A Way Forward For RSS?

By | November 24, 2011

Here’s an interesting twist to RSS (Really Simple Syndication, a way to channel material into feeds) that shows the format could have a life beyond blogs.

iUpload, “a net-native content management solution provider”, has just introduced a free service that allows companies to avoid the legal pitfalls and technology filters of the spam world to send content to users who want it. MailbyRSS allows the company to send content out by email, which is then converted to RSS, which the subscriber can then add as a feed to his/her RSS feed reader. Benefits? It bypasses the whole blog thing, it is easy to update, and it keeps the company’s usual emailings from getting caught in spam filters (or falling foul of the new CAN-SPAM Act).

Not a bad idea. Though a wonderful tool, RSS is still stuck in the slow (read: unexploited commercially) lane, but something like this may help push it out there. The great thing about RSS is that control remains with the user, who doesn’t have to hand over any personal data — even an email address — to get a feed, and can pull the plug any time, simply by deleting the feed. It’s the antidote to spam. Now there needs to be a way to build and manage RSS content, something MailbyRSS may help to achieve.

The Hazards Of Being Mike Row

By | November 24, 2011

From the Proof That Microsoft Has No Sense of Humour, Is Appallingly Cheap, But Eventually Gets It Dept:

Paul Thurrott of Windows and .NET Magazine tells the story of a Canadian teenager called Mike Rowe who brought down the full wrath of Redmond’s lawyers when he set up a website called MikeRoweSoft.com. They sent him a 25-page letter demanding that he hand over the domain name. Rowe goes to the press, his site gets massive interest, his case gets lots of support, and suddenly, Microsoft has backed down, issuing an apology in which the company admitted that it had acted improperly.

As Paul points out, they probably had to go after Mr. Rowe. According to trademark law, trademark owners are required to defend their trademarks against infringement or risk losing the mark. But, Paul says, few people could argue that Rowe doesn’t have a valid claim for the domain name. “It’s not [Microsoft’s] name,” Rowe recently said. “It’s my name. I just think it’s kind of funny that they’d go after a 17 year old.”

Mind you, the lads at Redmond have a point: If you type MikeRowSoft into Google you get the inevitable question: ‘Did you mean microsoft?’ But did they have to be so grizzly about it? Newspapers say that when Rowe demanded compensation the lawyers offered him US$10 in U.S. funds — what it cost him to register the domain. That was when the 17-year-old got mad and asked for $10,000.

Me? I’m going to see whether the following are registered: mycrowsoft.com, microwsoft, mikeroesoft.com, mikerohsoft.com, etc etc.

“Internet Voting Isn’t Safe”

By | November 24, 2011

The e-voting saga continues.

Four computer scientists say in a new report that a federally funded online absentee voting system scheduled to debut in less than two weeks “has security vulnerabilities that could jeopardize voter privacy and allow votes to be altered”. They say the risks associated with Internet voting cannot be eliminated and urge that the system be shut down.

The report’s authors are computer scientists David Wagner, Avi Rubin and David Jefferson, from the University of California, Berkeley; The Johns Hopkins University; and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and leading technology policy consultant. They are members of the Security Peer Review Group, an advisory group formed by the Federal Voting Assistance Program to evaluate a system called SERVE, set up to allow overseas Americans to vote in their home districts. The first tryout is scheduled for Feb. 3, for South Carolina’s presidential primary.

The four say that “Internet voting presents far too many opportunities for hackers or even terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect. Such tampering could alter election results, particularly in close contests.” They “recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”

The authors of the report state that there is no way to plug the security vulnerabilities inherent in the SERVE online voting design. “The flaws are unsolvable because they are fundamental to the architecture of the Internet,” says Wagner, assistant professor of computer science at UC Berkeley. “Using a voting system based upon the Internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official.”

In short, the guys are saying the Internet is just not up to handling something like voting. But they also see the SERVE program as carrying the same flaws as the Diebold and other commercial electronic voting systems that have gotten such bad press in recent weeks (some of the four authors have been in the forefront of exposing those weaknesses). “The SERVE system has all of the problems that electronic touchscreen voting systems have: secret software, no protection against insider fraud and lack of voter verifiability,” says Jefferson. “But it also has a host of additional security vulnerabilities associated with the PC and the Internet, including denial-of-service attacks, automated vote buying and selling, spoofing attacks and virus attacks.”

