Ordinary Nothing

The police, both here and in many (most? all?) other countries in the world, provide a short “emergency” phone number. The idea being that it will be easy to remember, work from all phones in all locations, and be fast to dial in case of a real emergency.

The police here in Israel also has such a number, 100.

Except, it would seem, sometimes they just don’t bother answering it.

Last Sunday (28 September 2008) I went with a friend to a restaurant in the Tel-Aviv north harbour area. On the way back to the car (around 22:45) we noticed a large group of kids around two bonfires which they started along the beach^[1]. About 5 meters from there stands a large sign with warnings about prohibited activities, and starting fires is explicitly listed there.

Normally I wouldn’t exactly mind, but those kids were loud and annoying; and those fires were quite large, with one of them burning really close to nearby plants. Plus, I was in a, ahem, fitting mood. So I decided to do my civic duty, and call the police to report the fires and the kids.

I dialled 100 on my cellphone. And waited. One ring, two ring, three rings, four rings, nothing. At this point most automatic answering machines would assume nobody’s answering, and pick up. But this is an a police centre that should be manned non-stop around the clock, so I guess they don’t have answering machines^[2]. I waited a bit more (1-2 rings) and still nothing. I was very surprised, and hang up.

My friend was also amazed that nobody picked up the phone. So he tried calling them himself, from his own cellphone. He waited for 13 rings. Nothing. Nobody answered.

Nobody tried to call us back to follow up later on, asking if there’s a problem and why we called the emergency police number. None of our cellphone numbers are blocked, so they could have seen these calls on their incoming call logs (if they bother keeping them).

Good things that it, while being something that should be reported to the police, wasn’t really an emergency.

1. well, technically along the bank of the Yarkon river, which connects to the sea at this area.[back]
2. And, when operating properly, they really shouldn’t need them, I agree.[back]

A new version of the Firefox browser was released today. A minor update from version 2.0.0.6 to version 2.0.0.7.

Even more minor than that, actually, since what came out was just an RC version for testing. Sometime in the past I downloaded an update that was considered a beta or RC, so I’m on the list to keep getting them on the automatic updates.

The problem is that there was no information provided on what exactly the update includes, and what is the purpose behind it. The release notes page did not contain any relevant info (I’m not promising they won’t change the page in the future. It doesn’t contain the info now, and haven’t for quite a few hours so far).

It had lots of other things, the general outline they put on each release-notes page. But the actual release notes, what was changed from the last version, no. Nothing.

There wasn’t even any link to a page where this information could be found. Because, well, in theory it would have been that exact same page.

That’s a very very poor way to roll out an update. If you ask someone to install a new version of a software, and especially if it’s a beta/RC that you want people to test and provide feedback for, you have to tell them why and what has changed.

Seems very sensible to me. Apparently doesn’t seem so sensible to some of the people in the Mozilla foundation. Don’t get me wrong, they’re doing a great job, and Firefox is terrific. But most people don’t follow all the bugs and progress on every single application they use, so it’s far from obvious what an update is for.

I do hope they’ll do better next time. I’m more than willing to install updates, but I need to know why.

In this particular case, if someone is interested, it’s a single fix for a single security vulnerability. Well, a potential whole class of problems, but only a single known point. Which was now actually more of a problem with the Quicktime plug-in (on Windows) and not in Firefox itself, but in this case it’s a good idea to fix it in Firefox as well, to prevent any future problems from the same direction. You can look at the actual bug report for more technical information, if you really want to.

Who wouldn’t be terrified, discovering they just made it to the list of potential terrorist’s targets? And chickens are, well, chickens. It’s a well known fact.

On the other hand, the only chickens who seem to be attractive to terrorists, so far, are those living in the US. Or, in any case, the US government’s very own DHS are the only one who believes their chickens to be prime targets.

Yep, seems that the US DHS thinks that chicken houses are terrorist targets.

Why?

Because many of them are warmed by propane gas. And propane gas is inflamable. No, it is, really. You blow a bomb near a container of propane, and it will explode and burn.

Burning every chicken in the very close area. Possibly also the house of the farmer raising the chicken, if it’s close enough to the tank.

The rule affects nearly every poultry grower across the Delmarva peninsula, and as many as 20,000 sites across the country, because propane gas is the most popular chicken house heating method.

…

“The three 1,000-gallon propane tanks at a local grain elevator, or nursing home, or school or campground are not terrorist targets,” said NPGA Senior Vice President Philip Squair in a May 1 news statement. “What DHS is asking is for ordinary homeowners, businesses and farmers to declare themselves terrorist targets because they choose to use propane to heat their houses and businesses.”

Let’s do some guesswork, shall we?

Expected death toll if terrorists blow up the propane gas tank at a chicken house? Probably 0-6 people^[1], and some fried chickens.

Expected death toll if the terrorists would take the same amount of explosive and put it near a small house in any small town? 0-6, without fried chicken.

Expected death toll if the terrorists would take the same amount of explosives and put it near the security gate of a mall, where people congregate to pass inside? 4-30? More?

Yes, I can see the terrorists going after the rural chicken houses. Any minute now. Any minute now.

1. depending on how many kids the farmers have, if they’re home, where the gas tank is located, and how competent the terrorists are. How competents are terrorists who go after chickens, I wonder?[back]

Say you were sentenced to 30 months in prison for forgery. And say you think it’s the prosecutor’s fault (Because, after all, it can’t really be something you did, right?). What would you do?

That’s right, you’d try to get the prosecutor assassinated, to punish him for not being able to show on trial that you’re not really a dangerous criminal. Makes perfect sense.

Then you need to pick the right hitman. It’s complex. There are, for example, some things you may want to void:

1. Your first choice of a hitman should not be the judge that tried you. Judges make terrible assassins. And they often refuse these jobs. Go figure.
2. If you do want to hire the judge to be your assassin, make sure to offer enough money to make this a real offer. For example, a district court judge in Texas would probably expect much more than $5,000^[1].
3. If you do offer the judge the small money, and he turns you down, your next best option is not the lawyer who was your defense attorney during the trial. Lawyers are bad assassins as well. And your defense attorney knows what a slimeball you really are, even if he lied and said nice things about you during the trial.
4. If you do try for the defense attorney, at least offer him more money then you offered the judge. You should already know that’s not enough money by now. Defense attorneys often don’t earn that much less than judges. Not necessarily even the lousy ones.
5. Oh, and stick to your target. Don’t change your mind and ask him to actually kill the judge. Yes, it was very rude of the judge to turn down your offer. But killing a judge would cost extra. And besides, the prosecutor is still out there, right?
6. When you make all these offers, don’t write them on paper with your own handwriting. Don’t touch that paper with your fingers to add your fingerprints to it. Those things are, like, proof, you know? It can get you a much longer jail time than those forgery charges.

All very sensible and sound advice.

Someone didn’t get the memo. Probably didn’t get a lot of working braincells either.

Galveston County District Court Judge David Garner said Connelly, 34, of Santa Fe, was among those defendants who “think outside the box” for allegedly writing a letter offering him $5,000 to kill former prosecutor Donnie Quintanilla, now in private practice in Galveston.

Connelly wrote a second letter to his defense attorney, Houston lawyer Jonathan Cox, offering him $5,000 to kill Garner, special prison prosecutor Alice Gregg said.

He will get the jailtime, though. And hey, maybe the next judge would be more cooperative, who knows?

1. That’s not even a single month’s salary[back]

I keep waiting for someone responsible for airline security to sober up, and realize how ridiculous, costly, invasive, and (maybe most importantly) unhelpful for security are all the new and increasing limitations and checks.

But that doesn’t seem to happen.

If anything, things just go worse, with more paranoia, and more pointless regulations being made. All in the name of security, almost all without any real security benefit, and almost all with high costs in terms of time, money, hassles, and privacy.

And now they’re working on a system that would record everything passengers say and do during a flight.

Researchers in Britain and Europe are looking at technology that would see a comprehensive network of microphones and cameras installed throughout the aircraft, including the lavatory, which would be linked to a computer.

Sounds fine for one of those silly reality shows.

But very far from being fine for regular flights. Microphones and cameras everywhere on a plane. Including the toilets.

This computer would be “trained” to pick up suspicious behaviour, said Catherine Neary, of Bae Systems, one of the British participants in a £24 million European Union project

Computers cannot pick up suspicious behaviour. It will be quite some time, many many years, until they will be able to come even close.

Heck, it’s hard enough to train real live people to pick up suspicious behaviour. They think very many things are very suspicious, all the time. And that involves detecting a lot of tiny cues, and requires instincts and experience. A computer cannot do that.

Computers will just be able to follow very crude rules. Meaning that they will miss actual suspicious behaviours, but will have lots and lots of innocent people tagged as acting suspiciously.

Actually, what the heck is suspicious for an airline passenger? And how do you separate the terrorist kind of suspicious from other kinds of suspicious?

Eventually, the computer would be programmed to understand a variety of languages.

