Links

… and they won’t take sensible security decisions, so we have to dumb everything down for them. Or at least, that’s what we whine. So, I have to ask, WTF is this all about?

How is anyone supposed to figure out what to do now? Surely we know which of those three errors it was? So why are we giving the user such appallingly crap feeback?

And I can totally imagine how the conversation with Majestic’s webmaster is going to go…

Me: Hey, I got this error. Apparently you’re either using a CA that’s not in a list I’m not going to give to you, or you screwed up your server config so your certificate is incomplete, or you are a phisher and I’ve just given you my password, or you aren’t a phisher but your cert and website don’t match. Please fix it.

Webmaster: O RLY? Well, I’ve got this email that says your wine order is either in the post, not in the post, cancelled or coming to me instead. Laugh it up, big boy.

I’m having a bit of a run-in with TomTom at the moment. The details are boring, but the short version is I bought a second device, for the car, registered it at their site, and as a result de-registered my existing GPS and associated the add-ons I’d bought for it with the new one. This would be OK except that they are now refusing to let me change it back!

If I want to escalate my complaint about this, here’s what I have to do. What you have to love about this is

TomTom wants to do the following:

• Make it easy for you to raise your feedback

…

If you are not satisfied with any aspect of our service or products, tell us about your concerns by writing us a letter.

Our address is:

TomTom Sales BV
Customer Support – Customer Relations Department
Rembrandtplein 35
1017 CT Amsterdam
The Netherlands

Isn’t that awesome? We want to make it easy, so schlep down to your post office and figure out international postage – that’s so much better than this new-fangled email thing.

Of course, they don’t really want to make it easy – then they might have to investigate some minor complaints, and that would be a waste of their fine minds. They want me to be seriously pissed off before I bother them. And I am, but, thanks to the blogosphere, I can take my complaint to the people that matter: their customers.

EU Justice and Security Commissioner Franco Frattini joins the ranks of the terminally deluded

I do intend to carry out a clear exploring exercise with the private sector … on how it is possible to use technology to prevent people from using or searching dangerous words like bomb, kill, genocide or terrorism

Do you, indeed? Of course, this is going to make a huge difference: Hitler would never have killed all those Jews if we’d managed to stop him Googling for “genocide”, after all, so I can totally see your reasoning here.

I really like that he wants to stop us even using these words. When will they be struck out of dictionaries? And all the books they appear in?

Hmm, if we can’t say “genocide” does that mean that we’ll all be forced to deny the Holocaust? Isn’t that actually a crime in some EU countries?

OpenSSL fixed yet another side-channel attack recently. For those of you not in the know, a side-channel attack is one where process A figures out some aspect of what process B is doing by observing some change in the behaviour of process A. A trivial example of this would be to guess whether process B is running or idle by checking what percentage of the CPU process A is getting.

More advanced versions exploit various tricks CPUs to make things go faster, such as caches and branch prediction. Somewhat surprisingly, these attacks can provide enough information to leak information like RSA keys. This, of course, causes people who are trying to make a name for themselves to get quite excited – if they can claim to be able to steal secret keys, then that is news.

However, this all seems rather silly to me. In order to mount most of these attacks the attacker must be local – that is, they have to be able to run code on the same machine as the machine using the secret key. Now, every good security person knows that if your attacker has the ability to run stuff on your machine, it is game over, so why are we even caring about these attacks? This is security theatre of exactly the type that we geeks like to accuse the TSA of on a regular basis – isn’t it time we started making fun of ourselves, too?

Why don’t we? Presumably for exactly the reasons that governments like security theatre. Its good for business. We make people feel loved and protected. We keep people like CERT in jobs. Security companies can issue updates to products. Staff can spend lots of lovely overtime hours doing QA for the emergency rollout of a security update. The economy benefits!

Isn’t it time we stopped fixing these attacks? It isn’t as if the fixes come for free – they almost always make the crypto slower. And, as I said above, until we have platforms that are actually robust in the face of hostile users that can run code on them, there is absolutely no point in avoiding these attacks.

