Home » Archives for October 2005

Month: October 2005

Urban Dead HUD

Published October 29, 2005

I’ve been playing a bit of Urban Dead recently. Urban Dead is a very low-key, web-based MMORPG — you play a 3-minute turn once every 24 hours. It needs some rebalancing and some new features, especially given the organised nature of some of the bigger marauding zombie hordes, but I’m still finding it fun.

To scratch a couple of itches, I’ve written a Greasemonkey user script for UD called the Urban Dead HUD. It adds several nifty features to the user interface:

keyboard accelerator access keys for the action buttons, and your inventory — very handy when you’re attacking an enemy repeatedly;
an on-page long-distance map of the surrounding squares;
a distance tracker, which tracks the distances to “important” locations for you

There’s screenshots on the download page, so you can see what I’m talking about.

Greasemonkey is a fantastic tool, as is Mark Pilgrim’s Dive Into Greasemonkey, which has repeatedly turned out to be an excellent, well-written reference while hacking this. Thanks guys!

trueColor() bug in GD::Graph

Published October 28, 2005

Hacking on a new rule-QA subsystem for SpamAssassin, I came across this bug in GD::Graph. If:

you are drawing a graph using GD::Graph;
outputting in PNG or GIF format;
and the ‘box’ area — the margins outside the graph — keeps coming up as black, instead of white as you’ve specified;

check your code for calls to GD::Image->trueColor(1);, or the third argument to the GD::Image->new() constructor being 1. It appears that there’s a bug in the current version of GD (or GD::Graph) where graphing to a true-colour buffer is concerned, in that the ‘box’ area continually comes out in black.

(Seen in versions: perl 5.8.7, GD 2.23, GD::Graph 1.43 on Linux ix86; perl 5.8.6, GD 2.28, GD::Graph 1.43 on Solaris 5.10.)

False Positive ‘Reports’ != FP Measurement

Published October 26, 2005

John Graham-Cumming writes an excellent monthly newsletter on anti-spam, concentrating on technical aspects of detecting and filtering spam. Me, I have a habit of sending follow-up emails in response ;)

This month, it was this comment, from a techie at another software company making anti-spam products:

When I look at the stats produced on our spam traps, which get millions of messages per day from 11 countries all over the world, I see our spam catch rate being consistently over 98% and over 99% most of the time. We also don’t get more than 1 or 2 false positive reports from our customers per week, which can give an impression of our FP rate, considering the number of mailboxes we protect.

My response:

‘Worth noting that a “false positive report from our customer” is NOT the same thing as a “false positive” (although in fairness, [the sender] does note only that it will “give an impression” of their FP rate).

This is something that I’ve seen increasingly in the commercial anti-spam world — attempting to measure false positive rates from what gets reported “upstream” via the support channels.

In reality, the false positives are still happening — it’s just that there are obstacles between the end-user noticing them, and the FP report arriving on a developer’s desk; changes to the organisational structure, surly tech support staff, or even whether the user was too busy to send that report, will affect whether the FP is counted.

Many FPs will go uncounted as a result. As a result, IMO it is not a valid approach to measurement.’

I’ve been saying this a lot in private circles recently, so in my opinion that’s a good reason to post it here…

Wired on the Motorola ROKR iTunes phone

Published October 26, 2005

Via Cory at Boing Boing, here’s a great Wired post-mortem on how all the corporate vested interests (including Apple!) turned a nice concept for a new, music-playing mobile phone, into a useless, DRM-hogtied, designed-by-committee turd.

That’s worth a read, in itself. However, what really blew my mind was this:

Anssi Vanjoki, executive vice president of Nokia and head of its multimedia group, has bad news for the [music] labels. … He pushes a couple of buttons on the [phone’s] keypad. Up pops Symella, a new peer-to-peer downloading program from Hungary. As the name suggests, Symella is a Symbian application that runs on Gnutella, the P2P network that hosts desktop file-sharing apps like BearShare and Limewire. It was created earlier this year by two students at a Budapest engineering school that for four years has been exploring mobile P2P in conjunction with a local Nokia research center.