Oh, yes, any day now. Because right now computers would be hard pressed to understand even one language. At most you can pre-define a limited set of key words, and have the computer pick up people who say them. And even that will fail on some accents, pitches, and taking speeds.

Not to mention, what words would these be? Will they train the computer to catch whole sentences, like “Let’s blow up the plane now”? Because obviously a terrorist who wants to blow up a plane is going to announce that before doing so, right? And other passengers around will never pick up on that, so it’s good that there will be a super sensitive microphone to do so (yes, I’m being sarcastic).

“Passengers are not being snooped on by humans, but by machines which will process the data, which would not be stored after the flight unless there is an incident,” she said.

But the machines cannot process the data properly, so the next obvious step is to have humans look in at anything the computer will flag as suspicious. And that will have to be almost everything, because it’s better that a human will snoop on a few extra events, instead of letting a terrorist go on undetected, right?

And, well, only keeping the data if there’s an incident? What does that mean, incident? If they mean unless the plane explodes, well, too late to do anything useful with that, no?

Or do they mean unless an incident happens which isn’t as critical? Because these happen these days for right about anything. Creating an “incident” is way too easy.

Heck, there are incidents when people accidentally drop their music players down the toilet. Would that justify a human going through an audio and video records of what everyone did on the plane, including inside the toilet?

It’s an incident when someone prays while on an airplane. Would that justify a human going through an audio and video records of what everyone did and said while on the plane?

It’s an incident when someone wants to drink water from a bottle. Very suspicious, bottles, and failing them around willy-nilly can alarm other passengers, so maybe it can even escalate to a truly serious incident.

Lots and lots of small and minor things can become an incident. Will all of these justify someone watching and listening to tapes from the flight? Why am I not feeling reassured?

“There are likely to be cameras and microphones in the toilet, because that is where terrorists go to assemble bombs.”

Yes, they always do that, don’t they, these terrorists? They go on a plane, then enter the toilet to assemble bombs. Quite an regular habit with them.

The camera could also be trained to detect seemingly harmless items being left in aircraft lavatories that could later be assembled to make a lethal device.

These days small containers with liquids, including… erm… toiletries, are considered dangerous. Liquid binary bombs, and all that. Which pretty much covers anything that can be left in a toilet. Anything that can be spilled in a toilet.

And the people running the system can be fully trusted not to do things like, say, decide to keep personal copies of the films of people (in the toilet, or otherwise) just because the ones filmed may be physically attractive acting somewhat suspicious, right? Nobody would ever do that.

On the bright side, though, people joining the mile high club may now easily obtain photographed proof to show all the doubters.

This is invasive madness. All of it.

Though it does give a new multi-layered meaning to the term security theatre.

AOL released a new program called Active Security Monitor, which is supposed to help find problems with the security settings of computers. It scans the computer, provides scores in various categories, and suggests ways for improving the security where the score isn’t perfect.

A nice thing to have, if it works. Personally I’m quite good at dealing with my computers’ security by myself, but a tool like that can be useful to point less experienced people to, and for getting a quick baseline.

Except that it doesn’t work well at all. And yes, I know, it’s from AOL, what should I expect, right? It’s a shame that they really don’t do much to improve the reputation they have in these regards, and blew this great opportunity.

So far I ran it on one computer. The computer runs a fully patched and updated Windows 2000 professional, has a fully updated Avast! 4 Home as an anti-virus, no firewall since it’s connected to a small network protected by a properly configured external router, using Firefox 1.5 and Opera 9 for browsers, And with both Spybot S&D and Ad-Aware SE Personal installed.

I downloaded and installed the Active Security Monitor program, and let it scan the computer.

ASM comes with an option to register it for a home network, in order get status on multiple computers at the same time. I didn’t do this, and will run a comparison on a second computer separately later on. No need to create an account for a tool when I don’t know I’ll use it.

After a few seconds of scanning my computer received a total score of… 53. Out of 100. Not a pretty sight.

Let’s start with the good thing first. It detected both Ad-Aware SE Personal and Spybot S&D, and detected that their signature files were not updated. This was all true. I usually keep the computer clean to begin with, and so didn’t run or update any of them for well over a month.

So I run both, updated the data, and repeated the scan. My score in the “Spyware Protection” category jumped all the way to Excellent, and the total score climbed to 57. Still not very impressive.

I also suspect I would have gotten the Excellent score with only one of them installed. Which isn’t enough, since the overlap between what they catch isn’t complete. They’re better together.

On the “Firewall” category my computer is ranked as Poor. Which is totally justified, it doesn’t have a firewall installed. But I took a quick look in the details, and was surprised to see that “A firewall is detected but is not enabled on this PC”.

This is wrong. I don’t have a firewall installed. And since it’s not installed, there is obviously no way to turn it on. Worse, ASM is extremely unhelpful in that it didn’t tell me which firewall it thinks I have and how it thinks I can turn it on.

Instead, the recommendations page had links to pages with general firewall explanations, some marketing hype on how the AOL service comes with full firewall protection (This AOL marketing hype exists on all details pages, whenever there is any sort of a problem, as far as I could see), and a non-detailed “To enable a firewall: Click Start, point to All Programs, and select your firewall”.

Yep, that’s going to be real helpful for anyone who actually needs this tool to know if they have a firewall or not. All those people, the ones who aren’t even sure what a firewall is, would have no problem at all finding it by themselves and running it.

Especially if, like me here, they don’t even have one. That could be a long long search.

It did say that if I would enable my firewall (The one I don’t have installed) it will raise my overall score to 79 (That’s a 22 points improvement).

Next, on the “Virus Protection” category my computer is ranked as Fair. Why just Fair? Because according to it “The anti-virus (AV) program on this computer is not enabled”.

I double-checked just to be on the safe side, and I can assure you that my copy of Avast! was working perfectly. So if ASM did find Avast! (Though I can’t be sure, maybe it found some phantom AV program, like the firewall) it should also know it’s running.

ASM also claimed that the signature files for my AV program are out of date. Which also wasn’t true, they were updated almost just before running ASM.

The details page contained the same list of not so useful suggestions, such as saying what a great AV protection the AOL service gives, and providing an explanation on how to turn on my AV program. A generic explanation, that is, which was identical to the one on how to turn on my firewall. Nowhere did it say even the name of the AV program it found.

It stated that turning on the AV program would raise my score to 70 (That’s a 13 points improvement). Personally I’m more concerned about why it thinks my Anti Virus protection deserves a Fair score if it believes my AV program isn’t even enabled. A not-running AV program should be just as good as a totally non-existent one.

Next is the “Windows & Browser” category. On this one I received a Good score, with two complaints.

The first was that “The Windows System Restore feature is not turned on”. And it was potentially useful about it, giving detailed instructions on where to find it in order to turn it on… Except that, well, this computer is running Windows 2000, and not Windows XP. And System Restore is a feature of Windows XP. It does not exist on this computer, and so cannot possibly be turned on. And all the places it directs me to go to in order to turn it on, well, they just don’t exist here. Totally dumb, and very unprofessional.

The second complaint it had in this category was that “Internet Explorer (IE) is not configured with encryption”. First of all, I hardly use IE, and as I said the computer has both Firefox and Opera installed on it, something which didn’t interest ASM in the slightest. And second, well, I never disabled any encryption option in IE.

So I went to the recommendation to see how ASM thinks I can turn it back on. Seems like I needed to “Enable Secure Socket Layer (SSL) technology on your browser”, and the way to do it is to go to IE’s Internet Options, the Advanced tab, and there… to click on the Restore Defaults button.

Let me get this straight… In order to change an encryption setting, they want me to restore all the customizations I did there? Even ones entirely not related? Even ones that actually improve security beyond the defaults? Are they kidding me?

Plus, I checked my settings, and SSL was of course enabled. All settings that had something to do with encryption were right as they should be.

ASM stated that fixing the above two problems would increase my score to 63 (a 6 points increase).

On the “Wireless Security” it didn’t give a score, since the computer isn’t set for wireless access. That’s actually correct, so good job here on at least not thinking I have wireless access but need to turn it on, or something.

It also has a “P2P Software” category. On which I received an Excellent score. Why was it Excellent? Because “A peer to peer (P2P) file sharing program is not detected”. This is wrong on two entirely different levels.

The first one is conceptual. Having a P2P program installed is not a security risk by itself. Some of them are problematical, even very problematical, true. But not all, and not by the definition of being a P2P program. The risk is in what files are transferred with them.

But marking a P2P program as dangerous because you can pass bad programs in it is akin to saying having an email program, a web browser, or a CD drive, is bad for security. All true, but I didn’t see ASM complain about any of those.

The second one is that this computer actually had P2P programs installed. It’s not my main computer, so they’re old, and haven’t been used in many many months. But it has both KLT K++ and SoulSeek installed. Both are P2P programs.

I can forgive it for not finding SoulSeek, it’s not very mainstream. But missing a Kazaa Lite variation? Kazaa is one of the most problematical (from the security and privacy point) P2P programs out there.

