The weekly newsletter for Fed2 by ibgames

EARTHDATE: February 11, 2007

Official News - page 11

WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

Interesting week, this week. The hyper-wily Steve Jobs sought to deflect attention from Apple's problems in Europe by demanding that the media companies drop Digital Restriction Management from their offerings. At the same time C|Net was publishing material about media business models in a post-Peer2Peer world, and the Wall Street Journal was reporting that EMI is in talks with on-line retailers about selling unprotected MP3 music. Interesting times.

Then there was a proposal from a New York State senator that people should not be allowed to cross the road while listening to iPods. The howls of outrage in the blog-o-sphere were predictable.

Those of you who read my piece on Blu-ray v. HD-DVD last week may like to consider an alternative view, for which there is a URL in the Scanner section. And on the subject of the last issue, readers will remember that I did a round-up of Windows Vista material. This time round there was just as much, but you can unglaze your eyes, because I haven't mentioned any of it this week! The URLs are in the Scanner section for the masochists among you :)


Story: Two factor snake oil

Here in the UK, Chip and PIN credit card readers are in the news. Chip and PIN readers are the machines that the vendor gives you to put your card into, and enter your PIN number. Sounds like a neat way of avoiding fraud, doesn't it? The card isn't out of your sight, and the PIN number is something only you know.

Or is it?

One problem is the difficulty of punching in a four digit number without anyone else being able to see what you are doing - especially in crowded situations, like supermarket tills.

That, however, pales before the other problem now in the news: how do you know it's a legit card reader? It's relatively easy to buy the terminals. How do you know that the electronics inside haven't been ripped out and replaced by facilities to record your card details and the PIN number you've just typed in? That's exactly what researchers from Cambridge University did, and demonstrated on UK television last week.

I guess it'll be back to the drawing board, but not immediately, and not until a large amount of money has been ripped off. The reason for the delay is that Chip and PIN is an example of the much hyped 'two factor authentication' gravy train.

Let me explain. It's usually considered that you need three things to securely establish the identity of a person:

1. Something you know, which other people don't know - for example a PIN number or a password.

2. Something physical and unique in your possession - for example a credit card, or a mobile phone SIM card.

3. Something that you are, which can't be duplicated - fingerprints, retinal scans, and DNA supposedly fall into this category.*

Most people, when they log on to their computer, use single factor authentication - a password. (Hands up those who haven't set a password, or who have it written on a post-it note stuck to their monitor - zero factor authentication, i.e. no authentication. Naughty.)

When you are using an ATM you are using two factor authentication - the ATM card and your PIN number. Note that it's no good having, for instance, two passwords - for two factor authentication you need two things from different categories. Thus, for instance, Egg online bank, who ask for both your password and your mother's maiden name to log into your account, are still using single factor authentication, even though they are asking two questions.

Two factor authentication has been pushed as the answer to banking - and other - authentication problems by the digital snake-oil industry for some time. For the industry it has proved amazingly successful - just think of how much money they recently made forcing every UK retail outlet to purchase card readers, upgraded till software, even upgraded till hardware. Lotsa spondoolies changing hands there.

How long it will take the bad boys to catch up, I don't know. Not very long I suspect. But never mind - there are plenty more expensive schemes out there for taxpayers and bank customers to fund!

http://www.theregister.co.uk/2007/02/06/card_security_attack/

*It's not generally realised that there is no scientific evidence to show that fingerprints are completely unique to individuals. Indeed what little evidence there is suggests the opposite - for example the US citizen who was arrested because his fingerprints matched those found at the site of the Madrid bombing a few years ago. It was later conclusively shown that he had nothing to do with the bombing. In practice this isn't usually a problem, because in the case of crimes there is usually secondary evidence to back up the fingerprint 'evidence'. Note, though, that technology does now exist to pick up a fingerprint and transfer it to another location.

Retinal scan is a more recent technique, but I'm not aware of any systematic studies on the uniqueness of retinal patterns.

And what about DNA tests - the bright new hope of governments and security forces everywhere? Ah! Well, it's not quite what it seems. There are already public DNA databases available - not to mention private and government ones (is there a hacker in the house?). While you can't exactly whip up a copy of someone's DNA in the proverbial kitchen sink, the technology already exists to duplicate any given sample, and more to the point to create specific DNA from scratch. Not to mention the fact that you can steal something someone else has touched and leave it at a crime scene for the purposes of misdirection. Ooops.

Most of these technologies are currently too expensive and arcane to be worth using on your puny credit card, but over a surprisingly short space of time they are likely to become much more common, user friendly, and cheap. And then where will our government's much vaunted identity databases be?


Shorts:

The Internet's root computers were under heavy attack this week. The attacks were the heaviest since 2002, but were unable to completely close down the computers targeted.

In recent years, there has been a concerted attempt to spread the load on root servers by more widely duplicating the information they carry. Currently there are 13 root servers (unlucky for some?) but the information they hold is broken up and replicated to many more servers. This means that it is much more difficult to take out a chunk of the Internet by overloading only one or two servers.

