loose wire blog

Some guys in California, Mike Outmesguine, John Hering and James Burgess, have managed to connect to an ordinary Bluetooth cellphone from 1 kilometer away, using off-the-shelf stuff, including a high-gain antenna connected to a Class 1 Bluetooth adapter kit. Their conclusion: "A typical unmodified cell phone can be reached at a distance of one kilometer by using slightly modified equipment on only one side of the link. Imagine the possibilities with modifications on both ends of the link!"

Some folk on Slashdot agree. Someone called Carbolic (who may or may not be related to the actual testers), points out the implication: "now it's easy to Bluesnarf without even being near the target phone". (Bluesnarfing is the trick whereby someone else can grab the contents of someone else's phone -- even make calls with it -- using Bluetooth. Some more posts on that here.) I'm no techie, but it does seem to undermine those arguments that we keep hearing that somehow Bluetooth will never be a security issue because it only works within a few metres.

A fair summary of blogs?

Peter Hartlaub, Pop Culture Critic at The San Francisco Chronicle, writes today of the blogging phenomenon at the Democratic convention and, surprisingly, concludes that "for several moments in four days of sleepless and often stream-of-consciousness coverage, the collection of mostly young writers ably explained their existence -- while raising questions about the established media's ability to stay in touch with readers, viewers and listeners".

Quite positive, but I'm not crazy about the other things he says. He seems to think the only valuable blogs are political: "Every Web log hosted by a good writer who can type an interesting account of their day (such as Wilwheaton.net) is matched by 100 that constantly hit up readers for money, link any article that predicts a bright future for Web logs and name-drop other sites that do the same thing. Yes, most bloggers blog about blogs. But the political bloggers, as a breed, are a more focused group."

Hmmm. Are the rest of us interested only in perpetuating our species? I doubt it somehow. It's the typical perspective of mainstream media, I suspect (of which I'm still a member, I guess). Turn it around: Judging blogging by the most inane, self-absorbed blogs you come across is a bit like judging the mainstream media from a selective reading of family newsletters, parish fliers, smalltown rags and Fox. Blogging covers every conceivable topic, and unlike academia and localized publications, breaks out of any geographical or generic boundary. Political bloggers may be more focused, but where's the serendipity in that? OK, so not all bloggers are Renaissance figures but I can think of quite a few who are. Blogging breaks more molds than we give it credit for.

OK, I'm waxing again. I'll stop.

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International "has confirmed finding and fixing a flaw on its web site's 'Find A Card' tool that could have facilitated a phishing scam". The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It's not yet over: He says that PayPal and several sub-domains of Microsoft.com "remain susceptible".

Besides the failure of some web sites to tackle the problem, a few other things worry me. 

• Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes it's probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that "It does not believe that any scams were attempted".)
• Why is no mention made of the flaw or the fix in MasterCard's own 'newsroom'? There are two releases trumpeting MasterCard's own 'fight on phishers' but nothing of its own vulnerabilities.
• How many more vulnerabilities are out there? Did Greenhalgh's discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I've not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don't get there first.

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are 'very concerned'. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase purchase products through secure sites. That's encouraging -- and not bad for business -- but the following figures are: nearly half will not now provide confidential data over the Internet while nearly a third won't use the Internet for online banking. About 15% said they don't trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn't think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier's recent survey which found that 28% of American adults "inaccurately identify phishing emails", I'd say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That's going to keep the problem going, in part because of weak or misleading 'solutions' such as browser tools and software that supposedly 'identifies' fraudulent emails or links. These tools only raise people's comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and 'not trusting the Internet', is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register's John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would "hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure". Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there's the banks. It's been suggested to me that banks don't really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don't trust the Internet to do banking, it's very unlikely they'll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don't have much choice.

Bottom line: The future of online commerce is not just about whether it's viable for retailers to do some of their business online. For many retailers it is their business, or at least it's the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It's an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague 'education campaigns' to give people a vague idea about whether they're safe, and what to do to make themselves safer. It's about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven't been done. Hence The Fear.