And then it has the “PC Utilities” category, where I received an Unknown score because it didn’t find any PC Utility it cared about. Already questionable, since if not having them isn’t a cause for a bad security score, then they shouldn’t improve the security score when they’re there.

It had two points to mention here.

One item on the “PC Utilities” category was that “A PC optimization program is not detected on this PC”. What does that have to do with security? Actually, what is a PC optimization program supposed to do? There are tons of various optimization programs, doing totally different things, and many of them entirely not useful anyhow.

So I clicked their “Lean More” link to see what are they referring to. On the page they mentioned the built-in Windows utilities such as Disk Defragmenter, ScanDisk, and Disk Cleanup. All of which I have, of course, since they come with windows. And mentioned that there are better third-party tools for that.

True, but not relevant for security. This is supposed to be a security tool, so commenting on people not buying expensive programs (and programs most people usually don’t need) is out of place.

The second item in the category was that “A file backup program is not detected on this PC”. Here I can accept the security angle, since having backups is also good security. But the claim is nonsense. Especially considering their added explanation that they basically refer to anything used to backup files in a different location.

I have two different FTP programs installed on this computer, FileZilla and an older copy of SmartFTP. Both can be used, were and are used, for backups. I also have SyncBack installed on this computer, mostly for some test purposes, but it’s there and there’s no way for ASM to know what exactly is the usage pattern. So not finding any backup programs (Hey, ASM, listen up! Just copying files to a remote computer over the network is also a backup!) just indicates that it doesn’t pay attention. I do have backup programs installed.

Worse, one of their recommended solutions to the backup problem is to use “Xdrive: the most trusted provider of secure online storage”. Xdrive was acquired last year by AOL, so their incentive is clear. What’s also pretty clear is that Xdrive is far from being a trusted storage provider.

If I’ll add all the points I didn’t get the security score is an impressive 98 (57+6+13+22=98). Which is a good score. But, well, if I compensate for everything wrong, then why 98 and not a full 100?

I have two more general notes. One is that ASM decided I’m from a roaming location. I’m not. It’s a fixed desktop computer, with a fixed network, and a single active user. No roaming. At all. But since it doesn’t say what makes it believe I’m roaming, I can’t get it to change its mind.

If it can’t get this detail right, why should I trust it to get anything else network related right?

The second general note is that ASM uses IE to open all these additional information pages. It has them installed as HTML files on the hard drive, which is fine. But my default browser, and the program set to open these files by default, is Firefox. Which means ASM runs IE explicitly and on purpose.

Why would a security tool choose to intentionally run the least secure of my three installed browsers?

All in all I’m really not impressed.

I’ll run it again later on, using a second computer with Windows XP Pro, a different AV program, different P2P programs installed, and somewhat different settings. But I don’t count on being surprised by a sudden improvement.

On the bright side, the uninstall program seems to work perfectly…

I think copying here the email I just tried to send my bank, “Bank Leumi“, would cover pretty much all the points I want to mention.

Identifiable information replaced here by asterisks.

Hi.

I’m probably sending this to the wrong address, but the Leumi website did not have any more relevant contact address on it. This is also something you may want to attend to, for people wanting to contact the bank on something not directly related to the website.

Last night I was trying to withdraw money from the ATM machine on Leumi’s branch in *** (I think branch ***, but not sure) .

After inserting my card and typing my PIN the machine presented a list of option which did not include the option to draw money.
The main screens, before I started the operation, did not announce that this ATM is out of money. It wasn’t noted anywhere. Only in the inability to withdraw.

The ATM itself seemed to have been changed since the last time I used it to withdrew money, so I was concerned this may not have been a genuine machine, and wanted to contact someone to verify.

The main contact number printed nearby was the *** for Leumi-Call, which wasn’t working at this hour. There was another sticker with a number listed for use in “severe malfunctions” ***, so for lack of a better alternative I called it.

I explained the situation to the person there, who said that while he has no way to verify that the machine was not altered, the behaviour is normal for ATMs who are out of money. I double checked with him that the ATM indeed does not notify in advance that it’s out of money, and he confirmed, saying that it’s because they are used for additional purposes like checking the balance.

To be on the safe side I went over by the bank today. The ATM worked properly, and everything seemed to be in order.
The whole incident, however, left a bitter taste, and I have some strong recommendations:

1. Have the bank fronts provide a contact number which is more obviously fitting for cases like these. This should be on the bank, from the inside pane of a glass/transparent-door, so it will be obvious it’s a real number and not part of a scamming attempt together with a potentially false ATM.

2. An ATM which is out of money should always announce it on the display, *before* people enter their cards. Yes, the ATM has other uses, but they are comparatively minor, and are a lot less worrisome when not working.

3. If a customer is calling worried about a possible scam or false machine, you should have a way to check that. As far as I know all these ATMs are connected to some central computer, so there should be a log of activity. If the person I talked to would have told me that he sees a record of my card being used in the ATM I would have known for sure what was going on, instead of staying mildly worried till morning. And on cases of a real problem, someone then could have been alerted to it earlier.

Thank you, and awaiting to hear your reply,
Yaron.

P.S. On a non-related issue, but one that also deals with security, having the “information security recommendations” page on your website require running a Flash file is… counter-productive.

Not that the website issues are a big surprise with them, nothing much improved since the last times I actually tried to use their website.

Last minute update: I was just about to post this, when I got back a bounce message from the bank. I sent it to two email addresses listed on their contact page, one for support of their “direct surfing” service (which is basically the website), and one for support of their “premium service” customers.

The only addresses there were those two, and one for help with their monetary trades section, so these two seemed the likelier candidates.

Except that according to their mail server the premium address doesn’t exist, and cannot receive mail.

This is how you know a bank is serious. They treat their regular customers better than they treat premium ones. I love it.

I did send another mail to the first address, telling them about it. This time it’s actually well within the boundaries of what they’re supposed to deal with.

A refreshing change (well, a change anyway) in all those scam attempts (Nigerian 419 types, or otherwise) everyone keeps receiving in email.

My brother received one in the mail. Regular mail. In an elegant envelope, printed on elegant stationary, and everything.

I know that these things also happen, and probably happened for a long time before email became so ubiquitous, but it’s certainly much rarer, and nothing I personally encountered before.

This one was a variation on the lottery scams.

The paper, addressing him by name, claimed to be from the Spanish elGordo lottery. And informed him that he won something like a million Euro.

Of course, not having ever purchased a lottery ticket in Spain, that’s not very likely. But they did have an explanation, this was a lottery done by randomly picking people from around the world as winners. Very convincing, no, to just randomly pick people and give them money, no need to apply?

They also mention that the money is transferred by a third-party, some security/insurance company, and that they’ll need to take 10% of the winning money as a commission for processing it. Another very convincing claim.

And there’s an attached form asking for all sorts of personal questions. Plenty of personal information, quite possibly enough for someone to even get into his bank account, for example, or for other identity-theft related reasons.

And most typical, though what I still find most peculiar about all of those scam attempts, the English was terrible. They did improve on the average by not having many spelling errors. That’s something that’s very rare for the emails. But the syntax and grammar, ouch. It hurt just reading the thing.

I admit, it’s quite possible that some random Spaniard off the street will use that as English, and expect it to be fine. I personally correspond with company clients from abroad who have worse English. But not when what’s written is supposed to be an official letter, sent by a respectable authority, and involving those amounts of money. And lottery foundation that can afford sending millions of Euros as prizes can certainly employ someone with reasonable English skills.

But those scammers apparently never can. Not once. Ever.

Sometimes I think these guys will have much higher success rate if people would only ignore those flimsy scam attempts because they make no sense, and not also because they have terrible grammar. With that language one can hardly even begin to try and take what’s actually written seriously.

And unlike the emails version, sending those real letters cost money. There’s postage, there’s the envelope cost, there’s printing the stationary on quality paper, stamping the paper and envelope with all sorts of official looking stamps. All sorts of stuff. So if they’re sending a large bunch of those, at least paying someone to go over the language would make sense.

Oh, well, can’t complain.

What I did find, however, is that throwing up these absurd amounts of money is actually helpful. It should have been obvious from the get-go that this is a fake. It was obvious from the get-go that this was a fake. But my brother, and my parents, still tried to check, and asked me several times to check, just in case maybe it is true.

They got annoyed when I told them, what they knew, that there isn’t a point in wasting time checking. They insisted. And when I actually checked, and reported back about the numerous reported cases of these scams, and obviously nothing real of the sort, they still kept insisting to maybe check again.

Almost sad to know that I share the same genes…

They got over it eventually. I just became more rude in pointing out all the obvious problems very clearly. But hey, send something that make no sense with a bait of a thousand Euro, and you’ll get instant scepticism. Do it with a million, and you’ll get a higher scepticism, but combined with a higher willingness to ignore it.

Depressing, actually. Even people who are relatively well off, and don’t need it, still get a little silly when the possibility of plenty of easy money comes off…

The supportive argument my brother came up with that most amused me was that they knew his name and address, and how could a scammer know these? Even before addressing the question, this is obviously a pathetic excuse, since by the same measure how would the real Spanish lottery know them, when he didn’t buy a ticket (or ever even been to Spain) ?

