Wednesday, June 08, 2005

Book Review: Ken Follett's Hammer of Eden



I just submitted this review to Amazon.

Plot holes big enough to drive a seismic vibrator through

The idea, at first blush, is bold and captivating. A fringe, cult-like group is determined to protect their Northern California commune from developers. To do so, they need a credible means to force the state government to cease their incessant land-grabs. With the help of a geologist who's joined the commune, the cult leader (Priest) determines there may be a way to trigger earthquakes using a sonic mapping device known as a seismic vibrator. Priest intends to blackmail the state using the threat of earthquakes.

Follett's talent is prodigious. He's almost capable of making us believe that this preposterous scenario is remotely plausible. But even his immense talent isn't enough to make up for the succession of plot holes big enough to drive a seismic vibrator through.

Example: At one point, Michael seems to be the only one in the state who hasn't seen Priest's picture on television. Because Michael encountered Priest early on in the story, he should have recognized him on TV and the entire FBI dragnet should have ended a lot sooner.

The puzzle pieces are all there, in formulaic fashion: The cute, female FBI agent. The cute, divorced male geologist Michael. The Manson-like cult leader Priest who, though illiterate, is able to evade the FBI repeatedly while driving a giant seismic vibrator that tops out at about 40 mph. I'm sure you can guess what happens.

If you're stuck inside on a rainy day and you happen to have this lying around (and nothing else to do), certainly go ahead and read it. Otherwise, learn macrame or origami. You'll drive yourself crazy second-guessing the characters and the author in this all-too-predictable bore-fest. Mr. Follett is far too talented to be producing works of this caliber.
 

The Pledge Class


Picture credit: Boston Globe
In conjunction with the Boston Globe's release of John Kerry's college records, the following transcript was recently discovered. It records the conversations that took place at the fraternity house in which various pledge candidates were discussed.

Okay, the kid is a zero. It's true. But think back to when you were freshmen. Boone, you had a face like a pizza with anchovies, right? Everyone thought Stork here was brain-damaged... I myself was so obnoxious the seniors used to beat me up at least once a week. So this kid... is a total loser. Well, let me tell you the story of another loser...


At which point the place erupts into derisive moans, boos and flying glasses.

Who dumped a whole truckload of fizzies into the swim meet? Who delivered the medical school cadavers to the alumni dinner? Every Halloween, the trees are filled with underwear. Every spring, the toilets explode...


Boston Globe: Yale grades portray Kerry as a lackluster student
 

Least Loved Bedtime Stories



In the spirit of James Taranto at Best of the Web (Least-Loved Bedtime Stories - "Harry Potter and 'Deep Throat' " -- headline, CNN.com, June 7), herein the reader may find a list of bedtime stories that they should not read to their kids:

  • The Grinch That Got Tasered While Shoplifting at K-Mart

  • Why Timmy's Parents Stopped Loving Him

  • A Child's First Book of Assault Rifles

  • Puff, the Crack-Addled Dragon

  • One Elvis Two Elvis Skinny Elvis Fat Elvis

  • There's a Rocket in my Pocket!

  • Oh, the Places You'll Go (after a Felony Conviction)

  • How the Littlest Bear Found Out He Was a Mistake

  • Horton Hears a Ho

  • The Cat in the Hat Gets Capped


    Tuesday, June 07, 2005

    Firefox Flaw


    Picture credit: http://www.detstar.com
    Though the odds of an exploit appear low, this vulnerability in the Mozilla and Firefox browsers just resurfaced after a seven-year hiatus:

    ...For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time...


    Here's one way a phisher could exploit this weakness:

  • User visits a malicious site, via emailed hyperlink or equivalent means

  • Cross-site scripting (XSS) could be used to expose one or more financial sites that the victim has visited

  • Malicious site opens financial website, perhaps as a background window

  • Malicious site feeds bogus sign-in form into financial website

  • User visits financial site window (perhaps later on) and authenticates

  • Authentication data sent to phisher


    Nefarious, but feasible.

    News.com: Spoofing flaw resurfaces in Mozilla browsers
     

    Guantanamo is no Gulag


    Picture credit: http://www.rotten.com
    Courtesy of OpinionJournal, some remarks on Amnesty International's fraudulent comparisons of Guantanamo Bay with the mass-murdering Soviet Gulags:

    It's good to see that Amnesty International has had to backtrack from its comparison of Guantanamo Bay to the Soviet "gulag." Less than two weeks after making that analogy, Amnesty's U.S. boss issued what amounted to a full retraction on "Fox News Sunday" this weekend.

    "Clearly, this is not an exact or a literal analogy," said William Schulz. "In size and in duration, there are not similarities between U.S. detention facilities and the gulag. . . . People are not being starved in those facilities. They're not being subjected to forced labor." Thanks for clearing that up...

    ...Natan Sharansky--a man who actually spent time as a Soviet political prisoner--described Amnesty's gulag analogy as "typical, unfortunately," for a group that refuses to distinguish "between democracies where there are sometimes serious violations of human rights and dictatorships where no human rights exist at all."


    OpinionJournal: Amnesty and al Qaeda - The instructive case of Ahmed Hikmat Shakir
     

    Monday, June 06, 2005

    DomainKeys



    The DomainKeys initiative is designed to dramatically reduce spam. In March, Yahoo! submitted a DomainKeys memo to the IETF in order to spur discussion. Yahoo! has been signing its emails with DomainKeys headers since 2004.

    The goal? To dramatically reduce spoofing of sender email addresses. How many bogus phishing emails from "PayPal" are sent out each day? How many from Bank of America? There's little question that something needs to be done about the proliferation of spoofed spam messages.

    Just how does DomainKeys work? It relies upon a combination of public-key signatures and DNS. First, a hash is created of the (canonicalized) email message contents, using SHA-1 by default. The hash is signed using an RSA private key held by the sending domain (e.g., "yahoo.com"). The signature is then converted to ASCII printable characters using base-64 and tacked on to the message headers, under a new email header, "DomainKey-Signature", which also names the signing domain and a "selector" identifying which of the domain's keys was used.

    The receiving server uses the claimed sending domain and the selector from that header to perform a DNS lookup: a TXT record under the domain's "_domainkey" subdomain. The returned record carries the domain's public key. The recipient server can now verify the signature against its own hash of the message content. This ensures two things: the message really was signed by someone holding the claimed domain's private key; and the signed content has not been tampered with en route.
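    The round trip described above, as an added example (my code, not Yahoo!'s implementation). To keep it runnable with nothing but the standard library, the key pair is a deliberately tiny textbook RSA pair and the "DNS" is a dictionary standing in for a TXT query of selector._domainkey.domain; a real deployment uses 1024-bit RSA with PKCS#1 padding, publishes a DER-encoded key, and can sign selected headers as well as the body. The domain, selector and message are constructed.

```python
import base64
import hashlib

# Toy RSA key pair (assumption: ~60-bit modulus so everything runs with the
# standard library; real DomainKeys keys are 1024-bit RSA).
_P, _Q = 1000000007, 998244353
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def canonicalize(body: str) -> bytes:
    """'simple' canonicalisation: CRLF line endings, trailing empty lines dropped."""
    lines = [line.rstrip("\r") for line in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def digest_int(body: str) -> int:
    """SHA-1 of the canonical body as an integer inside the toy modulus."""
    return int.from_bytes(hashlib.sha1(canonicalize(body)).digest(), "big") % N


def parse_tags(text: str) -> dict:
    """Split 'a=rsa-sha1; s=sel; b=...' into a dict (values may contain '=')."""
    return dict(t.strip().split("=", 1) for t in text.split(";") if t.strip())


def sign(body: str, domain: str, selector: str, private_exp: int = D) -> str:
    """Sender side: build the DomainKey-Signature header (toy: body only)."""
    sig = pow(digest_int(body), private_exp, N)
    b64 = base64.b64encode(sig.to_bytes(8, "big")).decode()
    return (f"DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; "
            f"s={selector}; d={domain}; b={b64}")


# Stand-in for DNS: the TXT record of <selector>._domainkey.<domain>. The p=
# value here is the bare toy modulus; real records carry a DER-encoded key.
DNS_TXT = {
    "s1024._domainkey.example.com":
        "k=rsa; p=" + base64.b64encode(N.to_bytes(8, "big")).decode(),
}


def lookup_public_key(selector: str, domain: str):
    record = DNS_TXT.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return None
    return int.from_bytes(base64.b64decode(parse_tags(record)["p"]), "big")


def verify(header: str, body: str) -> bool:
    """Receiver side: fetch the key named by s=/d=, recompute the hash, check."""
    tags = parse_tags(header.split(":", 1)[1])
    modulus = lookup_public_key(tags.get("s", ""), tags.get("d", ""))
    if modulus is None:
        return False          # no published key: treat the message as unsigned
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return pow(sig, E, modulus) == digest_int(body)


if __name__ == "__main__":
    hdr = sign("Hello, world\n", "example.com", "s1024")
    print(hdr)
    print(verify(hdr, "Hello, world\n"), verify(hdr, "Hello, w0rld\n"))
```

    Note what the last check in verify does and does not tell the receiver: a message whose claimed domain publishes no key simply comes back unsigned, and a valid signature says only that the signer held that domain's key, not that the message is wanted.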

    DomainKeys is covered by a U.S. patent owned by Yahoo! However, the company has released it under a royalty-free patent license designed to be interoperable with a variety of software implementations including freeware and open-source.

    At present, DomainKeys is many things - but one thing it isn't is cheap. BusinessWeek reports:

    ...an e-mail security system with DomainKeys for a mass e-mailer costs $500,000, on average, says IronPort. For a big company, that's not much to stymie forged e-mails that can damage reputations and clog up millions of e-mail accounts...


    The costs are sure to diminish as mailers swarm to this open-source-friendly approach.

    Yahoo! DomainKeys
     

    Inspiration


    Picture credit: http://academic.scranton.edu
    The greatest inspirational speech since Knute Rockne's 'Win one for the Gipper':

    D-Day: War's over, man. Wormer dropped the big one.
    Bluto: Over? Did you say "over"? Nothing is over until we decide it is! Was it over when the Germans bombed Pearl Harbor? Hell no!
    Otter: Germans?
    Boon: Forget it, he's rolling.
    Bluto: And it ain't over now. 'Cause when the goin' gets tough...
    [thinks hard]
    Bluto: the tough get goin'! Who's with me? Let's go!
    [runs out, alone; then returns]
    Bluto: What the f**k happened to the Delta I used to know? Where's the spirit? Where's the guts, huh? "Ooh, we're afraid to go with you Bluto, we might get in trouble." Well just kiss my ass from now on! Not me! I'm not gonna take this. Wormer, he's a dead man! Marmalard, dead! Niedermeyer...
    Otter: Dead! Bluto's right. Psychotic, but absolutely right. We gotta take these bastards. Now we could do it with conventional weapons, but that could take years and cost millions of lives. No, I think we have to go all out. I think that this situation absolutely requires a really futile and stupid gesture be done on somebody's part.
    Bluto: We're just the guys to do it.
    D-Day: Let's do it.
    Bluto: LET'S DO IT!


    Animal House
     

    Sunday, June 05, 2005

    BlueTooth Troubles


    Picture credit: http://www.tomsnetworking.com
    Israeli researchers have found a major flaw in many common BlueTooth implementations. Bruce Schneier notes:

    I can't be sure, but I believe it would allow an attacker to take control of someone's Bluetooth devices. Certainly it allows an attacker to eavesdrop on someone's Bluetooth network.


    That's certainly how it appears. At its heart, the vulnerability appears to have two primary causes: (a) device manufacturers' use of a four-digit PIN instead of eight digits; and (b) a quirk in the protocol that allows one device to tell the other that it "forgot" the link key. The combination of these two weaknesses? Some serious security deficiencies.
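    To make the two weaknesses concrete, here is an added example (my code, not the researchers') of why a short PIN is fatal once an attacker has listened to one pairing. The real Bluetooth key functions E22, E21 and E1 are built on the SAFER+ cipher; HMAC-SHA256 stands in for them here (an assumption, so the block runs with the standard library), and the pairing transcript is constructed rather than captured. The "forgot the link key" quirk matters because it lets the attacker force an already-paired victim to pair again while the attacker is listening; after that, everything the cracker needs was sent in the clear.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E22(pin: bytes, bd_addr: bytes, in_rand: bytes) -> bytes:
    """Stand-in for E22 (assumption: HMAC-SHA256; the real one is SAFER+ based).
    Derives the initialisation key Kinit from the PIN, the responder's
    BD_ADDR and the IN_RAND value that is sent in the clear."""
    return hmac.new(pin, b"E22" + bd_addr + in_rand, hashlib.sha256).digest()[:16]


def E1(key: bytes, bd_addr: bytes, au_rand: bytes) -> bytes:
    """Stand-in for E1: the 32-bit authentication response SRES."""
    return hmac.new(key, b"E1" + bd_addr + au_rand, hashlib.sha256).digest()[:4]


def link_key_from(lk_rand_a: bytes, lk_rand_b: bytes) -> bytes:
    """Stand-in for the E21 combination-key step."""
    return hashlib.sha256(b"E21" + lk_rand_a + lk_rand_b).digest()[:16]


def pairing(pin: str, addr_a: bytes, addr_b: bytes) -> dict:
    """Pair A with B and return exactly what a passive sniffer sees.

    Everything returned travels over the air; the PIN, Kinit and the link
    key never do, which is the only thing standing between the sniffer and
    the link key."""
    in_rand = os.urandom(16)
    kinit = E22(pin.encode(), addr_b, in_rand)
    lk_rand_a, lk_rand_b = os.urandom(16), os.urandom(16)
    link_key = link_key_from(lk_rand_a, lk_rand_b)
    au_rand = os.urandom(16)
    return {
        "addr_a": addr_a, "addr_b": addr_b, "in_rand": in_rand,
        "masked_a": xor_bytes(lk_rand_a, kinit),   # LK_RAND_A xor Kinit
        "masked_b": xor_bytes(lk_rand_b, kinit),   # LK_RAND_B xor Kinit
        "au_rand": au_rand, "sres": E1(link_key, addr_b, au_rand),
    }


def crack_pin(t: dict, pin_len: int):
    """Offline: try every PIN, rebuild the link key, check it reproduces SRES.
    Returns (pin, guesses) or (None, guesses) if no PIN of that length fits."""
    for cand in range(10 ** pin_len):
        pin = str(cand).zfill(pin_len)
        kinit = E22(pin.encode(), t["addr_b"], t["in_rand"])
        lk = link_key_from(xor_bytes(t["masked_a"], kinit),
                           xor_bytes(t["masked_b"], kinit))
        if E1(lk, t["addr_b"], t["au_rand"]) == t["sres"]:
            return pin, cand + 1
    return None, 10 ** pin_len


if __name__ == "__main__":
    transcript = pairing("1234", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    print(crack_pin(transcript, 4))   # ('1234', 1235)
```

    The search is over 10^4 candidates for a four-digit PIN and 10^8 for an eight-digit one, with the same handful of key-function evaluations per guess; nothing about the exchange rate-limits the attacker, because the work is entirely offline.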

    Treo 650 (News.com)

    Where's BlueTooth deployed these days? Lots of places. For instance, Acura automobiles use BlueTooth to provide handsfree integration with certain mobile phones (e.g., Treo phones/PDAs). And the protocol is used in a wide variety of other devices with many, many applications.

    For instance, the HP DeskJet 650 is positioned in the market as a "mobile printer" that can be moved around a SOHO environment. It uses BlueTooth to establish a link with various computers in the home or office.

    BlueTooth is also used in Toshiba's home appliances: microwaves, refrigerators, and washer-dryers. And in medical devices such as the Avant 4000 Digital Pulse Oximetry System. This device relays pulse and oxygen data from a wrist-worn sensor to a central monitor.

    All told, BlueTooth is used in a host of office, home, medical, consumer, and related applications that require close-proximity device connectivity.

    Now consider advanced hacking tools like the BlueSniper Rifle, pictured above. The rifle, a device that can be assembled from a couple of hundred dollars worth of parts, can scan and attack BlueTooth devices from distances exceeding a mile. In fact, when the crew at Flexilis used BlueSniper, they came to some interesting conclusions:

    ...John pointed the BlueSniper at the AON building, which was 0.6 miles (just about 1 km) from our position (this distance was verified by GPS after the shoot).

    It didn't take long for the MAC address of Bluetooth devices to appear on the laptop's screen. After a few seconds, John pointed the gun at the Library Tower / US Bank Building, which is the tallest building in Los Angeles. The building was .75 miles (a little over 1 km) from our position.

    As more Bluetooth devices started appearing, John said, "This building is full of Bluetooth! Look we got some Blackberries!" He also explained that, with multiple guns, it would be possible to track a single Bluetooth device as the person walked around. In less than a few minutes, twenty devices were detected—all at distances over a half mile away!


    When we combine this newly discovered vulnerability, the popularity of BT-enabled devices, and powerful hacking tools like BlueSniper... well, you get the picture. At best, bad guys can wreak havoc -- remotely -- with home, automobile, office, and medical devices. At worst, who yet knows?

    The key question: have device manufacturers considered the necessity of patching their implementations of BlueTooth to address ongoing security issues? My guess, in most cases, is no. I hope I'm surprised to find that they have considered these possibilities.

    Schneier: Attack on BlueTooth
     

    Saturday, June 04, 2005

    The Modern Slave Trade


    Picture credit: http://www.ishr.org
    If you strip away Microsoft Word-generated Air National Guard memos, the bogus comparisons of Gitmo to mass-murdering Gulags, the fake but accurate Quran-flushing reports... if you strip away almost all of what passes for news these days, what are we left with?

    The real stories. The important stories. The stories that CBS, Newsweek, and the Gray Lady should be covering. But don't.

    No, it's left up to the Bush State Department, vilified for lo these many years, to expose the vast scope of the modern slave trade. Perhaps the mainstream media hasn't had enough time to research this "real news". After all, this is only the fifth annual Trafficking In Persons Report.

    Look, only about 800,000 people are bought and sold each year, so I suppose Abu Ghraib, Halliburton, and the occasional, TV-friendly car bomb detonation should have top priority. Surely you don't expect the likes of Maureen Dowd to hoist themselves off their derrieres, do some real investigation, and write about true evil and injustice?

    And, look, it only involves sexual slavery, child beggars, forced domestication, starvation, unreported rapes, beatings, and deaths, so I suppose these miserable souls (who number well under a million) don't deserve any investigative reporting. Leave it up to the State Department! The mainstream media has fake but accurate stories to cover!

    Do me a favor. Click on any of the following search links for 'modern slave trade' at the LA Times, the New York Times, CBS News, or ABC News, just as a little test.

    You see, the modern slave trade really isn't worth covering as news.

    Because investigating this scourge on humanity would require scape-goating parties other than the Bush Administration and the U.S. Military. It would require delving into the true nature of evil. And, goodness knows, the mainstream media doesn't have any time for that.

    Fox: The Modern Slave Trade and the State Department's 2005 Trafficking In Persons Report
     

    Hate Mail


    Picture credit: http://www.tsn.com
    From Gregg Doyel, a senior writer at CBS SportsLine, comes this sparkling repartee:

    Q: I was at Kansas during the period you talk about. I believe that you are incorrect! Larry Brown did not leave KU with probation issues. He made us mad by saying he was going to UCLA and later leaving to go to the NBA (Spurs pay a lot better than KU), but I do not believe we were ever under investigation or probation for anything Larry did. I think you are a KU hater just making up stuff about Larry. Prove it to me!

    A: Trying to show restraint, trying to show restraining, failing, failing miserably. ... Patrick, if you were at Kansas at the time of Larry Brown, you'd be close to 40 now. How a man of your intelligence survived 40 years is a mystery. Try Google, Patrick. Insert the words "Larry Brown" and "Kansas" and, I don't know, "probation." The results will shock you and your parents, who sure would like you to move out.


    CBS SportsLine: Hate Mail
     

    Friday, June 03, 2005

    Dan Rather on Larry King Live - a Retrospective



    The revelation that Mark Felt was "Deep Throat" has been a highly entertaining experience. Most notably, it's brought about the nostalgic triumphalism of the mainstream media, wounded of late by the Rather, Jordan, Blair, et al. affairs.

    In 'celebration' of the Felt disclosure, Dan Rather reemerged from a self-imposed exile by visiting the Larry King Live show. Contrary to conventional wisdom, King didn't just throw softballs at the GIF-impaired journalist. He came to play (Hat tip: Hugh Hewitt).

    My smart-aleck remarks are interspersed throughout.

    KING: Do you think the Republicans, the right-wing Republicans were after you?

    RATHER: No. Again, I'm not a victim of anything. I don't say, no, they weren't. I don't know.

    Ed: Uhmmm, wha....?

    KING: ...what went wrong in your [story] on the Air National Guard story?

    RATHER: Without agreeing with the premise of whether it snapped or not...

    Ed: Oh, Dan... it snapped. It snapped you right out of your anchor chair... and right out of a job. Yes, I'd say it snapped.

    KING: Well, I don't know another word. You might still believe the story, by the way.

    RATHER: Well, without getting into that because the panel, this panel that was chosen by CBS to look into it, they issued their report... I absorbed it...

    The situation that we had and still have is the last line of this has not been written.

    Ed: Oh, for the love of... He still believes that the memos were real. Next, maybe he'll break a story on Elvis' evil twin, who was cloned by Colonel Parker.

    RATHER: ...we don't know whether the documents were fraudulent or not.

    The Smoking Memos (LGF)



    KING: Are you saying the story might be correct?

    RATHER: Well, I'm saying a prudent person might take that view.

    Ed: Given that definition, a 'prudent person' might also believe himself capable of hitting a home-run in Yankee Stadium with a breadstick from Olive Garden.

    RATHER: ...This much we know: Journalism is not a precise science.

    Ed: (breaking down in conniption fits of laughter)

    KING: You have been holding a piece of paper in front of you for half an hour, and you better tell me what it is.

    RATHER: Well, I appreciate the opportunity, Larry. That CBS News played a role in this Watergate story -- nothing to compare with "The Washington Post" role...

    ...the whole power of the executive branch was to isolate "The Post," say it's just "The Post." You know, not have it break out to be a national story, and they did not want it on national network television.

    And they almost succeeded in keeping it off. But Dick Salant, who was former president of CBS News, he was president at that time, that he wrote something, and if you had time, it's not a bad way to close the hour...

    "I strongly believe that responsible journalism cannot have as its central objective giving people what they want, or avoiding displeasing them. The objective must not be merely to interest and titillate to grab an audience, but to provide the information they need. And, so, if journalism is to perform the function which a democratic society has a right to expect, there will inevitably be some, usually the most vocal, who will be displeased."

    Ed: Here's another one, Dan. Pay close attention.

    The primary duty of journalists and news organizations is to seek the truth and report it as fully as possible...

    The second guiding principle is Independence. If we are to succeed in our pursuit of truth, we must not be deterred by outside forces that could undermine our professionalism or erode the quality and integrity of our finished product. We must vigorously guard our credibility and insure that we are not unduly influenced by those who might use their power or position to keep us from serving the public.


    Sounds like you get a big, fat, red F on both counts, Daniel.


    CNN: CNN LARRY KING LIVE - Interview With Dan Rather
     

    End of an Era or End of the line for Java?


    (Picture credit http://www.starwars.jediknights.co.uk)
    Have you ever wondered why IBM and Oracle have so dramatically thrown their hats in the PHP ring? And why PHP will be such a crucial element in their product roadmaps over the next few years? Or why Java has fallen from favor so far and so fast among the behemoths of the web application market?

    To get a good sense for why these announcements are coming, fast and furious, you only need review this article from Sun's weblogs, entitled "Easy JBoss Connection Pooling with NetBeans IDE 4.1 and XDoclet".

    Here's an excerpt from the thirteen-step "quick-start guide":

    5) Start JBoss from the IDE. Modify the jboss.home property in servers-build.properties and run the jboss-start target. Run it from inside the IDE (you can create a menu item, toolbar button, or shortcut key for it, as described in earlier blog entries). JBoss starts up and the Output window displays output received from JBoss. You'll see a lot of output and it might take a while. Somewhere near the end you should see something similar to the following (truncated here for easier reading)...

    6) Build the project to the JBoss autodeploy directory. Right-click the project in the Projects window to build it. (You can also build it in the Files window -- choose File > Set Main Project, set the current project as the main project, and click F11 whenever you want to build.) Modify the jboss-deploy target in servers-build.xml so that war.name is used instead of jar.name. Now run the jboss-deploy target. (If you haven't built the project, you'll get errors because the WAR file that the target tries to copy to the JBoss deployment directory hasn't been built yet.) This copies the application's WAR file to the JBoss autodeploy directory. In the Output window you should see something similar to the following...


    Well, you get the picture. The elaborate process is hardly what I would term 'easy' nor, for that matter, intuitive. It makes neurosurgery almost mundane by comparison.

    Information Week comments:

    ...With increasing support among big vendors, it's clear that Java's future is bounded by the scripting languages PHP, Perl, Python and Tcl. These languages are both easier to learn and use than Java 2 Enterprise Edition or C++ or C#. A lot of creativity resides in the hands of these scripting language users. They are less concerned with Java's discipline, which is very good for high-value business functions, such as transaction processing, and more concerned with mixing up what's available in response to individual users on a site.

    Some PHP advocates say there's no reason enterprise applications won't be built with PHP. Indeed, they already are. The Lufthansa E-ticket site runs on PHP programming. Why not your company's E-commerce?

    IBM and Oracle are following, not leading, this movement...


    Well, it's certainly not the 'end of the line' for Java. But this truly marks the 'end of the beginning' for PHP.

    Information Week: End of an Era or End of the line for Java?
     

    Book Review: Numbered Account


    Picture credit: http://www.bonnietoews.com
    I just posted this review at Amazon.

    Nick Neumann has what, at first glance, appears to be the perfect life. The former U.S. Marine just graduated from Harvard Business School and has joined the fast-paced world of Wall Street. His girlfriend is beautiful, the scion of an incredibly wealthy family. But Nick does have one problem: the unsolved murder of his father weighs heavily on his mind.

    His father, murdered almost twenty years ago, worked for the secretive Swiss bank USB. And so Nick decides to follow in his footsteps: to move to Switzerland, join USB, and determine whether the trail can be followed or whether it's gone cold.

    Within days of joining USB, Nick finds himself entangled in a nightmarish conflict. The "Pasha", USB's premier client, is moving ever larger sums of money through the bank in seemingly nonsensical fashion. The DEA, investigating large-scale money transfers through USB, begins squeezing Nick for information. And an attractive vice president at the bank seems to be paying very close attention to Nick's activities.

    This is Reich's first book and is, simply put, masterful. While its length (750 pages) is daunting, Reich's firsthand knowledge of the Swiss banking industry is invaluable and enlightening. I can almost guarantee that you'll be swept into this ambitious and fulfilling story: revenge and terror mixed into a near-perfect concoction.

    Christopher Reich: Numbered Account
     

    Thursday, June 02, 2005

    Where were the Senior Managers?


    (Picture credit http://www.cokingcokers.com)
    I read this a couple of weeks ago. It's an AP article regarding BP, which explains the reasons for a massive explosion at their Texas City plant. The blast killed 15 workers and injured more than 170. You can read the entire thing at your leisure, but here are some telling quotes.

    ..."Deeply disturbing" staff errors led to the oil refinery explosion and fire that killed 15 workers, and some employees could be dismissed as a result, plant operators said Tuesday...

    ..."The mistakes made during the startup of this unit were surprising and deeply disturbing"...

    ...Supervisors and hourly workers face discipline ranging from written reprimands to dismissal, Pillari said. He declined to say how many employees would be punished...

    ...The BP investigation determined that fluid level in a tower was 20 times higher than it should have been. Water or nitrogen in the tower when the unit was restarted may have caused a sudden increase in pressure that forced hydrocarbon liquid and vapor into the unit's stack.

    But investigators still don't know what ignited the resulting vapor cloud. Earlier theories have suggested that sparks from a running truck engine could have been to blame.

    Investigators found that supervisors seemed to be absent at times during the unit startup, and crews didn't know who was in charge.

    Also, any of six supervisors had a six-minute window in which they could have sounded an alarm to evacuate the area, but that alarm was never sounded, Pillari said. The decision, he said, denied other workers "the opportunity to get out of harm's way." ...


    I've highlighted what I consider the key phrase. During the startup of an immensely expensive and dangerous refinery, wouldn't senior management have plenty of feet on the ground?

    Sidebar: Ironically, Texas City was also the site of the worst industrial accident in U.S. history. A fire aboard a ship at the city's docks triggered an explosion that killed more than 550 people.

    Supervisors were absent? Where were the refinery managers?

    Crews didn't know who was in charge? Wha...? Where were the refinery managers?

    Pinning this on supervisory and hourly personnel appears, at face value, to be the ultimate cop-out.

    Senior management needs to define strict processes for an operation this complex and then audit those processes to ensure they are followed. This is a failure of senior management, plain and simple.

    AP: BP: Personnel Failures Led to Texas Blast
     

    Wednesday, June 01, 2005

    Making Phishers Solve the Captcha Problem



    The more I read about Bank of America's solution to the phishing problem, the more I believe it is susceptible to man-in-the-middle (MIM) attacks. The Wall Street Journal today described their new system, called SiteKey, in a bit more detail. The BofA site describes it as well.

    As I understand it, if you haven't signed into SiteKey before, you will get a randomly selected challenge question. Once you've answered the challenge successfully, a secure cookie is deposited on your PC. Subsequent authentications from that PC will force you to view a pre-selected image that will confirm you're signing into Bank of America, rather than a spammer's zombie machine in Chung Li, Taiwan.

    Sidebar: isn't it odd that when you go to the Bank of America site, you immediately note that the page is presented in cleartext ("http://"), not SSL ("https://")? The first step to combat phishers is to provide an SSL connection... first time, every time. Customers need to get used to expecting a secure connection on every BofA page.

    Yes, their sign-in operation itself is secure. I just think it a tad bizarre that every page isn't secure as well. Just for the customer's peace of mind.


    As far as I can tell, there's no way for SiteKey to distinguish a malicious, zombie PC from a user's virgin computer. The zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim.

    Step 4 of the BofA SiteKey page even states the following:

    If we don't recognize your computer:
    We will ask you one of your secret SiteKey Confirmation Questions.

    After you answer your question correctly, we will show you your SiteKey.


    Sounds like it's completely susceptible to a man-in-the-middle: the classic phisher's false store-front.
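    To show concretely how little the proxy has to do, here is a message-level model of the SiteKey exchange with a phisher's false store-front in the middle, as an added example (my code, not Bank of America's). The bank, the proxy and the victim are plain Python objects; the cookie is a random token, and the account, question, image and IP addresses are constructed. The bank's request log at the end is the one thing the proxy cannot launder: the bank only ever sees the proxy's address, which is what the geolocation line in the checklist proposed further down has to key off.

```python
import secrets


class Bank:
    """The genuine site: question on an unrecognised computer, then image, then password."""

    def __init__(self):
        # Constructed test account; self.cookies maps cookie -> username.
        self.users = {"alice": {"question": "Name of your first pet?",
                                "answer": "rex", "image": "sailboat.jpg",
                                "password": "hunter2"}}
        self.cookies = {}
        self.log = []              # (client_ip, event) as the bank sees it

    def start_login(self, username, cookie, client_ip):
        self.log.append((client_ip, f"login-start {username}"))
        if self.cookies.get(cookie) == username:
            return {"step": "image", "image": self.users[username]["image"]}
        return {"step": "question", "question": self.users[username]["question"]}

    def answer_question(self, username, answer, client_ip):
        if answer != self.users[username]["answer"]:
            return {"step": "denied"}
        cookie = secrets.token_hex(8)
        self.cookies[cookie] = username
        self.log.append((client_ip, f"cookie-issued {username}"))
        return {"step": "image", "image": self.users[username]["image"],
                "set_cookie": cookie}

    def submit_password(self, username, password, client_ip):
        ok = password == self.users[username]["password"]
        self.log.append((client_ip, f"password-{'ok' if ok else 'bad'} {username}"))
        return {"step": "account" if ok else "denied"}


class PhishingProxy:
    """The false store-front: forwards each step to the real bank, records everything."""

    def __init__(self, bank, ip):
        self.bank, self.ip, self.captured = bank, ip, {}

    def start_login(self, username, cookie, client_ip):
        # The proxy holds no bank cookie for this victim, so the bank asks the question.
        return self.bank.start_login(username, None, self.ip)

    def answer_question(self, username, answer, client_ip):
        self.captured["answer"] = answer
        resp = self.bank.answer_question(username, answer, self.ip)
        resp.pop("set_cookie", None)   # the new cookie lands in the proxy's jar
        return resp

    def submit_password(self, username, password, client_ip):
        self.captured["password"] = password
        return self.bank.submit_password(username, password, self.ip)


def victim_session(site, username, answer, password, victim_ip):
    """A user who follows the prompts; returns what they saw and the final step."""
    seen = []
    resp = site.start_login(username, None, victim_ip)
    if resp["step"] == "question":
        seen.append(resp["question"])
        resp = site.answer_question(username, answer, victim_ip)
    if resp["step"] == "image":
        seen.append(resp["image"])         # the genuine SiteKey image, relayed intact
        resp = site.submit_password(username, password, victim_ip)
    return seen, resp["step"]


def demo():
    bank = Bank()
    proxy = PhishingProxy(bank, ip="203.0.113.9")            # constructed addresses
    seen, outcome = victim_session(proxy, "alice", "rex", "hunter2",
                                   victim_ip="198.51.100.7")
    return {"victim_saw": seen, "outcome": outcome, "captured": proxy.captured,
            "ips_bank_saw": sorted({ip for ip, _ in bank.log})}


if __name__ == "__main__":
    print(demo())
```

    The victim sees the right question and the right image and lands in the account, exactly as on a direct visit; the proxy walks away with the answer, the password and the cookie. SiteKey authenticates the bank to whoever is talking to it, and here that is the proxy.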

    I believe you've got to make phishers solve the captcha problem.

    A Blogger Captcha

    You know captchas: they're the odd-looking images representing stretched or melted alphanumeric text that can (presumably) be read by humans, but not malicious bots.

    The example at right is the kind of captcha that Google's Gmail service employs. Mail services require strong captchas to prevent spambots from signing up for their free email services for mass-spam campaigns. We need more spam like GM needs more healthcare costs.

    The challenge for systems like SiteKey is to create a captcha-like problem for phishers. I think I have the seeds of just such a solution. The idea is to make a man-in-the-middle attack bloody difficult.

    Educating the users to expect an "anti-fraud" checklist on the sign-in page is obviously the first order of business. This can be achieved through a snail-mail campaign or equivalent PR effort. Once customers expect the anti-fraud checklist, the next action in the campaign is to:

    Squeeze the man-in-the-middle

    Force the man-in-the-middle (MIM) to present information specific to both the client and the server. After the user has entered a sign-in name, the anti-fraud checklist page depicted above, should appear.

    The key element of the page is a GIF or JPEG image, dynamically created like a captcha, consisting of the three checklist items depicted at the top of this article.

    Photo
    The MIM gets squeezed by changing fonts

    Why is this checklist so difficult for a MIM to present?

    Checklist item 2: In a normal situation (with no MIM involved), the bank's server should be able to deduce the client's general location through IP-address geo-mapping.

    For the MIM to present the correct location data, it will have to use an IP-address-to-geographic-location mapping algorithm and deduce it on its own.

    Checklist item 3: The server has non-sensitive information about the customer (e.g., a check number that recently cleared) that can be presented on the page. This is called a "shared secret" that only the customer and the bank should know.

    And for the MIM to retrieve a valid shared secret, it will have to screen-scrape the third line of the checklist from the image the bank has presented.

    Captcha problem: Once the MIM has accomplished items two and three, it now has to somehow merge the images in a way that looks consistent. But the fonts are changing, the font sizes are changing, and the colors are changing. They're selected randomly.

    Without some serious artificial intelligence, the MIM is trapped having to solve a classic captcha-style problem. And I, for one, think that's a hard row to hoe for the phishers.
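    To make the squeeze concrete, here is an added example (not code from the original post) that models how the bank would build checklist items 2 and 3 from the session's source address and a non-sensitive customer record, and why a proxied session gets the wrong location line. Item 1 is not described in this excerpt, so it is left out; the geo table, customer records, fonts and colors are constructed stand-ins, and `build_checklist`, `geo_lookup` and `Checklist` are hypothetical names.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Constructed IP-to-region table standing in for a real geo-mapping service.
GEO_TABLE = {
    "198.51.100.0/24": "Boston, Massachusetts",
    "203.0.113.0/24": "Seoul, South Korea",
}
# Constructed customer records: sign-in name -> (display name, last cleared check).
CUSTOMERS = {"jsmith": ("J. Smith", 1042)}

# Rendering choices for the captcha-style image; the MIM cannot predict them.
FONTS = ["Arial", "Courier", "Georgia", "Verdana"]
SIZES = [14, 16, 18, 20]
COLORS = ["#1a1a1a", "#004080", "#802000", "#206020"]


@dataclass
class Checklist:
    lines: list   # text lines to be rendered into the checklist image
    font: str
    size: int
    color: str


def geo_lookup(ip: str) -> str:
    """Map the connecting address to a coarse location (checklist item 2)."""
    addr = ipaddress.ip_address(ip)
    for prefix, region in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return region
    return "unknown location"


def build_checklist(signin: str, client_ip: str) -> Checklist:
    """Build the checklist the bank renders after the sign-in name is entered.

    client_ip is the address the bank actually sees.  In a proxied (MIM)
    session that is the phisher's address, so item 2 describes the
    phisher's location rather than the customer's, which is the squeeze.
    """
    name, check_no = CUSTOMERS[signin]
    rng = secrets.SystemRandom()  # randomized fonts/sizes/colors per page
    return Checklist(
        lines=[
            f"2. You appear to be connecting from {geo_lookup(client_ip)}",
            f"3. Your most recent cleared check was #{check_no}",
        ],
        font=rng.choice(FONTS), size=rng.choice(SIZES), color=rng.choice(COLORS),
    )
```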
     

    Another Phish Tale


    (Picture credit http://www.samsung.com)
    I received another phishing email that purports to be from PayPal. Let's just make the blanket statement that you should spam filter anything that even mentions PayPal. Anyhow, the source of the message reads, in part:

    Please follow the link below and login to your account<br> and renew your account information<p><b> <a target="_blank" href="http://211.189.88.200/~wcconst/www.paypal.com/us/cgi-bin/webscr=cmdxpt/cps/
    clickthru2/Billing-Verification=CookieId=4801de10f2194572779a171135820269/" >https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></b></p> <p>Sincerely,<br> Paypal customer department!</td>


    A tracert of 211.189.88.200 yields:

    9 110 ms 119 ms 113 ms unknown.Level3.net [63.215.71.10]
    10 122 ms 114 ms 111 ms ge-2-0-0.0.cjr02.lax001.flagtel.com [62.216.140.77]
    11 221 ms 229 ms 224 ms so-1-1-0.0.cjr04.tok002.flagtel.com [62.216.128.130]
    12 261 ms 244 ms 244 ms so-0-3-0.0.ejr03.seo002.flagtel.com [62.216.128.18]
    13 253 ms 248 ms 251 ms 62.216.147.82
    14 249 ms 254 ms 259 ms user7.s148.samsung.co.kr [203.241.148.7]
    15 244 ms 249 ms 244 ms 211.189.88.200


    Hmmm... the user7 portion makes it almost appear that the next-to-last link in the chain is a typical workstation inside Samsung. Probably not the case, but interesting...
     

    Mimicking is more persuasive


    (Picture credit http://www.mmjp.or.jp)
    Interesting results from a Stanford study. A computer-generated sales agent was programmed to mimic a human prospect's facial movements in a "conversation". Sales agents that mimicked the prospect's movements (with a four second delay) were considerably more successful than agents programmed with pre-recorded facial movements:

    ...Researchers at Stanford University's Virtual Human Interaction Lab strapped 69 student volunteers into an immersive, 3-D virtual-reality rig, where test subjects found themselves sitting across the table from a "digital agent" -- a computer-generated man or woman -- programmed to deliver a three-minute pitch advocating a notional university security policy requiring students to carry ID whenever they're on campus.

    The anthropomorphic cyberhuckster featured moving lips and blinking eyes on a head that nodded and swayed realistically. But unbeknownst to the test subjects, the head movements weren't random. In half the sessions, the computer was programmed to mimic the student's movements exactly, with a precise four-second delay; if a test subject tilted her head thoughtfully and looked up at a 15-degree angle, the computer would repeat the gesture four seconds later...

    ...The results, to be published in the August issue of the journal Psychological Science, were dramatic... The remaining students liked the mimicking agent more than the recorded agent, rating the former more friendly, interesting, honest and persuasive. They also paid better attention to the parroting presenter, looking away less often. Most significantly, they were more likely to come around to the mimicking agent's way of thinking on the issue of mandatory ID...


    Wired: AI Seduces Stanford Students
     

    The Israeli Trojan Horse Affair... and Ad Agencies


    (Picture credit http://www.momentum-design-house.com)
    The Israeli corporate espionage affair is spreading from firm to firm like wildfire. An interesting aspect: ad agencies were reportedly infected with trojans, presumably to glean strategic marketing information on competitors.

    A question for senior managers: do your ad agencies (or other partners) possess your company's strategic data? If so, your legal team should be writing infosec process into your contracts... and your infosec team should be performing due diligence on their systems.

    ...Tel Aviv Police District Fraud Unit investigators yesterday raided the offices of international calls carrier Bezeq International Ltd., and detained for questioning its VP marketing and a strategic researcher. The company is suspected of obtaining from private investigators business information of Golden Lines International Communication Services Ltd. by uploading a Trojan Horse into computers of ad agency Shalmor-Avnon-Amichay Young and Rubicam...


    Car importer Jacob Shachar questioned in Trojan Horse affair
     

    WSJ: "Nightline" needs an enemies list


    (Picture credit http://as.wn.com)
    The Wall Street Journal features an op-ed on Nightline's broadcast of the honor roll of American troops who died serving in the war on terror:

    ...Much energy has been spent on the debate over whether Saddam actually backed al Qaeda, or merely spent some of his billions purloined out of the United Nations Oil for Food relief program in supporting such folks as Palestinian suicide bombers and buying the kinds of conventional weapons used to kill the troops whose faces we just saw on "Nightline." The larger point is that nations export to our globalizing world whatever it is they specialize in. Saddam specialized in terror. His legacy includes a roster of Iraqi dead so vast that it would take weeks if not months to read the full list of names, if anybody even knew the list. That is the kind of rule, or grotesque misrule, he brought to the international table--corrosive to all, and dangerous even to the great American superpower. Which is why, after 17 failed U.N. resolutions, our troops had to go to Iraq.

    Second on the list of who killed our troops would be those who abetted Saddam's regime and continue to help his successors today. Topping that list would be the Baathist regime of Syria's dictator, Bashar Assad, and the totalitarian ayatollahs of Iran--backing what is too often called an "insurgency" and would better be termed a fight for the resumption of tyranny.

    Also on the list would be the corrupt and craven crew at the U.N., who hid the rebuilding of Saddam's resources, who preferred to give Saddam an 18th chance. It is important to understand that while the U.N.-approved investigation into Oil for Food, led by Paul Volcker, has focused narrowly on questions of whether anyone administering the program violated U.N. procedure, the deeper horror was the assurance of the U.N. that all was well--while Saddam skimmed billions... to buy weapons and restock the war chest [that] ...is very likely funding terror in Iraq today.... [T]wo unnamed high-ranking UN officials [are] alleged to have taken bribes from Saddam; this is a matter not only of venal and corrupt behavior among those entrusted with serving the public good, but of U.N. officials with blood on their hands...

    ...In thinking about the context for the past year's honor roll, however, I found there was another American president who also came to mind: Abraham Lincoln, who, as America struggled to shed its own evil of slavery, commemorated the dead at Gettysburg with a statement that holds true today. These Americans died "that government of the people, by the people, for the people, shall not perish from the earth."


    Claudia Rosett: Never Forget - "Nightline" needs an enemies list
     

    Corporate Espionage and Trojan Horses


    Picture credit: http://www.emich.edu
    Via Arik's blog, an excellent recap of the Israeli corporate espionage scandal.

    * [Some] ...very prominent Israeli companies were infected by a trojan. Foreign companies may have been victims as well, but names of those were not provided.
    * The trojan was targeted specifically at those companies by the perpetrator, and more specifically at key people in those companies and PR companies working for those companies.
    * The trojan was targeted at Windows machines.
    * The attack vector was social engineering, using e-mail and CD-ROMs sent to the victims as ‘a business proposal’.
    * Data proliferated from some of the infected machines includes (but is not limited to) the ‘My Documents’ folder and screen captures.
    * The stolen data was sent to “FTP servers” both out and inside Israel. The protocol used for the actual transfer was not disclosed.
    * The trojan was never detected within the infiltrated companies until the police looked for it...


    Saar Drimer also states, "...the police’s own computers were compromised by the very method they were investigating!"

    Arik's blog: Trojan horses abound