March 2003 Archives

I just found some very simple instructions and a sample template to make a parallel WML version of this site for viewing on my mobile phone (I do work for a wireless phone company, after all). Check out the result: Juxtaposition mobile edition


I started by finding this WAP & WML thread at movabletype.org

This discussion pointed me to two solutions for two different problems:

  1. Nicely Toasted Mobile, which generates wml versions on-the-fly for WAP-based mobile devices
  2. Mark Pilgrim's solution which was designed for more intelligent mobile form factors, like the palm. This is how you can create Avant-Go compatible content for offline browsing with tools like Plucker.

I chose the first option, as this is the one that I really find lacking right now: the ability to view my own site from my Ericsson t68i. I can view the regular site just fine on my Siemens SX56 (with the exception of the style sheet, because Pocket IE does not support CSS...), but I cannot even coax the Ericsson into viewing the RDF version.

I made just a couple of tweaks to the Nicely Toasted template to customize the content and make it generic enough to be used for any other blog, including making the Home URL relative and changing the blog name using the tag <MTBlogName>.

I think that the next step will be to further customize the template to include hyperlinks to the rest of the story content.


"Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a
press release from Nokia offering an upgrade for owners of the Nokia
7650 handset to support a series of new features.

The press release says that "Nokia today announced after months of
speculation and rumours that it will be re-releasing its flagship
Symbian OS phone, the 7650, with the long awaited increased memory
capabilities.

The new 7650 will remain branded as 7650 but will have the added feature
of an MMC expansion bay and support for Bluetooth Audio."

There is a web site address for the press release, that at first look,
does look like a Nokia web site address - but the @ symbol in the middle
of the URL actually causes browsers to ignore everything before it, and
the remainder of the address is a web page on a totally different
server."

One of the URLs looks like this, so you can see how someone could be easily tricked into believing it as legitimate:

http://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm

The page no longer works, but you need to be very diligent online and can't trust everything you read. Someone could easily hide this URL in some innocuous text so you would not easily notice the underhandedness: Nokia fake press release

Read more about these same techniques that spammers often use to trick you at Stupid Spam Tricks.
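As an added illustration (not from the original post), here is a small Python check that parses a URL the way a browser does and reports which host it would actually contact; the function name analyze_url and the warning flags are my own choices, and the sample URL is the hoax address quoted above.

```python
"""Spot the '@' trick used by the fake Nokia press-release URL.

Everything before the '@' in the authority part of a URL is userinfo
(a username), not the host. The host a browser really connects to is
whatever follows the '@', and it may be percent-encoded to hide it.
"""
from urllib.parse import urlsplit, unquote
import ipaddress

# The hoax URL quoted on the page.
HOAX_URL = ("http://press.nokia.com~id=@"
            "%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm")


def analyze_url(url):
    """Describe where a browser would really connect for `url`.

    Returns a dict with:
      'apparent'  - the userinfo text a casual reader sees first (or None)
      'real_host' - the decoded host that is actually contacted
      'flags'     - warning signs found, in the order they were checked
    """
    parts = urlsplit(url)
    flags = []
    userinfo = None

    # Userinfo present: the text before '@' is ignored for host lookup.
    if "@" in parts.netloc:
        userinfo, _, _ = parts.netloc.rpartition("@")
        flags.append("userinfo-before-@")

    # urlsplit strips userinfo and port; decode any %XX escapes in the host.
    raw_host = parts.hostname or ""
    real_host = unquote(raw_host)
    if "%" in raw_host:
        flags.append("percent-encoded-host")

    # A bare IP address where a vendor name was expected is another tell.
    try:
        ipaddress.ip_address(real_host)
        flags.append("ip-literal-host")
    except ValueError:
        pass

    # Userinfo that contains dots is styled to look like a domain name.
    if userinfo and "." in userinfo:
        flags.append("userinfo-looks-like-hostname")

    return {"apparent": userinfo, "real_host": real_host, "flags": flags}


if __name__ == "__main__":
    for u in (HOAX_URL, "http://press.nokia.com/release/7650.htm"):
        print(u, "->", analyze_url(u))
```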


New Scientist

"The world's first brain prosthesis - an artificial hippocampus - is about to be tested in California."

This is the result of black-box testing the hippocampus, the part of your brain that encodes "experiences so they can be stored as long-term memories". Its exact workings have proven elusive, but by treating it as a black box and mimicking its response to inputs, scientists were able to devise a mathematical model that they could program onto a chip, which could then replace a malfunctioning hippocampus.

Some of the ethical issues are discussed in the article as well.


A slashdot article about a book (see below) researching whether the sci-fi Space Elevator could be practically manufactured is out:

This is some of the fruits of ongoing NASA-sponsored research.

What is a Space Elevator, you ask? A superstrong elevator "shaft" stretching from earth and anchored to a geosynchronous satellite in outer space that an elevator would ride upon to carry payloads outside of our atmosphere.

"carbon nanotube fibers are both strong and light enough that a 100,000 km elevator, constructed of a 2m wide carbon nanotube "ribbon," could be constructed in 10 years for a cost of US $6 billion, and be capable of lifting a 13-ton payload to geosynchronous orbit once every few days. If feasible, it would present a stunning breakthrough in space accessibility, and likely usher in a new age of space development and exploration."

Slashdot story


A press release on RSA's website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial


Rob Slade takes an in-depth look at what the National Cybersecurity Strategy is for security education and doesn't really find much. To summarize:

"we [the U.S. Gov't] can't do it alone, so we're not going to do anything"

"How will it happen?"

"Focus or force?"

"Security awareness cannot be promoted by establishing contests where nobody will compete."

"Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon"

"Subject to budget considerations. No further comment needed."

"What incentive do those companies have to do so? "

"How about funding?"

"OK, the government doesn't want to help or fund certification, but wants to dictate what the certification is for."

"I imagine AV and firewall vendors will be delighted that the government will be advertising for them"

The document seems to say a lot but does not seem as if it will actually do anything.

Read the full analysis in Risks 22.63, article 1



I recently purchased the one and only vinyl album that I own. I had to do so, even though I do not own a turntable, because it is a 1000 copy limited release single. It contains two versions of the same beautiful song, called Duk Koo Kim, by Mark Kozelek of the Red House Painters. This is one of my favorite RHP songs. Reading the history about Duk Koo Kim makes the song that much more poignant and sad.

Duk Koo Kim - Wikipedia

A tragic turn of events that reads more like Shakespeare than real life. One death leads to several others and radical changes to the world of boxing.


There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problems of massive external vote tampering by extortion (vote this way and prove you voted this way or I'll kill you) or vote selling (vote Republican, prove it to me, and I'll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable these schemes.

Rebecca Mercuri replied:

"The whole idea of photographing paper ballots is a straw man. It is akin to saying that people
will just run through red lights anyway so we shouldn't place them at intersections."

This seemed to sum up my thoughts on the complaint. He seemed to be arguing for throwing the baby out with the bathwater, saying "[printing paper receipts] creates problems that are even harder to solve than the silent subversion of e-records".

He included criticism later on that a paper audit trail does not really make e-voting systems any better than existing paper-based systems and seemed to argue that it is academically uninteresting. I think that this is exactly the point though: nobody has yet come up with an entirely electronic voting system that solves the fundamental problem that a paper audit trail solves. It may be unsatisfying, but what I think is far more unsatisfying are the voting districts that are ignoring this academic result and swapping out systems with unverifiable ones. People need to understand the limits and risks of electronic systems.

Rebecca's most interesting statement for me was:

"The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of
scientists with Ph.D.'s, the average citizen can have no confidence that their voice is being heard."

She ended her posting with a response to the criticism:

"I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human-accessible format that is a considerable improvement over both the black-box systems and the chad-based ones. If you can devise a system that is equally user-friendly and has the same ability for independent auditing, then please do so."

The discussion ended with that.


This is hilarious. It must be making its rounds on the Internet today. Thought it would bring a bit of levity to the current world situation.


I may have to get this book:

Details from 480 BC about painting anti-war sentiment as "disloyalty".

[IP] anti-war == disloyalty


I hope that somebody is guarding the constitution. People seem to be lining up to shred it with war on the horizon.

The Seattle Times: Local News: Suitcase surprise: Rebuke written on inspection notice


I will have to check this out. Although, I have several piles of other publications to whittle down first.

"The IEEE Computer Society has created a new magazine called "Security and Privacy" specifically for the security community. The magazine intends to present a balanced mix of scientific research and practical security discussion."


This story about 16M Yen (~$136,000) stolen from someone's CityBank online banking account, after the user's password was compromised at an Internet cafe, highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you use: it is so trivial to install a keystroke capture device that nobody would ever notice, and it will catch everything before it is encrypted.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." -- Gene Spafford

The trend toward SSL-based VPNs and Internet-enabling everything under the sun leads to uncontrolled client-side access that significantly increases this risk. Gartner is "bullish" on these SSL-based VPNs, but I'm not convinced that their convenience outweighs the increased risk in many cases. You would need to deploy token authentication at a minimum with these solutions, but you would still be at risk of general data compromise. In any company with a large number of employees, training everyone not to use their personal computer, a library computer, an Internet cafe computer, etc. to access such a solution would be difficult and not entirely effective. Users will choose convenience over security much (all?) of the time.

Full story below and at CNN.com


From RISKS 22.61.

"A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers. Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase. "

PGN's comments really made the posting, though:

[These charges were actually APPROVED, and of course also blew the
customers' credit ratings for a few days. Amazing!
``The $84,000 charge, were it legitimate, would have purchased over
170,000 ... doughnuts, enough to stretch over 9 miles if placed
end-to-end.'' ...


BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party "certification" of the VoteHere system was being conducted. The lawsuit enumerates many of the system's flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collins County, TX both voted for electronic voting machines without paper audit trails against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of "certifications" as evidence that the system is okay without the voter verifiable audit trail.


I've been compiling a text file with my queue of music to get next and thought that I should share. It would also be much nicer to manage through MovableType with the MTAmazon plugin and the MTMacro plugin.



ABCNews is reporting that several police agencies are under fire for domestic spying. Those of you who think that the government can have all the power it thinks it wants without checks and balances should take heed that this certainly breeds abuses. Read this article. See the trend toward more domestic spying. Be afraid.

I hope that Seattle maintains their current ban on this practice.

ABCNEWS.com : Is Police Spying Back in Fashion?


Just hilarious if this suspect was truly the robber.

"A California man who got away after allegedly sticking up an Aurora Avenue North video store a couple of weeks ago apparently couldn't leave well enough alone."

The Seattle Times: Local News: Robbery suspect nabbed during return visit to store


The Washington Post has a story about the victory for free speech handed down by the 3rd U.S. Circuit Court of Appeals on Thursday. They upheld a lower court injunction blocking the law (COPA) as being too squishy to pass constitutional muster.

"Previously, the 3rd Circuit had ruled the law unconstitutional on grounds that it allowed the legality of Internet content to be judged by "contemporary community standards.""

Also see discussion at
Slashdot | Appeals Court Rejects Child Online Protection Act, Again

See the full decision here. Monitor any future developments at EPIC's site

Note: Updated on 3-12-03 to change content to reflect CIPA to COPA. This law acronym alphabet soup is just as bad as telecom's! A CIPA announcement came out recently but this was supposed to be about COPA...


Many of the attacks described are social engineering attacks rather than computer security holes. I can't believe the mumbling attacks--hilarious! Social engineering attacks are very hard to defend against, especially with huge call centers like AOL must have.

AOL customers beware your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

"Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL's 35 million users. "

Wired News: Hackers Run Wild and Free on AOL


The March 3 Security Wire Digest and Reuters are reporting that:

"Leon Stambler, who has won financial settlements from companies such as
National Cash Register, First Data and Openwave Systems, seeks up to $20
million in the federal suit, being heard in Delaware. "

"Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

The companies are arguing that his invention (patented in 1992) is distinct from SSL. SSL was developed in 1994 and patented in 1997, according to the Reuters article.

The Reuters story is here


"Two Alberta men with a passion for locating and mapping wireless
computer networks have come under the scrutiny of Canada's spy agency."

"The press release, which also included Mr. Kaczor's name and contact information, featured the tongue-in-cheek headline "Wireless hackers invade Red Deer!""

High-tech hobby falls under CSIS suspicion


[IP] Pondering Value of Copyright vs. Innovation

"Technology scholars, business leaders and policy makers gathered at California
conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

""We have ceded too much power to copyright owners," said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. "People are afraid to proceed on innovative measures.""


Among other nasty things, the US government is trying to make using encryption while committing a crime over a computer a new offense in itself, one that would add 5 years to your sentence, if convicted.

"If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I'd also include using GSM cell phones with the built-in encryption....]"

The ACLU has a section-by-section analysis for the full dose of insanity.

[IP] Outlawing Encryption under PATRIOT II

Several members of congress have sent an open letter to John Ashcroft chiding him for the administration's handling of PATRIOT II. The Justice Department is being very secretive about this new act, even lying to congress about its existence, despite the fact that it has been leaked on the Internet.

From the FoxNews story:

"If there's going to be a sequel let's find out what it's going to be" before reading about it in the newspapers, Leahy said, accusing the Justice Department of lying to his staff about whether a new bill was in the works.


[IP] Must Read and See: Ari Gets Laughed Out of WH Briefing Room]

Join in laughing Ari Fleischer out of the briefing room. Start at about 30 minutes into the tape, when Ari is being repeatedly questioned about US diplomat quotes that some aid packages are being offered to Mexico and Colombia relating to their upcoming UN Security Council votes.


Seth Finkelstein has details on a troubling case about someone in Chester county in the UK complaining to google about a site run by someone calling themselves "Chester the Molester" as an illegal paedophile site that they found by searching for "Chester Guide" on google. The site, in fact, was not illegal at all but a list of "sick humor" that included a link to a humor article entitled, "Chester's guide to: picking up little girls".

So, all it takes is for someone to make a complaint, for google to not really research it, and you can get someone's site removed from google's cache.

[IP] Google removal - Chester's Guide to Molesting Google


Senator Ron Wyden (D) from Oregon is pitching a simple idea to lead to a market-driven solution to the DRM problems being imposed on consumers: to require music companies to disclose to consumers the restrictions they will impose on the consumer's use of the product.

"When customers know, for example, that the compact disc they're buying is technologically rigged so they can't rip MP3 files from it for use on a portable player, they won't buy it. Eventually, these informed customers will demand change in the copyright laws."

[IP] Truth in labeling

Senator Seeks Full Copyright Disclosures


Wow. This may help spur other cost-conscious companies (perhaps my employer too) into making the switch.

"Currently, our order management, customer transaction information, manufacturing flow, and software downloads (as a part of our build-to-order manufacturing process) all involve Sun-based Unix systems. But that's all being moved to Dell-based systems running Red Hat Linux and Oracle 9iRAC. So far, 14 Sun systems are gone and the plans are to complete the 'Sun setting' exercise this year."

Dell, Sun execs trade jabs over Unix viability


A must-have: Vespa Screensaver. Windows-only, of course.



Interested in buying one for me? I could handle the platinum, dragon red, or cobalt blue one. The local dealer location

Or, I can at least hope to win one from Starbucks. This is the perfect excuse to buy more coffee :-)


Keep this handy for the next MS Worm. Posted to RISKS 22.53:
[From Pete Lindstrom, Spire Security, petelind@spiresecurity.com]

*<adjective> Computer Worm <verb> Internet*

In the wee hours of <date>, a <adjective> computer worm spread <adverb>
throughout the Internet. Dubbed <silly name> because <ridiculous reason
that doesn't explain anything about how it works>, and also known as
<another random name> and <another random name>, the worm has infected
an estimated <number> systems within <length of time>. Experts are
calling this worm the most <adjective> since <date in the past>.

The worm exploits a hole in <Microsoft product name> that was first
identified <number> months ago by <security company name>...


Contact: Jason Axley
