
Apologies for the mangled French title.  The BBC reports that several companies are challenging a French law insisting that they keep a record of users’ real names, telephone numbers, addresses, and–most damningly–passwords, to be turned over to police on demand.

In a properly built system, the passwords themselves are never stored.  Instead, when an account (and its password) is created, the password is passed through a one-way mathematical function to produce what is called a ‘hash’.  Much as reconstructing an order of ham hash into the original ham and potatoes is more difficult than anyone can reasonably be expected to accomplish, reconstructing a password from its hash is intended to be next to impossible.

When the user logs in, the password they type is passed through the same function again, and the result is compared with the entry in the password table.  Since the function is designed so that different inputs produce, for all practical purposes, different results, matching hashes mean the password was entered correctly.

The recent high-profile crack at Gawker, where the password database was compromised, was only possible because their hashing algorithm was weak and most users’ passwords were also weak.  Indeed, the algorithm itself was not actually reversed; instead, a database known as a ‘rainbow table’ was used, which is the result of passing a dictionary of common passwords through a known hashing algorithm ahead of time, so that a leaked hash can be matched against it by simple lookup.
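The store-and-check cycle described above, as a concrete added example (not code from any of the companies or systems mentioned here): passwords are turned into salted, iterated verifiers with PBKDF2 from Python's standard library, login re-derives and compares, and a small constructed dictionary shows why an unsalted fast hash falls to a precomputed table while the salted, iterated form does not. The verifier format, the iteration count and the password list are choices made for this example.

```python
"""Store password verifiers rather than passwords.  Added example, not the
code of any system the post discusses; the stored format and the work
factor are choices made for this example."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000   # work factor chosen for this example; real deployments tune it higher


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a verifier string 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn when none is supplied, so two users with the
    same password end up with different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the candidate password and compare in constant time.

    Nothing in storage is the password itself: only the salt, the work factor
    and the digest are read back."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Why a weak, unsalted hash is not enough -------------------------------
# A constructed list standing in for a dictionary of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "baseball"]


def unsalted_sha1(password: str) -> str:
    """The kind of fast, unsalted hash a precomputed table is built against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(words):
    """Map hash -> password for every word in the dictionary, computed once up front."""
    return {unsalted_sha1(w): w for w in words}


def recover_from_table(stored_hash: str, table) -> Optional[str]:
    """A leaked unsalted hash of a common password is broken by one dictionary
    lookup.  A salted, iterated verifier is not: the table would have to be
    rebuilt for every salt and every work factor."""
    return table.get(stored_hash)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("stored verifier:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("password", stored))
    table = precomputed_table(COMMON_PASSWORDS)
    print("leaked unsalted sha1 of 'password' recovers:",
          recover_from_table(unsalted_sha1("password"), table))
```

The salt is what defeats a one-off precomputed table, and the iteration count is what makes even a per-user dictionary run expensive; a database that stores the plaintext, as the law would require, gives an attacker both for free.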

This French law completely ignores best practices.  Besides the obvious privacy concerns, it requires that the companies make passwords available to the police–which means that, rather than a database of the hashes, the companies will be required to keep a database of the actual passwords.

This is an unnecessary and badly thought-out requirement, as it lays every single person in France who uses any of these services open to theft of their accounts should anyone be successful at exfiltrating the associated databases.  Worse, given that real names and addresses are associated with these accounts, it provides very nearly one-stop shopping for any French identity that an attacker could wish to have.  

In essence, no company that engages in anything resembling standard security practices can operate in France unless it irreparably damages its standard procedures in order to do business with that country.

This law is badly thought-out and will irreparably damage France’s status in the EU and on the world stage.  Anyone who wishes for security in their dealings should avoid any companies that provide this data, as these databases will be inherently insecure.

Chase has reported (amongst other companies) that the vendor who handled their email notifications, Epsilon, suffered a security compromise and customer email addresses had been leaked.

While this is unlikely to result in a disclosure of financial information (given that financial information is generally not sent out via email, at least not to unsecured addresses) it does throw into the spotlight the practice of outsourcing IT functions to other companies.

Outsourcing is the practice of contracting with another company for the implementation of some of a company’s business functions.  This allows the business to focus on its core competencies while still maintaining relevance in the marketplace; the company doing the business functions acts, in effect, like a subdepartment of the company.

At least, that’s the theory.

Common outsourcing targets tend to be business functions that the company feels that they can do without the headaches of trying to manage: marketing, for instance, can be contracted out to any number of professional marketing firms (hence the sometimes edgy ads that get retracted now and then).  Customer service is also frequently contracted out to any number of outfits that provide call centers and the requisite infrastructure to maintain the same.  IT is also a frequent target of outsourcing, especially given the usual lack of ability of business majors in the field–it is the confluence of IT and customer service that gave rise to the Indian call centers that have dogged Tier 1 technical services for the past decade or so.

(Note: IT technical support tiers are numbered from Tier 1 to Tier 3, with Tier 1 talking to most customers and Tier 3 being highly technical experts who focus on fixing specific subsets of hardware or software problems)

At the confluence of marketing and IT lies Epsilon and other companies of their sort, that send out notification and solicitation emails to customers.  They are generally provided with a list of names and contact information (email addresses in this case) and serve as a distribution point for status notifications and the like.  Theoretically, the contracted company can manage the large quantities of mail to be distributed without the contracting company needing to manage a datacenter of the magnitude required.

Unfortunately, this results in an increased attack surface for anyone interested in penetrating the security of the institution; especially for those institutions that deal with financial information.  Any information is good information, as far as attempting to penetrate the defenses of a bank, and commonly-checked email addresses provide two venues of attack.

The first venue is, naturally, phishing attacks.  With a list of known-good email addresses and a context for the attack, significant numbers of phishing emails can be sent to customers purporting to require their immediate intervention in order to ameliorate some problem.  This can result in significant compromise of the customers’ information, as incautious customers (who have not taken email security to heart) may end up handing the persons or organizations behind the compromise more than enough information to steal their identities.

The second venue will, in the case of this bank, require a bit more finesse; Chase requires pseudo-two-factor authentication, requiring any device without an identifying cookie set to re-register with the website to login and perform any financial transactions.  However, combined with any information gathered from a phishing attack and a knowledge of typical psychology, educated guesses can be made as to the credentials required to enter both the requisite email account and the bank credentials, in order for more profitable monetary gains to be made.  

Chase’s fraud department is likely to be very busy in the next few weeks.

No information seems to be immediately available on how the compromise at Epsilon was effected, but all the usual recommendations on avoiding phishing–link is above–apply, especially regarding not clicking on any links found in an email and independently checking any recommendations made by an email purporting to be from a financial institution, especially an unsolicited email.

Here’s a bit of Monday morning fun: Slashdot reports that SQL.com was cracked via an SQL injection attack.  

SQL is the query language behind a very large number of database installations around the globe.  An SQL injection is when an attacker bypasses the normal front-end for the database by supplying input that the application pastes into one of its own queries, so that the attacker’s text is executed as commands, usually with the aim of either stealing information or of corrupting or changing the database in some fashion.

Cross-site scripting, also mentioned in the article, is a means by which such attacks can take place.  This is a slightly more complex vulnerability–essentially, it occurs when the client, rather than the server, is used to validate requests against the server.  If that is the case, then a sufficiently competent attacker can craft a malicious version of the script produced by the webpage in question and serve that to users (via the usual social engineering methods) in an attempt to gain login credentials, session credentials, or other information about how the resources are generally accessed.

Combining the two can lead to a theft of credentials usable for gaining access to the whole of the database for whatever purpose the attacker wishes–the “pwnage” that many attackers seek to gain.

The vulnerability in the SQL database was apparently, according to the articles linked above, discovered in January by some enterprising folks out of Romania.  Whether it was reported ahead of time is not known to this author at this time–the original resources are protected behind a policy setting at a Romanian exploit site, and the XSS (cross-site scripting) vulnerability has a publication date of April 1–though this could be January 4, and a dd/mm/yy rather than mm/dd/yy confusion.  

The vulnerability in question appears to be something rather obvious; the attack is carried out by inserting a “script” HTML tag into the URL of the requested resource.  

The countermeasures to prevent this sort of thing happening are twofold:  first, of course, is never to click on a URL without knowing what it is you’re clicking on.  Think before you click.  There’s no reason to click on a link with an HTML tag embedded in it, normally; such links are typical of attempts to exploit security flaws, and are not often used by legitimate sites.

Secondly, if you are designing a site, assume that any input coming from the client side is unsafe and must be validated on the server–there’s no point putting the validation mechanism out where it could be changed.  JavaScript is inherently open-source because the source must be served to the client machine in order to run; as such, any vulnerabilities present in it will be found eventually.  There’s no way to ensure that input coming to your servers is being sent by the same JavaScript that was served from them originally; take this into account when designing your sites, and you will not be vulnerable to this kind of attack.
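Both flaws, and the server-side handling the post calls for, as an added example in Python (not code from SQL.com or from the linked articles): a user lookup built by string concatenation beside a parameterised one, and a page that echoes a URL parameter verbatim beside one that HTML-escapes it. The user table and the inputs are constructed; sqlite3 stands in for whatever database the real site uses.

```python
"""Vulnerable and hardened handling of untrusted input.  Added example, not
code from the site or articles the post discusses; the user table and the
sample inputs are constructed."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username: str):
    """Builds the SQL by concatenation: the input becomes part of the query text,
    so a quote in it ends the string literal and the rest is run as SQL."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str):
    """Parameterised query: the value travels separately from the query text and
    is only ever compared as data, whatever characters it contains."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


def render_vulnerable(search_term: str) -> str:
    """Reflects a URL parameter into the page verbatim, so markup in it is
    interpreted by the browser."""
    return "<p>Results for: " + search_term + "</p>"


def render_safe(search_term: str) -> str:
    """Escapes the parameter on the server, so the browser shows it as text."""
    return "<p>Results for: " + html.escape(search_term, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"          # classic constructed probe: a quote and an always-true clause
    print("concatenated query returns", len(find_user_vulnerable(db, tainted)), "rows")
    print("parameterised query returns", len(find_user_safe(db, tainted)), "rows")
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
```

The point of the parameterised form is that no amount of client-side checking is needed for it to be safe: the database driver never lets the value change the shape of the query. The same holds for escaping on output, which is the server refusing to trust that the script it served is the one that built the request.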

There’s a quote from the early days of the internet that seems to show up fairly often when discussions of censorship, neutrality, and the like appear: “The Net interprets censorship as damage and routes around it.”

The internet was originally conceived by DARPA as a robust network capable of surviving immense disruptions caused by, specifically, nuclear war and other societal disruptions.  The whole point of all the protocols that underlie the internet as we know it today is to get data from point A to point B in as reliable a fashion as possible, and to make sure that the data at point B matches that at point A as closely as possible.  From a technical standpoint, any parts of the network between points A and B that filter out the data as objectionable will be avoided during the routing; even in a naive packet switched network, such a system that ‘damaged’ the transmission of the data would merely slow, rather than stop, transmission.  More intelligent networks with routers set to optimize the routing of their payloads will, in time, actively work to avoid such networks, as the dropping of packets containing censored payloads would be reported by the other endpoint and would, accordingly, count as a failed delivery.

However, the technical solutions aren’t always enough; some countries like, to pick a particularly large example, China, have sought to control their citizens’ access to the internet wholesale–they’ve split off their part of the internet as a sort of walled garden and have employed, to strain the metaphor, enormous guard dogs to examine all ingoing and outgoing traffic for subversive messages.

This is where another part of the network comes into play: the people who design and build communications technology.  While certainly there are any number of very competent hardware and software engineers working for the Chinese government to assist them in keeping their citizenry (and netizenry, as it were) with toes to the party line, there are just as many competent people within who want to know what goes on in the outside world–and even more people outside who have a dedication to ensuring that information be freely available to those within the firewall.  This layer of damage may cover layers one through seven of the networking model, but layer 8–the users–can always eventually find a way to route around a faulty connection.  

Several countries already consider internet access–that is, access to the full spectrum of information that the citizenry needs in order to make an educated and appropriate judgement about their affairs, and to participate in human society–as a fundamental human right.  It’s a required part of freedom of speech and of the press–two rights enshrined in the first amendment that recognize only through the free flow of information can an effective democracy exist.

It’s very telling that, during the recent unrest in Egypt, one of the first steps that the former government took to attempt to quash the protests against it was to shut down this information flow–all the ISPs were forbidden to route traffic out of the country, and Egypt more or less disappeared from the map.  Workarounds were available within hours, with network connections being routed to modems and the like; the damaged connections were bypassed–not in the most efficient manner, but bypassed nonetheless–and the flow of information resumed.  This same government that ordered the connections shut down (and, incidentally, harmed the economy of the country greatly, for no economy can exist today without significant information flow) was overturned.

As one means to combat censorship and the like, Google is spending a significant sum to develop a suite of tools that can help to detect various kinds of censorship, to enable layer 8 in making effective decisions about the lower layers of the network.  While Google’s motives may not be entirely altruistic–they’ll doubtless benefit from knowing what networks are most restrictive and the pressure that will be generated on them to open up–they are useful for the internet’s health at large; an undamaged network is an efficient–and useful–network for commerce, for entertainment, and for freedom.

The Las Vegas Sun reports that notable patent troll Righthaven, in its crusade to protect the intellectual property rights of the newspapers that it seeks to ‘protect’ by extorting payments from various bloggers and suchlike, may have accidentally reduced the security of those same intellectual property rights.

Righthaven is notable for having been formed for the exclusive purpose of filing lawsuits–they have no other product nor service than to act specifically to quash anyone who uses the intellectual property of the Las Vegas Review-Journal (or, later, the MediaNews Group) in any way.  Much in the same fashion as the RIAA, Righthaven extorts ‘settlement’ payments from anyone found using their property–regardless of fair use or reprint status–without specific license to do so.

When they turned to bigger fish, Righthaven made the news when they demanded as compensation for alleged infringement the Drudge Report name and domain–a demand far out of proportion of the alleged infringement.  

Now, it appears that they’ve managed to end up with a bit of a setback.  Per the court decision handed down by the US District Court in Nevada, Righthaven has inadvertently ended up reducing the protections of the Copyright Act that it sues under.  The case in question is that of a nonprofit organization that reprinted, not excerpts, but the entire story on its website–something that would usually go far beyond fair-use protections and which, under normal circumstances, would likely be taken care of with a phone call or an email to the site administrators.  Due to Righthaven’s suit, however, and their habitual tactic of filing aggressive and overreaching suits against those who are well within fair-use usages, it appears that the judge in question was of the opinion that, at least in the case of this nonprofit, a reprint of the entire article was within fair usage.

Needless to say, this is not the outcome that Righthaven nor the original owners of the intellectual property that they sue with wanted.

An interesting point has come up in this case, deriving from an argument made by certain opponents of Righthaven–that Righthaven has come to no actual harm due to these infringements, because it has no actual product nor service deriving from the possession of these intellectual property rights.  Because the only use that it has for this IP is to file lawsuits based on its supposed standing as the owner of the properties being infringed upon, any infringement has no actual economic impact on Righthaven’s operations.

This particular argument could be very useful in other areas where patent and copyright law is used more to quash competition than to encourage innovation.  eBay v. MercExchange may come into play (mentioned by a poster here) in determining the factors for which to issue permanent injunctions.  In other words, if this decision against Righthaven holds up, other so-called copyright trolls may have their business crushed: even if people are found to be infringing upon the IP that they hold the rights to, there is no economic harm to the holder of the IP, because it has no product or service that depends upon it.

This is potentially very good news for small business people who currently have to worry about whether or not they are infringing patents and suchlike held by larger corporations.  Being able to innovate without the constant worry of whether or not some other entity will force you to stop doing business due to some overly broad patent is an important factor for innovation, and further decisions of this sort may well help to increase these factors.

In the summer of 2007, a rumor appeared in the mainstream press speculating on whether famous airhead heiress Paris Hilton had been disinherited.  This story hit all the right notes for wide distribution–a famous person well into the 15-minutes-of-fame cycle as the lead character; a personal tragedy that seemed to be karmically appropriate; and at one of the slower parts of the year.  

As it happened, the story was entirely fake–Hilton had not been written out of the family will; the story–such as it was–more or less went away after that.  How did this happen?

Journalistic ethics require that sources be cited–anything else is plagiarism and is, when found out, punished severely.  Careful reading of the stories when they broke in the US media all linked back to one of several sites in the news.com.au domain.  Looking at those articles and carefully crafting searches to find other articles without the links to news.com.au revealed no other sources–the only source for these rumors was one particular subsite on news.com.au which, when the story was published there, was automatically republished across the other domains held by that site.  The original published article did not cite any sources–no credit was given to a specific publication, no interviews were mentioned, and no mention of even “an unnamed source close to” the person of interest was made.

Leaving aside the complete lack of journalistic integrity evinced by the news.com.au organization for calling this “news”, and leaving aside the complete lack of competence of all the major news organizations who picked up the story and reprinted it without any further investigation, this incident provides an interesting situation for determination of the validity of information.

If information can be traced to only a single secondary source, that information is probably not valid.

This comes into play with the dissemination of urban legends as well–in most cases, urban legends are confabulated from a mixture of half-remembered stories and anecdotes from friends mashed together; there will be no actual friend-of-a-friend who this happened to.  A story is heard and then repeated; the more repetitions it goes through, the more likely it is to appear to come from multiple sources–but it is, on the whole, just the same thing spread out, like peas on the plate of a schoolboy.

The counter to being deceived by these sorts of stories is at once obvious and difficult:  trace sources.  When an article appears, look for what sources the article cites; find those sources, and trace the story back to whoever originally broke it.  In most cases, there will be some original interview or other primary source immediately concerned with the event who will be available; at that point, an evaluation on the reliability of the source can be made.

Unfortunately, this is a time-consuming task and one which is not normally possible for most people to carry out regularly; most people do not have the time nor the inclination to spend that time searching through archives (which may be rapidly changing, due to the immediacy of the news cycle, and which may be ‘contaminated’ by later revisions) to find out where information came from.

Developing an organization for the evaluation of news stories in this fashion to determine their reliability would be a definite plus.  Such an organization would very much help journalistic integrity, in that a visible mark of the reliability of a story would encourage a higher standard of journalism.  It would help to neuter certain memetic hazards by nullifying their influence.

It would help to defeat astroturfing as well; marketing organizations hired to push a message must, by necessity, remain consistent on the message that they are pushing; regardless of the amount of variation, certain key phrases will end up being repeated, and those can be traced on a timeline.  Fuzzing the message with synonyms may make the tracing harder, but also much less effectively spread–much of the appeal behind certain messages lies with the specific wording of the slogan.

A lie has time to go around the world before the truth can get its shoes on–thus spake Churchill, Twain, and Spurgeon.  Many stories appear appealing on their face, but repeating them without determining the source of their allegations can be very detrimental, as was found out when the US invaded Iraq based on what turned out to be an unverified rumor promulgated by a single source.

Beer, in general, is one of the oldest beverages known to man.  Being the result of spoiled grain, originally, beers have been refined over the ages into various kinds depending on their characteristics–there are lagers and weissbiers on the light end; ales of various sorts in the middle; and then there are stouts.

A stout (there is some overlap with the porters, but given today’s date, Irish stouts are the obvious focus) is a dark, strong beer formed from roasted malts and barley, together with hops, water and yeast.  The term ‘stout’ may have originally applied merely to the strongest of a brewery’s offerings, but present-day brewers have more specific standards as to what does and does not constitute a stout.

One of the more widely successful stouts, Guinness, has the distinction of being pressurized not only with carbon dioxide (produced by the fermentation of the sugars in the malt and barley by the yeast–the yeasts consume sugar and release both alcohol and carbon dioxide as byproducts) but with nitrogen.  Together with the specific design of their taps and the type of glass typically recommended for use with the stout, this gives a very distinctive appearance to the product as prepared for use.

Additionally, Guinness is most famous for the phenomenon of the ‘sinking bubbles’–where the gas bubbles appear to defy expectations and sink to the bottom of the glass rather than rise like they ought.  As it turns out, this does happen in other beers; Guinness just happens to have the right combination of reduced visibility to block out the center column of rising bubbles driving the convection that carries the smaller ones down the outside and contrast in color between the froth and the beer itself to make these bubbles visible.

As an exercise, the reader may wish to carefully examine this phenomenon with a freshly-poured Guinness today.  In the interests of proper investigation, it is advised that a sufficient sample size be obtained for meaningful statistics to be extracted, and that the experiments take place in a safe, controlled environment.  Disposal of the samples after measurements are obtained are, of course, entirely up to the lab director’s discretion.

The foundation of democracy–the foundation of representative government–is the principle of free access to information required to make effective choice.  Without this information, there’s no way to tell, for instance, which of two candidates is most suited for your particular set of causes–other than the words of the candidates themselves, which are neither reliable nor likely to be accurate.  

Accordingly, without this free access to information, the very founding principles of government will be compromised.  Without free access to information, there is no means of remaining properly informed about events in the world and in the country to make an effective choice.  Without free access to information, there is no effective way to keep educated, to remain competitive in the job market.  Without free access to information, we may as well live in a third-world country, overseen by a dictator.

AT&T, a monopoly already broken up once, has decreed that it will impose arbitrary and undocumented usage caps on its “broadband” offerings.

Leaving aside that there is already an intrinsic cap in place–their internet connections are charged by the alleged peak download speed; rate multiplied by time yields amount, as anybody with a fourth-grade education could tell you–these caps and the associated overage fees are clearly an anticompetitive practice aimed at restricting the entertainment options of the subscribers.

AT&T has been pushing their “U-verse” service–a combined internet and TV package–to subscribers for more than a year now.  UVerse delivers content digitally, so the TV shows that they are pushing use the very same connections that the internet services do–however, only the internet service not directly connected to their TV service–TV that they receive advertising revenue for–is capped.

Their excuse is, as always, that a “small population” of users use a “disproportionate” amount of the bandwidth available.  This is the same excuse that has been tried and has been shot down by numerous other ISPs.  There are numerous reasons why this is fallacious, not the least of which is that the technology already exists to ensure continued QoS during peak hours.

AT&T has been happy to market their connections as “unlimited” for years, and to receive new customers on this basis.  Any change now amounts to the most fraudulent sort of bait-and-switch, especially combined with the obvious anticompetitive, monopolistic capping of all competitive services to their in-house TV service.

This is the very sort of thing that net neutrality was intended to prevent–this erosion both of consumer rights to freely consume whatever content they desire, and to obtain the information they require to make effective choices.  Without free access to information, there is no means to accomplish a democracy.

Given the recent 8.9 shock off Japan and the swarm of other earthquakes associated with it, relief agencies have begun raising funds to aid the people in the affected areas.

Unfortunately, as has been seen during the disaster recovery efforts in Haiti and other disasters, various criminals will often take advantage of people’s inclination to help in order to skim off funds for themselves.

Finding a charity that’s both legitimate and helpful is not that difficult a procedure, but it requires some serious thought.  

First, you can go with a recognized name.  The Red Cross has been a watchword for disaster relief for more than a hundred years; they are visibly there doing good work in previous disasters.

Secondly, several ranking services exist for evaluating charities; Charity Navigator has an accessible interface with familiar ‘star’ ratings for various charities.  Looking through the listings for appropriate charities to give to is an easy way to ensure that your funds will end up in legitimate hands.

Third, if you have any friends who are known to be active in social programs like charities, asking their advice on whom to give to before you give may be a good idea.  

On no account should you respond to an email nor a telephone call, especially one that arrives unsolicited.  Yesterday’s article on phishing applies heavily here; several phishing scams raked in–sadly–significant dollar amounts during the Haiti earthquakes.  The best way to avoid being taken in is not to grant the opportunity: make the first and only contact from you to the charity, and give directly.  

Heinlein once wrote:  

 A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.

This was during the 20th century, before the beginning of the so-called “Information Age.”  At that time, computers were in their infancy and the vast floods of information that would be generated as a result of widespread capacity to easily store and replay this information were still in the future.  The Library of Congress was only composed of printed matter–the archiving of movies and such had not yet begun–and what data storage technology there was could handle a few megabytes, at most.

Today, the Internet Archive, a project built to act as a record of how the Internet has grown and changed, has a capacity of just under 4 petabytes.  To put this in perspective, the sum total of a human’s experiences throughout their life may equal 1 petabyte.  

This is not to say that Heinlein’s ideal of a broad knowledge-base is no longer fulfillable, but that expectations may need to be revised in some fashion.  The Internet Archive, after all, holds only a snippet of existing human knowledge–there’s little in there from scientific journals, for instance, or from other specialized documents.  Hundreds of times as much information remains locked away in various corporate archives–chip designs, calculations for auto efficiency, rocket and satellite schematics, and other proprietary secrets.  Governments, too, have a vast knowledgebase–intelligence, engineering of secret projects, valuable historical documents and footage of various sorts.

However, this same interconnection that has fostered an explosion of knowledge has also enabled a unique opportunity to both fulfil and reject Heinlein’s standards for human knowledge:  given the ability to ask for, and receive, reasonably-accurate information on a moment’s notice from a vast body of users–many of whom may very well be the specialists that Heinlein decries as insect-like–one can retain one’s own specialization without giving up the access to the body of knowledge that represents humanity.

There’s a joke about a chemist, a physicist, and an engineer who are all given a red rubber ball and asked to determine the elasticity.  The physicist performs a simple experiment with a meter-stick to determine a known drop height.  The chemist does an analysis of the rubber compound to determine energy storage.  The engineer pulls out his Pocket Ref and looks up the entry for “Ball, Rubber, Red.”

Three very different approaches–the first two depend on primary knowledge, while the third takes the sum of accumulated knowledge and accesses it when it’s needed.  This is similar in many ways to how information access works in this age of interconnection:  there are those who perform the actual measurements, and there are those who combine and manipulate those data.

Overspecialization is still crippling, though:  the old adage about hammers and problems still comes into effect if you’re so specialized as to forget that there are other tools–the method of statistical analysis that was published in a biological journal that amounted to a rough approximation of integrals comes to mind–and end up reinventing the wheel.  Even worse, if there is a lack of cooperative information available–for our academic society is often antagonistic rather than cooperative, with ‘publish or perish’ being the byword–the same ‘discovery’ may end up being made independently many times over, and the litigation over who stole what from whom further distracts and detracts from our progress as a species.

That’s not to say that our progress has been entirely hindered by antagonistic scholars, though; this self-same antagonism, this constant sniping at others’ work, is necessary: it provides the requisite evolutionary pressures for our body of knowledge to grow and change.  As phlogiston gave way to energies of combustion; as the luminiferous aether and the crystal spheres gave way to Kepler’s orbits and, then, to Einstein’s modifications, so too will today’s ideas be subject to future revision as hungry researchers and scientists look to make a name for themselves.

The key is, here as everywhere, to strike a balance:  to keep these researchers hungry enough to progress, but sated enough not to obstruct others’ access to their material.  Research needs to be shared to be useful; the only way an insect can be a man is if he can access the specializations of all the other insects well enough to do whatever needs to be done, and in the most efficient way possible.