Attempts are still going on to find the source of the attack. Early indications are that South Korean computers were heavily involved in the attack, but I suspect it's unlikely that an attacker would use computers predominantly from their own country to launch an attack. I would look for a country where there was a suspicious absence of participants...

http://www.physorg.com/news90007159.html
http://www.theregister.co.uk/2007/02/07/root_server_attack/

Patent troll Rambus fell foul of the Federal Trade Commission (FTC) this week. Rambus, which has no microchip production facilities of its own, is a firm that specialises in filing patents and then licensing computer memory technologies. This week the FTC laid down the basis on which it can collect royalties on its latest set of patents.

The FTC is taking an interest because the Rambus patents in question are for JEDEC-compliant products. JEDEC is an industry standards body. Rambus took part in the discussions on standards for SDRAM memory without revealing that it was in the process of patenting key parts of the standard being discussed. Once parts conforming to the standards started to appear on the market, Rambus revealed its patents and demanded royalties.

According to the FTC, Rambus is in violation of section 2 of the Sherman Antitrust Act, and practiced deception that violates section 5 of the Federal Trade Commission Act.

It's not all one sided, though. Those of you with a taste for schadenfreude might be interested to know that during investigation of Rambus the FTC discovered evidence of price fixing against an earlier Rambus patented product, RDRAM, by some of those who complained about Rambus's behaviour. That discovery has resulted in a string of fines for memory chip manufacturers - Infineon US$160 million, Hynix US$185 million, Samsung/Micron US$300 million, and the latest, Elpida US$85 million. Well, after all, the US Federal government has to try to balance its budget somehow!

http://newsletter.infoworld.com/t?ctl=161F966:215D3E184FC552DC05CD010D2BFF3EA7EFF29049075316B4

http://www.channelregister.co.uk/2007/02/05/ftc_sets_rambus_royalties/


Homework:

The C|Net web site has three rather thought provoking (and short) pieces on it this week.

The first is an interview with the president of RSA Security, Art Coviello. His view is that the industry cannot continue to rely on the static securing of the perimeters of the systems on which data is stored. With 200,000 variants of malware out there, providing signatures to spot them all is virtually impossible. Coviello suggests that the way forward is to provide data with its own security that travels with it, wherever the data goes.

http://ct.news.com.com/clicks?t=29614696-18a32f6148453f76b7d88f6b914d69a0-bf&s=5&fs=0

The second piece looks at possible ways forward for the music business given the prevalence of file sharing, which is now no longer the province of geeks and anarchistic types. Add to that the belated realisation that the business term 'captive audience' does not mean trying to jail all your customers. What you get is a genuine attempt at new types of business plans based on customer wants and needs by at least some of the media corporations. Some interesting ideas.

http://ct.news.com.com/clicks?t=29614697-18a32f6148453f76b7d88f6b914d69a0-bf&s=5&fs=0

Finally there is a brief look at the problems of communications in the emergency services. The events of 9/11 highlighted the fatal lack of compatible communications equipment for first responders in emergency situations. Sadly, not a lot has changed, with the different services still lacking the ability to contact one another. A disturbing round-up.

http://ct.news.com.com/clicks?t=29614698-18a32f6148453f76b7d88f6b914d69a0-bf&s=5&fs=0


Scanner: Other stories

Apple: Record labels should drop DRM
http://www.physorg.com/news90007630.html

iPod street ban
http://www.informationweek.com/news/showArticle.jhtml?articleID=197004221

EMI in Talks With Retailers to Sell Songs as Unprotected MP3s
http://dmwmedia.com/news/2007/02/09/wsj-emi-in-talks-with-retailers-to-sell-songs-as-unprotected-mp3s

French students to get Open Source software on USB key
http://newsletter.infoworld.com/t?ctl=1623E37:215D3E184FC552DC0A3478E8F8DF5BE5EFF29049075316B4

British Telecom wins £36m NHS deal
http://www.theregister.co.uk/2007/02/08/bt_wins_nhs/

Is Sony's Blu-ray porn stance repeating Betamax blunder?
http://newsletter.eetimes.com/cgi-bin4/DM/y/e4Jp0FypUC0FrK0E3BF0Ed

Tech firms tangle with Tories on ID cards
http://www.theregister.co.uk/2007/02/08/davis_spanks_higgins/

.eu a hit with users, but a mystery to others
http://www.theregister.co.uk/2007/02/05/dot_eu_perceptions/


Microsoft Roundup:

Microsoft Word XML standardisation
http://www.groklaw.net/article.php?story=20070123071154671

Microsoft's own antivirus fails to secure Vista
http://ct.zdnet.com/clicks?t=29201475-c7c7501e315f199c0a0afb08de29c458-bf&s=5&fs=0

Vista Review
http://www.pcadvisor.co.uk/news/index.cfm?newsid=8287

Security watchers lambast Vista
http://www.theregister.co.uk/2007/02/05/vista_security_criticisms/


Acknowledgements

Thanks to readers Barbara, Fi, DJ, Fancy and Lois for drawing my attention to material used in this issue. Please send suggestions for material to alan@ibgames.com.

Alan Lenton
alan@ibgames.com
11 February 2007

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html