This week's Loose Wire column is about the new release of OneNote:

THE FOLK AT MICROSOFT aren't renowned for innovation, but it's time we took our hats off to them for OneNote. OneNote (www.microsoft.com/onenote) is a note-taking and organizing program that came out last year, and is about to be revamped with a new release due soon. OneNote is a step up for Microsoft in several ways and we, who tend to be somewhat rude about the Redmond crowd, should be big enough to acknowledge it. 

Full text at the Far Eastern Economic Review (subscription required, trial available) or at WSJ.com (subscription required; usually doesn't appear until Monday. Sorry). Old columns at feer.com here.

(Since the column went to press Microsoft has announced they're halving the price.)

Could RFID tags be used by shoplifters?

Robert Lemos of CNET's News.com writes from Las Vegas that a German technology consultant believes the Radio Frequency Identification tags "could be abused by hackers and tech-savvy shoplifters". He quotes Lukas Grunwald, a senior consultant with DN-Systems Enterprise Internet Solutions GmbH, as telling a discussion at the Black Hat Security Briefings that thieves could fool merchants by changing the identity of goods, he said.In time-honored fashion, Grunwald had the tools to prove it, unveiling during the session "a new software tool that he helped create that can be used to read and reprogram radio tags".

The basic idea, it seems, is that such software -- called RFDump, or sometimes RF-Dump -- could be used on a PDA or laptop to mark expensive goods as cheaper items, allow underage folk to bypass age restrictions on alcoholic drinks and adult movies or create confusion in shops by randomly swapping tags.

How much of a threat is this to RFID? On first flush it sounds major. But I suspect that if it is going to be an issue it's going to be more closely related to security than shoplifting. How many doors are already being opened by RFID? How many security passes are RFID? Luggage tags in airports? Of course these are probably encrypted but could these be reprogrammed?

I'm a fan of Microsoft's OneNote, but a critical one, and one of my gripes has been the price. Now that's all changed, according to Microsoft's Asian PR:

Effective August, Microsoft has announced a price adjustment world wide for OneNote 2003 from US$199 to $99. The price adjustment will begin rolling out today with various retailers offering the new price at different points throughout the month. Volume license customers will also see a discount based on their licensing agreement with Microsoft. Academic pricing thru college bookstores ($49 ERP) and volume license programs will remain the same.

Microsoft is committed to providing the best software for the price. In response to positive customer feedback to the product being offered at $99 in Japan and $99 after $100 mail-in rebate in North America, Microsoft wanted to extend customers worldwide with the opportunity to take advantage of the lower price point.

Too late for my column on OneNote, but good news nonetheless. I felt $200 was just a bit too much for what was effectively a note-taking application.

What is a plog? Seems the term is currently being claimed by at least five groups:

• Project blogs, suggested by MIT's Michael Schrage in this May article on CIO
• Amazon's personalized blog idea, which ClickZ' Pamela Parker quotes Amazon as saying is a beta-testing "diary of events that will enhance your shopping experience, helping you discover products that have just been released, track changes to your orders, and many other things".
• Then, as Jason Calacanis points out, there are plogs, the things you wear on your feet.
• There are plogs the poetry blogs.
• There are plogs the people logs.

It could get nasty agreeing on what a plog is. And I notice that Amazon are trademarking the term, so they're not going to be too happy with other people stealing their name, even if they might not have been the first one there. I personally think they should win, since 'plog' sounds very similar to 'plug' which is clearly what Amazon is trying to do with their products.

Here's how not to use the blog as a promotional tool:

New Media Age reports that Heinz is launching its first ad campaign for baked beans in ten years this week. The campaign, aiming to "reinvigorate the brand with a newer, healthier image" revolves around an "energy-packed 'Superbean' character who will have his own blog on a specially created microsite", heinzbeanz.com. Apart from promoting the, er, nutritional value of baked beans, Heinz is also, gasp, "swapping the plural 's' in the Heinz Baked Beans brand for a 'z', integrating the famous 'Beanz Meanz Heinz' slogan into its first can redesign in Heinz's 135-year history." So now you know.