Just because something is an official institute doesn’t make it easier for them to know details that “nobody can know” compared to anyone else.

And, naturally, things like names and address are in lots of places. Easy, too easy, to know. It’s a major privacy issue, but also a part of life. Everyone (hermits and total paranoids excluded… sometimes) leaves their information in too many places. Almost any business or service someone interacts with will collect information, which can sometime include address. Plenty of government offices will as well. There are probably so many different registries that contain my brother’s name and address that guessing which one these scammers took the info from will not be possible.

Not for him/us, anyway. The police may be able to. If they get enough complaints, and can cross enough of the people somehow. But that’s doubtful as well, given how prevalent this information is.

At least nothing came off it, except for the amusement value. And the envelope and paper as small mementoes, if the police won’t impound them for investigation…

My flight to London, this time, was through Stansted airport.

Stansted is located outside and to the north of London. Quite a bit of distance from London, actually. Certainly when compared to Heathrow airport, which is the one I usually associate with London.

It’s possible to get to the city with buses or taxis, but because of the distance this is a far less attractive option and the train service, the Stansted Express, are pretty aggressive in advertising their availability there.

I was particularly amused by this huge sign with a very direct message saying “There are 571 traffic lights between here and central London.”, leaving it to the reader to decide that maybe risking standing all those lights (as statistically improbable as it may be) isn’t a good idea.

I landed in the morning, and wanted to make the most of the day, so taking the 45 minutes express train seemed like the preferred option. It cost a little bit more, but spending the extra time in London instead of in transit is probably well worth it.

Passport control and baggage reclaim passed relatively uneventful, except for the usual proofs that this is a very small world and wherever you go you’ll always see someone you know:

• Somewhat ahead of me in line stood someone who I was friendly with during my military service. A nice guy, but odd (and coming from me that means something). He was even far worse than I am in the whole social business of keeping in touch with people, so it’s not too surprising we didn’t keep in touch.
  We got to talk a bit when the queue twisted in a way that brought us right next to each other (across a separator line). Turns out he was there to proceed to some film festival. And this despite him being in university, and the semester actually being in progress. We chatted a little, and exchanged a few pleasantries, but that was that.
• Right behind me in line were a few woman who I was pretty sure came from my city, though I wasn’t sure if I know them because I saw them long ago in school, or because they’re patients of my father and I saw them in his clinic. We didn’t talk.
• Further ahead of me in line was someone who looked, and sounded, exactly like a relatively well known Israeli actress, Liora Rivlin. I didn’t cut through the line, shoving people aside, to ask, so I can’t be sure, but there was a very close resemblance.

Then I passed customs (Yes, they need those Landing Cards that they give everyone on the plane, and yes, I have to fill in a local address on it, even if I’ll be switching hotels and travelling all the time so the address I give them is essentially only relevant for a single night), bought the train ticket, and proceeded to the train platform.

Where the real fun began.

I had with me my suitcase, and my carry-on bag. The bag is a shoulder bag, which I’m used to carrying pretty much always. The suitcase I naturally never carry around, and is just for travel.

So I stopped on the platform to look at the train routes and stations, to decide where I need to get off. And I left the suitcase for a second to take a pamphlet with the train information. And because the bag was still on my shoulder, everything felt fine, and I went on the train. Without, mind you, noticing that I left the suitcase on the platform.

Yes, I’m an idiot. Can’t explain it any other way.

About 8-10 minutes after the train left, I noticed that I’m missing my suitcase. I had a quick look around, just to make sure (I changed seats a few times after getting on the train, since it was relatively empty and I wanted to see which was most comfortable), but no luck.

This is when all the bad possible scenarios started running through my head. Accompanied by the knowledge that those bad scenarios are actually the likeliest scenarios.

One bad scenario which I actually didn’t think about was that someone may have stolen the suitcase. I was more concerned about the security response. Which makes sense, since the chances of station security noticing, or being alerted to, an abandoned suitcase are much larger than the chance that someone who just got off a plane and has taken the train will see a suitcase and decide to take it.

As for what station security would do with the suitcase, the only model I had to work with was the Israeli one. That’s the one I’m familiar with. And since the British seemed to claim to be on high alert, especially after a few cases of bombings in the trains and underground, it made sense they’ll have a similar model.

Which means that seeing an abandoned suitcase on a train platform, and one in an airport to boot, should make them think it may be a bomb.

Around here, they’ll evacuate the platform, and call the bomb squad. Depending on procedure, and on how worried they are, they may close and evacuate large parts of the airport.

Major incident, certainly newsworthy. Getting my 15 minutes of fame is fine, but I’d really prefer not to have it as the tourist who temporarily shut down a busy airport because he forgot his suitcase. Not to mention the prospect of losing most of the day in answering questions for pissed off police officers and security people.

Not only that, but if they had a really quick response time, and the airport had bomb-squad people on-hand, I may have found that somebody had already tried to put a bullet through the suitcase, or destroy it in some other way.

Hey, they even say so in their Safety and Security information page:

Please make sure your keep your baggage with you at all times and alert staff to any unattended package or bag – abandoned baggage causes security alerts and may be removed and destroyed.

Fun, fun, fun.

I caught the conductor on the train in a hurry, and explained that I left my suitcase on the platform. He asked for a quick description, then called in to the station administrator’s office.

The conversation was shorter than I expected. He didn’t start by asking them if they already found a suitcase, or if there’s a problem, or anything. He started off by saying hi to the guy who answered, and directly telling him that he have with him the owner of the green suitcase and is sending him back.

They didn’t ask what suitcase he’s talking about, which meant he was right in assuming they already found it. This just made me more worried, since if they already found it then they already had the time to do something about it.

Luckily the train had one stop between the airport and London, and I noticed the lack of suitcase a short while before we got there. Otherwise I’d have had to wait all the way to London before being able to return back for my suitcase. As it was the conductor just told me to get off on the station, and pick a train back.

The train back wasn’t due for quite a while (A Stansted Express train goes every 15 minutes, but the ones going to the airport don’t always stop at the same stations as the ones coming from the airport), but I approached a station employee who told me I could get back faster by taking another train a few stations back, then switching there for the following express train.

This went smoothly, and pretty soon I was back on the train platform in the airport, looking for the station administrator’s office. Wondering if I’m in a huge mess or just a big one, and hoping that my luggage is safe.

I reached the location, which was an office with a few uniformed people. One was standing outside the door, and asked me who I was.

I replied that I’m the idiot who left his suitcase on the platform (in pretty much these exact words), and waited to see what sort of a welcome I’d get.

He told me to hold on, went inside the office, and brought my suitcase out (whole). He asked me if this is it, and I replied that it was.

I got a “there you go, bye”, and that was that.

Seriously.

No questions, no complaints, no yelling, no nothing.

They saw the suitcase standing alone on the platform, and all they did was to bring it in to the office, and wait for someone to come and claim it.

On the one hand this is pretty bad security practice. Had the suitcase contained a bomb, or had it been booby trapped, it would have gone off and caught the security people and whatever passengers were nearby.

On the other hand I was, naturally, extremely relieved. The whole episode had cost me only an hour of time, and nothing else besides. And a large amount of other passengers didn’t have to have their plans put in disarray just because I’m an idiot.

I guess that this sort of thing happens often enough that responding in any other way is really not a cost-effective way to handle forgotten luggage.

I got on the next train, double checked that this time all my belongings were with me, and headed on to London.

Apparently the connection between the fingerprint reader and the computer isn’t properly encrypted, so it’s possible to connect to it and read the fingerprint data. Or to send fingerprint data that was recorded earlier.

It’s not really much of a news item, though, because the device isn’t intended for security purposes, and Microsoft doesn’t sell it for security uses. The research was to find why they don’t, because fingerprint readers are pretty much smack down in the category of security and authentication gear. That’s their classic, and most obvious, use (Despite the many problems with biometric, which now is not the time to go into). So the fact that the research found a problem shouldn’t surprise anyone too much.

Even if some customers assumed that it can be used for security despite the manufacturer’s recommendations.

The point I found interesting is this response by the CTO of Digital Persona, the company from which Microsoft licensed the technology for the device:

Digital Persona would not comment on why Microsoft may have turned off the product’s encryption capabilities, but one company official said that this decision is unlikely to affect the security of its users.

“The fact that they turned the encryption off, I would argue, does not in a practical sense open up any security holes,” says Chief Technology Officer Vance Bjorn. “Even with the encryption off, you’re going to have to basically have physical access to the person’s machine to crack into it.”

He claim that it’s not a problem, because it would require physical access to the computer. This is, while accurate, totally silly and besides the point.

Fingerprint readers are intended to be used against people with physical access to the computer the scanner is attached to. That’s the only case in which they work. A legitimate user with no physical access will not be able to have their fingerprint scanned. Physical access is required by design.