By the way, OpenSSL is far from being the only crypto library that’s vulnerable to this attack, but the advisory will only be about OpenSSL. Why? Diminishing returns, that’s why – OpenSSL is the most widely used crypto library. Once you’ve broken that, the theatrical value of the others is minimal, so why bother? Because you care about security, you say? I rest my case.

I was planning to write about the Professional Association of Teachers (PAT) calling for YouTube to be closed down in order to combat bullying, but there seems little point, since in the same article Emma-Jane Cross of BeatBullying hit the nail on the head

“Calls for social networking sites like YouTube to be closed because of cyberbullying are as intelligent as calls for schools to be closed because of bullying.”

You’ll notice that in the above, I do not link to PAT, nor do I link to YouTube, Emma-Jane Cross or BeatBullying. Normally I would, but as I was about to embark on a session of Googling, I thought “Why do I have to do this? If the BBC had got with the programme there would be links in their article that I could follow.”

Which leads me on to the thought that old media should stop whining about how they are the real journalists and we losers with blogs are just some pale imitation and start, instead, providing a service that is as good as the average blog, instead of a mere transposition of their print columns onto web pages.

The whole point about the web is it allows you to link to your sources, to tangents of interest and to full versions of documents mentioned. But the old media does none of this: they think the web is like paper. If they don’t want to go the way of the dinosaurs they need to drag themselves into the 20th century and start linking.

I am amused to read about an auction site for zero-days. Why am I amused? Not because I think that selling zero-days is cool, but because of the massive hypocrisy by other zero-day vendors.

“How do you know bidders aren’t people with nefarious purposes”

wails Terri Forslof of zero-day vendor, TippingPoint. I don’t know, Terri, but I’ve been wondering how you figure that out for some time.

Companies like TippingPoint and VeriSign’s iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes.

Aren’t they nice? They only tell paying customers about the flaws before they’re patched. That’s clearly different from WabiSabiLabi, who only tell paying customers about the flaws before they’re patched. Oh, wait…

This really does amuse me, though

WabiSabiLabi’s founder said the company currently has no plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for any one vulnerability.

Now, the dodgy geezers at WabiSabiLabi are trying to convince us that they would only sell to well-intentioned people. How can they possibly square that with the idea that buyers will pay more for unfixed vulnerabilities? What possible good motive could such a buyer have?

Of course, I’m having a hard time figuring out why anyone would be buying these vulnerabilities in the first place: perhaps the story is that they will get competitive advantage by being able to claim that they have fewer vulnerabilities? I’m looking forward to the adverts: “XYZ – now with fewer security holes than competitive products! Get it before they outbid us!”.

As we all know, removing access to all undesirable content on the Internet without also removing access to some perfectly innocent (or even crucially helpful) content is impossible. And that’s even before you start worrying about what is meant by “undesirable” and who should decide.

None of this deters our fearless representatives in government, as this exchange shows:

Brian Iddon (Bolton South East, Labour) Link to this | Hansard source

May I draw my right hon. Friend’s attention to a substantial piece of work that Zentek Forensics in my constituency carried out? It showed that it is ever so easy to google one’s way around the firewalls that prevent children from accessing some very undesirable material. That is happening in schools, libraries and children’s bedrooms in the evenings at home. Will my right hon. Friend look at the providers of commercial filters and try to get them to strengthen their firewalls?

Add your comment

Jacqui Smith (Home Secretary) Link to this | Hansard source

I am happy to look at anything we can do to protect children from some of the dangers of the internet. I recognise, of course, that the internet plays an important role in the lives of children and young people—at their schools, in their social lives and in their ability to research. However, it is clearly unacceptable if we cannot put the technical safeguards in place. We have been considering how we can, for example, kitemark some of the products that are involved in filtering and monitoring software. Perhaps, as part of that activity, the company to which my hon. Friend referred could make some progress. However, we take the issue extremely seriously.

Ah, yes, it is “clearly unacceptable” to give children unfettered access to the ‘net. Heaven forfend that parents should actually have to educate them, provide them with any kind of moral compass or, indeed, indulge in parenting. A kitemark will solve all our problems.