Sadly, though, the blog itself is a travesty of the genre. It's viewable only in pop-up mode, which I suspect will not work with many browsers. There's some Flash in there (a bean bouncing around a can), and frames to make the material itself virtually unreadable. The blog entries all carry the same date (today) as far as I can see, and are along these lines:

OK, listen, there's something I've gotta share. I'm worried about your salt intake. Hey, the government's worried about your salt intake, you're worried about your salt intake! So what do we do? We cut back on the salt baby. I mean, we ain't gonna tamper with the taste, don't get me wrong. But since 2001 I've reduced my salt content by 30%.

I'm sure this isn't new, but I just saw it and thought it was worth noting: The VW Phaeton's UK site has an interesting 3D Flash sitemap where the pages are viewed in slices, with different coloured dots representing different kinds of content (in this case factory or car):

Clicking on a particular page will highlight it; moving the mouse over a blob will bring up a particular item which you can then access by double clicking on it.

Strictly speaking this layout is too fancy, and the content too specific, for general use, but it's intuitive enough to be a great way to show navigational information in three dimensional form. It might be a nice way to navigate back through old blog material, for example, with different colours for different categories?

Or does this go against the idea of trying to improve content and reduce complexity in design and layout?

I just received an email from a reader of the column who asked:

Ever since the term "Weblog" or "Blog" got coined I have been trying to understand why all the buzz exists.  From what I can tell it is simply a web page, made up of one or more authors, discussing a topic in a manner similar to what I find in Usenet discussions.

What is the big deal?  Why is this so revolutionary?

Any insight would be appreciated because I just don't get it.

It's not the first time someone's asked this, but as ever it's a fair question. I guess my answer would be this, but I'd be very interested in other contributions and corrections:

Blogs took off for a couple of reasons. Firstly, blogs are a little different to Usenet discussions. Blogs are 'owned' by an individual (or occasionally a company, or a group of people, or an institution) which gives them a stake in maintaining, designing and promoting the website. Comments are welcome but secondary to this process of keeping a 'log'. Although there's nothing revolutionary about this, it does involve a slight shift in what people thought of as a website -- more of a bricks and mortar thing, a static flag in the turf of the Web landscape -- and discussion sites, which were more like ad hoc discussions that grew up spontaneously and lasted for a while before expiring. Blogs updated themselves more than ordinary websites or homepages -- indeed a definition of a blog would include the stipulation, I suppose, that entries are dated, and are the main feature of a website.

These kind of 'logs' or online diaries had existed before, but what gave them critical mass was probably the fact that, in the late 1990s, a bunch of people who kept them started sharing lists of them, and began calling them the same thing: Weblogs, then wee-blogs, and then blogs. A movement is never a movement until it has a name. By the beginning of 1999, according to Rebecca Blood's history of blogging, there were 23.

What tipped blogging into the mainstream was the arrival of free software, in mid 1999, which made it easy for non-techies to build and maintain them. Suddenly it became very easy to make a nice looking blog. An adjunct to this has been the development of websites dedicated to listing, categorizing and sorting blogs, although this, I think, has been less important to the spread of blogging than the inclusion of lists of other blogs in blogs themselves. Such lists give a fan of one blog immediate access to similar blogs.

What used to be a defining feature of blogs is no longer: The focus on linking to other websites and commentary about those websites. In the early days postings would largely be about other items, and include some analysis, context or comment on the linked material. That's still true of hundreds of sites (indeed, the most popular, I guess) but, as Rebecca points out, there is also another genre of blog that is pure diary or journal. While I don't know of any figures for this, my guess is that these form the bulk of those millions of blogs that don't last very long. Possibly part of the reason for this is the very absence of linking: Links provide the traffic, both in and out, that is the lifeblood of a blog. If you don't link to anyone else, then it follows that few if anyone is linking to you, and the blog will end up unread and isolated. But then again, perhaps some blogs are just so darn well-written and interesting, this does not always apply.

