The weekly newsletter for Fed2 by ibgames

EARTHDATE: September 30, 2007

Official News page 13


WINDING DOWN

An idiosyncratic look at, and comment on, the week's net and technology news
by Alan Lenton

Not a lot to tell you about this week, but I'm not yet at the stage of resorting to that age-old standby of the yellow press - manufacturing stories!

I decided to pass on the iPhone/iBrick stories. I try to avoid making barbed remarks about other people's religions, but there is a URL in Scanner if you missed the noise this week.

So here is the rest (or some of the rest) of the news...


Shorts:

There's an interesting report just been published by the Canadian privacy commissioner on the TJX fiasco. (Remember that? 45 million credit cards compromised.) One of the more interesting items in the report is TJX's failure to use proper encryption to protect the card numbers.

However the most interesting item is the information that, 'The investigation found the company did not have a reasonable purpose to collect driver's licence and other identification numbers when unreceipted merchandise was returned.' For a long time now security professionals have been warning companies about the dangers of mindlessly storing information on their customers.

So now we know the result of such behaviour - and the lawsuits against TJX are soon going to quantify the cost for everyone to see.

http://www.theregister.co.uk/2007/09/27/tjx_data_leak_report/

Ever got really pissed at the crud that new computers come loaded with? Not to mention the 'Microsoft tax' (you pay for Windows whether you use it or not). Dell will pass up putting some of it on, for a price, but if you live in France, you might be able to go one better. A French court just ruled in favour of an Acer customer who didn't want, among other things, Windows XP, Microsoft Works, Power DVD, and Norton AV pre-loaded onto his laptop.

The laptop cost just Euro 599, and the court ordered a refund of Euro 311.85 to cover the full cost of the software pre-loaded onto his machine (the Euro is worth about US$1.20). Originally Acer offered Euro 30 to settle, which the court obviously considered derisory, so it also told Acer to pay up another Euro 500 in fees to cover what it described as 'abusive resistance and committed expenses'. That's Euro 811.85 back on a machine that cost only Euro 599! Way to go!

http://www.channelregister.co.uk/2007/09/26/acer_laptop_microsoft_windows_french_ruling/

Red faces at Microsoft this week when it was revealed that Excel 2007 can't do sums. If you multiply 850 by 77.1 the answer is 65,535 - but not if you are using Excel 2007. Try it on the latest version of Microsoft's flagship spreadsheet and you get the answer 100,000! You get the same answer for any other result that should be 65,535.

This sounds to me like a good reason for Microsoft to appeal against the latest EU court ruling confirming the EU Commission's fine. I can just see it now. 'We submit, your honour, that the Commission was using Microsoft software to calculate the fine, and that because they were using software known to be unreliable, the fine should be declared null and void.'

In the meantime, there is a new number for the beast - 65,535.

http://www.theregister.co.uk/2007/09/26/excel_2007_bug/

I guess no one is likely to be surprised when I mention that the US Department of Homeland Security failed to notice that 150 of its computers were hacked. Given the regular slatings it's received from the Government Accounting Office for security failings, compromised computers are almost a given.

The twist in this story, though, is that contractor Unisys is being blamed, apparently because the six intrusion protection devices it installed were misconfigured.

Wrong people.

The real question is who signed off on the installation without checking it? And who was responsible for running the equipment and failed to notice that the devices weren't working? Security is a process; there are no one-off silver bullets. And, of course, there is the question of which managers were stupid enough to ignore the warning signs that Chinese (it had to be Chinese, of course) hackers were having a ball in the DHS computers.

http://newsletter.infoworld.com/t?ctl=19A00BC:215D3E184FC552DCDBB7CBA42D533030EFF29049075316B4

http://www.theregister.co.uk/2007/09/25/unisys_blamed_for_dhs_data_breaches/

In a fascinating move Sweden's Pirate Bay, the world's largest bittorrent tracker, has filed a police complaint against the Swedish subsidiaries of music and movie studios alleging attacks including, 'infrastructure sabotage, denial of service attacks, hacking and spamming'.