So saying security holes are not opened just because it would require physical access, is actually saying that the device is meaningless from a security standpoint. You need physical access to hack into the machine around the fingerprint scanner. But you also need physical access to use the machine by using the fingerprint scanner. Ergo the fingerprint scanner is meaningless.

Which is basically what Microsoft implied to begin with, but entirely not the point the CTO was trying to make here.

In my own army unit they had strict limitations on phone usage. Well, not all that strict, we needed to talk on the phone, and we could. But there was a limit. And if a department strayed from the limit, they noticed. Quickly. And the department was reprimanded. In some cases repeat offenders simply had their phones cut off, or limited to only certain outgoing numbers, for a time.

The British Foreign Office, in comparison, is much more lax on phone usage. It can take them more than a year to notice very excessive charges. To destinations which were not related to operational needs. On phones that were stolen (but they didn’t notice this too, so that may be a good excuse). In Iraq.

It certainly was not part of Britain’s plans to win the hearts and minds of the people of Iraq. But the Foreign Office has been apparently paying for an adult sex chatline in a Baghdad street for 17 months without knowing it.

…

FO officials had already admitted that the lost phones had cost them £594,000 in unauthorised phone bills but it is now bracing itself for an extremely critical report from the Commons public accounts committee on how it came to pay phone bills, which at one stage hit £212,000 in one month, without asking questions.

…

Sir Michael said initial inquiries had revealed a series of blunders. The phones were already activated when they were sent to Baghdad and they were not properly logged in – so no one realised at first that they had been stolen. None of the bills were initially challenged until people realised the phones had gone missing.

This is such a long string of errors and blunders, one after the other, that it would have been really sad if it wasn’t so funny. Or maybe the other way around.

When shipping something abroad, they should track it. Always. If it was sent, and nobody received it, someone should have noticed. Private companies track inventory. Military units track inventory. Why can’t the British FO track inventory? Yes, there are items which aren’t tracked individually, but come on, a mobile phone isn’t exactly a paper-clip.

The fact that they didn’t monitor the billing for those phones is also amazing. The 17 months the article mentions is over a fiscal year. The charges should have been noticed after a month, I think, but not to notice such a bill after a whole year is almost beyond belief. I can’t think of any organization with such a free calling policy.

And these aren’t phones in an office at their HQ. These are phones sent to a foreign country, with all the confusion and potential problems that this entails. How can anyone expect that everything will be alright, and that no monitoring at all will be needed?

Not to mention, they also obviously didn’t screen the phones for permitted and forbidden destination. In an office, in the UK that would have been understandable. Too many places someone may need to call. But in the field, in Baghdad? These phones should have had a pretty limited list of allowed destinations, with a procedure set in order to allow others. And tight monitoring to make sure they’re not used otherwise. I believe those phone sex lines were not officially approved by anyone.

At least that’s one sex scandal that will be duly paid for by the guilty authorities, and in hard currency too.

I don’t smoke, and I hate the stench of smoking. Many people, at least those who don’t smoke themselves, do too.

So for a smoker who craves another cigarette, it is usually considered polite to go outside for that smoke. Smoking a cigarette inside a building is very rude, as the smoke reaches everywhere, takes very long to dissipate, and can get the stench into furniture and clothing. When going outside, most of the smoke disappears into the atmosphere, and when the smoker gets back in they usually don’t carry with them anything more than really bad breath.

This is so common, that for many smokers it becomes automatic. When they feel they need a cigarette, they take one, and head outside. Usually they’re even nice enough not to actually light the thing until they’ve cleared out of the building.

On some cases, though, this habit isn’t always the best idea, though the exceptions are pretty rare:

Sellies was traveling on a Cathay Pacific flight from Hong Kong to the east coast city of Brisbane on Saturday when the incident occurred at the start of a three-week Australian vacation with her husband, the court heard.

She walked toward one of the aircraft’s emergency exits with an unlit cigarette and a lighter in her hand and began tampering with the door, prosecutors said. But a flight attendant intervened and took Sellies back to her seat.

A very simple rule, actually: If you can’t go outside, don’t go outside to smoke. And if you can’t go outside, and can’t smoke inside, don’t smoke.

I’d go as far as to say just don’t smoke ever, in general, but that’s beside the point, and the relevant people won’t listen to me anyway, so I’ll pass.

Defense lawyer Helen Shilton told the court Sellies was terrified of flying and had taken sleeping tablets with alcohol before takeoff.

Shilton said Sellies has no memory of what happened on the flight and that she has a history of sleepwalking.

In her defence, the women probably really was totally drunk at the time. On the other hand, I’m not sure being totally drunk on a flight is such a great behaviour either.

My bank has a website allowing to perform most (though for some reason not all) activities in the account, and see the current status.

Since my income is more or less the same each month, and I have my regular deposit instructions, I rarely have the need to go straighten things out at the site. I do get over to the bank occasionally, so it’s simpler to just step in and talk with the investment consultant (or whatever the official term is) in person.

All this to say that I haven’t used that site in quite a few months. But now I did have a somewhat larger amount of money sitting in my checking account, and I figured it would be simpler to put it on something bearing interest rate through the site, instead of going to the bank in person.

I entered the site, put it my user name and password (OK, it’s a bit more complex than that, I’ll get to it soon), and was surprised to see that they’re not valid. I checked, and it turns out my bank is a believer in the idiotic concept of password expiration. In their opinion just because a few weeks have passed, never mind actual uses of the password or what I did with it, the password is suddenly less secure. And since I wasn’t on the site at the time frame where they would have asked me to replace the password, they just expired it.

Well, off I went to the bank to deal with the money, and while there I also asked them to reset the password. There wasn’t any problem with that, and they gave me one of those automatically printed sealed envelopes with the newly generated password inside. Which like all such bank password is the absolute best (yes, I’m being ironic) in secure passwords, being a short string of numerical digits only. Funny, that.

At home, I tried to log into the site again. Now, most anything password protected has a user name, which is supposed to make sense and be easy to remember, and a password, which is supposed to be non-obvious and secret. They don’t.

They have a user name, but that user name is assigned from the bank, and seems like a short random string of letters and digits with no obvious relation to my name or bank account (and it would have been a better password string than the auto-generated one they gave me).

They have a password. The one I was given, which after signing in I would be prompted to change.

And they have an “identifying field”. Which in my case is my account number, zero padded. I have no idea what’s the point in that, since the whole concept of the user name is to be uniquely identifying per user. Why would anyone need both the user name, and the identifying field? Plus, if the identifying field is so obvious then it serves no practical security purpose.

So I filled in my details on the simple web form, which was, as it should be, SSL encrypted. And I pressed the submit button. Which did nothing whatsoever. Their Javascript sucks, and doesn’t work in Firefox. Effectively the whole site doesn’t work in Firefox. Just in IE. Because banks want to be as secure as possible, and what browser is more secure than IE? Practically all the rest of them, these days, but apparently my bank doesn’t know that.

So I switch browsers, and login. What I expected was to be asked to replace the temporary password with a new one, and this is indeed what happened. Except the form I received wasn’t one for replacing the password. Instead it was titled as new user creation, which is a bit confusing since I was using the exact same user name, and accessing the exact same bank account. Not only that, but I had to enter my same user name and identifying field here, or it wouldn’t accept them. So it was a password change screen, but very wrongly titled and labelled.

I entered my details, and new password. And wanted to log in into the site. I was transferred to a page telling me the site was generating a new key, and then it asked me to install and run an ActiveX control. I refused, and received an error that the key could not be generated, and I cannot access the account. Why would they need an ActiveX control running on my side in order to allow me secure login in beyond me. As I mentioned, their site already supports SSL. Implemented correctly, than more than good enough. Certainly better than whatever proprietary scheme they and their ActiveX control are implementing, which can contain a large number of bugs and weaknesses they don’t know about.

But I did need to access to site, so I tried again, this time giving permission to run an ActiveX control on the page. After a few seconds it happily told me everything went fine, and I was redirected to the main page of the site.

And was confronted with a very large web form, titled as new user registration. Only unlike the previous one that contained only the user-name/identifying-field/passwords, this one contained fields for my real name, address, and lots of other personal details, all on its first part. Its second part had a list of areas of interest, with a field for email address to receive news from the bank about them. The third part allowed me to enter an email address or cellular phone number (for SMS messages), and had a EULA. This legal agreement started off by stating that I’m interested in the bank’s service for receiving various publications on financial services.

I don’t want their news, and I don’t want their services. The whole form, all three parts, had just one “Next” button. Meaning that I either accept everything, or nothing. I could potentially enter my personal details, and leave all the other items unchecked and unselected, to indicate I don’t want them. But that EULA prevents that, as I have to agree to it before proceeding. And I wasn’t willing to do that.

So was I in a problem? Were I unable to register to the site? Not at all. The site menus (Two of them, both at the top of the screen, and at the side) were already there, and I could navigate to other pages without a problem. I could see my account details, and manage my account and money, no problem. Which to me strongly indicates that I’m already registered to the site. So why do they give me, every time I logged in since then, a form titled “Site Registration”?

