Nokia’s New Keyboard, And The Limitations Of Bluetooth

Nokia are getting into the keyboard game, clearly hoping their new range of mobile phones is going to replace PDAs (via blueserker).

The Nokia Wireless Keyboard SU-8W uses Bluetooth and will work with the Nokia 7610, Nokia 6260 and Nokia 6630 mobile phones. In the future, Nokia says, more phones may be added to this list. The keyboard is expected to be available in the last quarter of 2004.

Nothing surprising here, except the Bluetooth element. Why won’t the keyboard work with other Bluetooth phones? Some writers have pointed out the keyboard uses the Bluetooth Human Interface Device, or HID, profile, meaning, according to mobileburn.com, “that it should work with many other Bluetooth devices that also support that profile, such as PCs and PDAs”.

And why, according to Nokia, won’t it work at the same time as a Bluetooth headset? Nokia says, “You can only use one enhancement using Bluetooth wireless technology at a time.” Huh? I thought the whole point of Bluetooth was that it would hook up all sorts of gadgets without limit. In my uninformed world, headsets used specific Bluetooth profiles — Handsfree and Headset — while keyboards and whatnot used the HID profile.

Conclusion: Either manufacturers are not implementing Bluetooth properly — intentionally, perhaps, to limit users to their brand and new models — or Bluetooth is not as good as it’s supposed to be. Either way, I hear more warning bells sounding for the future of the wireless standard.

RSSpam, And The End Of A Medium’s Innocence

Will spam kill off RSS?

I’m a bit late spotting this, but I noticed today that Moreover’s RSS feeds contain a lot of ads. 2RSS.com noticed the same thing about a month ago. In fact there’s already been quite a discussion about the phenomenon, since not only Moreover does it. Indeed, there’s some talk that Blogger is actually inserting ads into the news feeds of its users.

What’s worrying is that all this is going on without much thought towards — or the consent of — the end-user. Moreover’s feeds, for example, not only include no AD: prefix that may help the user get a sense of what is actually part of the feed and what is RSSpam, but they also configure the spam so that every time you update your feed — or your RSS reader does it for you — the same piece of spam will pop up. This means, as this example from the Jason Murphy Show illustrates, large quantities of spam per valid item.

All this shows a lack of thought and consideration for what is still a very new medium. If you want to kill off RSS, Moreover has the answer. Of course, there’s also the need for these guys to make money. But this is not the way to do it. Ads are better served within the content, so that, for example, if you click on the item itself so that the full content loads, the ad itself will appear along with the content.

Another point: Folk argue whether ads included in RSS feeds are spam or not. I say anything that’s sent to you without you agreeing to it is spam. (I don’t recall agreeing to it when I included the Moreover RSS feed in my reader, although I’m willing to stand corrected. The only time I’ve had to click on something to acknowledge the existence of a user agreement was with the Telegraph feeds.) Folks need to be told, before they sign up for a feed, that it includes spam.

The bottom line here is that this grapeshot approach to ads in RSS feeds endangers the medium before it’s taken off. Apple are including RSS in a very interesting and imaginative way in their new OS but there aren’t going to be many takers if feeds are polluted by too many ads that aren’t even contextual (I noticed ads for free golf clubs and microdermabrasion, whatever that is, in my Moreover feed on East Timor news). Keep pulling that stunt, Moreover, and you’ll lose everyone’s interest very quickly. RSS was supposed to be the answer to mailboxes full of rubbish, not an alternative means of delivering that rubbish.
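What a feed reader can do about the behaviour described above, as an added example (this is not code from Moreover, Blogger or any feed reader): honour an “AD:” title prefix where a publisher supplies one, and remember every item already delivered so the same ad cannot reappear on each refresh. The two feed snapshots are constructed; the second is what a later refresh might return when the publisher re-serves the same unlabelled ad.

```python
"""Feed-reader defences against repeated, unlabelled ad items.
Added example; the feeds below are constructed, not real Moreover output."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

FETCH_1 = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed East Timor news feed</title>
<item><title>Parliament sits in Dili</title><link>http://news.example/1</link>
      <guid>news-1</guid><description>Constructed item.</description></item>
<item><title>Free golf clubs!</title><link>http://ads.example/golf</link>
      <description>Unlabelled ad, re-served on every refresh.</description></item>
<item><title>AD: Microdermabrasion kits</title><link>http://ads.example/skin</link>
      <description>Ad that the publisher did label.</description></item>
<item><title>Aid convoy reaches Baucau</title><link>http://news.example/2</link>
      <guid>news-2</guid><description>Constructed item.</description></item>
</channel></rss>"""

FETCH_2 = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed East Timor news feed</title>
<item><title>Ferry timetable changes</title><link>http://news.example/3</link>
      <guid>news-3</guid><description>Constructed item.</description></item>
<item><title>Free golf clubs!</title><link>http://ads.example/golf</link>
      <description>Unlabelled ad, re-served on every refresh.</description></item>
<item><title>Aid convoy reaches Baucau</title><link>http://news.example/2</link>
      <guid>news-2</guid><description>Constructed item.</description></item>
</channel></rss>"""


def parse_items(rss_xml: str) -> List[Dict[str, str]]:
    """Flatten each <item> into a dict of the four fields we care about."""
    root = ET.fromstring(rss_xml)
    items = []
    for node in root.iter("item"):
        items.append({f: (node.findtext(f) or "").strip()
                      for f in ("title", "link", "guid", "description")})
    return items


def item_key(item: Dict[str, str]) -> str:
    """Use the publisher's guid when present; otherwise hash the visible
    content, so an ad re-served without a guid is still seen as a repeat."""
    if item["guid"]:
        return "guid:" + item["guid"]
    blob = "\x1f".join((item["title"], item["link"], item["description"]))
    return "hash:" + hashlib.sha256(blob.encode("utf-8")).hexdigest()


class FeedReader:
    """Tracks delivered items across refreshes of one feed."""

    def __init__(self) -> None:
        self.seen = set()

    def refresh(self, rss_xml: str, honour_ad_prefix: bool = True) -> List[Dict[str, str]]:
        """Return only items the user has not been shown before, dropping
        anything the publisher marked with an AD: prefix."""
        fresh = []
        for item in parse_items(rss_xml):
            if honour_ad_prefix and item["title"].upper().startswith("AD:"):
                continue
            key = item_key(item)
            if key in self.seen:
                continue
            self.seen.add(key)
            fresh.append(item)
        return fresh


if __name__ == "__main__":
    reader = FeedReader()
    for n, snapshot in enumerate((FETCH_1, FETCH_2), 1):
        print(f"refresh {n}:", [i["title"] for i in reader.refresh(snapshot)])
```

The unlabelled golf ad still gets through once, which is exactly the author’s complaint: without a prefix the reader cannot tell it from news. The content hash only stops it being shown again on every refresh.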

‘Hundreds Of Websites Still Infected By Scob Trojan’

Just how many websites have been compromised by last week’s attack of the Scob trojan?

A report released today by Cyveillance, a U.S.-based ‘provider of online risk monitoring and management solutions’, concludes that 641 sites were still infected with the JS.Scob.Trojan virus as of June 27, 2004. The company says it used its proprietary Internet monitoring technology to visit all known sites running Microsoft Internet Information Services 5.0 (IIS) — the vulnerable software — and identify which ones were compromised.

As Cyveillance CEO Panos Annastasiadas points out, “this newest form of phishing is far more devious than email-based attacks since a key-stroke logger is installed completely passively on the individual’s computer, without the victim falling for a scam.” Annastasiadas also says “loggers can capture far more personal information than is typically shared with a single phishing site.” That’s an interesting assertion, and I’m not sure it’s completely true. Some phishing sites sought — and presumably got — a wide array of personal information that would not normally be typed into the computer (and therefore not usually caught by keyboard loggers). Of course, the trojan in question may capture more than keystrokes, by, say, probing the hard disk, but I would say a social-engineered phishing attack that lures the victim into entering private data on a kosher-looking web site is going to give the attacker a much more complete picture for the purposes of ID fraud and emptying bank and credit card accounts than random passwords logged and sent back to scammer HQ.

Anyway, Cyveillance says it gathered its data from a previous audit it had conducted of some 50 million web sites, or domains. This audit had revealed some 6.2 million web sites known to run IIS 5.0, the Microsoft software with the hole. It then ran its proprietary technology over those web sites and found 641 confirmed cases. It doesn’t say what those domains were, and 641 doesn’t sound a lot. But given that this test was run several days after the initial attack, probably most of the people running those domains don’t know they’re infected, so that’s still 641 too many.

Phishing Gets Proactive

Scaring the bejesus out of a lot of security folk this weekend is a new kind of phishing attack that doesn’t require the victim to do anything but visit the usual websites he might visit anyway.

It works like this: The bad guy uses a weakness in web servers running Internet Information Services 5.0 (IIS) and Internet Explorer, components of Microsoft Windows, to make the server append some JavaScript code to the bottom of webpages. When the victim visits those pages the JavaScript will load onto his computer one or more trojans, known variously as Scob.A, Berbew.F, and Padodor. These trojans open up the victim’s computer to the bad guy, but Padodor is also a keylogging trojan, capturing passwords the victim types when accessing websites like eBay and PayPal. Here’s an analysis of the malicious script placed on victims’ computers from LURHQ. Think of it as a kind of outsourced phishing attack.

Some things are not yet clear. One is how widespread this infection is. According to U.S.-based iDEFENSE late Friday, “hundreds of thousands of computers have likely been infected in the past 24 hours.” Others say it’s not that widespread. CNET reported late Friday that the Russian server delivering the trojans was shut down, but that may only be temporary respite.

What’s also unclear is exactly what vulnerability is being used, and therefore whether Microsoft has already developed a patch — or software cure — for it. More discussion on that here. Microsoft is calling the security issue Download.Ject, and writes about it here.

Although there’s no hard evidence, several security firms, including Kaspersky, iDEFENSE and F-Secure, are pointing the finger at a Russian-speaking hacking group called the HangUP Team.

According to Kaspersky Labs, we may be looking at what is called a Zero Day Vulnerability. In other words, a hole “which no-one knows about, and which there is no patch for”. Usually it has been the good guys — known in the trade as the white hats — who discover vulnerabilities in software and try to patch them before they can be exploited, whereas this attack may reflect a shift in the balance of power, as the bad guys (the black hats) find the vulnerabilities first, and make use of them while the rest of us try to find out how they do it. “We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,” commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

In short, what’s scary about this is:

  • we still don’t know exactly how servers are getting infected. Everyone’s still working on it;
  • suddenly surfing itself becomes dangerous. It’s no longer necessary to try to lure victims to dodgy websites; you just infect the places they would visit anyway;
  • users who have done everything right can still get infected: even a fully patched version of Internet Explorer 6 won’t save you from infection, according to Netcraft, a British Internet security company.

For now, all that is recommended is that you disable JavaScript. This is not really an option, says Daniel McNamara of anti-phishing website CodePhish, since a lot of sites rely on JavaScript to function. A better way, according to iDEFENSE, would be to use a non-Microsoft browser. Oh, and if you want to check whether you’re infected, according to Microsoft, search for the following files on your hard disk: kk32.dll and surf.dat. If either is there, you’re infected and you should run one of the clean-up tools listed on the Microsoft page.
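Two checks a site owner or a worried user could run for the attack described above, as an added example (this is not code from Microsoft, LURHQ, Netcraft or the post). The first looks for the footprint the post describes on the server side: script markup sitting after a page’s closing `</html>` tag, which no authoring tool produces but a server appending code to every response does. The second picks out the two indicator filenames the post quotes from Microsoft’s guidance, kk32.dll and surf.dat, from a list of paths; `scan_tree` feeds it a real directory walk. The sample pages are constructed.

```python
"""Defensive checks for appended-script pages and the quoted indicator files.
Added example; sample pages are constructed, not captured from a real server."""
import os
import re
from typing import Iterable, List, Optional

# Filenames quoted in the post from Microsoft's guidance.
INDICATOR_FILES = {"kk32.dll", "surf.dat"}

HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)

# Constructed sample responses.
CLEAN_PAGE = "<html>\n<body><p>Hello</p></body>\n</html>\n"
INFECTED_PAGE = CLEAN_PAGE + "<script>/* constructed stand-in for the injected loader */</script>\n"


def appended_script(html: str) -> Optional[str]:
    """Return the markup found after the last </html> tag if it contains a
    <script> element, else None. A page with no closing tag cannot be judged
    this way and is reported as clean."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return None
    tail = html[closes[-1].end():].strip()
    if tail and SCRIPT_RE.search(tail):
        return tail
    return None


def flag_indicator_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name (case-insensitive, either slash style)
    is one of the indicator files."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in INDICATOR_FILES:
            hits.append(p)
    return hits


def scan_tree(root: str) -> List[str]:
    """Walk a directory tree and report indicator files found under it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    return flag_indicator_paths(paths)


if __name__ == "__main__":
    print("clean page:", appended_script(CLEAN_PAGE))
    print("infected page:", appended_script(INFECTED_PAGE))
    print("indicator files under cwd:", scan_tree("."))
```

On a web server the first check is best run against what clients actually receive (fetch the page over HTTP rather than reading the file on disk), because the post’s point is that the server adds the script at serving time, not that the files were edited.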

This week’s column – Not Wired, Just Weird

This week’s Loose Wire column is about some of the more obscure gadgets I found at CommunicAsia Expo in Singapore last week:

WANDERING AROUND last week’s technology exhibition, CommunicAsia, in Singapore, I was struck by the gulf between the big players–with their huge, noisy stands, populated entirely by well-shaped, scantily-clad men and women all under the age of 25–and the somewhat forlorn little booths in the ghettos at the back. I’m sure this is not a phenomenon exclusive to CommunicAsia but it seemed to be particularly acute there. Sure, there were some cool gismos on display among the big boys, but I found the most interesting stuff off the beaten track, most of it in the alleys and byways of exhibition hall 6 (just past the toilets, and turn left). Here is a selection, some of which may not actually be easily available until the manufacturer finds a local distributor.

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required). Old columns at feer.com here.

WhenU’s Popup Victory

WhenU, now known as Claria, has won what it calls an “important decision for the entire Internet industry” in its motion to enjoin the Utah Spyware Control Act, passed in March. WhenU had argued the Act “affects legitimate Internet advertising companies and therefore violates the First Amendment and dormant Commerce Clause of the United States Constitution, among other laws”. (Here’s a CNET story on the verdict.)

If I understand the ruling correctly (and this is based largely on Ben Edelman’s assistance), the judge has ruled that, in this particular law, Utah was unconstitutional in trying to limit popups, while it was within the constitution in trying to outlaw spyware — or more specifically, software that is installed without a licence and lacks a proper uninstall procedure. As the judge did not want to break the act in half he ruled in favour of a preliminary injunction for WhenU. Ben, who works as a consultant for the Utah government, reckons WhenU could lose on appeal, since under Utah law, the judge “is obliged to regard the act as ‘severable’” — in other words, that he can keep parts and discard parts.

Avi Naider, WhenU’s Chief Executive Officer, meanwhile, is celebrating his victory. “Spyware is a problem and we want to put an end to it,” he says in a press release. “WhenU supports appropriate anti-spyware legislation at the federal level, but unfortunately Utah’s Act also impairs legitimate Internet advertising.”

China’s Static Mobile Phone, And Its Mobile Static Phone

One of the things I noticed at last week’s CommunicAsia expo in Singapore was the range of phones. And not just fancy handhelds touted by dancing, skintight woven women, although that did claim some of my attention. But China, for example, is pumping out machines that run the gamut of needs, including desktop GSM phones.

Guanri, for example, of Shenzhen, sells several phones that use either CDMA or GSM wireless technology for phones that either sit in your office, or work as payphones, both for public places and ‘supervised locations’, which I take to mean shops or kiosks where someone can make sure you don’t run off with the phone and where they rather than the phone takes the money you owe for using it.

I realise this isn’t anything new: Africa and poorer regions do a lot of this kind of thing. But I guess this idea of a GSM phone masquerading as a desktop phone is kind of new, and represents a challenge to China’s quasi mobile market, where a technology originally devised for Japan called Personal Handyphone System (PHS) uses a Wireless Local Loop (WLL) to offer a sort of mobile access, at least when you’re in range of an antenna.

The idea, I guess, is one of applying the principle in reverse — where you can only use the cellphone when you’re near a loop — so that your use of the phone is limited by the fact that it’s physically stuck to your desk. Either way you’re making the most of what is available — a network that is not particularly farflung, but more accessible than a landline for which you’ll have to wait several blue moons.

Poor Man’s WiFi

Further to my piece on WiFi for the masses, here’s another way to cut costs: Make your own WiFi dish out of a Chinese cooking vat scoop, poke a USB WiFi dongle through the mesh, and you can pick up signals more than 10 kilometres away. Total cost: about $40 for the USB dongle, NZ$8 for the dish.

The guy behind this, Kiwi Stan Swan, has previously developed the Sardine Can Antenna. I love the ideas and think he should be marketing them to those parts of the world where WiFi is turning into a bridge from having no communications at all to having Internet and VoIP.

Behind the Akamai DDoS Attack

A bit late (my apologies) but it’s interesting to look at the recent Distributed Denial of Service attack on Akamai, an Internet infrastructure provider.

The attack blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo’s Web sites for two hours on Tuesday by bringing down Akamai’s domain name system, or DNS, servers. These servers translate domain names — www.microsoft.com — into numerical addresses. The attack was made possible by harnessing a bot net — thousands of compromised Internet-connected computers, or zombies, which are instructed to flood the DNS servers with data at the same time. This is called Distributed Denial of Service, or DDoS.

But there’s still something of a mystery here: How was the attacker able to make the DDoS attack so surgical, taking out just the main Yahoo, Google, Microsoft and Apple sites? As CXOtoday points out, Akamai is an obvious target, since “it has created the world’s largest and most widely used distributed computing platform, with more than 14,000 servers in 1,100 networks in 65 countries.”

Indeed, before Akamai admitted the nature and scale of the attack there was some skepticism that this could have been a DDoS: ComputerWorld quoted security expert Bruce Schneier as saying “My guess is that it’s some kind of an internal failure within Akamai, or maybe a targeted attack against them by someone with insider knowledge and access.”

The Ukrainian Computer Crime Research Center says it believes the attack was a demonstration of capabilities by a Russian hacker network. As evidence they point to an earlier posting by Dmitri Kramarenko, which describes a recent offer by a Russian hacker to “pull any website, say Microsoft” for not less than $80,000. The story appeared four days before the DDoS attack.
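What the “thousands of zombies at the same time” pattern looks like from the DNS server’s side, as an added example (not Akamai’s tooling or anything from the post). The query log lines are constructed in the form `<ISO timestamp> <source IP> <qtype> <qname>` using documentation address ranges; the classifier splits them into fixed time windows and separates a distributed flood (high rate from many sources) from one noisy client, which a per-client rate limit would already catch and which a DDoS defence must not be fooled by.

```python
"""Window-based detection of a distributed DNS query flood.
Added example; all log lines are constructed, addresses are documentation ranges."""
import datetime as dt
from collections import defaultdict
from typing import Dict, List, Tuple

PREFIXES = ["192.0.2", "198.51.100", "203.0.113"]   # RFC 5737 documentation nets


def bot_ip(i: int) -> str:
    """Deterministic constructed source address for bot number i."""
    return f"{PREFIXES[i // 254]}.{i % 254 + 1}"


def build_sample() -> List[str]:
    """Three 10-second windows: normal traffic, a distributed flood, and a
    single-host flood. The date is a constructed placeholder."""
    base = dt.datetime(2004, 6, 15, 10, 0, 0)
    lines: List[str] = []

    def add(offset_s: int, src: str, qname: str = "www.microsoft.com") -> None:
        t = base + dt.timedelta(seconds=offset_s)
        lines.append(f"{t.isoformat()} {src} A {qname}")

    for i in range(20):            # window 0: 20 queries, 5 clients -> 2 qps
        add(i % 10, bot_ip(i % 5), "www.google.com")
    for i in range(300):           # window 1: 300 queries, 300 bots -> 30 qps
        add(10 + i % 10, bot_ip(i))
    for i in range(300):           # window 2: 300 queries, one host -> 30 qps
        add(20 + i % 10, bot_ip(0))
    return lines


def parse_line(line: str) -> Tuple[dt.datetime, str, str]:
    ts, src, _qtype, qname = line.split()
    return dt.datetime.fromisoformat(ts), src, qname


def window_stats(lines: List[str], window_s: int = 10) -> Dict[int, Tuple[int, int]]:
    """Map window index -> (query count, distinct source count)."""
    parsed = [parse_line(l) for l in lines]
    t0 = min(t for t, _, _ in parsed)
    counts: Dict[int, int] = defaultdict(int)
    sources: Dict[int, set] = defaultdict(set)
    for t, src, _ in parsed:
        w = int((t - t0).total_seconds()) // window_s
        counts[w] += 1
        sources[w].add(src)
    return {w: (counts[w], len(sources[w])) for w in sorted(counts)}


def classify(lines: List[str], window_s: int = 10,
             qps_threshold: float = 20.0, min_sources: int = 50) -> List[Tuple[int, int, int, str]]:
    """Return (window, queries, distinct sources, verdict) per window. The
    thresholds are illustrative; tune them to the server's normal load."""
    verdicts = []
    for w, (n, nsrc) in window_stats(lines, window_s).items():
        qps = n / window_s
        if qps >= qps_threshold and nsrc >= min_sources:
            verdict = "distributed flood"
        elif qps >= qps_threshold:
            verdict = "single-source flood"
        else:
            verdict = "normal"
        verdicts.append((w, n, nsrc, verdict))
    return verdicts


if __name__ == "__main__":
    for row in classify(build_sample()):
        print("window %d: %3d queries from %3d sources -> %s" % row)
```

The distinct-source count is the part that matters for the Akamai case: the aggregate rate alone cannot tell a botnet from one misconfigured resolver, and the response differs (blocking one address versus absorbing or scrubbing the whole flood).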

More On Phishing And Top Level Domains

Further to my posting on top level domains being registered with clear criminal intent (the example I used was paypal.de.com, in ‘How to make a phish look real’) I just received this from Joe Alagna, Manager, North American Markets for CentralNic, the registrar for the TLD in question. Here’s his reply in full:

I wanted to respond to your blog article related to phishing. I am the Manager, North American Markets, for Centralnic and I want to assure you that we are very concerned about the problem of phishing as well.

There are a few issues in your article that concerned me…

1. Although we do not place restrictions on our domains, they are no more prone to phishing use than many regular ccTLDs. I have personally received phishing messages based on Chinese, Polish, Czech, and other ccTLDs. There are many ccTLDs that do not have restrictions and the trend amongst Country Code operators is to reduce those restrictions on residency, etc.

The reason for this is that ccTLD operators have found that their sales increase when they reduce restrictions. It’s a double edged sword; more sales, more potential abuse.

My point, however, is this… You are correct about our domains being easy pickings for phishers, but I think it is unfair to have singled us out because of one example (which we will investigate).

2. Centralnic would like to make it known that we are very willing to help if someone thinks that our domains are being used for fraudulent purposes. We do manage a live whois registry which can be viewed by the public and by the authorities to determine registrant details and which can be queried by any anti-phishing tool. Our whois data can be publicly viewed here.

3. Regarding your contention on registrar responsibility, there are ongoing actions within the registrar/registry community to fight fraud and phishing. The most important of which is verifying whois authenticity. You can read about some of the ongoing work here (PDF).

The problem is that with over 60 million domains registered world-wide, it is very difficult to know that each registrant is real. The industry is trying to get better at that.

4. Finally, we work with a few world renowned brand managers like MarkMonitor.com who regularly try to educate financial institutions about these problems. Companies like Bank of America have registered most all of our domains to protect their customers. It’s a little expensive, but definitely a bargain when it comes to the cost of fraud and phishing. See here.

Financial institutions have the largest risk and responsibility in this. I just want to assure you that they are not in this fight alone and that Centralnic is very sensitive to the problem.

Articles like yours are very important because when all is said and done, the best protection is an educated end-user. I just want you to know that Centralnic is committed to the important battle against this type of fraud.

Thanks for the comment, Joe. I notice the website in question has been removed.
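The structural point behind the paypal.de.com example, worked through in code as an added example (not CentralNic’s, MarkMonitor’s or the post’s own tooling): under a suffix like de.com that anyone can register beneath, the “paypal” label belongs to whoever bought it, so a lookalike check has to find the registrable domain first and then ask whether the brand actually owns it. The suffix set, brand list and allow-list below are small constructed stand-ins; a real tool would use the Public Suffix List (publicsuffix.org) and the institution’s own domain inventory, and the registrable domain it returns tells an investigator whose whois to query.

```python
"""Classify a hostname from a suspected phishing message as legitimate,
lookalike or unrelated, based on its registrable domain.
Added example; PUBLIC_SUFFIXES, BRANDS and LEGIT_DOMAINS are constructed."""
from typing import Optional, Tuple

# Suffixes under which the public can register a name. "de.com" is the
# CentralNic suffix from the post; the others are illustrative.
PUBLIC_SUFFIXES = {"com", "net", "de", "uk", "co.uk", "de.com", "uk.com"}

BRANDS = {"paypal", "ebay"}
# Domains the brands genuinely own (constructed allow-list for the example).
LEGIT_DOMAINS = {"paypal.com", "ebay.com"}


def split_host(host: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (registrable_domain, public_suffix). The longest matching suffix
    wins, so 'paypal.de.com' resolves under 'de.com', not 'com'. A host that
    is itself a suffix has no registrant and yields (None, None)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None, None
            return ".".join(labels[i - 1:]), suffix
    return None, None


def assess(host: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, registrable_domain, suffix) for a hostname."""
    registrable, suffix = split_host(host)
    if registrable is None:
        return "unregistrable", None, None
    if registrable in LEGIT_DOMAINS:
        return "legitimate", registrable, suffix
    if any(brand in host.lower() for brand in BRANDS):
        # Brand text is present but the registrant is someone else; the whois
        # to consult is the suffix operator's (CentralNic for de.com).
        return "lookalike", registrable, suffix
    return "unrelated", registrable, suffix


if __name__ == "__main__":
    for h in ("www.paypal.com", "paypal.de.com", "secure-paypal.uk.com",
              "www.paypal.com.evil-constructed.net", "news.bbc.co.uk", "de.com"):
        print(f"{h:40s} -> {assess(h)}")
```

Note that substring matching on the brand name is deliberately crude: it catches the cases in the post (brand as a registrable label under an open suffix, brand buried in a long subdomain chain) but not homoglyph or typo variants, which need a separate similarity check.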