Pirate Bay has been harassed by the big media companies for a long time, but this latest salvo comes after a leak of 700MB of sensitive e-mails from Media Defender, the firm allegedly hired by big media to disrupt Pirate Bay's operations.

Whether the complaint will come to anything or not is a moot point, but it will publicise the e-mails, which show the depths to which the big media companies will sink to try to salvage their failing business model.

http://www.theregister.co.uk/2007/09/24/pirate_bay_counterstrike/


Story: An inside job

Two US court cases this week highlight a little security problem that is well known by security experts, but not too much talked about in public.

The first case was about a sysadmin at Medco Health Solutions, a major US drugs prescription management company. The sysadmin admitted planting a logic bomb which would delete patient data on 70 servers. Fortunately for Medco, the malicious code was discovered before it went off. He is to be sentenced in January (don't ask me why it takes over three months to figure out how much prison time to give a perp - perhaps they're using Excel 2007).

The second case was about a Cox Communications telecoms worker who hacked into the company's computer systems, causing a crash which took out services - including 911 - throughout Dallas, Las Vegas, New Orleans, and Baton Rouge. He's being sentenced in December, a slight improvement over the Medco case, I guess.

What these cases have in common is that both are insider attacks - hacks by company employees. Security professionals have long known that the biggest threats to corporate computers come from employees, either through ignorance or through malice. However, it's easier to sell silver bullets and security snake oil to protect against 'hackers' than to come up with workable ways of dealing with insiders.

Belatedly, companies are starting to understand the problem, but it's going to be a while before they start making inroads into the problem. In the meantime look out for a bunch of high profile court cases in the not too distant future, as things are tightened up.

http://update.techweb.com/cgi-bin4/DM/y/eBDWu0HiOOq0G4V0FXvH0Es
http://www.theregister.co.uk/2007/09/22/sysadmin_logic_bomb_followup/
http://newsletter.infoworld.com/t?ctl=199C9F4:215D3E184FC552DCCE2D913BB417EDFFEFF29049075316B4


Recent Reading:

The Money Changers by Robert G Williams. Zed Books
I wish I'd had this book when I was designing Federation 2. The international foreign exchange markets handle a staggering $2 trillion a day, and Robert Williams explains how they do it. The book is a series of interviews with, and explanations from, the people who run the markets. It's totally fascinating and very readable.
Highly recommended.

Exploiting Online Games by Greg Hoglund and Gary McGraw. Addison Wesley.
A very pedestrian trudge through the bowels of the sleazy side of World of Warcraft. The book contains little that has not been common knowledge in the MUD community for decades, and to WoW players ever since the game started. The book's do-it-yourself farming bot - pages and pages of C++ code - is only of any use to those who are already capable of writing one themselves.
Excellent cure for insomnia.


Scanner: Other stories

Nanotubes help detect, repair wing cracks
http://newsletter.eetimes.com/cgi-bin4/DM/y/eBDWx0FypUC0FrK0FXvy0Eh

Apple warns hacking iPhone may harm it
http://www.physorg.com/news109906726.html

Under the Hood: Silicon in autos driving patent plans
http://newsletter.eetimes.com/cgi-bin4/DM/y/eBDPJ0FypUC0FrK0FXNS0EW

Microsoft relents on XP downgrade
http://www.news.com/The-XP-alternative-for-Vista-PCs/2100-1016_3-6209481.html?tag=nefd.lede

Samsung and Armani team up to develop TVs and mobile phones
http://www.physorg.com/news109748018.html


Acknowledgements

Thanks to readers Barb, DJ and Fi for drawing my attention to material used in this issue. Please send suggestions for material to alan@ibgames.com.

Alan Lenton
alan@ibgames.com
30 September 2007

Alan Lenton is an on-line games designer, programmer and sociologist. His web site is at http://www.ibgames.net/alan.

Past issues of Winding Down can be found at http://www.ibgames.net/alan/winding/index.html