Symella doesn’t come installed on the N91; Vanjoki downloaded it from the university Web site. “Now I am connected to a number of peers,” he continues, “and I can just go and search for music or any other files. If I find some music I like and it’s 5 megabytes and I want to download it – the carriers will love this. It will give them a lot of traffic.”

I had no idea the platform was that open, at this stage. It’ll be interesting to see what happens next…

Ouch!

Published October 25, 2005

my new ipod.jpg
Originally uploaded by jmason.

Yep, they really are that easy to scratch, it seems.

UK ATM fraud in the 1990s

Published October 24, 2005

The Register: How ATM fraud nearly brought down British banking. This story is mind-boggling; it claims that UK ATM security had two major issues that have been kept secret since the 1990s:

An insecure data format used for the data on the magnetic stripes in one bank’s cards;
Another bank’s computing department “going rogue”, “cracking PINs and taking money from customers’ accounts with abandon” as the story puts it. Yikes.

The latter problem is scary, but in my opinion the former problem is more interesting from a computer security point of view.

This is a classic example of bad data format design, as it left the PIN and the account details individually rewritable — in other words, an attacker could (and did) change one while keeping the other intact.

This British Computer Society abstract provides more details on the who, how and where:

… it was revealed that UKP 130,000 had been stolen from Abbey National cardholders during 1994 and 1995 with counterfeit cards. Andrew Stone, a bank security consultant who had been advising Which?, the magazine of the Consumers’ Association, was jailed for five and a half years for the theft. This fraud involved spying on Abbey customers as they used their cards in automated teller machines (ATMs) or cash dispensers… [Stone] recorded card details and personal identification numbers (PINs) using powerful video cameras. The details were then encoded on the magnetic strips of other cards.

Finally, another quote from the Reg story:

why is he telling this explosive story now? Because chip and PIN has been deployed across the UK ATM network. “The vulnerability in the UK ATM network was still there to be exploited — if someone had chanced upon it.”

I wonder if other banking systems worldwide are still vulnerable, however? Did any other banks elsewhere license the vulnerable systems from UK banks, without knowing about these vulnerabilities? How long did it take for them to be fixed, if they were fixed?

Avian Flu, Health vs. IP Protection

Published October 22, 2005

Over at O’Reilly Radar, a question came up as to whether Roche’s patent on Tamiflu should be respected if, in the event of a pandemic, people were dying on a large scale due to an inability for Roche to produce Tamiflu in sufficient quantities.

James Love of cptech.org recently pointed out that the WTO made an exception for a situation like this, allowing importation of medicines from foreign countries in violation of local patent licenses in the case of an emergency, in a 30 August 2003 decision:

Your country would benefit from importing generic medicines produced under a compulsory license, in order to build up adequate stockpiles or to obtain needed medicines in the event of a crisis.

However, many developed-world countries have explicitly made a commitment never to use this limited TRIPS waiver, namely the following:

Australia, Austria, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Iceland, Ireland, Italy, Japan, Luxembourg, Netherlands, New Zealand, Norway, Portugal, Spain, Sweden, Switzerland, United Kingdom and the US.

Another 10 countries about to join the EU said they would only use the system to import in national emergencies or other circumstances of extreme urgency, and would not import once they had joined the EU: Czech Republic, Cyprus, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovak Republic and Slovenia.

So there you have it; the trade representatives for many developed-world countries took some kind of ‘strong IP’ high moral stand, and gave up this ability. I’ll bet national health authorities are, right now, wandering government halls around the world, looking for trade representative asses to kick…

‘Internet Stamps’: ‘Sender Pays’ Is Back From The Dead

Published October 22, 2005

Jeremy Zawodny mentions that Tim Bray has proposed something he calls ‘Internet Stamps’ to solve the blog-spam problem; here’s Tim’s description of how it works:

An Internet Stamp is an assertion, signed by a Post Office, that some chunk of text was issued by someone who paid for the stamp. At least one major Post Office will be required by government statute to sell stamps to anyone in the world for either US$0.01 or EUR 0.01, and no stamp-selling organization will be recognized which sells stamps for less than this amount. For this to work, the number of stamp-selling organizations needs to be small and the organizations stable; another reason why Post Offices are plausible candidates.

