Ben Laurie blathering

28 Jul 2006

O2 Like Phishing

Filed under: Security — Ben @ 18:26

They must do, or they wouldn’t do stupid things like this.

I got an email, looking just like this

We’d like to say ‘thanks’ for being a great customer by offering you either a FREE Pay Monthly handset upgrade OR £100 credit added to your account – provided you haven’t recently upgraded.
And it couldn’t be easier. All you have to do is renew your contract with O2 before 31st August 2006.
If you choose to renew your contract for 18 months, rather than 12 then there’s even more on offer:
  • If you prefer to talk we have a range of Talker plans with Double Minutes each month*. For example, on an Online 500 Talker plan you’ll get 1000 minutes and 150 messages each month for £35.
  • If you prefer to text we also have a range of Texter plans which offer 50% Extra Minutes and Texts each month*. For example, on an Online 500 Texter plan you’ll get 750 mins and 750 messages each month for £35.
To see our full range of handsets and offers and to renew your contract, click here.
And thanks again for choosing O2 .
The information used in this mailing is based on your contract status as at 30th April 2006. Unfortunately, if you upgraded after this date your new contract means you won’t be eligible for these offers. Terms and conditions apply. *Offer subject to ongoing connection to eligible tariff see letter for details. Promotional allowances must be used within the month. Unused allowances cannot be carried over into subsequent months.

OK, I removed some maybe-identifying data from the link, but you’ll notice the link goes to “Oho”, says I, being a suspicious sort, “that’s not O2’s website, I wonder who managed to register it?”

$ whois

Domain name:


Registrant type:
UK Individual

Registrant’s address:
The registrant is a non-trading individual who has opted to have their
address omitted from the WHOIS service.

Registrant’s agent:
MCI Worldcom Ltd [Tag = UUNETPIPEX]

Relevant dates:
Registered on: 01-Aug-2003
Renewal date: 01-Aug-2007
Last updated: 04-Aug-2003

Registration status:
Registered until renewal date.

Name servers:

Hmmm, a non-trading individual who wants to renew my phone contract, eh? Think I’d better check that out – but what a shame, doesn’t actually resolve, so looks like I’m not talking to them. And, oh dear, Nominet are closed until Monday, so that avenue is out, too.

The mail itself, incidentally, purports to come from, a domain which they didn’t even bother to register.

So, fearing nothing, I clicked on the link – which redirects me to Here we go again.

$ whois

Domain name:

AIS Group Ltd

Registrant type:
UK Limited Company, (Company number: 3561278)

Registrant’s address:
Berners House
47-48 Berners St

Registrant’s agent:
Global Registration Services Ltd [Tag = GRS]

Relevant dates:
Registered on: 14-Apr-2005
Renewal date: 14-Apr-2007
Last updated: 27-Jul-2005

Registration status:
Registered until renewal date.

Name servers:

At least this has an address, if I could be bothered to follow up, which I can’t, but this all looks a bit fishy. To compound the fun, I also got a text on my mobile with the same offer, but anyway, I phone O2 customer services. They explain that this cannot possibly be O2, it must be one of their “marketing partners” who will, if I fill in the form, renew my contract with O2, but via them. And, presumably, or maybe not, give me a new phone. I ask where they got my email address and phone number, and the answer is that at some point I left a box ticked that said it was OK for partners to send me stuff.

So, do O2 condone this practice, I ask? The answer is, apparently, that they do. They don’t even mind, it seems, that the website has O2 branding on it.

If O2 is going to allow people they have contractual relationships with to do this kind of thing, how on Earth do they expect consumers to learn what is phishing and what is not?
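The phishing tell in this story is a branded mail whose links point at a domain unrelated to the sender's. As an added example (not from the original post), here is a small Python check that pulls the links out of an HTML mail and flags any whose registrable domain differs from the From: address; the mail body and every domain name in it are constructed placeholders, since the post elides the real ones.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registries where the registrable name is one label deeper (e.g. foo.co.uk).
# Hard-coded here for the example; real code would use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "com.au"}

def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'foo.co.uk' for 'www.foo.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

class LinkExtractor(HTMLParser):
    """Collect the href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def off_brand_links(raw_mail: str) -> list:
    """Return hrefs whose registrable domain differs from the From: address's domain."""
    msg = message_from_string(raw_mail)
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    sender_domain = registrable_domain(m.group(1)) if m else ""
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    flagged = []
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and registrable_domain(host) != sender_domain:
            flagged.append(href)
    return flagged

# Constructed sample modelled on the mailing in the post; all domains are placeholders.
SAMPLE_MAIL = """From: O2 Offers <offers@o2-mailing.example>
Content-Type: text/html

<p>To see our full range of handsets and offers and to renew your contract,
<a href="http://www.renew-your-handset.example.co.uk/o2?ref=REDACTED">click here</a>.</p>
<p>And thanks again for choosing <a href="http://www.o2-mailing.example/">O2</a>.</p>
"""
```

Running `off_brand_links(SAMPLE_MAIL)` flags only the "click here" link; the second link shares the sender's registrable domain and passes.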

The House of Lords Doesn’t Lose The Plot

Filed under: Crypto,Security — Ben @ 12:05

Kim Cameron reports on a House of Lords debate on pervasive computing. Baroness Gardner of Parkes appears to totally get it

… transmissions should be encrypted and sent anonymously without reference to the owner …

And I love this gem from Lord Sainsbury of Turville

I do not suppose that the noble Lord ever goes to the back of his local supermarket…

26 Jul 2006

SGC Makes A Comeback

Filed under: Crypto,Rants — Ben @ 14:23

I got snailmail spam a couple of days ago that made me wonder if I’d wandered into a time warp. Verisign are trying to sell me Server-Gated Cryptography – for those who haven’t been around since the Dark Ages, this was a scheme where US export-strength crypto (i.e. damn weak) could be upgraded to full strength if the server had an SGC certificate.

I imagine that almost no-one runs browsers with this restriction anymore – anyone got statistics?

I also love this quote

All VeriSign certificates offer 256-bit SSL encryption when both the server and browser support a 256-bit session.

This is totally meaningless. It’s like saying “all ACME seat covers offer 160 MPH where both car and fuel support 160 MPH”.

25 Jul 2006

Writing on Water

Filed under: Toys — Ben @ 13:48

Some crazy people have come up with a way to write on water.


Privacy International Loses The Plot

Filed under: Identity Management,Security — Ben @ 1:57

I’m aghast to read in IT Week (don’t ask) vol 9 no 29 p24 an article entitled “Will industry rescue the identity card?”

I’d hope not. But apparently this view is not shared by Simon Davies, Director of Privacy International, who is quoted as saying

I’ve believed for some time that a ‘white knight’ consortium from industry is needed. Companies that can see the benefits of the ID card idea should approach the government about effectively taking over the project.


It is now all about trust, the government has to restore some faith in the project.

I am at a loss for words.

24 Jul 2006

Kim and Dick Don’t Get It

Filed under: Identity Management — Ben @ 10:34

Dick says

Yes, these are Apples and Oranges. That is the point we are all making. Google and Microsoft did different things. Microsoft is making sure they don’t create an identity silo. Google is deepening the one they have. What Google did makes it easier for users to consume Google services from other sites. An Identity 2.0 vision would be great to see.

So, Dick, show me how to do this: if I want to use a Microsoft service, I see no federated mechanism allowing me to do that. You seem to assume that there will be one day – but on what basis? If Microsoft aren’t committed to using their own technology, why do you expect anyone else to be using it?

Kim thinks I had a bad hair day

I don’t understand why Ben wants to confuse a service offering like Windows Live ID with a cross platform technology initiative like the Identity Metasystem.

Perhaps things will be easier if I use Kim’s words to explain myself: I don’t understand why Kim, Eric and Dick want to confuse a service offering like Google Authentication with a cross platform technology initiative like the Identity Metasystem.

Is that a little clearer, chaps?

23 Jul 2006

Identity 2.0 – Apples and Oranges

Filed under: Identity Management — Ben @ 16:15

Not surprisingly, my post “Google Account Authentication” attracted some pretty instant responses, as well as comments on the post itself.

On further reflection, comparing Live ID with Google’s authentication is comparing apples and oranges. Live ID may allow people to choose who they accept authentication from, but where does it say that anyone is planning to accept anyone’s word other than their own? In particular, where do Microsoft say they’re going to grant access to Microsoft properties using identity tokens issued by anyone other than Microsoft?

Eric Norlin says: “Lots of people inside of Microsoft now understand *why* they must open the silo, and that learning is precisely because of their experience with Passport.” But is this actually true? What Microsoft appears to have learnt is that it can’t get everyone to accept its credentials. So, what’s the next best thing? Get everyone to use MS technology for accepting credentials. Perhaps that’ll even lead to Passport Mark II where the default is to trust Microsoft. Where does Microsoft’s work on Infocard or Live ID or whatever-the-passport-nom-de-jour is show that Microsoft has any intention whatsoever of opening their silo? What it shows is that they think everyone else should open their silo.

Fred asks: “could you explain why Google shouldn’t allow their accounts system to be accessed by Yahoo credentials?”

All I can say is what I already said: there isn’t a widely used, mature, reliable, secure identity federation mechanism available today. Whether Google wants to do this or not, in practice, they can’t. Such decisions have to wait for standardised mechanisms to emerge, in my view.

Dick is “surprised to see this post given conversations we had”. Well, Dick, if the fact that I don’t always agree with you is surprising, then you’d better stock up on soothing music or something.

22 Jul 2006

Google Account Authentication

Filed under: Identity Management — Ben @ 16:29

I’ve been trying to resist the temptation to comment on posts such as Dick Hardt’s “Google Account Authentication: two steps forward, one step back” and Kim Cameron’s “GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID” (which is mostly Eric Norlin’s “Google’s authentication vs. Microsoft’s Live ID“), since I work for Google and such comments might be misconstrued. However, bad journalism is bad journalism, even if you’re a blogger and I’m a Google employee, so I’m going to comment anyway. Note that, like everything I blog here, this post does not reflect Google’s views, nor does it use any knowledge I may or may not have as a Google employee.

Firstly, as everyone who pays attention knows, Google doesn’t announce what it’s going to do, only what it’s already done. So, what does it mean to contrast thus (from Eric Norlin’s piece)? “Of extreme importance is the fact that Windows Live ID will [my italics] support WS-Trust, WS-Federation, CardSpace and ADFS (active directory federation server).” vs. “Contrast all of this with Google’s announcement: create Google account, store user information at Google, get authentication from Google — are we sensing a trend?” – well, yes, the trend I’m sensing is that Windows Live ID does much what Google does today. Tomorrow they both may do something different. As of right now, what are the options? Is there any mature, reliable, secure identity federation mechanism that’s widely used? I think not. Note, BTW, that Live ID is currently vapourware, you can’t even get SDKs for it yet, let alone actually use it.

Some have argued that Liberty is the answer to this, in that it’s mature, reliable and secure. But it isn’t widely used, partly because of complexity, partly because in its early days it royally screwed over people who might have driven adoption, like the Apache Software Foundation, and partly because of complex IPR issues. At least, I’ve heard, the IPR might be getting fixed. I watch that space with interest.

Dick Hardt: “Google has just released Google Account Authentication. My initial reaction: great technology for rich clients and web sites acting on behalf of the user, but deepens the Google identity silo.” What does this mean? How does allowing applications to access a user’s Google services deepen anything? Did Dick actually read what these services do?

“The Google Account Authentication for installed apps is a bold move to standardize an API for working with installed applications. Unfortunate that it is domain centric. The user has to provide their Google credentials. Clearly the easy, safe choice that creates more value for the user’s google credential. Also makes it harder for any identity management technology to manage the Google credential.”


  • Duh, of course you have to provide a Google credential, you’re going to access a Google service. What kind of credential did you expect to present? Your Yahoo login?
  • Why does providing an API to allow applications to use user’s credentials make it harder for software to manage those credentials? I’m obviously missing something, but I can’t see what.
  • “Google Account Authentication for Web-Based Applications looks like it is opening up the SSO mechanisms that Google has been using across their various properties so that other properties can get a token to act on behalf of the user.” Hmmm … that sounds just like something an identity management technology could manage. But that problem was from a whole paragraph before, hopefully the reader will have forgotten about it by now.

It’s sad to see blogs following the newspaper trend, where the only articles worth writing are critical, regardless of the facts. Readership is king! To hell with accuracy!

19 Jul 2006

Chicken, Almond and Orange

Filed under: Recipes — Ben @ 19:37

I’ve cooked this a few times; it’s pretty quick and easy, but it tastes nice.

Chop skinned chicken breast into chunks and marinate in soy, ginger, spring onion and orange zest (all chopped smallish, the ginger and orange in strips, the spring onion diced small). While it is marinating, fry blanched almonds in a little oil at a low temperature, stirring continuously, until they brown slightly. Note that burning the almonds makes them bitter, so don’t do it. Set aside the fried almonds (I always have to ask for help here, coz I always forget to get a bowl out for them, and if you pause they burn and that’s bad).

Heat oil ’til it’s smoking (in a wok or a heavy pan) then quickly stir-fry the chicken with its marinade. Ideally do this until it isn’t quite cooked – chicken goes tough quite quickly, so if you want it tender you need to pay attention here. When you were chopping orange and spring onion, you wisely left half of each aside – add them at this point and some chopped coriander leaf (cilantro for the Yanks) [optional] and stir-fry for 30 seconds or so. Add a generous gloop of sesame oil, stir and serve, with rice and a green vegetable (last time I did leeks, pak choy is also good – my host also provided a tomato salad which went rather better than I expected, so give that a try).

18 Jul 2006

Yamaha R6 and Ducati 996

Filed under: Motorbikes — Ben @ 10:52

I just spent a week in Montreal, and rode there and back from Toronto with a friend. I was on an ’02 R6, the friend on a 996. The R6 was surprisingly comfortable for a sports bike, responsive and not twitchy (my friend said it was boringly easy to ride). I still can’t love the way fours behave, though – no power ’til about 7,500 rpm, then a rather sharp increase from there on up. Having to drop three gears to overtake is just annoying.

The 996 (which I rode for around 20 miles) was a totally different experience – loads of low-end torque, very solid feeling, a far less comfortable riding position (but now I know why they cut the tank out like that, the only support you get is from your knees!), a little strange at low speeds (I was, however, carrying a large amount of luggage at the time) and an astonishing amount of heat pumping out around your legs. Great for the winter, not so nice at 35C and high humidity!

Canada has some lovely roads if you have the time to find them. 18 down from Montreal was fun, in a lazy kind of way, and once we got up into cottage country (northeast of Toronto), the roads were fun and the views beautiful.

I’m definitely up for doing that again!

Firefox Plugins I Like

Filed under: Open Source — Ben @ 10:32

Tab Mix Plus, Hash Coloured Tabs (hmm, have a nasty feeling Tab Mix Plus kills this, damn), Viamatic foXpose, Digger, and yubnub – but someone really should write a yubnub plugin that works locally.

Always keen to hear of more useful plugins.

4 Jul 2006

I Really Do Rule The World!

Filed under: General — Ben @ 15:07

Last week’s New Statesman, in an article about digital rights said

We British don’t like to brag about it, but this country is still a home for some of the world’s best open-source coders – Ben Laurie, who coded the security software that deals with most credit card transactions online…
