The weekly newsletter for Fed2 by ibgames

EARTHDATE: March 11, 2007

Official News - page 14

WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

This week's news has a definite security flavour to it. I didn't plan it that way, it's just that a number of things have come together covering RFID, ID theft, bug fixes (or rather lack thereof), pretexting (stupid word that) and democratic elections.

I nearly had a nice relaxing week 'resting', as the acting profession puts it, between jobs. My new job starts tomorrow, and promises to be interesting :) I said 'nearly' because I got a new laptop at the beginning of the week. I've been desperate to get one before Microsoft manages to completely purge all sales of XP machines from the market.

I had to compromise slightly on what I wanted (the processor is a little slower) but now I'm the proud possessor of a brand new Toshiba Satellite Pro P100-208 laptop - dual-core, 17" wide screen, top of the line nVidia graphics, two gig of memory and a 200 gig hard drive. I think the description would be luggable rather than portable! And one of the best features is that it is not Vista certified, this is because it has a facility for playing CDs and DVDs without firing up Windows! Yah! Boo! Sucks! to Microsoft's Digital Restriction Management.

Unfortunately, though, it's taken me the best part of the week to hammer the operating system into a state where it's usable by a normal intelligent human being, rather than a mindless moron who needs to be led by the hand. The stress level of transferring all your material to a new computer is almost enough to wipe out the pleasure of owning a new upgraded machine.

But, eventually, I succeeded, though it will be weeks before I nail down all the minor niggles, and this Winding Down comes to you courtesy of my new Toshiba. So. Lights. Cameras. Action!


Shorts:

Last week I mentioned that a demonstration of how to clone RFID chips in door entry systems had been pulled from a security conference. This week there is news of a similar demo in the UK that succeeded in taking place. A security researcher demonstrated that it was possible to take a newly issued UK RFID enabled passport on its way back to its owner from the Passport office, and clone the chip without having to take the passport out of its envelope!

The researcher, Adam Laurie, read the encrypted information from the passport's chip and then reconstructed the key from the information on the address and return labels. It seems that the encryption key in these first generation passports (which will be around for the next 10 years) is made up from the passport number, the owner's date of birth, and the passport expiry date.

The date of birth is not that difficult to find out, and the expiry date is ten years from the date of issue - predictable to within a few days, since the passport has only just been issued. That leaves the passport number to be broken via a brute force attack, which wouldn't take very long on a modern PC unencumbered by a Windows operating system.

Hackers will be laughing all the way to the bank - your bank!

http://www.theregister.co.uk/2007/03/06/daily_mail_passport_clone/
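
The arithmetic behind that argument, as an added example that is not part of the original column: it estimates how many bits of uncertainty remain in a key built only from the passport number, date of birth and expiry date. The 9-digit numeric passport number, the 100-year birth-date range and the 7-day expiry window are assumptions made for illustration.

```python
import math
from datetime import date

# Assumptions for this added example (not from the column): a 9-digit numeric
# passport number, a 100-year span of plausible birth dates, and "a few days"
# of expiry-date uncertainty taken as 7.
PASSPORT_NUMBERS = 10 ** 9
ISSUE_WEEK = date(2007, 3, 11)  # the column's date, used as "just issued"


def days_inclusive(first: date, last: date) -> int:
    """Number of calendar dates in the closed interval [first, last]."""
    if last < first:
        raise ValueError("last must not precede first")
    return (last - first).days + 1


def key_bits(numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Entropy in bits of a key built only from these three fields."""
    if min(numbers, birth_dates, expiry_dates) < 1:
        raise ValueError("each field needs at least one candidate")
    return math.log2(numbers * birth_dates * expiry_dates)


def scenarios() -> dict[str, float]:
    """Remaining key entropy as more of the printed data becomes known."""
    any_birth = days_inclusive(date(1907, 3, 12), ISSUE_WEEK)
    any_expiry = days_inclusive(ISSUE_WEEK, date(2017, 3, 10))
    return {
        "nothing known": key_bits(PASSPORT_NUMBERS, any_birth, any_expiry),
        "birth date known, expiry within 7 days": key_bits(PASSPORT_NUMBERS, 1, 7),
        "only the passport number unknown": key_bits(PASSPORT_NUMBERS, 1, 1),
    }


if __name__ == "__main__":
    for name, bits in scenarios().items():
        print(f"{name:40s} {bits:5.1f} bits")
```

Even with nothing known, the three fields cannot supply more entropy than their combined candidate count allows, however long the derived key is.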

And talking of identity theft, apparently it's starting to become a serious issue in the US. Reading the articles it's difficult to get a really clear picture, because there doesn't seem to be a proper definition of identity theft, so incidents of a credit card being cloned and used for an online transaction are counted, whereas I would consider identity theft to be much more than that.

However that's as it may be, it seems that cases have doubled between 2005 and 2006, according to a report from Gartner, and the problem has now hit 15 million Americans in a twelve month period. Gartner is calling for legislation and regulation to handle it, but it seems to me that there is an easier way - have the Social Security department publish the entire Social Security Number (SSN) database online.

This would rapidly eliminate any use of Social Security numbers as an identifier. You wouldn't need new legislation for a court to make it clear that any company stupid enough to use the SSN as an identifier is immediately liable for any losses caused. Simple, efficient, no legislation needed, and it conforms to the existing legal status quo that SSNs are not to be used as identifiers!

http://update.techweb.com/cgi-bin4/DM/y/e5HS0HiOOq0G4W0E6hX0EC

This week a story broke about a Wal-Mart employee fired for recording phone conversations between the company's PR office and a newspaper reporter, and for intercepting text messages. He should have been working for Hewlett Packard - they would probably have promoted him for his initiative :)

http://www.physorg.com/news92336442.html


Roundup: Microsoft - Pots, kettles, bugs and a line in the sand

Microsoft researchers from all over the world gathered in fortress Redmond this week to share details of the work they were doing. Currently Microsoft has about 750 scientists working for it, and the number is expected to grow to 800 by June. The researchers demonstrated some of the projects they were working on to Microsoft employees.

Sadly, there was nothing in the report of this TechFest about research on how to create bug free software, which brings me on to the next item...

...Microsoft announced it will be skipping issuing security fix patches this month. Does this mean that there are no security holes in any piece of Microsoft software anymore? Errrm, well, not exactly. Indeed there are nine such known and publicised bugs that need patching, in Microsoft Office and Explorer. The Microsoft 'explanation' was PR waffle saying nothing and implying that the holes weren't important because there were, as yet, no known exploits using the bugs.

Personally, I think the real reason is that the people involved in fixing the bugs were at the TechFest knees up.

In the mean time there was bad news coming in from an unexpected source - US Federal Government departments. First to come out was a memorandum from the Department of Transportation CIO, Daniel G Mintz, dated 19th January 2007, announcing an immediate and indefinite moratorium of upgrades to Microsoft Vista, Office 2007 and Explorer v7 - what you might call Microsoft's crown jewels.

And the reason?

Well I can only quote the document itself. In a masterpiece of brevity and clarity it stated, 'Based on our initial analysis... there appears to be no compelling technical or business case for upgrading to these new Microsoft software products. Furthermore, there appears to be specific reasons not to upgrade...' The reasons included costs and compatibility concerns.

This was bad enough, but it was followed by revelations that the Federal Aviation Authority (FAA) is seriously considering shifting from being a Microsoft based organisation to a combination of Google's new online business applications and Linux based hardware.

The question is, of course, are these isolated incidents or is the cash strapped Federal Government drawing a line in the sand for Microsoft? Only time will tell.

And as for Google...

On Tuesday Microsoft launched a major attack on its erstwhile rival over the question of copyright and the rush to grab potentially lucrative content for free. One analyst commented, 'Today it's Microsoft accusing Google and tomorrow it will be vice versa. And in the mean time, copyright holders will lose.'

Difficult to disagree, given Microsoft's policy of the last decade or so of buying up picture libraries, and the number of copyright/patent disputes it has lost in court over the years.

Definitely a case of the kettle calling the pot black!

http://update.techweb.com/cgi-bin4/DM/y/e5Mc0HiOOq0G4V0E6hl0Eq
http://update.techweb.com/cgi-bin4/DM/y/e5Mc0HiOOq0G4V0E66S0Eb
http://www.physorg.com/news92395996.html
http://www.physorg.com/news92422736.html
http://www.dot.gov/ost/m60/morat001.pdf


Homework:

Anyone interested in the democratic process in a digital society should take a look at the talk given to the UK's Association of Electoral Administrators Annual Seminar by Sir Alistair Graham, the Chairman of the Committee on Standards in Public Life. Although the detail is mainly about the UK's electoral system, the overall content is much more widely applicable. It's in Microsoft .doc format, unfortunately, but the content transcends the format!

Here in the UK, the government is desperate to increase the turnout at elections by technical means and is rushing through changes to the way we register and vote. The process started at the last local elections and as a result it is estimated that it's possible in some areas one in seven of the votes cast were fraudulent. Indeed the situation is getting so bad now that a delegation from the Council of Europe is currently considering whether to invoke international monitoring of British elections.

Probably the most telling comment from Sir Alistair was, 'Voters will cast their vote if they think it is worthwhile, if the parties have something to offer, not because they can vote by post or by telephone.'

Absolutely spot on!

http://www.public-standards.gov.uk/upload/assets/www.public_standards.gov.uk/aeafinalweb.doc
http://www.theregister.co.uk/2007/03/08/e-voting_trial_scrutiny/
http://www.theregister.co.uk/2007/02/28/e_voting_rubbished/


Scanner: Other stories

Digital data will increase sixfold by 2010: study
http://www.channelregister.co.uk/2007/03/08/digital_data_explosion/

New hacker trick may expose Oracle databases
http://ct.zdnet.com/clicks?t=32626774-c7c7501e315f199c0a0afb08de29c458-bf&s=5&fs=0

NEC nears laptop-friendly natural light LCD
http://www.reghardware.co.uk/2007/03/08/nec_natural_light_lcds/

Free Software is nothing to fear
http://newsletter.infoworld.com/t?ctl=1688234:215D3E184FC552DC521A270F04B0208CEFF29049075316B4


Acknowledgements

Thanks to readers Barbara, Fi and DJ for drawing my attention to material used in this issue. Please send suggestions for material to alan@ibgames.com.

Alan Lenton
alan@ibgames.com
11 March 2007

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html