That's a long answer to a valid question. And probably I've left important stuff out. Anyone else want a stab?

WiFi is all very well, but I'd argue it's still too tricky for us ordinary mortals to figure out. I've just spent the best part of a day trying to get a LinkSys WRT54G Broadband Router installed in my home network, and it took my resident genius Akbar to figure out that the cable provider had hardwired our setup so we had to try to trick the router into taking on the old address.

At least, that's what I think happened: All we got from the superfast installer wizard was 'You're not connected to the Internet' as we idly surfed the Web waiting for the wizard to complete its pointless and fruitless checks. Anyway, it's working now, and it's great, but I think LinkSys (and everyone else, for that matter) could do a better job of preparing us for oddities we're likely to encounter.

Is there any truth to the buzz that Mozilla Firefox is gaining ground on Internet Explorer?

EWeek seems to think so, earlier this month quoting WebSideStory and OneStat.com as saying they have seen about a 1% drop in IE usage. The Ziff Davis logs appear to confirm this. But whichever figures you like of those, it still means IE accounts for between 94% and 95% of traffic.

Here are some figures of my own I've found: W3Schools indicates that Mozilla has been gaining steady ground since January 2003, from 4% of visitors then to 13.7% in July. (Some folk have pointed out that this statistic is not useful since the website is geared towards developers.) July also marks the first decline in both versions of IE (5 and 6). Individual sites report similar statistics: Information Research, an electronic journal, reports Mozilla visitors at about 9.3%. Then there's the non-show of hands at BlogOn2004 last week, when no one (some say a few) put up their hands when Microsoft's Channel 9 guys asked the audience how many of them used IE.

As eWeek concludes, this may be hundreds of thousands of users switching to Firefox or Opera or Safari, but it's not going to budge Microsoft. It may, however, mean an opportunity for smaller browser makers. And it doesn't mean an end to security problems, which will doubtless just shift to the more popular (and hence lucrative) usage: Hence the fears that by trying to make itself popular, Firefox may end up making itself vulnerable.

I hope, however, the rise of an alternative will force lazy or incompetent programmers to ensure their websites work on all browsers. It's no longer acceptable for websites to look good, or just function, in IE. We should start drawing up a hall of shame of websites that do this. Sadly, in my experience, banks are the worst culprits. Ironic, really, given that it is mainly security flaws in IE that are sending people to new browsers.

It's been a busy six months for the virus-writing folk.

McAfee says the first half of this year has seen more serious viruses than in the whole of last year (sorry, no URL available yet). A large part of this has been the war between the Bagle and Netsky authors, a war that has seen their viruses appear in 215 countries.

What's perhaps surprising is that this bucks a trend in virus production, where McAfee saw a steady decline in the rate of viruses produced from 2000 to 2003, down to a 5% year over year growth. That seems to be all over, for now at least.

Another weak spot: McAfee noted in the first half of 2004 11 exploits targeting four Microsoft vulnerabilities against 15 exploits targeting seven Microsoft vulnerabilities in the whole of 2003. In other words: More folk making trying to make the most out of fewer holes.

I'm late figuring this out, but WSJ.com is now offering RSS feeds (I found out about it from reading Nick Bradbury's blog). Of course, this is tremendous news.

The feeds number only 13 so far, and will only have headlines for non-subscribers. The good news: Walt Mossberg is available in XML. The bad news: the weekly Loose Wire column of which this blog is a close cousin isn't. Of course, if you all write angry letters they might change their mind.

OK, I promise, that's the last plug I give myself. I hate it when people promote themselves all the time. No, really.

Could spam and viruses kill off email?

Folk seem to think so, if a world-wide survey by Message Labs, the email security people, is anything to go by (no URL available yet, sorry). They found that 6 out of 10 companies would give up email if the threat posed by viruses, spam and other malware is not contained and a viable alternative emerges.