After studying the prototype system the four researchers said it would be too easy for a hacker, located anywhere in the world, to disrupt an election or influence its outcome by employing any of several common types of attacks familiar to regular readers:

  • A denial-of-service attack, which would delay or prevent a voter from casting a ballot through the SERVE Web site.
  • A “Man in the Middle” or “spoofing” attack, in which a hacker would insert a phony Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter’s choice. What is particularly problematic, the authors say, is that victims of “spoofing” may never know that their votes were not counted.
  • Use of a virus or other malicious software on the voter’s computer to allow an outside party to monitor or modify a voter’s choices. The malicious software might then erase itself and never be detected.

The Charting Of An Urban Myth? Or A Double Bluff?

By | November 24, 2011

Here’s a cautionary tale from Vmyths, the virus myths website, on how urban legends are born.

Vmyths says that Reuters News Agency filed a report from Singapore last week quoting anti-virus manufacturer Trend Micro (makers of PC-cillin) as saying computer virus attacks cost global businesses an estimated $55 billion in damages in 2003. That’s a lot of damage. Two spokesmen at Trend Micro have since called Vmyths to “correct” the report. One said it was “wrong.” Another said Trend Micro “cannot gauge a damage value — because they simply don’t collect the required data”.

Vmyths says the report was later pulled, but without any explanation. I’m not so sure. I can still see it on Reuters’ own website, Forbes, Yahoo, The Hindustan Times, ZDNet, MSNBC, ComputerWorld, The New York Times, etc etc. And the story still sits in Reuters’ official database, Factiva (co-owned by Dow Jones, the company I work for.) I’ve sought word from Trend Micro (I wasn’t able to reach anyone in Taiwan, Singapore or Tokyo by phone and emails have gone unanswered for 10 hours; I guess Chinese New Year has already started. Perhaps the U.S. will be more responsive). Emails to the author of the Reuters report have gone unanswered so far.

As Vmyths points out, it’s great that Trend Micro has tried to set the record straight. But if the story was wrong, why is it still out there on the web, and, in particular, on Reuters’ own sites? And why hasn’t Trend Micro put something up on its website pointing out the report is wrong? Has Trend Micro done everything it can to get things right? Was the report wrong, or the original data?

This episode highlights how, in the age of the Internet, an apparently erroneous story can spread so rapidly and extensively, from even such an authoritative source as Reuters, and how hard it is to correct errors once the Net gets hold of them. In the pre-WWW world (and speaking as a former Reuters journalist) it was a relatively simple process to correct something: overwrite it from the proprietary Reuters screen with a corrected version, withdraw the story, or, in the case of subscribers taking a Reuters feed (newspapers, radio stations and what-have-you), send a note correcting the story. Proprietary databases could be corrected. So long as the story wasn’t already in print, you were usually safe. Nowadays it’s not so easy.

Vmyths is right: Expect to see the $55 billion figure pop up all over the place. (Of course, until we know for sure, it’s possible that the real myth that comes out of this could be that the story was wrong, when in fact it was right.) Ow, I’m getting a headache.

The Next Step: Anti Phishing Services

By | November 24, 2011

MessageLabs, those hyperactive purveyors of Internet security, have come up with an anti-phishing service for banks and other targeted companies (phishing is the scam whereby bogus emails entice you to give up your online banking password and other sensitive information), the first of its kind, I do believe. It had been available to about 15 banks and is now available to everyone.

The service involves “real-time scanning, expert analysis and authentication, incident response and early notification of suspicious email activity”. The company uses Skeptic™ Radar (I’m not making this up) technology to scan millions of email messages to detect threats and anomalies. When a scam is identified, analysed and authenticated, the company notifies the targeted company and provides details of the attack. Companies are then able to work with law enforcement agencies to quickly and effectively shut down scammers. (It says here.)

MessageLabs says it has been able to alert “in-house IT staff to the problem before they knew of its existence”. In pilot cases it was able to close down fraudulent websites within a couple of hours.

MessageLabs reckon about “20% of all recipients that receive phishing emails have been duped into providing user names, passwords and social security numbers”. That’s a very high figure; I’d heard 5%. I’ll try to find out where MessageLabs get it from.