Sunday, December 31, 2006

A Hot and Happy New Year

I just noticed that, thanks to the wonders of Internet technology, and some good-hearted humans, the ancient annual ritual of the Biggar Bonfire is being broadcast this New Year. Check out the webcam link lower down the page. Seems a nice way to share the spirit of the season and a good excuse to wish everyone around the world a Happy and Prosperous 2007! May your pixels stay bright and your bits not byte.

If you are into this seasonal stuff, there is also a webcam to cover another Scottish seasonal phenomenon, the Maeshowe, a Neolithic monument on Orkney "that catches the last rays of the dying sun each winter solstice." Sorry this posting is too late for this year, but you can put it in your Google calendar for December 21, 2007.

Thanks to Wikipedia, another wonder of Internet technology+good people, you can learn the connections between different Yule celebrations (some of which are very pagan and Norse it would seem). Including your own virtual log fire.

[Updated 1/7/07: Just noticed this additional Christmas+New Year+Yule+fire connection, the Orthodox Christmas celebration, an example of which is here.]

Wednesday, December 27, 2006

Technology and Risk Displacement: Not just a theory

Okay, so this entry is going to be 'big picture' and I don't mean plasma TVs. Basically, it's just some thoughts about technology in a broad sense, beyond just chips and bits, but starting with something specific, a story in the Fort Worth Star-Telegram about toxic chemicals in our homes and in our, well, in us. And if you want a direct connection to the digital world, our computers are one source of these chemicals.

Like a lot of people, I feel strongly about technology. It would be true to say I 'love' technology, at least for a certain definition of 'love.' I'm not talking about the wide-eyed way I sometimes look at my Treo 650 while contemplating the awesome fact that this small and almost perfectly formed object can take dictation, place and receive phone calls, fetch and send email, and, even as it plays one of my 521 most favorite songs, zoom in on satellite imagery of just about anyone's house, anywhere on the planet [courtesy of Google Earth, some restrictions may apply]. That's not love, that's infatuation.

The love relates to the hugely positive changes technology has enabled during my lifetime (early 1950s to circa Now). That includes everything from indoor plumbing to air bags, polio vaccine to organ transplants, jet planes to this here Internet, that sometimes takes the bits and bytes I write out into space and back to earth, in seconds. You get the picture (and my picture, in the upper right-hand corner, viewable from web browsers in just about every country on the planet).

However, I would never advocate unconditional love for technology. My father was an engineer and so I got an up-close education in applied technology from an early age. I remember him pondering the challenge of stopping a jumbo jet after it had landed (he worked for Dunlop, which built the brakes and tires for the 747, which do most of the stopping--he had designed thrust reversers not long after jet engines were deployed in civilian aviation, but they don't do as much to stop planes as you might think). We often pored over blueprints on the kitchen table and I would spend time in his workshop where he 'tinkered' with all manner of tools and materials.

I particularly remember him working with asbestos, which has highly prized engineering properties. Apart from simple insulation, it was used in brake pads and in the handling of molten metals for castings. It was used extensively in ships and my father served as an engineer in the Royal Navy during WWII. He died of respiratory cancer not long after his fiftieth birthday.

Long before I became involved with computers I had formed several thoughts about technology. I decided technology itself was neutral, the classic case in point being nuclear technology, which enables hugely destructive bombs and power generation without fossil fuels. Growing up during the Cold War, the threat of nuclear annihilation was a daily worry, to me at least, particularly after my mother took me on a 'Ban the Bomb' march when I was eight. But England in the 1950s was a very smoggy place, with terrible air quality in most big cities. A lot of air pollution has been avoided by the generation of 'clean' fuel through nuclear reaction. Yet each benefit has an offset. Disposing of spent nuclear fuel is no small problem. And each downside has an upside. For example, since the nuclear bomb has been widely deployed the stand-off inherent in mutually assured destruction means there have been no world-wide armed conflicts.

So first I decided that technology itself is neutral (applied technology not so much). And then I entertained the thought that no single technology produces a net gain. Clean fuel, dirty residue. Increased mobility through automotive transportation, increased pollution. Greater travel, wider spread of disease. Heat resistance, lung disease. Greater access to useful data, greater exposure of private data. You can go on and on. As you do so, you'll probably think of mitigating factors. After all, new technologies are frequently developed that counter or avoid the downside of earlier technologies. No more lead in paint, no more asbestos in brake shoes, and so on. But remember my premise: 'no single technology produces a net gain.'

Take flame retardants. They reduce the risk of fire, the extent of fire damage, and probably save lives. You will find them in clothes, car seat cushions, computer wires, and the dust on your desk. And now we find that traces of potentially toxic flame retardant chemicals are showing up in people, and building up in their blood and tissue. What is more, chemicals long banned are still showing up.

This is risk displacement. It occurs in many areas of life. Consider seat belts. They save lives, right? But some studies have shown that people wearing them drive worse than people who are not. I'm particularly upset with those car commercials where people who are busy chatting away while driving get hit by another car and walk away. Are we doing enough testing of the phenomenon that, the more someone feels that technology makes crashing survivable, the more likely they are to crash?

Risk displacement also occurs in computer security. Closing down an avenue of attack does not in itself reduce the total sum of effort and resources that will go into attacks. The attacks will find a different path. Which brings us back to the big picture. Attacks on computers will only diminish when the general standard of human behavior improves. That is not an impossible goal. The amount of drunk driving going on today is less than it was. That is not a result of changes in technology but of changes in people. The lesson is not to look to technology for answers it cannot provide, and not expect a new technology to be all upside and no downside.

Tuesday, December 26, 2006

Your Tax Dollars at Work: Feds pay Google for dud drug hits?

This is something I may post in several places. It's about politics. It's about America's screwed-up health care. It's about technology. Our beloved federal government is apparently bidding on Google with your tax dollars. The goal? Top the results from searches for certain drugs, like Valium, in order to warn taxpayers that buying such drugs without a prescription could land them in jail.

Check out this screen shot from earlier today. The DEA is sponsoring one result, the US Customs has paid for the other (unless Google is donating these spots, which I doubt very much).

These agencies seem to be bidding for the top spots in several searches, including Xanax, Oxycontin, "pain killers." Does anyone else besides me think this is just a bit weird? There are many reasons why people search for information about certain drugs. Is it a good use of taxpayer money to pay to deliver this message as a result?

One thing is for sure, the US Customs office is flat out wasting money with all its ads. Why? Because all the ones I clicked led to a 'page not found' message like this:

In other words, every time someone clicks one of those listings paid for by Customs, they get an error. And speaking of clicking...do you think those agencies realize anyone with a grudge against them can sit and click those things all day to run up their Google bill?

I'd sure love to hear from anyone who has inside information on these programs.

Friday, December 22, 2006

No, It's Not My Imagination: Spam is on the rise (again)

I thought it was just my imagination, a big and fairly rapid increase in the amount of spam I've been getting these past few months. I was wondering what I had done to deserve this. But it turns out I was not alone, according to the Washington Post:

More than 90 percent of all e-mail sent online in October was unsolicited junk mail, according to Postini,...Spam volumes monitored by Postini rose 73 percent in the past two months as spammers began embedding their messages in images to evade junk e-mail filters that search for particular words and phrases. In November, Postini's spam filters, used by many large companies, blocked 22 billion junk-mail messages, up from about 12 billion in September.

What a waste of technology! And you know what I'm going to say. First, a more widespread deployment of Symantec's TurnTide technology would reduce that number (and no, I don't make a penny off that technology and I own zero shares in Symantec). Second, someone ought to sue the three companies that could have stopped spam 5 years ago if they had listened to reason and agreed to work with each other: Microsoft, AOL, Yahoo.

p.s. Mr. Gates, are you ready for the one year anniversary of the end of spam (as predicted by you) coming up on January 24, 2007, I believe?

Tuesday, December 5, 2006

Turntide Still Working Away: Not perfect but pretty close

"Not perfect but pretty close" is what this Computerworld article concluded about the anti-spam technology I helped create a few years ago.

It was maybe early 2001 when I was sitting around a table in a basement in Pennsylvania with a couple of friends discussing ways of fighting spam. Back then there were not many people who believed spam would become a huge problem. Many dismissed it as a mere nuisance. Boy, were they wrong.

Anyway, we had been focusing on a way of certifying email as legitimate, so only legitimate email would be allowed to get through to your inbox. This was the inverse of attempts to stop spam by allowing all email in unless it came from a known bad source. Early anti-spam products were emerging that followed the allow-all-but-known-bad model, including some attempts to filter messages on a case-by-case basis according to their content. But a couple of us were skeptical about this approach. It seemed to be based on an anti-virus scanning model (and we all knew how well that was working--not!). Furthermore, when these filter systems produced false positives, that meant valuable messages might be delayed or lost.

So we analyzed spam from the spammer's perspective. What was the motive? What would be a disincentive? Virus writers were not being deterred by legal penalties and so we doubted that approach would dissuade spammers. But we realized spammers are different from your classic virus writers: spammers are in it for the money.

So we followed the money. What we found was a fairly simple formula. If a spammer can't get X number of messages into network N within Y period of time, the spammer will move on to the next network, N1, and so on. This is because the spammer makes money off such a tiny percentage of responses. To be cost-effective there have to be huge numbers of messages delivered on target within the relatively short period of time that exists before a particular spam site is shut down.

Aha! we said. If only there was a way to slow down messages from spammers. One of us, David Brussin, realized that there was a TCP/IP mechanism for slowing down network response, and we figured out how we could couple that to a spam detector mechanism. The result was a device that sat on the edge of a network, or at an ISP, and slowed down network connections if they appeared to be delivering spam. The first test results were amazing. The device, dubbed "SpamSquelcher" after those knobs on ship radios which tune out noise, literally saved a regional ISP from being overwhelmed by spam.

Selling this idea to end-users was a tough one. The device worked best on larger networks. This was not something you could give away to end-users for free and hope that big companies would pay for licenses. Eventually the product was re-launched as TurnTide and acquired by Symantec, which incorporated it into their product line. Today there are a lot of corporate and academic networks using this technology to save bandwidth and protect their networks. If a lot more of them would do the same, particularly ISPs, then the net volume of spam might actually go down.
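
A small model of the economics described above, added here as an illustration and not TurnTide's or SpamSquelcher's actual algorithm: a per-source throttle slows a sender as a stand-in detector flags more of its mail, and the simulation counts how many messages get in within the window Y. The class and function names, the rates, and the values chosen for X and Y are all assumptions.

```python
NEEDED_X = 10_000   # assumed: messages a campaign must land to pay off (the post's X)
WINDOW_Y = 600      # assumed: seconds before the spam site is shut down (the post's Y)


class Squelcher:
    """Per-source throttle: the more a source's recent mail looks like spam,
    the less of the link it gets. All parameters are illustrative assumptions."""

    def __init__(self, full_rate=50.0, floor_rate=0.5, alpha=0.2):
        self.full_rate = full_rate    # msgs/sec granted to a clean source
        self.floor_rate = floor_rate  # slowest rate: mail is delayed, never dropped
        self.alpha = alpha            # weight given to the newest detector verdict
        self.score = {}               # source -> moving average of verdicts, 0..1

    def observe(self, source, looks_like_spam):
        old = self.score.get(source, 0.0)
        self.score[source] = (1 - self.alpha) * old + self.alpha * float(looks_like_spam)

    def allowed_rate(self, source):
        clean = 1.0 - self.score.get(source, 0.0)
        return max(self.floor_rate, self.full_rate * clean ** 4)


def delivered_within(offered_rate, flag_every, window_s, squelcher=None):
    """Messages one source gets into the network within window_s seconds.
    The stand-in detector flags every flag_every-th message (0 = never flags)."""
    squelcher = squelcher or Squelcher()
    clock, count = 0.0, 0
    while True:
        rate = min(offered_rate, squelcher.allowed_rate("src"))
        clock += 1.0 / rate           # time this message occupies the connection
        if clock > window_s:
            return count
        count += 1
        flagged = flag_every > 0 and count % flag_every == 0
        squelcher.observe("src", flagged)


def moves_on(delivered, needed):
    """The post's rule: fewer than X messages inside Y, so the spammer tries N1."""
    return delivered < needed


if __name__ == "__main__":
    cases = {"spammer, every message flagged": (50, 1),
             "spammer, detector blind": (50, 0),
             "newsletter, never flagged": (5, 0),
             "newsletter, 1 in 20 false positives": (5, 20)}
    for name, (rate, flag_every) in cases.items():
        n = delivered_within(rate, flag_every, WINDOW_Y)
        print(f"{name}: {n} delivered, moves on: {moves_on(n, NEEDED_X)}")
```

The false-positive case is the contrast with content filters drawn earlier in the post: a misjudged legitimate sender keeps its full rate here, and even a heavily throttled one is only slowed, not discarded.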

Saturday, December 2, 2006

Cool Firefox Trick: The "get me out of here" option

I have previously posted about the problems of deceptive URLs, one small aspect of the whole phishing industry. I think I have also noted that one of the reasons I like Eudora as an email client is the warnings it provides when a deceptive URL is present in an email message.

Well, on the left you can see a related feature in Firefox, my browser of choice. It's the "get me out of here" option that appears when you have navigated to a suspect web site. I think it was a stroke of interface genius to provide a simple link that says "Get me out of here!" When you click that link you are indeed taken away from the site, to the Firefox home page. If you opt to "Read more" you will reach a nice little tutorial on phishing and the anti-phishing feature in Firefox.

Nice one Firefox!

Thursday, November 30, 2006

Free Enterprise Security Advice Could Save Thousands in Customer Care Costs

When your company has to notify its customers about a change to online security procedures and decides to use email as part of that notification, make sure that the email message does NOT contain any deceptive URLs. Otherwise the email may confuse a lot of customers who end up contacting your company, putting a dent in the customer service budget and thus the bottom line.

Before you say something like "My company would never use a deceptive URL" be sure you know what deceptive URLs are and how they arise, because they can seem innocent enough. Indeed, I have seen them slip under the quality control radar at big companies like Bank of America and Countrywide that do at least have quality control. Typically a deceptive URL is created by or within html email. Here is an example:








Note that I edited the screen shot above to obscure the name of the company that sent this particular message (about new security measures) and my own email address is also edited to something bogus.

Basically this part of the email is inviting recipients to log in to the company web site. The URL of the site is spelled out rather than just being a "click here" type link. People often spell out links in order to make it clear to the user where the link leads. In text-only email a URL has to be spelled out in order to work (in most email clients). But the above message is html and so the link text is actually within an href=URL tag. This means that the apparent URL can be different from the actual URL in the link, a fact that phishing scams have been exploiting for years. For example, you might see a link to www.paypal.com in a message that appears to be from PayPal, but in fact the link leads to:
http://202.78.2.22/.paypal/secure/login/webcsr/cmd=_login-submit/index.htm
or
http://0x44.0xec.0xb3.0xd0/www.paypal.com/index.htm
both of which are bogus web sites that are in no way connected with the real PayPal.

How do you know where a link goes before you click it? One way is to view the source code of the message, something that is easy enough to do in most email clients (in Eudora, for example, you just right click anywhere within the message and select "View Source"). However, viewing email source, while easy, is laborious, and so a good email client will reveal the URL of a link when you put your mouse pointer over it, then warn you if the link you are about to click is deceptive (i.e. does not match the text of the link). Eudora has this capability and provides further detail like this:
And here you see the problem this poses for an otherwise legitimate company. Good old Countrytom wants you to go to a special page at countrytom.com, but presumably did not want to put that great big [but genuine] URL in the text of the email. So they obscured it but in so doing set off the deceptive URL alarm. As email clients and web browsers get more aggressive in the fight against phishing this sort of thing is likely going to show up more often, thereby confusing more customers. And everyone in enterprise-land knows that more confused customers = increased customer service burden.

So what is the solution? Here is the real money tip in this free security advice: use a simple URL. Could it be that simple? Yes. There is no reason, other than a lack of imagination, for Countrytom to use that great big long URL for a response to email. Sure, marketing would like to track where responses are coming from, and IT might balk at some extra work with redirects and site structure, but a simple phrase and a few lines of code could fix that, as in any of these URLs that could easily appear in the text of the email AND the URL so as not to be branded as "deceptive" by the email client:
www.countrytom.com/confirm
www.countrytom.com/login112306
www.countrytom.com/112306
www.countrytom.com/no34

None of these strikes me as a turn-off for recipients and I bet they generate less customer confusion than the pesky but otherwise very helpful deceptive URL flag.
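
The comparison of link text against href that this post describes, as an added example (not code from the original post, and not how Eudora implements its warning): it parses an HTML message and grades every link whose visible text claims a destination. The sample message is constructed; its two PayPal hrefs are the ones quoted above, and the long countrytom.com href is a placeholder for the URL the post does not show.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
# Dotted IPv4 literal in decimal or hex, e.g. 202.78.2.22 or 0x44.0xec.0xb3.0xd0.
NUMERIC_HOST = re.compile(r"^(?:(?:0x[0-9a-f]+|\d+)\.){3}(?:0x[0-9a-f]+|\d+)$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parts(url):
    """(host, path, query) of a URL; http:// is assumed when no scheme is shown."""
    u = urlsplit(url if "://" in url else "http://" + url)
    return (u.hostname or "").lower(), u.path.rstrip("/"), u.query


def audit_links(html):
    """Return (verdict, text, href) for each link whose text claims a destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # "click here" style text makes no claim to compare
        shown, actual = parts(text), parts(href)
        if shown[0] != actual[0]:
            kind = "numeric host" if NUMERIC_HOST.match(actual[0]) else "different host"
            verdict = "deceptive: " + kind
        elif shown != actual:
            verdict = "flag: same host, different page"
        else:
            verdict = "ok"
        findings.append((verdict, text, href))
    return findings


# Constructed sample message (see the lead-in for which values come from the post).
SAMPLE = """<a href="http://202.78.2.22/.paypal/secure/login/webcsr/cmd=_login-submit/index.htm">www.paypal.com</a>
<a href="http://0x44.0xec.0xb3.0xd0/www.paypal.com/index.htm">www.paypal.com</a>
<a href="http://www.countrytom.com/app/login?campaign=PLACEHOLDER">www.countrytom.com</a>
<a href="http://www.countrytom.com/confirm">www.countrytom.com/confirm</a>
<a href="http://www.countrytom.com/confirm">Click here</a>"""
```

Hosts are compared exactly, so `countrytom.com` and `www.countrytom.com` count as different; a production check would compare registrable domains using the Public Suffix List.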

Sunday, November 19, 2006

Ubuntu Progress Continues Here

As promised...this is where the Ubuntu thread continues from the original "Cobbon blog."

Ubuntu is now installed on the 1999 Compaq Presario 305 and the 2000 iMac G3. The trick with older machines that have less than 200 megabytes of RAM is to (a) use a lot of patience and (b) use the prompted alternate install method, which uses the files located here:

ftp.ussg.iu.edu/linux/ubuntu-releases/6.06.1/

What you want to download are the image files called "alternate" like: ubuntu-6.06.1-alternate-i386.iso

These don't boot a full graphical Ubuntu, but they will lead you through a text-based install that does remarkably well at hardware detection, including the graphics card, sound system, and network interface (a Buffalo WiFi card in the Compaq and the built-in Ethernet on the Mac). The patience is required for the lengthy wait between stages.

You will also need some patience once these installs complete as the default Ubuntu desktop is not the fastest. Next step with these older machines is to change the desktop.

Thursday, November 16, 2006

Here Begins "Cobb on Tech"

So, I decided I need a separate place to keep all my tech-related thoughts (to be honest, I didn't realize I was going to have so many).

Some of them will be migrating here from "Cobb On" and "scobb's non-blog."

If there is something specific in the hi-tech space that you would like me to comment on, let me know.