It works like this: if you want to buy stamps, you sign up for an account with your Post Office; it works like paper stamps, you buy a bunch at a time in advance, in small amounts like $20 or EUR 10. Then the Post Office offers a Web Service where you connect to a port, authenticate yourself and send along some text; the Post Office decrements your account and sends back the stamp. There are a variety of digesting/signing/PKI techniques that could be applied to implement the stamps; a standard is required but should be easy.

Apparently himself and a few other guys chatted about it at the first Foo Camp, back in 2003. Funnily enough, in the anti-spam community, we were having our own chats about it, but it sounds like our paths didn’t cross for some reason…

We call this idea ‘sender pays’. Earlier in 2003, in June, John Levine published what I’d consider the canonical wrap-up of why it will not work, in ‘An Overview of e-Postage’.

That report demolishes the use of ‘sender pays’ for e-mail anti-spam, on three main counts:

Creating a transaction system large enough for e-postage would be prohibitively expensive. The nearest parallel is the credit card transaction system, which deals with 1% of the transaction volume per day, and with much larger profit margins to make it worth their while.
The true financial, administrative, and social costs of e-postage are completely unknown. What do you do when a ‘bad guy’ steals the e-postage stamps off Aunt Millie’s hard disk, without her knowledge? How much is the Fraud Handling Department going to cost? Is she just going to be out of luck when this happens? Will you need to use whitelisting and a content-based anti-spam filter as well, to filter out the messages sent using valid, but stolen, stamps?
Users hate micropayments. In short, see Andrew Odlyzko’s research.

Now, using it on weblog spam is a little more practical than e-mail spam, for one because it has a lower daily volume of transactions; but these objections still stand, in my opinion.

John Levine is one of the foremost authorities in anti-spam, and this report has been a mainstay of the anti-spam canon for two years. Anyone discussing a new anti-spam concept really ought to know this report backwards and forwards by this stage, and go into some detail as to how their proposal deals with the issues raised, if it’s to be taken seriously.

‘I Go Chop Your Dollar’, the video

Published October 21, 2005

Wow! videos.antville.org (via robotwisdom) came through with the goods. Go check out the video for Nkem Owoh (aka Osuofia) singing “I Go Chop Your Dollar”, which turns out to be pretty catchy!

Here’s the lyrics so all us oyinbos can sing along:

I don suffer no be small
Upon say I get sense
Poverty no good at all, no
Na im make I join this business
419 no be thief, its just a game
Everybody dey play am
if anybody fall mugu, ha! my brother I go chop am

Chorus
National Airport na me get am
National Stadium na me build am
President na my sister brother
You be the mugu, I be the master
Oyinbo I go chop your dollar, I go take your money dissapear
419 is just a game, you are the loser I am the winner
The refinery na me get am,
The contract, na you I go give am
But you go pay me small money make I bring am
you be the mugu, I be the master… na me be the master ooo!!!!

When Oyinbo play wayo, them go say na new style
When country man do im own, them go de shout bring am, kill am, die!
Oyinbo people greedy, I say them greedy
I don see them tire thats why when them fall enter my trap o!
I dey show them fire

Lyrics from here; there’s a few other funny comments there too:

just saw the “i go chop your dollar”……i am glad we are blessed with a natural comedian as good as Nkem Owoh…..thank God say oyibo (sic) no sabi pidgin if not dis song for give them small panic……..

Heh, looks like the ‘small panic’ is now underway ;)

‘I Will Eat Your Dollars’

Published October 21, 2005

An excellent, eye-opening interview with Samuel, an ex-419 scammer.

There’s even a theme tune:

Their anthem, “I Go Chop Your Dollars,” hugely popular in Lagos, hit the airwaves a few months ago as a CD penned by an artist called Osofia:

“419 is just a game, you are the losers, we are the winners.
White people are greedy, I can say they are greedy
White men, I will eat your dollars, will take your money and disappear.
419 is just a game, we are the masters, you are the losers.”

