Tag Archives: programmer

Here Comes the Blog Flood

The power of the history of the Internet? So much feels disposable about the Internet, and blogs haven’t helped. Postings more than a few days old feel like ancient history, and yet at the same time they sit there, a snapshot of a point of view the author can barely remember ever having. Comments added by anyone stumbling along more than a few hours or days later look like stragglers, people who turned up on the wrong day for a party and could do little more than leave their calling card.

But here was a site that struck me differently. It’s just a collection of comments on Peter Gabriel’s ‘Here Comes The Flood’ (one of his best numbers). It’s not a blog, or a web page past its expiry date, although it should be the latter: It was set up in 1994 by a German programmer called Brigitte Jellinek. The last comment attached to the page on Flood is less than a month ago. The first was in February 1996. Amazing, really; more than a decade of simple, sometimes moving thoughts on one timeless song. As Ms Jellinek herself observes on the homepage:

In December 1994 I set up this page to give people on the Web the chance to share what P[eter] G[abriel’]s songs mean to them. I didn’t expect much – from my previous experience with guestbooks I was prepared for idle chit chat and childish remarks. Well, you all proved me wrong. Every time I read some of the comments I am amazed about the quality of the contributions.

There can’t be that many sites from 1994 still so active, so alive (and someone taking such effort to preserve one). Credit to Ms. Jellinek.

Perhaps some blogs have this timelessness too, but the reverse chronological nature of blogs, their emphasis on a log, a journal, and time, perhaps work against this. Posts are time sensitive, more transient, and stumblers on an old post are likely to see their voices lost in the relentless forward march. That’s what makes the Flood page so remarkable — about a song that was originally performed in 1977, if I’m not mistaken — in that the comments may span more than a decade, and yet all share the same address, the same timelessness. A lesson, perhaps, for the design and future of blogs.

Closing The Door After The Phish Has Bolted

MasterCard, one of several banks discovered to have flaws on their websites that would have allowed a phisher to capture passwords, says it has fixed the problem.

American Banker Online reported (subscription required) last week that MasterCard International “has confirmed finding and fixing a flaw on its web site’s ‘Find A Card’ tool that could have facilitated a phishing scam”. The flaw had been discovered by British programmer Sam Greenhalgh and published on his web site on June 28. Greenhalgh lists in a sidebar those web sites that have been fixed or the flawed code removed. It’s not yet over: He says that PayPal and several sub-domains of Microsoft.com “remain susceptible”.

Besides the failure of some web sites to tackle the problem, a few other things worry me. 

  • Why did it take MasterCard three weeks to remove the flawed code? American Banker reports that the tool was removed on July 20. As Greenhalgh writes, it’s probably a case of closing the door after the horse has bolted. (American Banker quotes MasterCard as saying that “It does not believe that any scams were attempted”.)
  • Why is no mention made of the flaw or the fix in MasterCard’s own ‘newsroom’? There are two releases trumpeting MasterCard’s own ‘fight on phishers’ but nothing of its own vulnerabilities.
  • How many more vulnerabilities are out there? Did Greenhalgh’s discovery trigger a serious audit of all code on such websites, or did they just plug the holes he had found?

Anyway, plaudits should be offered to Greenhalgh (so far I’ve not seen any from the banking fraternity, but I could be wrong) for his work and others encouraged to hunt for more leaks. Such folk are not troublemakers looking for nits to pick. They perform a very useful service. Phishing has shown that all this is no longer just theory, if it ever was. Every one of these vulnerabilities will be found and exploited if the good guys don’t get there first.

Electronic Voting And The Criminal Connection

The story of electronic voting machines, and the company that makes many of them, continues to roll along. I wrote in a column a few weeks back (Beware E-Voting, 20 November 2003, Far Eastern Economic Review; subscription required) about Bev Harris, a 52-year-old grandmother from near Seattle, who discovered 40,000 computer files at the website of a Diebold Inc subsidiary, Global Elections Systems Inc, beginning a public campaign against a company she believed was responsible for a seriously flawed e-voting system, already in use in several states.

Anyway, now she’s turned up more explosive material, it seems. The Associated Press yesterday quoted her as saying that managers of Global Elections Systems “included a cocaine trafficker, a man who conducted fraudulent stock transactions, and a programmer jailed for falsifying computer records”. The programmer, Jeffrey Dean, AP reports, wrote and maintained proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Previously, according to a public court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that “involved a high degree of sophistication and planning.”

Needless to say, this is all somewhat worrying. When I followed the story I tried to concern myself merely with the technological aspects, which were pretty worrying in themselves; the e-voting system being pushed by Diebold seemed to have too many security flaws to be usable in its present state. But Ms. Harris’ digging seems to reveal a company that is, to put it tactfully, less than thorough in its background checks.

So what’s Diebold’s version? AP quoted a company spokesman as saying that the company performs background checks on all managers and programmers. He also said many GES managers left at the time of the acquisition. “We can’t speak for the hiring process of a company before we acquired it”. According to Ms. Harris’ website, however, that’s misleading. Quoting a memo issued shortly after Diebold bought GES in early 2002, Dean had “elected to maintain his affiliation with the company in a consulting role”. Diebold, the memo says, “greatly values Jeff’s contribution to this business and is looking forward to his continued expertise in this market place”. AP said Dean could not be reached for comment Tuesday afternoon and I cannot find any subsequent report online.

It’s hard to see how Diebold is going to recover from what has been a series of body blows to its credibility in such a sensitive field as voting. The same day as Ms. Harris revealed her latest bombshell, the company announced “a complete restructuring of the way the company handles qualification and certification processes for its software, hardware and firmware”. Diebold hopes the announcement will “ensure the public’s confidence that all of our hardware, software and firmware products are fully certified and qualified by all of the appropriate federal, state and local authorities prior to use in any election”.

Clearly the whole fracas has done serious damage to public confidence in electronic voting. But it’s important to keep perspective. There’s nothing wrong intrinsically with e-voting — it’s a sensible way to speed up the process, make it easier for citizens and, perhaps, to extend the use of such mechanisms to allow the population to have a greater and more regular say in how their lives are governed. But like every technological innovation, it’s got to be done right, by the right people, with the right checks and balances built in, and it can’t be done quickly and shoddily. Most importantly, it’s got to be done transparently, and those involved in building the machines must never be allowed to conceal their incompetence by preventing others from inspecting their work and assessing its worthiness.

For details of Ms. Harris’ allegations, check out her website Blackbox Voting. A summary of the press conference is here, as are the supporting documents (both PDF files).