Though I will admit that a lot of the nut-drivingness has been taken out of it by Eclipse (even if it is black magyck). So, I’ve been playing with Higgins (btw, teehee!). Or, rather, trying to. It seems Higgins is a pile of different inter-related projects. Which is good, but each one has its own dependencies which it wants to find in a subdirectory called lib. The first issue here is when I discover that something depends on stax-api-1.0.1.jar, what am I supposed to make of that? I can do a bit of googling and discover that there is such a thing out there on the interweb, download it and plug it in. But surely there’s a better way? How do I know I got the right thing? Suck it and see?

And what when the required library is called serialiser.jar? That’s just a teensy bit vague. Now what?

Then there’s the issue that each one of these projects wants its own copies of each library. Which I can do, of course, but it’s tedious! Again, I ask, surely there’s a better way?

Someone please tell me this is a solved problem and I’m a moron for whining about it.

(And I haven’t even started writing Java yet, that’s when the real nuts-drivingness sets in)

I’m slightly amazed to see that O’Reilly, who claim to have invented the term “Web 2.0”, have managed to produce a CFP that doesn’t even mention security. Not hugely surprising, I guess, when you read the rest of the CFP, which has clearly been written by some MBA…

These are just some of the trends and shifts we’ve noticed.

• Web operations, theory and practice: What are the major players up to with their platforms and how do open source and independents play into “web as platform” and “web ops”?
• Global scalability: The Internet is global, your apps need to be global, and they need to scale.
• Going 2.0: How to turn your 1.0 business into a 2.0 masterpiece in less than six months.
• Viral marketing and community evangelism: Start a fire! Learn how to create a meme and let your users tell your story, without spending a fortune.
• SEO & SEM: The science of measurable marketing. Find your keywords, and let your audience discover you, using search engines as the gateway.
• Blogging and Internet PR: The new way to launch a product or service?
• User-generated content: Tagging and ratings and blogging, oh MY!
• Syndication: Don’t be afraid of spreading your content across the Web. It’s free advertising; if it’s good and adds value, your users will come find you.
• Location: Maps and location are now commodities. How can it add value to your app?
• Social networks: Are commonplace–where are they going next?
• Identity: Distributed identity is on the rise. What should you support?
• Data: The importance of data is growing. How can you protect and respect your users by giving them a way out?

Perhaps its just me, but not one of those sounds like a trend or a shift to me – they all sound just like an advert for your contentless conference.

Eben Moglen blogs about the GPLv3 and what a wonderful guy he is. But I’m not going to get into a GPLv3 vs. GPLv2 vs. anything else debate, since I’m a BSD/Apache guy and don’t really care what the GPL crazies’ drug of the month is. However, I do object to this

The release of Discussion Draft 3 has been greeted as warmly as I dared hope: all the recorded outrage has been emitted by Microsoft or its surrogates, which is at it should be.

So, it seems that the fact that at the 11th hour it has been decided, yet again, that the Apache Licence is not compatible with the GPL, despite assurances, to the obvious distaste of the Apache Software Foundation, is not on his radar – despite the fact that the ASF is a client of his company. Perhaps he thinks that

SFLC and its clients will be using the new license before long

applies to the ASF. I think not. In fact, I think it will be a cold day in hell before the ASF has any truck with any likely variant of the GPL.

They don’t work, they cost an arm and a leg, and they create a surveillance state. In short.

Perhaps I don’t get microformats. I keep hearing people wanting to invent their own format for things for which we already have half a dozen known standards. When pressed, the justification is either that it is too complicated, or that they want to “decouple” from whatever-it-is that the existing formats are “supposed” to be for.

Sometimes this is fair comment, but often it seems to me to entirely miss the point. When a standard format is self-contained (that is, it doesn’t rely on being embedded in a whole mess of infrastructure in order to be meaningful) there’s no reason to associate it with its normal environment. Because it is self-contained you can just pick it up and use it elsewhere. There are many formats like this, at all levels of the stack; examples are OpenPGP, iCal, vCard, practically all XML, and, if you get right down to it, most of TCP/IP (witness amusing standards like IP over carrier pigeon – no, really, RFC 1149 – and its even been implemented).

How about complicated? Well, I contend that any widely used standard format has libraries that can parse it, and if it doesn’t, then software engineers need to put their software architect heads on occasionally, dammit.