I went away, to tour the site. Lots and lots of requests, on nearly every page, to run ActiveX controls. And do you know what they seem to do with those controls, that was so complicated that it couldn’t be done with plain HTML, or with some Javascript? Tables. Yep, all those simple data showing tables, they were implemented using an ActiveX control. Idiotic. Stupid. Moronic.

They also use some VBScript on the site, intermingled with the Javascript, but that’s a whole different problem. And since the thing won’t even let you enter if you’re not using IE, then it doesn’t really matter by this point. Except that they also didn’t quite do all that VBScript well enough, as evident by helpful messages I received such as:

Microsoft VBScript runtime error ‘800a0009′
Subscript out of range: ‘[number: 0]‘
/Premium/SPECIFICFILES/Premium/AM_MyAsset1.asp, line 85

The site, BTW, is extremely slow. Very very very slow. Page loads can be in the range of 10, or sometimes double that, seconds. And because it’s all done with those controls, and with frames (Yes, frames. Frames are getting very unpopular everywhere, but this site still loves them dearly), it means that the browser indicated that the page has finished loading rather quickly, with the page still being totally blank, or with gaping white holes. There is no way to know that it’s still getting the page, except to wait in the hope that it’s working and not stuck. Very bad design, that. It’s bad for a quick site, but it’s terrible for a slow site where you have this dilemma on every single page load. And some of the times it really did die (either that, or I was just too hasty in refusing to wait more than a whole minute for page load), so it’s not as if every time I waited enough the page eventually came through.

This is Israel here, and the language is Hebrew. The site was in Hebrew as well. And most of the time everything went fine, giving the browser no problem. The characters were in the correct code page, and in the correct writing direction (Hebrew is RTL, not LTR like English). Except that some page weren’t. Not entirely critical, since it’s possible to select a different code page through the browser, but it’s very unprofessional. And can be quite confusing to computer illiterate users of the site.

And while most of the functionality was there, some pages were clearly broken. Some of the pages, showing certain types of deposits, has a disabled drop-down list of the bank accounts, and no details. This despite the fact that I have deposits of the relevant types. So some parts of my account are not accessible from the site, even though the site is visibly designed to deal with them.

More amusingly, these drop-downs are badly designed. Usually they work simply enough, defaulting to the main account, and allowing to select another one, or some relevant subset. But some pages gave it as a selection, with a “next” button, and the default item was “All Accounts”. Which sounded fine to me. But the “next” button didn’t want to go anywhere. I had to open the drop-down, and select one of the other options, for a specific account. I assume “All Accounts” was not so much an option as the name of what the drop-down list showed, and they should have either eliminated it as an item, or named it “please choose…” like all those standard web forms wanting you to choose a value without a default.

Another interesting design decision was to put access to preferences/settings/options both on the top menu, and the side menu. The one on the top menu even had this cute little icon next to it, and accessible everywhere (the side menu changed based on the area on the site). Naturally I tried the one on the top first. Which, regardless where I pressed its link from, just redirected me to main account details page. The one on the side menu worked well enough, though.

Not that it turned out to be interesting. There was an option to change the password. There was an option to change the identifying field (Did I mention already that I have no clue what is the point of that field?). There was an option to see the system details (running about 3 different ActiveX controls, which do complex things like check if the browser supports Javascript and VBScript). And there was an option to change the disk settings.

What are disk settings, you ask? Good question. In the long long past, when they just went on-line, they also didn’t trust SSL. So they had this external program used to encrypt (hopefully) the communications to the bank. And it kept the encryption key on a diskette. The idea was that you could take the diskette with you, so nobody could access the account without you, and yet you could access it from everywhere. Yes, whoever designed that wasn’t too bright, I agree. But that’s the way it was.

These days they don’t really use those disks any more, but the terminology still involves them (When getting the password, I had to sign a form saying I received a disk, and am agreeing to keep the disk secure. Yet no disk was involved. Seriously). And this page seemed like it allows to choose to actually require the usage of the disk for some sorts of transactions. I didn’t try to make the change, not having a disk and all, so I don’t know whether it actually does something, or just there since they hated to lose the screen after working so hard to design it.

Oh, they also had a page there stating that the site is best viewed under a 800×600 resolution. This may be a good time for me to state, in case anyone doesn’t know it, that most people use 1024×768 or higher. 800×600 is so passée.

Which leaves us just with the fascinating subject of “mail”. See, they have two totally different things. One is messages from the bank (Of which I had none, despite not checking them for months and months). The other is “mail”. Which, as it turns out, includes messages from the bank.

I think the term “mail” refers to the fact that these are the same message they send you in the post if you don’t get to check them in any other way. Since it would eventually become mail if they have to send it, they decided it must be mail in any case.

It did make me hope that maybe they will allow reading them like mail message. Getting them through an encrypted mail server would be both secure and comfortable, since I could easily set my mail program to check it automatically, and to read it comfortably. But no such luck, any relation to Internet mail standards is totally non-existent.

The main menu page shows in the corner the amount of unread “mail” messages. When I logged in there were four. After I read them there were, obviously, none. Yet as I kept navigating the site the number there kept changing. Sometimes I saw there weren’t any unread mail messages, and sometimes it showed there were four. Excellent refresh there.

I went to see the mail. There was this table, with the subjects of the message, the date they were sent at, and the date they were “downloaded” to the computer (which was blank at the first view). It was possible to click on one in order to open a new browser pop-up window with it. And there was an option to mark some of the messages (no “select all”, I had to go one-by-one through the lot of them) and download them to the computer. Downloading them seemed like a good idea, since according to the text on the site if I read them on-line then they won’t send them in the mail, meaning that I’ll have no confirmation of ever seeing those messages. It also means that from now on I’m not checking “mail” on the site.

I pressed the download button, and got to a screen with some explanations on how to read the downloaded messages. Apparently it requires a password. The password consists of the number of the branch of my bank I’m using (not secret, and in the bank’s listings), the digit 0, and my account number (also non-secret, and printed on about any interaction with the bank whatsoever) padded with 0s to eight digits. This is presumably the exact same way a password would be built for any other user on the system. So it doesn’t serve security against any attacker who is even half-serious.

I pressed the download link again. At which case IE showed a message that it blocked downloading an unsafe file. This is IE’s nice way to say that it doesn’t let me download executables, even if I want to, unless I approve them specifically. So I navigated on the short menu to where I can select to allow downloading this file for this time. Except by the time I done that I got redirected back to the main account page of the site, and didn’t get the file.

After a few such futile attempts I realized that the only way to download it would be to add the bank’s site to my secure sites link. Because I totally trust the people who design a site so well, requiring me to run their code on every turn, and even have me download an executable just to read some textual messages.

But that’s the only way to get the file, so that what I temporarily did. I then went to the mail area again, selected all the message again (they all had a downloaded date by now, the site didn’t notice my browser never asked to actually download the file it generated), and went to download them. I read again the password instructions, and pressed the second download button (the password instructions are all you get after the first one).

Stopping to read the instructions may have been a mistake. I started the download, and most of the way though the download hanged. Either they have a really bad connection, or they want to (for security reasons? Such as what?) expire the file quickly after generating it, assuming everyone would download it very fast. In any case all I ended up with was a corrupt file I could do nothing with. I had to clear the browser’s cache and download it again (without clearing the cache I just got back the same corrupt file, since the generated file had the same name).

Finally I downloaded the executable file. It was a self-extracting zip archive. Which, if you run it, is set to automatically create a folder of the same name inside the current folder, open everything into it, and run an exe file inside there. No questions or confirmations asked. Very rude.

The internal executable has the original name “Decrypt”, which had the internal name of “CPExplorer MFC Application”. No request for downloading the MFC libraries was made, so I guess on many computers the thing will just refuse to run. It also shows that possibly the bank didn’t write it, and didn’t think to change the name to something containing their own.

It also came with a DLL file called “DES3dll.dll”, so I guess the encryption they’re using is triple-DES. Though why send their very own implementation is, again, beyond me. Very odd.

In addition, the directory contained lots of HTML files and image files. Just what the site showed when reading those “mail” message. Except that the HTML files were encrypted, and appeared like junk at first glance. Though that didn’t stop them from keeping the html file extension, instead of naming them something else.

When the program was run, it opened a screen asking for the password. This password window did not appear in the task bar (So it’s not as obvious to some people how to switch to it), and did not have a title bar (so couldn’t be moved from the centre of the screen).

If instead of entering the password I pressed the “cancel” button, it closed down, leaving the created directory and files intact. Same if it was run with the password, and later closed. So many of the bank’s users must have lots of these leftover junk files still on their drives.

After entering the password, a window opened with the main html file of the index. A simple table of the messages. Clicking on the link to any of those caused the program to copy it into a temporary folder, decrypt it, and show it.

Except that it didn’t. The file names of the messages were in Hebrew. And since apparently their program isn’t UNICODE, it couldn’t find the Hebrew file names. All I got was an error message that the files cannot be found, with a garbled file name of how the Hebrew name looks like in Western characters.

