Saturday, March 22, 2003

Juxtaposition mobile edition!

I just found some very simple instructions and a sample template for making a parallel WML version of this site for viewing on my mobile phone (I do work for a wireless phone company, after all). Check out the result: Juxtaposition mobile edition


I started by finding this WAP & WML thread at movabletype.org

This discussion pointed me to two solutions for two different problems:


  1. Nicely Toasted Mobile, which generates WML versions on the fly for WAP-based mobile devices
  2. Mark Pilgrim's solution, which was designed for more intelligent mobile form factors, like the Palm. This is how you can create AvantGo-compatible content for offline browsing with tools like Plucker.


I chose the first option, as this is the one that I really find lacking right now: the ability to view my own site from my Ericsson T68i. I can view the regular site just fine in my Siemens SX56 (with the exception of the style sheet, because Pocket IE does not support CSS...), but I cannot even coax the Ericsson into viewing the RDF version.

I made just a couple of tweaks to the Nicely Toasted template to customize the content and make it generic enough to be used for any other blog, including making the Home URL relative and inserting the blog name with the <MTBlogName> tag.

I think that the next step will be to further customize the template to include hyperlinks to the rest of the story content.

Friday, March 21, 2003

Users tricked into believing a Nokia upgrade hoax

"Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a
press release from Nokia offering an upgrade for owners of the Nokia
7650 handset to support a series of new features.

The press release says that "Nokia today announced after months of
speculation and rumours that it will be re-releasing its flagship
Symbian OS phone, the 7650, with the long awaited increased memory
capabilities.

The new 7650 will remain branded as 7650 but will have the added feature
of an MMC expansion bay and support for Bluetooth Audio."

There is a web site address for the press release, that at first look,
does look like a Nokia web site address - but the @ symbol in the middle
of the URL actually causes browsers to ignore everything before it, and
the remainder of the address is a web page on a totally different
server. "

One of the URLs looks like this, so you can see how someone could easily be tricked into believing it is legitimate:

http://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm

The page no longer works, but the lesson stands: be diligent online, and don't trust everything you read. Someone could easily hide this URL behind some innocuous link text so you would not notice the trick: Nokia fake press release
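To make the trick concrete, here is an added example (not part of the original post, and not tooling from any of the sites linked here) that splits the hoax URL above the way a browser does: everything before the "@" in the authority part is treated as a username and discarded for the purpose of finding the server, and the real host is the percent-encoded string after it, which decodes to a bare IP address. The benign comparison URL and the looks_deceptive heuristic are my own constructions, added for contrast.

```python
"""Show what a browser actually does with the hoax URL quoted above.

Added example using only the Python standard library. HOAX_URL is the URL
quoted on the page; BENIGN_URL is constructed here for comparison.
"""
from urllib.parse import urlsplit, unquote

# The hoax URL quoted on the page: the text before '@' is userinfo, and the
# real host after it is a percent-encoded IP address.
HOAX_URL = "http://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm"
BENIGN_URL = "https://www.nokia.com/press/7650.htm"  # constructed for contrast


def real_destination(url: str) -> dict:
    """Return the parts of a URL a reader should actually care about.

    In the authority component (between '//' and the next '/'), everything
    before the last '@' is userinfo (username[:password]) and is not part of
    the host. The host is what follows the '@', minus any ':port', with
    percent-encoding removed, which is how a browser resolves it.
    """
    parts = urlsplit(url)
    userinfo, has_at, hostport = parts.netloc.rpartition("@")
    host = hostport.split(":", 1)[0]  # drop an explicit port if present
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo if has_at else "",
        "host": unquote(host).lower(),
        "path": parts.path,
    }


def looks_deceptive(url: str) -> bool:
    """Heuristic (my own): an http(s) URL whose userinfo contains a dot reads
    like a domain name to the eye and should be treated as suspicious."""
    d = real_destination(url)
    return d["scheme"] in ("http", "https") and "." in d["userinfo"]


def describe(url: str) -> str:
    """One-line verdict, e.g. for a mail-filter or proxy log."""
    d = real_destination(url)
    verdict = "SUSPICIOUS" if looks_deceptive(url) else "ok"
    return f'{verdict}: host={d["host"]} userinfo={d["userinfo"]!r} path={d["path"]}'


if __name__ == "__main__":
    for u in (HOAX_URL, BENIGN_URL):
        print(describe(u))
```

Running it reports the hoax URL as going to host 194.164.20.8 with the Nokia-looking text in the userinfo field, while the plain Nokia URL has no userinfo at all. The same split is what a link checker or mail filter should do before deciding which domain a URL "belongs" to.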

Read more about these same techniques that spammers often use to trick you at Stupid Spam Tricks.

Black-box testing your brain

New Scientist

"The world's first brain prosthesis - an artificial hippocampus - is about to be tested in California."

This is the result of black-box testing the hippocampus, the part of your brain that encodes "experiences so they can be stored as long-term memories". Its exact workings have proven elusive, but by treating it as a black box and mimicking its response to inputs, scientists were able to devise a mathematical model that they could program onto a chip, which could then replace a malfunctioning hippocampus.

Some of the ethical issues are discussed in the article as well.

Space Elevators: fact or fiction?

A Slashdot article about a book (see below) researching whether the sci-fi Space Elevator could be practically manufactured is out:

These are some of the fruits of ongoing NASA-sponsored research.

What is a Space Elevator, you ask? A superstrong elevator "shaft" stretching from earth and anchored to a geosynchronous satellite in outer space that an elevator would ride upon to carry payloads outside of our atmosphere.

"carbon nanotube fibers are both strong and light enough that a 100,000 km elevator, constructed of a 2m wide carbon nanotube "ribbon," could be constructed in 10 years for a cost of US $6 billion, and be capable of lifting a 13-ton payload to geosynchronous orbit once every few days. If feasible, it would present a stunning breakthrough in space accessibility, and likely usher in a new age of space development and exploration."

Slashdot story

Fuel cells coming to a laptop near you

Cool!

InfoWorld: Toshiba prototypes methanol fuel cell for laptops: March 05, 2003: By Gillian Law: End-user Hardware



SSL Patent suit update: victory for SSL!

A press release on RSA's website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial



Analysis of the educational initiatives outlined in the national cybersecurity strategy

Rob Slade takes an in-depth look at what the National Cybersecurity Strategy does for security education and doesn't really find much. To summarize:

"we [the U.S. Gov't] can't do it alone, so we're not going to do anything"

"How will it happen?"

"Focus or force?"

"Security awareness cannot be promoted by establishing contests where nobody will compete."

"Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon"

"Subject to budget considerations. No further comment needed."

"What incentive do those companies have to do so? "

"How about funding?"

"OK, the government doesn't want to help or fund certification, but wants to dictate what the certification is for."

"I imagine AV and firewall vendors will be delighted that the government will be advertising for them"

The document seems to say a lot but does not seem as if it will actually do anything.

Read the full analysis in Risks 22.63, article 1

Thursday, March 20, 2003

Duk Koo Kim


I recently purchased the one and only vinyl album that I own. I had to do so, even though I do not own a turntable, because it is a 1000 copy limited release single. It contains two versions of the same beautiful song, called Duk Koo Kim, by Mark Kozelek of the Red House Painters. This is one of my favorite RHP songs. Reading the history about Duk Koo Kim makes the song that much more poignant and sad.

Duk Koo Kim - Wikipedia

A tragic turn of events that reads more like Shakespeare than real life. One death leads to several others and radical changes to the world of boxing.



E-voting banter between scientists

There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problem of massive external vote tampering by extortion (vote this way and prove you voted this way or I'll kill you) or vote selling (vote Republican, prove it to me, and I'll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable these systems.

Rebecca Mercuri replied:

"The whole idea of photographing paper ballots is a straw man. It is akin to saying that people
will just run through red lights anyway so we shouldn't place them at intersections."

This seemed to sum up my thoughts on the complaint. He seemed to be arguing for throwing the baby out with the bathwater, saying "[printing paper receipts] creates problems that are even harder to solve than the silent subversion of e-records".

He included criticism later on that a paper audit trail does not really make e-voting systems any better than existing paper-based systems and seemed to argue that it is academically uninteresting. I think that this is exactly the point though: nobody has yet come up with an entirely electronic voting system that solves the fundamental problem that a paper audit trail solves. It may be unsatisfying, but what I think is far more unsatisfying are the voting districts that are ignoring this academic result and swapping out systems with unverifiable ones. People need to understand the limits and risks of electronic systems.

Rebecca's most interesting statement for me was:

"The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of
scientists with Ph.D.'s, the average citizen can have no confidence that their voice is being heard."

She ended her posting with a response to the criticism:

"I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human-accessible format that is a considerable improvement over both the black-box systems and the chad-based ones. If you can devise a system that is equally user-friendly and has the same ability for independent auditing, then please do so."

The discussion ended with that.

In Happier Times...

This is hilarious. It must be making its rounds on the Internet today. Thought it would bring a bit of levity to the current world situation.



Friday, March 14, 2003

Risks of background checks

There is a trend after 9/11 to perform more background checks on individuals as a requirement for all kinds of things, employment being a major one. Data integrity issues are probably the biggest risk with these kinds of checks. Who has your data? Where did they get it? How do you know it is accurate? How can you correct mistakes?

I reviewed a background check service that is used for credit checks mainly and was surprised to see that they offered the ability to check against the _____________________

This is a case of simply not doing a thorough enough query of the information in the first place. It reminds me of the recent erroneous (and perjurious?) BSA complaint against OpenOffice, based on an inaccurate search query and a lack of human sanity-checking of the result. "The computer said there was a match. And computers don't lie..."

Date: Thu, 6 Mar 2003 18:14:45 -0800 (PST)
From: Max Power
Subject: Identity mixup: NZ teacher identified as prostitute

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after
finishing four years of training. She was notified that she was "likely" to
be a prostitute convicted on four charges, including two assaults, based on
a computer match of her maiden name and birthdate. Despite going to the
police and submitting to fingerprinting that demonstrated she was not the
person in question, she was not cleared until weeks later -- after her local
Member of Parliament had intervened. [Source: Prostitute mix-up shocks
teacher, by Ruth Berry, 06 March 2003; PGN-ed]
http://www.stuff.co.nz/stuff/0,2106,2309649a7694,00.html

Thursday, March 13, 2003

PrivacyChoices



New IEEE Security and Privacy magazine

I will have to check this out. Although, I have several piles of other publications to whittle down first.

"The IEEE Computer Society has created a new magazine called "Security and Privacy" specifically for the security community. The magazine intends to present a balanced mix of scientific research and practical security discussion."

Risks of public Internet access terminals

This story about 16M Yen (~$136,000) stolen from someone's CityBank online banking service after the user's password was compromised at an Internet cafe highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you use: a keystroke capture device that nobody would ever notice is trivial to install, and it will catch everything before it is encrypted.

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench." -- Gene Spafford


The trend toward SSL-based VPNs and Internet-enabling everything under the sun leads to uncontrolled client-side access that significantly increases this risk. Gartner is "bullish" on these SSL-based VPNs, but I'm not convinced that their convenience outweighs the increased risk in many cases. You would need to deploy token authentication at a minimum with these solutions, but you would still be at risk of general data compromise. In any company with a large number of employees, training everyone not to use their personal computer, a library computer, an Internet cafe computer, etc. to access such a solution would be difficult and not entirely effective. Users will choose convenience over security much (all?) of the time.

Full story below and at CNN.com

Date: Fri, 07 Mar 2003 00:40:28 +0900
From: Chiaki Ishikawa
Subject: 16M Yen stolen from sniffed bank passwords at Internet Cafe
On March 6th, two men were arrested for illegally transferring 16
million YEN from someone's CityBank online banking service account to a
third party account and then taking the money from it, Tokyo police announced.
From the descriptions of newspaper articles, it seems that one of the
culprits has installed keyboard sniffer programs on about hundred PCs at a
dozen or so Internet Cafes in Tokyo and Kanagawa prefecture (south of
Tokyo). He has regularly visited the cafes and brought back the recorded
data with him, and searched for ID/password, and other identification
information.
At the charged man's home, the police have found ID/password for 719
accounts, and about a couple of hundred user profiles meant for dating
services.
One such ID/password for a man's City Bank online banking service was used
to transfer 16 million Yen to a different account at another bank from which
the money was withdrawn.
This is the first time that a keyboard sniffer is implicated in a large
scale ID theft in Japan, from what I know.
It beats me, though, why anyone wants to use a PC at Internet cafe for one's
banking service. (We should assume doing something on it, like writing a
memo, for example, is akin to writing on a memo pad on a desk at a public
library under which a carbon paper may be secretly placed to record
information and we never know. For that matter, even without the carbon
paper, we often can see the telephone number, etc. left by the previous user
by looking at the indented marks on the next paper sheet, don't we? )
I think the general public should be taught more about the security
implications of various Internet services, which may look useful and handy
on the surface, but may not be so attractive if the security implications
are taken into account. I think it should be the responsibility for the
service provider to tell such risks, but I am not sure how to go about
writing a law because "risk" is a relative thing.
This has been a busy week for computer security professionals in Japan.
First the computer system for handling the nation's flight plans collapsed on
the morning March 1st. Then a large credit card company, Oriental Corp.,
announced the leak of 15,000 user profiles to a member of an underground
gang group who blackmailed the company and was arrested. Then this
incident.
I hope the general public will start to pay more attention to the computer
security issues thanks to these high-profile incidents. (The ID theft using
keyboard sniffer was the front page headline article in the evening edition
of *Asahi Shimbun*. It occupies about 1/5 of the paper and is very
conspicuous.)

Krispy Kreme grossly overcharges 28 customers

From RISKS 22.61.

"A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers. Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase. "

The PGN comments simply made the posting though:

[These charges were actually APPROVED, and of course also blew the
customers' credit ratings for a few days. Amazing!
``The $84,000 charge, were it legitimate, would have purchased over
170,000 ... doughnuts, enough to stretch over 9 miles if placed
end-to-end.'' ...

Date: Tue, 04 Mar 2003 19:31:54 -0500
From: "Fuzzy Gorilla"
Subject: 28 Krispy Kreme customers each charged over $84,000
A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers. Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase. KK blamed Heartland Payment Systems,
which processes their credit-card transactions. [Source: KRQE News 13,
Albuquerque, N.M., 19 Feb 2003; PGN-ed]
http://www.krqe.com/Global/story.asp?S=1140274
[These charges were actually APPROVED, and of course also blew the
customers' credit ratings for a few days. Amazing!
``The $84,000 charge, were it legitimate, would have purchased over
170,000 ... doughnuts, enough to stretch over 9 miles if placed
end-to-end.''
(But a few days later, the doughnuts might have settled into substantial
paving bricks. Or do Krispy Kremes have a shelf-life of years, like
the bread and chocolate used in Des(s)ert Shield?) Of course, stacked
vertically, they would reach almost 2 miles high.
Somehow, the name ``Heartland'' seems incompatible with the concept of
Krispy Kremes, unless it is related to a hospital with the same name.
PGN]
[Three sentences back, I have added "(s)" in the archive copy,
inspired by Mike Yuhas. PGN]

VoteHere whistleblower lawsuit and other e-voting madness

BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party "certification" of the VoteHere system was being conducted. The lawsuit enumerates many of the system's flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collin County, TX both voted for electronic voting machines without paper audit trails, against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of "certifications" as evidence that the system is okay without the voter verifiable audit trail.

Wednesday, March 12, 2003

Music wish list

I've been compiling a text file with my queue of music to get next and thought that I should share. It would also be much nicer to manage through MovableType with the MTAmazon plugin and the MTMacro plugin.

Friday, March 7, 2003

Big brother is all around you

ABCNews is reporting that several police agencies are under fire for domestic spying. Those of you who think that the government can have all the power it thinks it wants without checks and balances should take heed that this certainly breeds abuses. Read this article. See the trend toward more domestic spying. Be afraid.

I hope that Seattle maintains their current ban on this practice.

ABCNEWS.com : Is Police Spying Back in Fashion?



Dumb criminal award candidate

Just hilarious if this suspect was truly the robber.

"A California man who got away after allegedly sticking up an Aurora Avenue North video store a couple of weeks ago apparently couldn't leave well enough alone."

The Seattle Times: Local News: Robbery suspect nabbed during return visit to store



COPA ruled unconstitutional!

The Washington Post has a story about the victory for free speech handed down by the 3rd U.S. Circuit Court of Appeals on Thursday. They upheld a lower court injunction blocking the law (COPA) as being too squishy to pass constitutional muster.

"Previously, the 3rd Circuit had ruled the law unconstitutional on grounds that it allowed the legality of Internet content to be judged by "contemporary community standards.""

Also see discussion at
Slashdot | Appeals Court Rejects Child Online Protection Act, Again

See the full decision here. Monitor any future developments at EPIC's site

Note: Updated on 3-12-03 to change content to reflect CIPA to COPA. This law acronym alphabet soup is just as bad as telecom's! A CIPA announcement came out recently but this was supposed to be about COPA...


Tuesday, March 4, 2003

AOL customers: buyer beware

Many of the attacks described are social engineering attacks and not computer security holes. I can't believe the mumbling attacks. Hilarious! Social engineering attacks are very hard to defend against, especially in huge call centers like the ones AOL must have.

AOL customers, watch your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

"Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL's 35 million users. "

Wired News: Hackers Run Wild and Free on AOL



SSL under patent dispute

The March 3 Security Wire Digest and Reuters are reporting that:

"Leon Stambler, who has won financial settlements from companies such as
National Cash Register, First Data and Openwave Systems, seeks up to $20
million in the federal suit, being heard in Delaware. "

"Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

The companies are arguing that his invention (patented in 1992) is distinct from SSL. SSL was developed in 1994 and patented in 1997, according to the Reuters article.

The Reuters story is here

Wireless hackers invade!

"Two Alberta men with a passion for locating and mapping wireless
computer networks have come under the scrutiny of Canada's spy agency."

"The press release, which also included Mr. Kaczor's name and contact information, featured the tongue-in-cheek headline "Wireless hackers invade Red Deer!""

High-tech hobby falls under CSIS suspicion



Monday, March 3, 2003

Debate on copyright vs. innovation at Stanford

[IP] Pondering Value of Copyright vs. Innovation

"Technology scholars, business leaders and policy makers gathered at California
conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

""We have ceded too much power to copyright owners," said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. "People are afraid to proceed on innovative measures.""

Outlawing Encryption under PATRIOT II

Among other nasty things, the US government is trying to make the use of encryption while committing a crime over a computer a new crime that would add 5 years onto your sentence, if convicted.

"If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I'd also include using GSM cell phones with the built-in encryption....]"

The ACLU has a section-by-section analysis for the full dose of insanity.

[IP] Outlawing Encryption under PATRIOT II

Several members of Congress have sent an open letter to John Ashcroft chiding him for the administration's handling of PATRIOT II. The Justice Department is being very secretive about this new act, even lying to Congress about its existence, although it has been leaked on the Internet.

From the FoxNews story:

"If there's going to be a sequel let's find out what it's going to be" before reading about it in the newspapers, Leahy said, accusing the Justice Department of lying to his staff about whether a new bill was in the works.


Ari Gets Laughed Out of WH Briefing Room

[IP] Must Read and See: Ari Gets Laughed Out of WH Briefing Room]

Join in laughing Ari Fleischer out of the briefing room. Start at about 30 minutes into the tape, when Ari is being repeatedly questioned about US diplomat quotes that some aid packages are being offered to Mexico and Colombia relating to their upcoming UN Security Council votes.



Google removes "illegal" site from its index on request

Seth Finkelstein has details on a troubling case: someone in Chester county in the UK complained to Google about a site run by someone calling themselves "Chester the Molester", saying it was an illegal paedophile site that they had found by searching for "Chester Guide" on Google. The site, in fact, was not illegal at all but a list of "sick humor" that included a link to a humor article entitled "Chester's guide to: picking up little girls".

So, all it takes is for someone to make a complaint and for Google not to really research it, and you can get someone's site removed from Google's cache.

[IP] Google removal - Chester's Guide to Molesting Google



Truth in music on its way?

Senator Ron Wyden (D) from Oregon is pitching a simple idea to lead to a market-driven solution to the DRM problems being imposed on consumers: to require music companies to disclose to consumers the restrictions they will impose on the consumer's use of the product.

"When customers know, for example, that the compact disc they're buying is technologically rigged so they can't rip MP3 files from it for use on a portable player, they won't buy it. Eventually, these informed customers will demand change in the copyright laws."

[IP] Truth in labeling

Senator Seeks Full Copyright Disclosures

Sunday, March 2, 2003

Dell cost cutting with Sun to Linux switch

Wow. This may help spur other cost-conscious companies (perhaps my employer too) into making the switch.

"Currently, our order management, customer transaction information, manufacturing flow, and software downloads (as a part of our build-to-order manufacturing process) all involve Sun-based Unix systems. But that's all being moved to Dell-based systems running Red Hat Linux and Oracle 9iRAC. So far, 14 Sun systems are gone and the plans are to complete the 'Sun setting' exercise this year."

Dell, Sun execs trade jabs over Unix viability

Vespa Madness

A must have: Vespa Screensaver. Windows-only, of course.


Interested in buying one for me? I could handle the platinum, dragon red, or cobalt blue one. The local dealer location

Or, I can at least hope to win one from Starbucks. This is the perfect excuse to buy more coffee :-)


Worm press release template

Keep this handy for the next MS worm. Posted to RISKS 22.53.
[From Pete Lindstrom, Spire Security, [email protected]]

*<adjective> Computer Worm <verb> Internet*

In the wee hours of <date>, a <adjective> computer worm spread <adverb>
throughout the Internet. Dubbed <silly name> because <ridiculous reason
that doesn't explain anything about how it works>, and also known as
<another random name> and <another random name>, the worm has infected
an estimated <number> systems within <length of time>. Experts are
calling this worm the most <adjective> since <date in the past>.

The worm exploits a hole in <Microsoft product name> that was first
identified <number> months ago by <security company name>...

In an attempt to secure the planet, <same company> released detailed information about
the vulnerability and how to exploit it. They also mentioned how to fix
it, but apparently <noun> listened. Coincidentally, the worm that
exploited this hole was also first identified by <same company>. Even
more coincidentally, they make a product to protect against <noun>.
"Actually, it's not really a <noun>, it's a <noun>," said <Pete
Lindstrom, or some other person seeking publicity>. " A true <noun>
works by <random filler that nobody will read>."
The worm's payload <verb> every system by <verb ending in -ing> the
<noun>. Comparatively speaking, this is much worse than <another worm>
but not as bad as <another worm>. The computers of <place> were hit the
hardest. Current damage is estimated at <dollar figure more than the GNP
of two-thirds of the world's nations>. " This worm has the potential to
<something or other>," said <Pete Lindstrom, or some other person trying
hard to come up with something interesting to say ;-)>. " It just goes
to show you that <another something or other>."
Though there is no way to protect against this particular bug, experts
recommend trying <longshot one> or <longshot two>, neither of which
matter, since nobody will do it anyway.