So, neither of these arguments are standing up, as far as I can see. Which leads me to wonder: what are microformats all about? Why do people want to decouple? Are they just lazy? Or do they hate the communities that make the standards so much they want nothing to do with them? Or are they merely misguided?

Or have I totally missed the point, and microformats are actually only used where there’s no existing self-contained standard?

Answers on a postcard, please!

My ex-MP, Clive Soley, has a blog. In it, he displays his usual grasp of the important issues

Fine Dan. You opt out of the NHS system as is your proper right but don’t blame me if in an emergency you don’t get the right treatment quickly enough because they have to ask permission to get your record when your unconscious!

Anyone who has looked into this even a little bit knows perfectly well that A&E aren’t interested in your medical history, apart from any that’s drastic enough to make you carry a warning about your person. For which, of course, a central database is totally not required. Incidentally, I wrote to my GP asking her to opt me and my immediate family, which she did without any fuss (see “Big Brother Knows Best“).
In the same post, amazingly

DNA. Any state system of collecting information is always a balance between the usefulness of the information to the individual (see above) and to society and those aspects have to be set against any dangers to overall freedom. As I have already said collection of DNA seems to me to be fairly easily justified.

The advantages are :

1. A very useful way of avoiding some of the wrongful convictions we have seen in the past:

2. A strong deterrent for crimes of extreme violence especially rape and murder:

3. A way of increasing the speed at which an offender can be caught – think how many murders and rape cases in the past could have been cleared up quickly before further offences could be committed.

Funnily enough, there’s no corresponding list of disadvantages.

It reminds me of the one time I interacted with him as my MP. I wrote to him about trespass, which was, at the time, to be criminalised. His response? “Law-abiding citizens have nothing to fear”. Apart, that is, from the ones that were law-abiding yesterday and are criminals today. He also went on to respond to a number of points I had not raised, presumably because I was being fobbed off with a form letter for a campaign that was running at the time.

I am disappointed (but not surprised) to see Stefan Esser resigning from the PHP Security Team. All my security interactions with PHP have been disappointing, to say the least. Amazingly enough, Zend, who make money from PHP, say

It is not the case, however, that the PHP project is trying to conceal the fact that PHP has been implemented in a very unsafe way. But Suraski [Zend CTO] does think it preferable to produce a patch before publishing any bug report.

Yes, it is preferable, but you have to actually produce the patch. Failure to do so is not a reason to withhold the security flaw – if we follow that path we’re back to the bad old days where security flaws get brushed under the carpet and users suffer. PHP need to get with the program: fix the bugs in a reasonable amount of time, or have the world know what a useless bunch you are.

Esser paints a pretty bleak picture of an institutional head-in-the-sand attitude in the PHP developer community

… as soon as you try to criticise PHP security, you become persona-non-grata in the security team. In addition many of his suggestions were ignored because the developers considered Esser’s choice of words, too abrasive. He says that he had stopped counting the number of times he was called a traitor when he published a bug report on a vulnerability in PHP.

and

… bugs were sometimes not correctly fixed or were re-introduced. This was often not noticed because there was no test-rig for exploits and the idea of having one was categorically rejected.

I’ve always advised against PHP because of its lack of security, but now I know its developers are actually actively campaigning to ensure it is insecure I think its time I worked a bit harder at it.

So: PHP security sucks. Don’t use it.

A long time ago, I wrote about Tipping Point and friends, whose business is selling exploits. Today I read that

Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

Presumably I’m supposed to think this is somehow different from (and, naturally, far, far worse than) established businesses hawking zero-day exploits at God-knows-what a pop? Can someone explain why?

Two weeks ago, I wrote to my MP, Andrew Slaughter, using the most excellent WriteToThem. Today, WriteToThem asks me to confirm whether he has responded, which he has not, putting me amongst the majority of his constituents. According to TheyWorkForYou (hah! I wish!) he only condescends to reply to 35-44% within 2-3 weeks. TheyWorkForYou has other interesting statistics – interesting if you want to understand what a complete waste of space your MP is, that is. For example, he has never voted against his party (this statistic originates from yet another great site, The Public Whip).

Anyway, the point of this post is not so much to moan about my MP but to point out that if you (unlike my MP) want to get more involved in democracy in the UK there are some fantastic sites out there to help you. And guess what? Not a single one is run by the government, and they are all free.

