The weekly newsletter for Fed2 by ibgames

EARTHDATE: October 12, 2008

Official News page 7


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

Well I staggered back from my course at Oxford to discover that we are still in the middle of the Great Crash of '08... (Grandpa, what did you do in the Great Crash?) Clearly, we're all doomed - or at least that's what the papers tell me. I work in the City of London, and we don't seem to have reached the stage of watching executives fling themselves out of the windows, yet. On the other hand, there do seem to be an awful lot of second hand Ferraris up for sale at low prices!

Looking on the bright side, this week Linux celebrated its 17th birthday. Yes, it's been around for that length of time. I guess that means that in ibgames we've been using it for 15 years - first for development, then slightly later to run our Federation game servers. Happy Birthday Linux :)

Over half the news this week was bad news on the security front. I have the feeling that companies, governments and institutions are trying to bury their screw-ups under the avalanche of financial disaster news. Fear not my faithful readers, I will not fail to drag it out into the light where you can survey the entrails.

Incidentally, if any of the analysts make inane comments about 'light at the end of the tunnel', you should be aware that it's usually the headlamp of a train coming towards you!

So why don't we start with a little helping of security gloom?


Roundup: It's security, Jim, but not as we know it!

The word coming out of Ohio on the security of electronic voting machines is definitely not good. With the US Presidential election only a few weeks away, the Secretary of State has confirmed that tests show that the machines lose votes when they are uploading the votes to the central servers. The manufacturer of the system, Premier Election Solutions, a subsidiary of our old friend Diebold Inc., have confirmed that there is indeed a bug.

Do I hear you cry 'patch it!'? Not a chance. Even if they actually know how to patch it, changing the software means that all the components of the system have to go through the 'independent' certification process again - and there isn't time to do that. So Ohio, and other states that use the same equipment, are going to have to use these flawed machines in the presidential elections. Presumably this is what the political analysts mean when they say that the result is anyone's guess!

I think perhaps someone should investigate the use of Mark I eyeballs, pencils and five-barred gates. In the meantime the URL points to an interesting, if somewhat freaky, interview with Ohio's Secretary of State, Jennifer Brunner.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116465&source=NLT_AM&nlid=1

The next item drawn from Pandora's bit box is a report that network equipment vendors are scrambling to fix a set of problems with the venerable TCP/IP network protocol. The problem is that this was invented right at the start of the Internet. At that time there was a perfectly reasonable assumption that the users of the system would all be doing their best to keep it running, rather than trying to knock it over.

Since that time no one has really looked at the protocol, until now. And a whole bunch of problems that could help hackers knock servers offline have been discovered. The details haven't been revealed, but I would expect that the bad guys are already on to it, and it's now a race between the good guys sweating to fix the problem and the baddies hurrying to get an exploit out before the fixes go in. Let's hope this is one race that the good guys win!
http://cwflyris.computerworld.com/t/3719341/121542017/143246/0/

While we are on the subject of basic Internet infrastructure, its crown jewel (so to speak) is a single file with about 300 lines of text in it. This is the Root Zone File, responsibility for which is shared between the US government Commerce Department, the non-profit organisation ICANN, and VeriSign (considered by many net people to be the Internet's equivalent of Microsoft as the fount of all evil).

Over the past year or so the major registries and zone operators have been signing their own zone files with cryptographic signatures (the scheme is called DNSSEC), which should enable validating resolvers, and so ultimately your browser, to check that they are being given the correct addresses, and not those of some other, malware, site. Only one problem: to check properly you have to follow the chain of signatures up to the top - the Root Zone File - and every link in that chain has to be signed. Unfortunately, though everyone else has been working overtime to secure the system, the government hasn't yet got round to arranging for the Root Zone File to be cryptographically signed. Without a signed root a resolver has no single starting point it can trust, and has to be hand-fed a separate trust anchor for every signed top-level domain, which makes everyone else's work a great deal less useful than it should be.

The government is moving with its usual glacial speed. It's just opened a 'comment period' which runs till November 24th, after which it will (eventually) decide what to do.

Which bit of 'Just sign the file' don't you understand, Uncle Sam?
http://blog.wired.com/27bstroke6/2008/10/feds-take-step.html
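To make the chain-of-trust point concrete, here is an added example (not part of the original column, and not code from ICANN, VeriSign or any real DNS software) of what a validating resolver does. It models DNSSEC with one Ed25519 key per zone, a signed DS record for each delegation, and a map of trust anchors; the zone names root, org and example.org and the address 192.0.2.1 are constructed sample data. Run it and you see the three situations: a signed root needs one anchor, an unsigned root with no anchor validates nothing at all, and the interim workaround is a separate anchor per signed top-level domain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a toy DNSSEC-signed zone: one Ed25519 key, every record signed
// individually, and a DS record (SHA-256 of the child's key) for each delegation.
// Real DNSSEC uses DNSKEY/RRSIG/DS records, several algorithms and separate key
// roles, but the chain-of-trust logic below is the same.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	records map[string]string // owner name -> rdata, e.g. "www.example.org" -> "192.0.2.1"
	ds      map[string][]byte // child zone name -> SHA-256(child public key)
	sigs    map[string][]byte // "A/owner" or "DS/child" -> signature over canon(...)
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{name, pub, priv, map[string]string{}, map[string][]byte{}, map[string][]byte{}}
}

// canon is the byte string that gets signed; NUL separators keep the fields apart.
func canon(owner, rtype, rdata string) []byte { return []byte(owner + "\x00" + rtype + "\x00" + rdata) }

// AddRecord publishes an address record signed with this zone's key.
func (z *Zone) AddRecord(owner, rdata string) {
	z.records[owner] = rdata
	z.sigs["A/"+owner] = ed25519.Sign(z.priv, canon(owner, "A", rdata))
}

// Delegate publishes the DS for child, signed by this (parent) zone. That signed hash
// is the link a validator follows from a key it already trusts to one it has never seen.
func (z *Zone) Delegate(child *Zone) {
	h := sha256.Sum256(child.Pub)
	z.ds[child.Name] = h[:]
	z.sigs["DS/"+child.Name] = ed25519.Sign(z.priv, canon(child.Name, "DS", string(h[:])))
}

// Validate does what a validating resolver does once it has fetched the delegation
// chain (root first, owning zone last) for qname: start at the deepest zone it holds
// a trust anchor for, check each DS is signed by the parent and matches the child's
// key, then check the record itself is signed by the owner. With a signed root the
// anchors map holds one entry, "."; with an unsigned root it must hold one per TLD.
func Validate(anchors map[string]ed25519.PublicKey, chain []*Zone, qname string) (string, error) {
	start := -1
	for i, z := range chain {
		if _, ok := anchors[z.Name]; ok {
			start = i
		}
	}
	if start < 0 {
		return "", errors.New("no trust anchor covers " + qname)
	}
	key := anchors[chain[start].Name]
	for i := start + 1; i < len(chain); i++ {
		parent, child := chain[i-1], chain[i]
		ds := parent.ds[child.Name]
		if !ed25519.Verify(key, canon(child.Name, "DS", string(ds)), parent.sigs["DS/"+child.Name]) {
			return "", fmt.Errorf("DS for %s is not validly signed by %s", child.Name, parent.Name)
		}
		if h := sha256.Sum256(child.Pub); string(h[:]) != string(ds) {
			return "", fmt.Errorf("key of %s does not match the DS published by %s", child.Name, parent.Name)
		}
		key = child.Pub // the child's key is now trusted; descend one level
	}
	owner := chain[len(chain)-1]
	rdata := owner.records[qname]
	if !ed25519.Verify(key, canon(qname, "A", rdata), owner.sigs["A/"+qname]) {
		return "", fmt.Errorf("record %s is not validly signed by %s", qname, owner.Name)
	}
	return rdata, nil
}

// BuildChain constructs the sample hierarchy root -> org -> example.org with one
// address record. All of it is constructed sample data, not taken from the column.
func BuildChain() []*Zone {
	root, org, example := NewZone("."), NewZone("org"), NewZone("example.org")
	root.Delegate(org)
	org.Delegate(example)
	example.AddRecord("www.example.org", "192.0.2.1")
	return []*Zone{root, org, example}
}

func main() {
	chain := BuildChain()
	root, org := chain[0], chain[1]
	for label, anchors := range map[string]map[string]ed25519.PublicKey{
		"signed root, one anchor":  {".": root.Pub},
		"unsigned root, no anchor": {},
		"per-TLD anchor on org":    {"org": org.Pub},
	} {
		ip, err := Validate(anchors, chain, "www.example.org")
		fmt.Printf("%-26s -> %q %v\n", label, ip, err)
	}
}
```

The two failure branches inside the loop are the ones that matter for the bogus-address scenario: a rogue zone that signs a forged address with its own key fails the DS comparison, and a record whose data has been altered without re-signing fails the final signature check. The "no trust anchor covers" branch is the unsigned-root problem in miniature: however well the zones below are signed, a resolver that has nowhere to start from cannot validate any of them.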

Do you like playing those little Flash games that sometimes come up in your browser? Think again, next time, because researchers have shown that they can be used for a new class of attack called 'clickjacking'. It isn't malware in the usual sense: the page lays an invisible frame over what you think you are clicking on, so your clicks land somewhere else entirely. Unlike a plain redirect, which merely leads your browser off to dangerous pages, a clickjacked Flash settings dialog can switch on your computer's webcam and microphone. So, remember, maybe it's not just big brother that's watching you...
http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/

Reports are coming in of a major scam involving credit card machines all over Europe. It seems that certain credit card reading machines made in China have had bugging devices added into them. The wide geographical spread of the affected machines would, I suggest, imply that the devices were inserted during manufacture...

Retailers affected include Tesco - the UK's largest supermarket chain - and the British unit of Wal-Mart. The bugging device phones home once a day with details of the numbers it has collected, and it was by way of this that it was first detected, when an alert security guard at a supermarket noticed suspicious static on his phone. The device is very sophisticated: it can be reprogrammed to tell it what sort of card number to collect - for instance every tenth card, or perhaps only platinum cards. The data, including the card PINs, is sent to Pakistan, from whence it is transferred to a crime ring for fraudulent use.

There is no outward indication of the presence of the bug, but it does add about 4 ounces to the weight of the terminal, so for several months teams of investigators have been weighing thousands of machines all over Europe. Nice to think that a sophisticated scam of this nature can be detected by such a simple technique!
http://online.wsj.com/article/SB122366999999723871.html

I'm sure no one will be massively surprised to hear that the UK's Ministry of Defence (MoD) has managed to lose a hard drive with the names, addresses, passport numbers, dates of birth, and driving licence details of 100,000 serving personnel across the army, navy and air force. It also has data about 600,000 potential applicants and the names of their referees. It might even have contained bank account details as well, but no one seems sure.

And whose fault is it? Well the disk belonged to contractor EDS. Ah yes, EDS, a name to conjure with. A name associated with some of the biggest IT disasters in the UK. And still they can throw the stardust into the eyes of our IT-credulous government. Given all the other things going on at the moment, I suspect EDS will get away with it again.

Incidentally, the Independent story includes a picture of a hard disk drive, which leads me to conclude that its regular readers don't know what one is!
http://www.physorg.com/news142858619.html
http://www.independent.co.uk/news/uk/home-news/mod-stunned-by-massive-data-loss-957099.html

On Friday Fox News came out with an interesting story about hacker break-ins to the World Bank. According to Fox, hackers have had the run of all the bank's servers for nearly a year. Network security seems to have been incredibly lax, allowing a break-in via its Johannesburg hub. The bank also discovered key loggers on outsourced computers at the Washington HQ. I guess that's one of the less publicised dangers of outsourcing - remember this to use if your company is thinking of outsourcing your job!

The World Bank is denying the Fox story, but then, they would, wouldn't they? Read the Fox story for yourself - it's fascinating - and make up your own mind, I've only skimmed the surface in this brief report.
http://www.foxnews.com/story/0,2933,435681,00.html

Finally, I see the Chinese Government are about to require everyone who sells anything digital in China to disclose the source code for their products. A lot of possible comments occur to me, but this is a family column. I'll just note that this doesn't pose any problems for the open source movement :) Since the Chinese Government doesn't subscribe to open source philosophies, I'll leave it to readers to speculate why the Chinese are setting off down this road!
http://www.yomiuri.co.jp/dy/business/20080919TDY01306.htm


Shorts:

The release of Iron Man on blu-ray disk on October 1st brought Paramount's BD-Live servers to their knees. Apparently, Paramount thought it would be nice to have the blu-ray players connect and download additional material over the Internet. Of course, the servers couldn't cope, and unhappy users were left waiting around while the connection attempt timed out.

A lot of people didn't wait long enough for the time out, and assumed they had a duff disk. This caused an unprecedented number of 'faulty' returns. I bet Paramount are wishing they hadn't tried to be so clever...
http://securityandthe.net/2008/10/04/iron-man-release-brings-down-bd-live-service/

In an interesting move pop and rock musicians in the UK are banding together to try to take back the ownership and control of their work from the record labels. A new group, The Featured Artists' Coalition, has been formed to campaign for artists to keep the rights to the music they create, to get a bigger slice of the takings, and to have a greater say in how their songs are sold. The Coalition have already gained the support of Robbie Williams, Radiohead (no surprise there), The Kaiser Chiefs and The Verve, together with a whole host of other artists. Maybe this will put another nail in the coffin of Big media control of the market. One can but hope. I wish the Coalition every success.
http://news.bbc.co.uk/2/hi/entertainment/7652053.stm

I think Apple is going to have problems with this one - removable batteries in digital equipment. Apple are notorious for producing equipment with no facilities for replacing the batteries. Now, however, the EU is tightening up its rules on the disposal of the sort of batteries used in digital equipment, most of which contain a cocktail of ecologically unsound metals. The new directive specifies that the gadgets must have user removable batteries, which at the moment they don't. If you want to replace the battery you have to send it back to Apple with lotsa cash to have them replace it for you. Or, of course, you can buy a new gadget - Apple's preferred scenario. Of course, user removable batteries will mean that the user can replace Apple's battery with a cheap third party battery when the original one dies - less money for Apple, and fewer Apple gadgets bought. My heart bleeds for Apple.
http://hothardware.com/News/EU-Directive-to-Force-iPhone-Battery-Changes/

I see that there is a new bill being presented to Congress to rein in the abuses of laptop searches at the US border. If it goes through, laptops will only be searchable if border agents have a reasonable suspicion of wrongdoing. Also, if the laptop is kept for more than 24 hours, that would count as a seizure, which requires probable cause. There are also oversight provisions.

I suspect that even if this bill doesn't have time to go through this session, a similar bill will get through in the next year or so. The current situation is so inconvenient for big business that the pressure to fix things will be very high.
http://www.securityfocus.com/brief/832


Homework:

Calling any teachers out there. Want a fresh take on the ancient art of cheating? Then take a look at this fascinating piece in Ubiquity from Donald Norman. Norman argues that what we currently define as cheating is so widespread that it indicates that there is a structural flaw in the system. He argues that the real problem lies in the fact that almost alone of all our institutions academia focuses on individual achievement, whereas nearly everywhere else - especially at work - the focus is on being a team player and working with others to get the job done.

His ideas for resolving this are pretty radical, and I for one can see problems, but they deserve to be considered, and the discussion indicates just how far out of sync with society the lower levels of the academic systems of the Western countries have become. Well worth a read.
http://www.acm.org/ubiquity/views/v6i11_norman.html

Do you like numbers? Then you will be fascinated with Ars Technica's attempt to track down the origin of the numbers 750,000 and US$250 billion. Do these numbers look familiar? They should do. Big media have been using them (exactly the same numbers) for around 25 years to justify tightening up on copyright. The first number is the supposed loss in jobs to the US economy - that amounts to 8% of the current unemployed - and the second is the supposed annual loss to the US economy as a result of 'piracy'. I'm sure you won't be surprised to hear that these figures are completely bogus!

Follow the trail with Ars Technica - it's a fascinating tale involving US Customs and Border Patrol, Ronald Reagan's Commerce Department, the FBI, the International Anti-Counterfeiting Coalition, the Library of Congress, Forbes Magazine and the US International Trade Commission, to name but a few.
http://arstechnica.com/articles/culture/dodgy-digits-behind-the-war-on-piracy.ars


Scanner: Other Stories

Anti-Terrorist data mining doesn't work very well
http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20

House of Lords to attack UK government failings on Internet security
http://www.theregister.co.uk/2008/10/07/lords_security_debate/

Verizon exposes the wrong 1,200 e-mail addresses
http://www.networkworld.com/community/node/33767

IT contractor caught stealing Shell Oil employee info
http://www.theregister.co.uk/2008/10/07/shell_oil_database_breach/

Flexible screens
http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2008/10/03/dlscreen103.xml&CMP=ILC-mostviewedbox

Air Force to re-open pursuit of Cyber Command
http://www.nextgov.com/nextgov/ng_20081007_1366.php

Walmart caves in on DRM server removal
http://www.engadget.com/2008/10/10/walmart-has-a-change-of-heart-decides-to-maintain-drm-servers/


Acknowledgements

Thanks to readers Barb, Fi, Lois and to Slashdot's daily newsletter for drawing my attention to material used in this issue.

Please send suggestions for stories to alan@ibgames.com and include the words Winding Down in the subject line, unless you want your deathless prose gobbled up by my voracious Spamato spam filter...

Alan Lenton
alan@ibgames.com
12 October 2008

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html