Reportedly, Lagos inhabitants paint “This House Is Not For Sale” in big letters on their homes, in case someone posing as the owner tries to put it on the market.

Regarding the workings of the scam:

[Samuel] sent 500 e-mails a day and usually received about seven replies. Shepherd would then take over. “When you get a reply [to a 419 spam], it’s 70% sure that you’ll get the money,” Samuel said.

(via Nelson.)

‘Life Hacking’ and Metacity

Published October 17, 2005

The NY Times story on “life hacking” is a pretty good one, and an excellent intro for anyone who hasn’t been religiously reading the changing transcripts of Danny O’Brien’s talk and so on.

This line:

Mann has embarked on a 12-step-like triage: he canceled his Netflix account, trimmed his instant-messaging “buddy list” so only close friends can contact him and set his e-mail program to bother him only once an hour.

Reminded me of something I ran into recently.

Last month, I switched from Sawfish, the venerable UNIX window manager, to GNOME’s Metacity, which is the new(ish) GNOME standard window manager. (I was tired of some long-standing Sawfish crashes, and didn’t want to be the last Sawfish user on the planet, which was seeming increasingly likely.)

One interesting UI change is that application windows no longer ‘pop up’ — if an app wants to notify you of some important change, it instead can only cause its taskbar button to subtly pulse in the corner of your screen.

Initially, this threw me for a loop, and I rudely (albeit accidentally) ignored my friends on IM and suchlike. But I quickly got the hang of glancing at the taskbar once in a while when I wasn’t concentrating on a task; it’s now second nature, and has significantly reduced the number of interruptions I find myself experiencing in a typical day.

BTW, in passing: switching WMs is a big deal, user interface-wise. One of the key gating factors, for me, was a feature I use to control windows without laying hands on the dreaded rodent — namely, a ‘move window to screen corner’ keyboard shortcut. This patch implements it for Metacity.

I implemented this last year for KWin, too, to resounding disapproval and bitchy comments about how I’m using the mouse all wrong. Meh. I fully expect the Metacity maintainers to throw it out, likewise, leaving me hand-patching WMs for a while yet ;)

Update, Nov 2006: they applied it! yay.

The Adelphi Charter

Published October 17, 2005

I’ve just finished Sir John Sulston’s inspiring book about the Human Genome Project, The Common Thread, in which he discusses how he found himself on one front line of the battle between intellectual ‘property’ maximalism attempting to grab ‘property rights’ over the human genome, and the common good, preserving such rights for all humanity and unfettered research. (Thankfully, he — and therefore the latter side — won.)

I’ve been meaning to post a few choice quotes here about it at some stage, but haven’t had the time — I’ve had to just limit myself to correcting the Wikipedia entry for the Human Genome Project instead. ;)

Anyway, Sir John is in the news again, as part of a new international initiative — the Adelphi Charter:

Called the Adelphi charter, it is an attempt to lay out those principles. Central among them are the ideas that policy should be evidence-based and that it should respect the balance between property and the public domain, not eliminate the latter to maximise the former.

Coverage:

Very encouraging to see something taking off at this level. I hope it does well, and I hope Ireland and the EU’s lawmakers take note, since I’ve been hearing a lot of IP maximalist party-line from there recently…

I Agree With Goopy

Published October 12, 2005

shiny do-dad
Originally uploaded by goopymart.

Daniel Cuthbert’s Travesty of Justice

Published October 12, 2005

The Samizdata weblog posts more details about the Daniel Cuthbert case, where a UK techie was arrested for allegedly attempting to hack a tsunami-donation site. Here’s what happened:

Daniel Cuthbert saw the devastating images of the Tsunami disaster and decided to donate UKP30 via the website that was hastily set up to be able to process payments. He is a computer security consultant, regarded in his field as an expert and respected by colleagues and employers alike. He entered his full personal details (home address, number, name and full card details). He did not receive confirmation of payment or a reference and became concerned as he has had issues with fraud on his card on a previous occasion. He then did a couple of very basic penetration tests. If they resulted in the site being insecure as he suspected, he would have contacted the authorities, as he had nothing to gain from doing this for fun and keeping the fact to himself that he suspected the site to be a phishing site and all this money pledged was going to some South American somewhere in South America.

