“The Offending Articles Will Be Disposed Of”

Our Saudi allies, displaying their tolerance:

Paper cups with Hebrew writing disturbed both employees and medical staff at King Khaled National Guard Hospital on Saturday. The catering subcontractor for the hospital coffee shops began using them on Saturday after their usual supply ran out.

“We were shocked and angry,” said an employee. “How can Israeli products be allowed and how did they enter this hospital?” he asked.

Arab News contacted Ibrahim Al-Musbah, manager and owner, who said, “I thank you for informing me. I will look into it personally and the offending articles will be disposed of.” He added that the company has a supplier in the Kingdom from whom they buy restaurant supplies. According to Al-Musbah, the supplier might be unaware of the problem.

The paper cups were quickly withdrawn from use but might there not be other, less obvious, Israeli products in our shops and marketplaces?

Indeed. Less obvious Israeli products are, umm, corrupting the morals of their youth, and causing them to fly planes into buildings. Or maybe it has more to do with a culture of intolerance?

Quotes from Arab News, “Made-in-Israel Paper Cups Used in Local Hospital,” via Orin Kerr at Volokh. And mazel-tov to Orion-Rancal for advancing international relations.

The Gulf Coast

The scale of destruction from Katrina is simply staggering. The Red Cross and other good organizations could use your help. I do wonder if Pompeii isn’t a better analogy than others being brought up, such as the Indian Ocean Tsunami or Hiroshima.

As an aside, I expect there will be fake charity sites set up, and email campaigns to try to draw you to those sites. Use your favorite search engine, or a bookmark, to find the organizations you’d like to contribute to.

Impressions of Opera

Having taken advantage of Opera’s offer (still valid for a few hours!) I must say, I’m impressed. Opera is snappy in a way that Safari (with all the plugins I’ve added) is not. There are some small bits of things not working as I expect, things that should be controlled differently*, as I move, but there are two big issues that are causing me to consider not moving.

The first is ad management. Safari, by itself, does no better than Opera at this, but Safari has PithHelmet, which does an excellent job of helping me not connect to sites I don’t want to see, and also adds per-site configuration of things like Javascript.

The second is Mac Keychain integration. The Mac has a very nice system for storing and managing passwords, encrypted with your login password, or other password. Opera doesn’t seem to support this. I have literally hundreds of passwords stored in Keychain, and getting them all out and into Opera will be a pain.

It remains to be seen if Opera’s speed is enough to overcome these two hurdles. If anyone has suggestions for either, I’d love to hear them.

[* things that should be controlled differently: One example is skin management: Selecting a radio button for “download new skins” is clear enough, but going and getting new skins should be a different control.]

ParadisePoker.com Blackjack Cracked

An article in the summer 2005 issue of 2600 magazine (“The Hacker Quarterly”) discusses a timing attack on the Paradise Poker Blackjack game. In essence, the game reveals when the dealer’s hole card is a 10, because it takes longer to process that situation. (The article isn’t online, as near as I can tell.)

There’s more in “Online Games Are Written By Humans,” via BoingBoing.

(As an aside, bringing the attack out in public is an example of the best of the old hacker ethos. It would probably be fairly easy to turn this to your financial advantage. The new school attackers would program bot armies to play with your credit cards.)

Companies Helping Phishers

Daniel Solove has a good post on “How Companies Help Phishers and Fraudsters.” Companies have trouble being consistent in what they send, and that’s to the advantage of fraudsters. They also have a hard time taking security information from outsiders, however well meaning.

I had an experience with Citi Mastercard. After some problems, I was carefully reconciling bills, and noticed that one of my charges never showed up. That can happen because a merchant is skimming card numbers. To make it harder for Visa and Mastercard to determine where the skimming is taking place, some crime rings will absorb the charges, rather than billing them.

I tried to report this to Citi, and they had none of it. So maybe, rather than talking about training users in “More on Using Email Like a Stupid Person,” I should be talking about training phone support people.

Most people, most of the time, won’t notice problems. Many reported “problems” won’t be security-relevant and real. Even so, the first companies that learn to do this well will have a substantial competitive advantage as we enter into a period of increasing fraud.

Colossus, Anon Blogging, and International Blogging

  • In PGP’s CTO Corner, Jon Callas draws attention to the Second World War Colossus computer:

    The Colossus Rebuild Project took 10 years and 6,000 hours of effort. The resulting machine is not a replica of a Colossus, but an actual Colossus that uses some of the actual parts. The team finished a Mark II Colossus in time for the 60th anniversary of the completion of the first Mk II Colossus. They even built it in the very place that Colossus #9 was built, on the same concrete pad.

    So how fast is Colossus? Colossus is fast. It decrypts at 5,000 characters per second…If you wanted to program a modern computer to do what Colossus does, you’d need a 2GHz Pentium to match it. Not bad for a machine made out of 2,500 vacuum tubes, eh?

    And the rebuilt machine may be destroyed.

  • Curt Hopkins has Questions for Bloggers in Focus Areas, who need privacy help.
  • Rebecca MacKinnon points to World Blog Day 2005, and encourages folks to point cross-culturally.

    In one long moment on August 31st, bloggers from all over the world will post a recommendation of 5 new blogs, preferably blogs different from their own culture, point of view and attitude. On this day, blog surfers will find themselves leaping and discovering new, unknown blogs, celebrating the discovery of new people and new bloggers.

Oxford No Longer Accepting “Child Prodigies”

Yinan Wang, the 14-year-old Chinese boy who clinched a place at Oxford University last week, will be the last child prodigy to study there under reforms being considered by admissions tutors.

Despite an almost perennial flurry of headlines on children barely in their teens being offered places, the university is considering an unprecedented blanket rule on minimum ages for undergraduates.

‘The admissions executive is in discussions around whether we should introduce a minimum age of 17 for undergraduates,’ confirmed Ruth Collier, a spokesperson for admissions to Oxford. ‘We have been pushed to consider it, not because of concerns about whether it is psychologically healthy for children to study here, but because of child protection laws which have come into play this year for the first time.’

Children can no longer live in student accommodation, because the university could not carry out a criminal record check on every other undergraduate sharing the same premises.

I find these knock-on effects of “background check everyone” laws to be quite troubling. They drive good people away from jobs that require such checks, and they prevent good people from doing things, like going to college early. These costs to liberty are hard to quantify. What’s the cost of a country’s brightest being forced to spend four years in high school, rather than getting one of the best educations available?

(From The Observer, via Boing-boing.)

Cease and Desist, or I Shall Embarrass Myself Some More!

It used to be that to mock lawyers sending cease and desist letters, you had to be elite Swedish file traders. (Or Phrack. Phrack used to mock their correspondents, too, before they got all corporate.) But now, even gadget blogs can play, and play Gizmodo does, when some bunch of lawyers sends them a letter about the world’s ugliest phone (pictured).

Really, I can understand where Sony-Ericsson is coming from. Sony has spent years building brand around stylish products, and then their design department comes out with that? It’s too wide for any human hand, and what’s with the space bar buttons? You’d expect something that ugly from the People’s Democratic Republic of Korea’s Ministry of Aesthetics. The thing is an embarrassment, and I’d be ashamed if I were responsible. But I’d suck it up, and say, “guys, it was an April Fool’s joke.” Or blame interns. I certainly wouldn’t be calling in the lawyers. Because this picture is out of the bag, and the firm of “Göhmann Wrede Haas Kappus & Hartmann” is taking Sony-Ericsson to the cleaners by sending letters drawing attention to it. Nice work while you can get it, boys.

I reserve the right to publish all comments or email sent to me. If you choose to send me any confidential documents, you are hereby forewarned that I will not respect their confidentiality (unless we have a properly executed non-disclosure agreement).

And I’ll probably mock their contents, too.

ChartOne, 3,851 SSNs+Medical Records, System Administrator

On Aug. 1, UF was notified that a computer was stolen from ChartOne, a Boston-based firm that the Health Science Center contracts with to help manage medical records. In the laptop’s database were the names, Social Security numbers, dates of birth and medical record numbers for more than 3,000 patients spread over a wide area.

According to [UF Privacy officer] Blair, the problem began in late July, when a ChartOne employee in Gainesville reported trouble with a laptop computer. The company decided to send a new laptop by United Parcel Service, and loaded it with the information from the patient database before it was shipped.

On the bright side, the systems administrator didn’t load all of ChartOne’s customers on there.

(From “Missing laptop impacts patients of UF physicians,” Gainesville.com.)

In a letter to affected patients dated Aug. 8, UF Privacy Officer Susan Blair wrote, “Although the risk for anyone gaining access to and then using this information is low, reports of identity theft are often in the news.”

I read that and am stunned. Anyone who boots the computer before selling it will find this data. Will that be found by a practitioner of America’s fastest growing crime? Will someone decide to experiment, or just read 3800 medical histories?

There’s a database, which is protected (at best) by a Windows password. There’s probably an icon on the desktop, or at the top of the start menu, labelled “ChartOne Medical database.” Proposed laws give companies the power to make bad, media-driven risk assessments like this, and then decide to lie by omission.

In other encouraging news it seems that “ChartOne Automates Medical Record Requests for the U.S. Social Security Administration” (Press release, PDF).

[Finally, I meant to add that had this involved more people, it would have the potential to be a Choicepoint- or Cardsystems-scale issue. The third-party nature of the data loss by a company that patients have never heard of, combined with the nature of the data, would have turned this into a firestorm.]

Enforcement and Incentives

In “Getting Serious about Smog,” Virginia Postrel writes:

After many years of bureaucratic resistance, California is finally getting serious about air pollution from cars. These days, most cars don’t spew much pollution. But the few that do account for a lot, and many of them still manage to pass state inspection. Now, the LAT reports, the state is rolling out a serious program to measure tailpipe emissions of cars actually on the road:

In the largest experiment of its kind in California, the South Coast Air Quality Management District plans to use remote sensors and video cameras to measure air pollution from 1 million vehicles as they enter freeways and navigate roads in the counties of Los Angeles, Orange, San Bernardino and Riverside.

If caught, the owners of the most environmentally offensive cars and trucks would receive letters informing them that the government would pay to fix or scrap their vehicles. The South Coast district estimates that 10,000 to 20,000 of the dirtiest vehicles would be detected. Smog regulators lack the authority to order drivers to dump dirty cars, but they can offer incentives…

So, if they can offer incentives, why don’t they? Why are they building a surveillance infrastructure that will monitor all cars, and be “repurposed to fight terrorism” within a few years? (If you think that’s a good idea, fine, we can discuss. But this will turn out to be a bait and switch.)

There’s a tendency amongst government agencies to reach for the draconian solution, even when offering incentives might be cheaper, more efficient, and more freedom-loving. To catch 20,000 cars, they’re going to be monitoring 980,000 others. Why not take the money to do that monitoring, to do the roadside analysis, etc., and spend it to advertise that the state will buy your car for more than market rates?

WiKID Goes Open Source

WiKID is a two-factor authentication system. It consists of: a PIN, stored in the user’s head; a small, lightweight client that encapsulates the private/public keys; and a server that stores the clients’ public keys and the user’s PIN. When the user wants to log in to a service, they start the client and enter their PIN, which is encrypted and sent to the server. If the PIN is correct, the account is active and the encryption valid, the user is sent a one-time passcode to use instead of a static password.
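The server half of that exchange, as an added illustration that is not WiKID’s own code: the client’s public-key encryption of the PIN is assumed to happen elsewhere, so the server receives the PIN already decrypted, and the passcode lifetime and lockout threshold are assumed values.

```python
# Added model of the server half of a WiKID-style exchange (not WiKID's code).
# The client's public-key encryption of the PIN is assumed to happen outside
# this module, so request_passcode() receives the PIN already decrypted.
import hashlib
import hmac
import secrets
import time

PASSCODE_TTL = 60   # seconds a passcode stays usable (assumed value)
MAX_FAILURES = 5    # wrong-PIN attempts before deactivation (assumed value)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are short, so store them salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    def __init__(self) -> None:
        self.accounts = {}   # user -> {salt, pin_hash, active, failures}
        self.passcodes = {}  # user -> (code, expiry timestamp)

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "pin_hash": hash_pin(pin, salt),
                               "active": True, "failures": 0}

    def request_passcode(self, user: str, pin: str, now=None):
        """Step 1: a correct PIN on an active account earns a one-time passcode."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None or not acct["active"]:
            return None
        if not hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["pin_hash"]):
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:
                acct["active"] = False   # repeated guessing locks the account
            return None
        acct["failures"] = 0
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.passcodes[user] = (code, now + PASSCODE_TTL)
        return code

    def verify_passcode(self, user: str, code: str, now=None) -> bool:
        """Step 2: the service checks the passcode; it is consumed on first use."""
        now = time.time() if now is None else now
        entry = self.passcodes.pop(user, None)   # gone whether right or wrong
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, code)
```

The passcode is dropped on the first verification attempt and again at expiry, which is what makes it one-time rather than a second static password.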

Yesterday, they announced that they’ve open sourced their system. I really like the WiKID system, which transforms your mobile phone into an authentication device. Making it GPL allows anyone to use it.

One fascinating aspect is that the system as originally built took advantage of the (patented, proprietary) NTRU algorithms for speed. Because those are not WiKID’s to open, they’ve replaced them with RSA. But you can use a full version of the system under GPL to test, experiment or deploy to a userbase that’s OK with authentication taking a few seconds, and add a commercial license if you need it to be faster.

I encourage folks to check it out.

“Preserving the Internet Channel Against Phishers”

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel Against Phishers,” and is designed to be shared with marketing folks without insulting them.

Alternate title: “Don’t title your blog posts like a stupid person.”

Speaking of Hot Knives, Butter

It seems that Zylon “bulletproof” vests are not nearly as effective as Kevlar ones, and the Justice Department may pull funding for purchasing them. (All the press releases and reports are at the DOJ site.) They are, however, more effective than not wearing a vest.

I am routinely outraged here by poor technology decisions that apply to the public. Let me be clear that this is equally outrageous. People working in the public interest (including cops and firefighters) deserve to have great, well-tested, effective safety gear. I don’t know if the breakdown here is the same sort of breakdown that leads to things like CAPPS or zippo-banning. But I suspect they’re related, and maybe there’s common cause to be made there between libertarians and police?

See also the New York Times, “A Common Police Vest Fails the Bulletproof Test.”

(As an aside, one of the problems with blog display formats is that you read my latest writings first, where logically, this should come after the Robertson Lies post, so that the title makes sense.)