back to the address as soon as you use it again. Yet again Google demonstrates its contempt for its users - I can't wait for a decent search competitor to emerge.
http://news.cnet.com/8301-13739_3-10038963-46.html
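To make concrete what clearing bits of an IP address does and does not achieve, here is an added example of my own (not code from the column, and not Google's actual procedure). It masks the low bits of an IPv4 address, counts how many addresses the masked value could stand for (2 to the power of the number of bits cleared, so 256 for a whole last octet), and then regroups a constructed set of log records by their cookie to show that a persistent cookie undoes the masking entirely. The log records, the cookie values and the number of bits cleared are assumptions for illustration; Google did not say how many bits it clears.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of search-log records: (client IP, cookie, query).
# Hypothetical data for illustration only.
SAMPLE_LOG = [
    ("192.168.22.114", "PREF=abc123", "flu symptoms"),
    ("192.168.22.114", "PREF=abc123", "divorce lawyer"),
    ("192.168.22.37",  "PREF=zzz999", "weather"),
    ("192.168.22.114", "PREF=abc123", "local clinic"),
]


def anonymise_ipv4(ip: str, bits_cleared: int) -> str:
    """Return `ip` with its low `bits_cleared` bits set to zero.

    Clearing 8 bits drops the last octet (192.168.22.114 -> 192.168.22.0);
    clearing 2 bits only rounds it down to a multiple of four.
    """
    if not 0 <= bits_cleared <= 32:
        raise ValueError("bits_cleared must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << bits_cleared) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(addr & mask))


def anonymity_set_size(bits_cleared: int) -> int:
    """How many distinct addresses a masked value could have come from."""
    return 1 << bits_cleared


def anonymise_log(records, bits_cleared: int):
    """Apply the IP masking to every record, leaving the cookie untouched."""
    return [(anonymise_ipv4(ip, bits_cleared), cookie, query)
            for ip, cookie, query in records]


def link_by_cookie(records):
    """Group queries by cookie value.

    If the cookie survives, every query from one browser is still linked
    together regardless of how many IP bits were cleared.
    """
    groups = defaultdict(list)
    for _, cookie, query in records:
        groups[cookie].append(query)
    return dict(groups)


if __name__ == "__main__":
    for bits in (2, 8):
        print(f"clear {bits} bits: 192.168.22.114 -> "
              f"{anonymise_ipv4('192.168.22.114', bits)} "
              f"({anonymity_set_size(bits)} candidate addresses)")
    masked = anonymise_log(SAMPLE_LOG, 8)
    for cookie, queries in link_by_cookie(masked).items():
        print(cookie, "->", queries)
```

The design point is that the anonymity set is bounded by the bits cleared, but the cookie is a second identifier that is not masked at all, so the effective anonymity set for a returning user is one.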

We may have problems with ATM fraud and such like over here in the west, but it seems that there are even more problems in the United Arab Emirates (UAE), where hackers have been using counterfeit cards to withdraw funds from cash machines. Banks involved include Citibank, HSBC, Lloyds TSB, the National Bank of Abu Dhabi and Emirates NBD, which indicates that there is a pretty widespread problem. There seem to have been fraudulent withdrawals from both within and outside the UAE.

A number of the affected banks have asked their customers to change PINs, and have taken the unprecedented step of freezing the accounts of those who fail to do so! At the moment it's not clear how the fraudsters obtained the card details, but if it was by compromising the banks' internal systems, as seems possible, then the banks have a very serious problem on their hands - especially in the current financial climate.
http://www.theregister.co.uk/2008/09/12/uae_atm_hacking_attack/

The latest issue of the Risks Digest contains an interesting discussion on the dangers of running anti-virus software on safety critical systems. Given that most virus scanners effectively take over all the computer's processing power when they do a scan, it's easy to imagine a pretty horrifying scenario. "Quick, the reactor is going out of control! We have 10 seconds to perform an emergency shutdown!" Answer: "I can't, the anti-virus software is updating and it won't let me do anything else except reboot the operating system..." BOOM!

It never occurred to me that anyone would put anti-virus software on a real time operating system, but it seems from the discussion that it happens all too often. I wonder how often this has caused problems in the past that we haven't heard about?
[Source: Risks Digest 25-33]

Do you use an Apple iPhone? Did you know that it takes a screenshot of everything you do on your handset and stores it temporarily? Sounds like that could be very useful for a hacker. I wonder how long it will take for an exploit to get out there into the wild? Come to that, I wonder how long it will take Apple to fix the hole once an exploit is out there? One month? Two months? One court case? Any offers?
[Source: Risks Digest 25-33]

And moving from under-reactions to security threats to over-reactions, I note that in Scotland a woman was held for four hours under the Prevention of Terrorism Act because she was walking in a bicycle lane! Yes, really. Apparently the police were so frightened that they sent two cars of police to arrest the woman, who was walking home from work. Still, at least they didn't shoot her dead because they thought she was a terrorist. I suppose we should look on the bright side.
http://www.timesonline.co.uk/tol/news/uk/article579334.ece

Mind you, the UK isn't the only place where you get over-reactions to supposed security threats. Take for instance Rockwall County, north Texas, where a homeowner's house burned to the ground because the fire hydrants had been turned off after the 9/11 attacks to prevent terrorism! I thought Texans were the sort of no nonsense people who didn't stand for this sort of idiocy...
http://www.wfaa.com/sharedcontent/dws/wfaa/latestnews/stories/wfaa080827_lj_hawes.1983f2d0.html

http://www.schneier.com/blog/archives/2008/09/turning_off_fir.html

Still in the USA, I note that retailer Forever 21 has managed to compromise the payment card details of something like 99,000 customers. Forever 21 haven't revealed how the breach occurred, but it seems likely that the details are similar to those of the TJX heist revealed earlier this year. Another shop to avoid when I'm in the US, I guess.
http://www.theregister.co.uk/2008/09/17/forever_21_breach/

If you think the Forever 21 breach is bad, pity the poor Norwegians. Their tax department managed to send confidential ID information on nearly all Norwegian adults to nine media groups. As the finance minister said, 'This is extremely serious.' As usual the authorities stressed that a 'secret' code (read password) is needed to view the documents. Somehow, I don't consider that will keep the hackers at bay for very long!
http://www.physorg.com/news140884575.html
http://www.theregister.co.uk/2008/09/18/tax_office_blooper_shocks_norway/

And now for a little light relief. Microsoft is planning to teach us programmers how to write secure code. Apparently it's turned its internal process for designing secure programs from the ground up into something it calls the Microsoft Security Development Lifecycle (SDL). It plans to unleash this beast onto the unsuspecting programming community later this year. I'm sorry, Microsoft, but every programmer I showed the report to just burst out laughing...
http://www.theregister.co.uk/2008/09/16/microsoft_sdl_initiatives/

There is a lot of talk going on in the business community at the moment about the tendency of US Customs to snaffle incoming travellers' laptops, following a court ruling in their favour a few months ago. I'm not sure how widespread this is, but the process seems to be pretty arbitrary, and there appear to be no controls on how they do it.

Given how many people travel with laptops, I suspect that only a very very small percentage are affected. That's not the point though, the real problem is that there is no way you can know how long they will keep the machine, or how you get it back. There isn't even an appeal procedure, short of going to the courts. Legislation to rectify this is in Congress, but it's not likely to have time to get through this session. In the meantime, the advice being given is not to take a laptop with you to the USA. Not particularly useful advice if you need it for your business there.
http://www.infoworld.com/article/08/09/17/38FE-tech-policy-gotchas_1.html?source=NLC-DAILY&cgd=2008-09-17

http://arstechnica.com/news.ars/post/20080916-new-bill-wants-tighter-rules-for-laptop-border-searches.html

http://www.theregister.co.uk/2008/09/17/bill_seeks_to_regulate_dhs_laptop_searches/

Finally in this roundup, given the closeness to voting day for the presidential elections, here is the URL to a wryly amusing cartoon from Gocomics:
http://www.gocomics.com/feature_items/printable/379490?feature_id=68


Shorts:

Groan. I thought the days of idiots complaining about people they don't like linking to their web sites were over. But not, it appears, in Sheboygan, Wisconsin. It seems the mayor has had the town's legal beagles send cease and desist letters to his opponents if they link to the city site - in this case the police department. I don't know, and like most people I don't care, what the dispute is about, but the case illustrates a total ignorance of modern communications, and if I were a citizen of Sheboygan I would be asking some hard questions about the use of my tax dollars!
http://www.jsonline.com/story/index.aspx?id=786584

I see the Recording Industry Ass of America (RIAA) are at it again. Not content with suing their members' customers, they are now suing one of the lawyers who defends their victims in court. They are suing Ray Beckerman, who also runs a useful blog called 'Recording Industry vs The People'. The RIAA feel that opposing their activities amounts to 'vexatious' litigation. An interesting turn of phrase, since that's exactly how most people would describe the RIAA's legal activities - though perhaps the phrase 'organised extortion' is used more often.

Incidentally, the RIAA filing names Richard Gabriel as the RIAA's lead counsel. Actually, he stopped working for the RIAA some months ago, after he was made a judge in Colorado!
http://blog.wired.com/27bstroke6/2008/09/riaa-decries-at.html

I tried to pay my British Gas bill online last weekend. For my US readers that's gas as in natural gas, rather than gas as in gasoline. I was stunned to receive a message that said - and I quote verbatim - 'Access to the application is currently unavailable. If the time is between 6am - 11pm Monday to Friday, 6am - 6pm Saturday or 8am - 11pm Sunday please try again in a few minutes. Otherwise, please try again between the times outlines above.'

Obviously, they turn off their computers outside of working hours! Mind you, this is the company that when it first set up its online payment system, didn't accept credit card payments. It also called its site 'myhouse' and then couldn't understand why no one could remember the URL to pay their bills. What a bunch of dorks.
[Source: Alan Lenton attempted bill payment]


Homework:

MaximumPC have just published an interview with a senior Microsoftie about what went wrong with Vista and how they fixed it. The interview is remarkably candid. Well, to be exact, the first interview was remarkably candid; for the follow-up discussion the Microsoft PR team added a minder who ensured that only the official line was followed. Take a look - it makes interesting reading.
http://www.maximumpc.com/article/features/shattered_dreams_and_broken_promises_vistas_failure_launch

Ever fancied doing a university computer science, or robotics, course just for the hell of it, rather than for the degree you get at the end of it? Well now is your chance! Stanford University is making ten of their computer science and electrical engineering courses available free on the Internet. The courses cover an introduction to computer science, artificial intelligence, robotics, and a host of other topics.

All the courses come with downloadable video lectures, handouts, assignments, exams, and transcripts, although they aren't usable as credits for a Stanford degree. Congratulations to Stanford's 'Stanford Engineering Everywhere' program for making this material available!
http://www.deviceguru.com/2008/09/17/stanford-frees-cs-robotics-courses/
http://see.stanford.edu/


Geek Toys:

3M have just announced a really nifty mini-projector, which will go on sale later this month. The MPro110, which costs US$359, is small enough to fit in the palm of your hand and can even connect to your iPod to project movies onto the wall! It's neat - very neat.
http://www.physorg.com/news140703098.html

And to rest your mini-projector on, what better than an alien table? Just take a look at this little baby, and you will never want to buy a normal table again. It's not recommended for the faint of heart, or if you are prone to stumbling into the house late at night, drunk in the semi-darkness...
http://io9.com/5051340/alien-table-will-spit-acid-and-rip-apart-your-ikea-crap

I see that Microsoft and the remains of the once mighty Cray have got together to bring out a new supercomputer - the Cray CX1 - running Windows HPC Server 2008. I guess Microsoft have finally found something powerful enough to run Vista's Aero interface! I wonder if they are bringing out a new version of Flight Simulator for it?

You can log on to Cray and purchase one with your credit card (make sure you've got at least US$25,000 available though). I had a play with configuration - I was fascinated to find that the power cord costs extra! It was good fun though. I wonder if they would ship me a review copy? Only one problem, though, apart from the price. If you were buying a supercomputer, would you really want to run Windows on it?
http://blogs.zdnet.com/microsoft/?p=1589

Hmm - this sounds useful. A USB stick cum bottle opener. It's from TrekStor and comes in 1, 2, 4, 8 and 16 GB sizes (that's data, not the number of bottles...). Good, but not quite as good as my Simpsons talking bottle opener!
http://www.reghardware.co.uk/2008/09/17/flash_drive_bottle_opener/


Recent Reading:

Working Effectively with Legacy Code by Michael Feathers. Prentice Hall

The biggest single problem I had when I moved from working for myself as a programmer back to the mainstream was dealing with other people's code. For nearly twenty years I only had to deal with my own code. Suddenly I had to understand and change other people's code. It was quite a culture shock, and one of the most difficult things I've done.

I wish I'd found Michael's book earlier, it would have helped ease the transition. Of course, not everyone else's code is legacy code, but even if you are not handling true 'legacy' code, this book will help you deal with the problems you face.

The book is in three parts. The first is a discussion of how you go about changing software that is badly structured and has complex interactions and side effects. Where do you start, and how do you make sure that you don't break things further down the convoluted chain of dependencies? The answer to the latter, of course, is testing, testing, testing, and the author makes a good enough case to persuade even the most sloth-like to get into the testing mode.

The second part of the book is organised almost like an FAQ with chapters devoted to common problems like 'I don't understand the code well enough to change it'. This one crops up all too often, and is an excellent example of how the author doesn't avoid difficult questions. The final part of the book is a useful catalog of mostly pattern based techniques that can be used to break dependencies.

The book is well written and features clear examples written in C++, Java, C or C#, and the problems caused by the different features, or lack of them, available in the different languages are discussed and workarounds suggested. I enjoyed reading this book.

Highly recommended!


Scanner: Other Stories

ITU plan to stop DOS attacks could end net anonymity too
http://cwflyris.computerworld.com/t/3624258/121542020/138981/0/

Lenovo drops web sales of Linux machines
http://www.channelregister.co.uk/2008/09/12/lenovo_linux/

Spam filter blamed for suit dismissal
http://www.nbc10.com/news/17465764/detail.html?dl=headlineclick

Hurricane Ike snuffs out Galveston webcam - final pictures...
http://www.theregister.co.uk/2008/09/15/ike_webcam/

Web communities for money management start to gain credibility
http://www.physorg.com/news140694925.html

Ad hoc malware police besiege net neutrality
http://www.theregister.co.uk/2008/09/15/online_crime_vs_censorship/

To purge or not to purge your data
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114882&intsrc=hm_ts_head


Acknowledgements

Thanks to readers AdmRose, Barb, Fi, and Lois and to Cryptogram, Risks Digest, and Slashdot's daily newsletter for drawing my attention to material used in this issue.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Spamato spam filter...

Alan Lenton
alan@ibgames.com
21 September 2008

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html