I found this report on an Apple European Analyst Event, whatever that is. Apple, apparently, say

The fastest way to get to open standards (our commitment) is through open source.

So far, so good. They go on to say

We’re a major contributor to Jabber, mySWL, modperl, php, OpenLDAP, Apache, python, SQLite, Rails, CalDav, FreeBSD, freeRadius, SpamAssasin, SquirrelMail, ApacheAnt, OpenSSL etc

Well. I don’t know about the rest of them, but I do know about OpenSSL and Apache. I’ve been working on OpenSSL since it began, and I don’t remember any contribution from Apple. I just checked the CHANGES file – not a single mention of Apple. Also, I know for a fact that Apple have spent a good deal of energy trying to remove OpenSSL from their stack.
I was going to say the same holds true of Apache but my friend Fred Sanchez has worked on Apache forever and also works for Apple. To what extent his contributions to Apache were effectively Apple’s and not his own, I don’t know. Apart from Fred, though, I’m not aware of any Apple contributions there, either.

I wonder if the rest of their “contributions” are equally fanciful?

I just read a paper by Ann Cavoukian, Information and Privacy Commissioner of Ontario, called “7 Laws of Identity”. If you’ve been paying attention, you’ll know that this is likely to be quickly followed by a recommendation to use Windows Vista and Cardspace (like, ahem, this, perhaps?).

So that’s fine, if Ontario wants to waste money by buying from Microsoft, rather than using, say, open source solutions, such as Higgins or OSIS, then that’s their taxpayers’ lookout, not mine.

What does annoy me, though, is the complete bullshit in the paper, apparently endorsed by Kim Cameron – who should know better.

This paper recognizes and is inspired by the “7 Laws of Identity” formulated on an open blog by a global community of experts through the leadership of Kim Cameron, Chief Identity Architect at Microsoft.

and

Because these Laws were developed through an open consensus process among experts and stakeholders, they reflect a remarkable convergence of interests, and are non-proprietary in nature. As a result, they have been endorsed and adopted by a long and growing list of industry organizations, associations, and technology developers.

This just isn’t true. Kim’s 7 laws were sprung fully-formed on experts and stakeholders – at least, the experts and stakeholders I know. So, Kim, who are these experts and stakeholders? And where was the open process?

Then there’s this…

By allowing different identity systems to work together in concert, with a single user experience, and a unified programming paradigm, the metasystem shields users and developers from concerns about the evolution and market dominance of specific underlying systems, thereby reducing everyone’s risk and increasing the speed with which the technology can evolve.

What? Cardspace maybe allows you to use different kinds of certificates, but I don’t see it doing any other protocol than Cardspace’s own. And yeah, at this point Kim will say, “no, no, the metasystem is something different, Cardspace isn’t the metasystem”, but, as usual, he only says that when he’s challenged. The rest of the time he’s happy to see “the identity metasystem” (whatever that is) conflated with Cardspace.

None of which is to say Kim’s 7 laws are wrong or bad. They’re really quite good, apart from being way too verbose and hard to read – unlike my 3 laws.

I use Norton AntiVirus, for no particular reason, mainly because its cheaper to keep paying the subscriptions than it is to figure out what to use instead.

Today the time rolled around again to renew the update subscription. Firstly the built-in renewal thing didn’t work, says it can’t contact the server. I guess they didn’t think it was worth testing that bit. OK, so I can go via the website. Seems I can get an upgrade for only a fiver more than an a subscription, so I decide to do that.

Then they want me to buy something more expensive, y’know, firewall and all that stuff. I decline. Mildly irritated by this point. Then they’ve added an option, for six quid, to download what I’m just about to buy from them (saving them money on packaging, I might add) for a year. More irritated, I remove this option – if my machine dies enough to need a redownload, it won’t be Symantec’s products I’ll be downloading. Now it wants my credit card info. And my phone number, apparently. OK, so I invent one just for them, and it says

We’re Sorry.

The information you provided us is either incomplete or incorrect.
Please use your “back” button to review the previous page and try again.

Error Number: 30016017 – 0

28 Aug 2006