The solution for that on Windows XP is to change, under regional settings, the default code page of non-UNICODE programs to Hebrew. I have no intention whatsoever of doing that at the moment. Not for this stupid “mail” reader of my bank, in any case.

Bad, bad, bad programming and design all around…

A State audit of Michigan’s Department of Corrections shows that since October 2003 there were 23 prisoners who were released on the wrong date. Well, the audit only found 8, but they caught more when they actually started checking after the audit.

The State audit report shows errors in the release dates of 23 prisoners between October 2003 and March 2005. Some were let out early, while others were let out late. Either way, the computer flaw that led to the problem leaves 1 lawmaker concerned.

Prisoners let out early is a problem, since they don’t serve their time. If you lock someone in jail for a long time, you want them to stay there, not to get out early. That’s understandable. And while no murderers were released, there were still some non-trivial crimes there.

prisoners who were doing time for everything from embezzlement and drugs to bad check writing

But what really surprises me is those that were released too late. These people must have lawyers. And I doubt any of them missed the fact that they’re locked in jail. So when their release date, as set by the original sentence, would have passed without them being released, they should have raised hell.

How could they missed that? Would anyone, would a sentenced criminal, stay in jail for more than they had to? Just because the date on the computer is different from what they, and their lawyer, know it should be? Would that really wait until a state audit was performed before it was found out? Not bloody likely, even though apparently that’s exactly what happened.

The article was also a bit sparse with technical details about the glitch. That they don’t say anything beyond repeating several time that there was some computer glitch or flaw. Generally it probably doesn’t interest most of the potential readers, not nearly as much as the fact that some criminals were released too early, but as a computer programmer I’d still like to know.

The audit reports shows all the details of what happened. A flaw in computer programming caused State jails to release 8 prisoners anywhere from 39-161 days early

At the top of my head I can’t think of any bug that would cause a computer program to make a mistake in that range of days. Though of course that doesn’t mean much, since the article only lists a part of the range of delays, not detailing what happened with the other 15 prisoners beyond the fact that they were released either too late or too early. Not to mention that it’s a rather small sample size of mistake.

With those vague descriptions I won’t be at all surprised if the glitch wasn’t in the… data entry system. And yes, by data entry system I’m talking about the person typing in the dates. That could account for all the mistakes very easily. It’s easy to press the wrong button occasionally. But that would mean someone would have to pay, while if it’s just a computer glitch:

They say they’ve already taken steps to correct the computer glitch and will continue to work until the problem is taken care of.

I was also unable to find a follow-up article, from a few days later, about the subject. Surely a simple date handling routine in a program could be found and fixed in a few days, so there should have been a proud statement about how they fixed it. But no, all’s quiet. No further details on anything. Excellent news reporting.

I also wonder what compensations will people who stayed over-long due to the glitch will receive. Are there any lawsuits about it already? And would the people who were released too early be dragged back to jail, to serve the reminder of their sentence? Treatment should be the same for both sides, no? Either accepting the mistake as is, or trying to come as close as possible to fixing it.

Impressed with their performance?

That audit shows the State Department of Corrections is only moderately effective when it comes to accurate prisoner release dates.

Not the way I would define moderately effective myself. Maybe they work by a different dictionary over there in Michigan’s Department of Corrections…

[Edited 22/11/2005: minor fix of lacking HTML tag, no content was changed]

In Kentucky they take the war against terror seriously, and like to cover all the angles. Terrorist activities need funding. Heck, everything needs funding, and terror is no different. So one of the things to do to fight terror is to try and block their avenues of obtaining funds. And the fine people of Kentucky have started acting in earnest to stop a major gaping hole in the terror-funding blockage: Bingo games

Kentucky has been awarded a federal Homeland Security grant aimed at keeping terrorists from using charitable gaming to raise money [...] The idea is to keep terrorists from playing bingo or running a charitable game to raise large amounts of cash, Holiday said.

Because nothing spells lots and lots of free-flowing money quite like Bingo does. And if the fine people of Kentucky can see it, then it must be just a matter of time until the terrorists do to…

Sure, Bingo games are a way to make money. But it’s not such an amazingly terrific way. So yes, terrorist probably could also raise some money from Bingo games. But they can use all the other methods as well. If someone can make money out of it, so can a terrorist.

What then, you’ll go after each and every single way in which people can potentially raise money? Because if you do, then you should be aware right from the start that there’s only one thing to do. Only one method that can guarantee those nasty terrorists won’t be able to make their money. Only one sure-fire way to guarantee that those terrorist will not have any way to make a dime

Communism. If Kentucky will fully embrace communism, to the fullest, not letting anyone own any private property, then they’ll solve the problem.

The state Office of Charitable Gaming won the $36,300 grant and will use it to provide five investigators with laptop computers and access to a commercially operated law-enforcement data base

I also really wonder how are they going to spend an amount of $36,300 on just five laptop computers. I know laptops are expensive, but this strikes me as rather steep… I think maybe someone there should take a look into ways for law enforcement to make money. Or better yet, ways for them to save money, instead of spending it on all this nonsense. Seriously.

How do you decrease the chances that someone will enter your store to rob the cash register and the safe? That’s a hard question, which I suppose a lot of stores debate.

One (or actually, many) of the usual means are security. You can hire security guards. You can put visible cameras that potential robbers know will assist in catching them later. All sorts of mundane stuff like that.

This video rental store in Los Angeles (I think it was somewhere next to Sunset blvd.) used two different ideas

The first one is directed at small-time theft. They state that you’re not allowed to enter with bags or backpacks. People are less likely to swipe a few DVD boxes if they can’t quickly hide them. They put it on the same sign forbidding food and drink, which on the one hand are different things since they’re not related to theft but to store cleanliness, but on the other hand this is also meant to prevent damage to inventory so there are similarities.

We were inside for a few moments, browsing the collection, and we both carried bags. V might have even had a small backpack. Nobody mentioned anything, and they didn’t seem too troubled by us being inside violating that sign on the door.

The second one is directed towards robbery. A sign stating that employees do not have keys to the safe. It tells potential burglars that the money isn’t in a cash register but in a safe. And it also tells them that going inside and threatening the employees won’t do them any good, since they can’t open the safe.

Is it true? I don’t know. Someone who work there has to have keys to the safe, otherwise there’s no way to put money in it, or take money out of it. But for someone scoping businesses, trying to decide where to hit, this might serve as a pretty good deterrent. On the chance that it’s true, robbing the place would get only the profits from one day, or maybe not even that. It won’t prevent a robbery, but it would shift it to a different place, which from the store’s perspective is good enough.

I’m just a little surprised that an area heavy with tourists is such a risk for robberies. I don’t have any experience in the field whatsoever, but I’d have expected people to attempt and be more low-profile when robbing stores.

When shops close down for the night, the owners have an understandable desire to reduce the chances of a break-in. So usually closed stores at night are locked behind solid metal bars, grates, and blinds. And when you go to a commercial center, containing many stores, they all are, one after the other.

So when I went to withdraw money from the ATM the other day, it being located in a cluster of shops, it was not surprising at all to see sights like these:

What was surprising, though, was to find that a supermarket located in the same area, right next to them, only managed to get half the point.

If you look on the left side of the picture, you could clearly see the nice and strong metal grate which covers the entrance. So anyone wanting to enter through the locked sliding doors would be unable to. That’s a wise security measure, just like the bars on all the other shops in the area.

On the other hand, if you’d look at the right side of the picture, the same picture of the same supermarket, what do you see? Yes, you can blink again in disbelief, it won’t change anything. You really are seeing it. A clear glass (well, probably some transparent plastic and not glass, but that’s not really important, is it?) pane. A large and easily accessible clear pane, not protected by anything hard or metallic.

So instead of breaking the door, which is impossible because of the metal grate, anyone so inclined could just break the wall next to it. Very smart, isn’t it? What were they thinking?! Where they thinking?!

While our postal services generally, sometimes, do their job quite adequately, there are flukes. We do sometime get envelopes addressed to neighbours, or to someone with a similar last name but on a different street.

But the most recent such wrong delivery was more amusing. Because of the sender, the intended recipient, and the type of mistake. You see, this was not sent by a private person, nor was it one of the usual commercial messages. This was an international mail, all the way from Luxembourg. And the sender was NAMSA, a NATO agency.

Yes, NATO. Isn’t that fun? I bet most people don’t get envelopes from NATO at all. I certainly know we didn’t ever. And still, it came. Well, it wasn’t really addressed to us, of course, but those are just details.

The intended recipient, as I said, wasn’t us. Not at all. It was an unnamed acquisition and procurement specialist, in the “IDF technology division”.

Err… Except that the IDF doesn’t have anything named “Technology Division”. Instead there’s the “Technological and Logistics Directorate“, better known here as Atal. Or, to be more exact, ATL (in the corresponding Hebrew letters), which is an acronym. A for “Agaf” meaning directorate or division, T for “Technologiot” meaning Technologies, and L for “Logistica” meaning… you got that right, Logisitics. Yes, the base words for Technology and Logisitics are the same in Hebrew, which can give you a clue as to where they were borrowed from. The abbreviation is pronounced as Atal.