It seems that people's concerns are not identical: More than 20 per cent of respondents indicated that online fraud such as phishing and identity theft will be the greatest threat. Viruses achieved a similar rating (21 per cent). Some 18 per cent rated the leakage of confidential or sensitive information as the main issue, while 15 per cent thought the biggest threat would be the potential for industrial espionage.

On one thing, however, folk do agree: More than 40 per cent predict that levels of junk email will more than double over the next 10 years, and a further 24 per cent expect it to rise by more than 50 per cent. Only four per cent think it will be non-existent.

My tuppennies' worth: Email will get better. It has to, or else spam really will bury us. I think folk should start agreeing on a new system of authentification and a serious way of making it too expensive for people to send bulk email, both financially and legally.

I've been researching Islam and technology for a story due out later this week. There's been some interesting gadgets enter the market place recently aimed at Muslims but what also interested me are the attitudes of Muslims towards technology: Was there any life left in the non-Muslim perception that Islam does somehow not approve of technology? Short answer: No.

Anyway, long introduction to what I hope is just a mere misunderstanding in a piece by Ali Al-Baghli, Kuwait's former oil minister, in the Arab Times last week (thanks to blueserker), who writes an interesting article on the relationship between Muslims and technology. While I think I follow his tack, towards the end I share the confusion of blueserker who says "I'm really hoping there is a translation issue here".

Al-Baghli's main point is that technology can be used for good and bad. While 'fundamentalists' and 'extremists' have long opposed the use of technology, from satellite dishes to mobile phones, it is the extremists, he says, who have also benefitted from this such tools such as the mobile phone "because it can be used to carry out terrorist acts". True: Jemaah Islamiyah relied on the mobile phone to plan and execute the Bali bombing in 2002. (It also led to their capture.)

But I lose him in his last paragraph on Bluetooth: "This device is being used by thousands of people and is most beneficial to engineers and medical staff because of the voice and view facility." Can't disagree so far. However he goes on:

This new device has sent shock waves in Kuwait because some young boys and girls make wrong use of it and the Ministry of Justice was prompt in forming a committee - comprising legal and legislative experts in addition to attorneys - to regulate its use. If what we have heard is right, the reaction is shameful. The Bluetooth is like a knife - you can use it in the kitchen while cooking or to kill someone. It is also like a 'safe sex' tool mostly used by whores to prevent pregnancies. Can we prevent people from using knives and 'safe sex' tools... just because some are making wrong use of it?

I can only assume the former minister is referring to the emergence of Bluetoothing -- the art of picking up partners in public via Bluetooth -- which, according to a comment added to this posting to Geek.com back in April, has been going on for quite a while in Kuwait. I have to confess, however, I'm not sure where the knives come in, and how, exactly, Bluetooth is used in safe sex. Can anyone explain?

Is Bluetooth finally moving out of the world of mobile phones?

The Gadgeteer feels so, highlighting some new toys including two pairs of Bluetooth headphones and a Bluetooth mouse. Here is their review of Bluetake's i-PHONO BT420EX stereo headphones and BT500 Bluetooth Mouse, and here is Sonorix's Bluetooth audio player

What's interesting, too, is that some of these are from Korea (only Bluetake is not, being Taiwanese). Korea and Japan have been slow to adopt Bluetooth, partly, I guess, because few of their companies are part of the Bluetooth consortium, partly because of different usage patterns.

I met a few Korean companies at CommunicAsia trying to change that, in particular SeeCode, which is selling a range of Bluetooth gadgets, not all of them phone-oriented.  None of them appear to be available on their website yet, but (according to their brochure I picked up, which relies on a charming version of English I'm not too familiar with) they include Viasync, which seems to be a sort of Bluetooth conference call device cum VoIP phone cum car handsfree, and the Viodio, which seems to be an MP3 player with a Bluetooth wireless headset (although, somewhat confusingly, the picture shows someone using very wireless-less earphones.)