The first test he used was the (dot dot slash, 3 times) http://taint.org/ sequence. The ../ command is called a Directory Traversal which allows you to move up the hierarchy of a file. The triple sequence amounts to a DTA (Directory Traversal Attack), allows you to move three times. It is not a complete attack as that would require a further command, it was merely a light ‘knock on the door’. The other test, which constituted an apostrophe (`) was also used. He was then satisfied that the site was safe as his received no error messages in response to his query, then went about his work duties. There were no warnings or dialogue boxes showing that he had accessed an unauthorised area.

20 days later he was arrested at his place of work and had his house searched.

(His actions were detected by the IDS software used by British Telecom.)

In my opinion, this is a travesty of justice.

His actions were entirely understandable, under the circumstances, IMO. They were not hostile activities in themselves — they might have been the prelude to hostility, in other cases, but, as his later activity proved, not in this one.

Instead of making parallels with “rattling the doorknob” or “lurking around the back door of a bank”, a better parallel would be looking through the bank’s front window, from the street!

If only law enforcement took this degree of interest in genuine phishing cases, where innocent parties find their bank accounts emptied by real criminals, like the unprosected phisher in Quebec discussed in this USA Today article!

Appalling.

Harpers: The Uses of Disaster

Published October 12, 2005

In this month’s Harpers — The Uses of Disaster contains a passages that rings bells, post-Katrina:

You can see the grounds for that anxiety in the aftermath of the 1985 Mexico City earthquake, which was the beginning of the end for the one-party rule of the PRI over Mexico. The earthquake, measuring 8.0 on the Richter scale, hit Mexico City early on the morning of September 19 and devastated the central city, the symbolic heart of the nation. An aftershock nearly as large hit the next evening. About ten thousand people died, and as many as a quarter of a million became homeless.

The initial response made it clear that the government cared a lot more about the material city of buildings and wealth than the social city of human beings. In one notorious case, local sweatshop owners paid the police to salvage equipment from their destroyed factories. No effort was made to search for survivors or retrieve the corpses of the night-shift seamstresses. It was as though the earthquake had ripped away a veil concealing the corruption and callousness of the government. International rescue teams were rebuffed, aid money was spent on other programs, supplies were stolen by the police and army, and, in the end, a huge population of the displaced poor was obliged to go on living in tents for many years.

However, there’s a happy ending there:

That was how the government of Mexico reacted. The people of Mexico, however, had a different reaction. ‘Not even the power of the state,’ wrote political commentator Carlos MonsivÃ¡s, ‘managed to wipe out the cultural, political, and psychic consequences of the four or five days in which the brigades and aid workers, in the midst of rubble and desolation, felt themselves in charge of their own behavior and responsible for the other city that rose into view.’ As in San Francisco in 1906, in the ruins of the city of architecture and property, another city came into being made of nothing more than the people and their senses of solidarity and possibility. Citizens began to demand justice, accountability, and respect. They fought to keep the sites of their rent-controlled homes from being redeveloped as more lucrative projects. They organized neighborhood groups. And eventually they elected a left-wing mayor — a key step in breaking the PRI’s monopoly on power in Mexico.

Photo Update

Published October 12, 2005

Photoblog! We recently ticked off another of California’s national parks with a trip to Joshua Tree, and saw this:

Scary desert people. Also, I got to be in a fractal:

Beardy progress continues, as you can see!

In other pics, Catherine cooked me an amazing birthday cake:

Also: I ate the most sacrilicious food ever — mochi that tastes like green-tea-filled Eucharist wafer!

Ah, the blessed sacrament of the (green tea) body and (red bean) blood. The textural resemblance really was phenomenal; I guess it never came up in product taste tests. Quite funny. Very tasty too, by the way.