Normally I wouldn’t be too surprised that someone over at NATO isn’t aware of the exact way things are organized in our military. But if you send envelopes to someone, it means you have some interaction with them. Which in turn means you have to know who it is that you’re interacting with. So I find their “Technology Division” odd.

The address was indeed in the same city we live in, which explains why it got to the same post office branch. But as to why it arrived to us, that’s a mystery to me. There is no name on the envelope, so someone familiar with us at the post office (Yes, that does happen) couldn’t have gotten confused. There is no street address, so nobody could have delivered it to the wrong house on the right street. There is no house number, so nobody could have delivered it to the right house on the wrong street. All it had was a POB number, four digits, of which two are similar to ours. That would rather be, similar to ours and to plenty of other people’s. There’s a huge limit as to how much variance POB numbers can have.

So someone was sloppy.

In any case, we didn’t open the envelope. Likely it’s also not interesting, since it went from one body dealing in logistics to another. On the other hand, it also went from one body dealing in armament procurement to another. So maybe it was interesting. But the point is moot, we returned the envelope to the post office, so they could deliver it to the intended recipient. Or deliver it yet again to a wrong recipient, but that’s their problem, not ours.

Why it didn’t go through the various diplomatic or military channels is beyond me, though. If you have important (The envelope was marked as priority airmail. Which doesn’t necessarily mean anything, but it may) military related material to send, between two military organizations, trusting the usual post seems questionable. And in this case at least was a demonstrably bad idea.

Had there been anything even remotely classified in there, someone might have opened it and read it. The fact that we didn’t doesn’t mean that nobody else would have been curious. And, like I said, we’re not the only people with such a badly matching POB number.

Oh, well…

that’s not exactly what they said, but that’s surely the only way to read it. A security vendor in the UK claims that their statistics of legitimate (i.e. not viruses and spam) emails show a direct relation between the rise in the temperatures and a decrease in email traffic.

A decrease which they attribute to the economy becoming less productive due to the heat (emphasis mine):

Email Systems says that from Monday to Fridays during the most sizzling parts of June, emailing was down by up to 20% on normal levels. It believes this is an accurate way of measuring corporate productivity across the country generally.

“The reduction in legitimate emails clearly indicates that UK businesses have suffered due to the extremes of heat, suggesting perhaps that as an economy we are simply not yet able to cope with the types of summer that experts are predicting in the years to come.”

But most email messages are generated in companies which are more technological. For starters, they have more computers, and more employees who use them. And these places, well, they tend to install Air Conditioning. They really do. But if they have a working AC system, then obviously the heat cannot have an effect on the productivity… If heat does have such a strong effect (and 20% is a lot), then it follows that all those companies don’t have working AC.

Also doubtful is their claim that the amount of email passing through them is indicative of corporate productivity across the country. Email is to some extent an indicator of a company productivity, but not necessarily a direct one, and not for all companies. Many companies simply do not have that much to do with email. Email could only be “an accurate way to measure corporate productivity across the country” if those companies behaved just like companies that live through email and the Internet. And that’s simply not true, though easy to see how a company dealing with computer security could lose sight of that. They’re just not exposed to any corporations who don’t need their services… Then again, maybe their AC broke down, and whoever came up with those claims simply didn’t drink enough and suffered an heatstroke. That would explain everything.

[UPDATE: The free invitation arrived]

A few weeks ago I went to see a movie with a friend, and carried on me my digital camera. Which resulted in a little unpleasantness. I sent an email to the company (Rav-Hen) running that cinema:

A few days ago I went to see a movie, in the Rav-Hen Dizengoff cinema. I had with me a new digital camera, inside a small holster on my belt. This was the first time I ever arrived to a movie carrying a camera with me.

The security guard saw the holster, asked if I have a camera inside it, and when I gave a positive response he informed me that it is not allowed to take a camera into the cinema, and I will need to deposit it with security.

I tried to explain to the guard that this is not a video camera, so I could not use it to make a pirate copy of the movie even if I wanted to, but to no avail. When I asked him what is the problem with carrying cameras, and why are they not allowed, he was unable to answer me, and only said it’s policy, and that he doesn’t understand it either.

Worse, when giving the camera I was not provided with any official deposit form. I was asked for my name, and was given a simple hand-written note on a piece of entirely common note paper, having my name and the word Camera written on it by the women inside the security room.

Had my friend not been there earlier, and saw people giving those paper notes and getting cameras back, I would have made a scene, since it looked entirely unofficial, and made me seriously doubt that I’ll see the camera again. If I wave a simple handwritten paper and claim it’s a deposit receipt, in most places I would fully expect to be told that’s nonsense.

In this case it ended well, I gave back the note, and got back my camera, but the entire experience left me mystified, and was very unprofessional. In addition, no verification of either my personal details or the camera details was done. Anyone standing in the vicinity when I deposited the camera could have easily written their own note, hand it over, and get my camera. The current procedure is entirely open to abuse.

Due to that I wanted to ask you:

1. Why are simple (non-video) cameras not allowed inside the cinema?
2. Why are the security guards are in charge of it? It’s not a security issue, and making other things a part of their duty hurts security.
3. If this is indeed official procedure, why do you not issue proper forms, and trust on simple and sloppy hand-written notes?
4. Why aren’t any checks done to better identify the identity of the people depositing, and withdrawing, the cameras? And that they are getting the right camera?
5. Why are the people in charge of implementing the policy not informed as to the reasons for it?

Thank you for a reply, and for any better explanation about the reasons for this policy, and these procedures, that you could supply.

A couple of weeks passed, nothing happened. I decided to try this one more time, this time sending the message in Hebrew. Could be that they’re used to getting email in Hebrew, and so this one got ignored, or even discarded by some automatic filter.

I sent them what was effectively a translation of the above message, with some few styling changes. And this time, though it took them about a week, they did answer. The reply was in Hebrew, but this is a quick and rough translation:

We confirm receiving your complaint, and this our reply:

Company policy of the Rav-Hen network forbids inserting cameras from all kinds into the cinema halls, in the intention of preventing any sort of photography of the shown film, due to copyright issues. The policy apply to all kinds of photographic equipment, since our people do not have the expertise to observe the different functionality of each camera.

The enforcement of this guideline is increasing these days, mostly due to the problem of piratical distribution of cinematic movies in various ways, which usually start through cinema visitors who film the movie while it is projected, using cameras of different kinds.

Since these guidelines are new, and the scope of the phenomenon is still relatively small, the network did not yet determine the bureaucratic procedure for applying them in the cinemas.

In any case, in these days the final format for forms which will be transferred to the cinema managers, and will replace the currently existing temporary method, is being finalized.

We see very gravely the fact that the cinema staff was unaware of the meaning of the procedures, and following your complaint to us the procedure will be explained again.

They also said that they added to the message a double invitation for a movie in any of the network cinemas (under several limitations which will be printed on the invitation, and which they advise me to pay attention to). This was of course not actually attached to the message, but rather a note there asked me to provide them with a mailing address to send it to. Considering that while it was annoying, the event didn’t technically hurt the viewing of the movie, this is nice of them.

How did this reply answer my actual questions?

1. Simple cameras are not allowed because their people, who do not understand anything about cameras (them being security guards), can’t tell if the cameras are problematical or not. This is actually fair. I suppose that it is quite possible to have video cameras that look small and harmless, and the technology just gets better and smaller. So erring on the side of caution is understandable. Still, I do doubt that a running film, on its third or fourth week of being shown, and after there are already numerous versions available either to download or to purchase piratically, is really a high risk. Even with a video camera, nobody would have a reason to try and shoot the film.
2. No reply as to why the security guards are doing it. And no response about this hurting security. I’m not sure if that’s because they don’t want to talk about it, or that they see it as a non-issue. Bad either way. And has something to do with the lack of professionalism on this angle, since that’s not the field that the security people has to deal with, or understand something about. I assume the real reason has to do with, of course, money. That being that the security guards are already there, and get paid anyway.
3. The procedure seemed haphazard because it was. They decided they don’t want cameras, sent out the instruction to not allow cameras, and only then started to plan how they actually want to do it. Considering that the problem wasn’t critical (as they say themselves), there wasn’t any extreme urgency, so they could have waited until they could do it properly. It has been about a month since the time the incident occurred, so even if I had the luck to stumble on the very first day of implementation, that’s still a whole month for setting a procedure while they already passed the instructions. This is a long time to run blind and without protocol.
4. Taking the camera back is probably under the same category, so I hope this would improve as well once they implement proper procedures. I take it that not too many camera thefts has occurred in the meantime, or I’d have probably heard about it by now.
5. The security guards apparently were supposed to be able to tell me that they have to take the camera because they can’t tell if the camera was a video camera or not. This despite the fact (oh, don’t bother anyone with facts) that the security guard appeared quite aware that the camera was not a video camera, and seemed to even recognize the model.

Still, all’s well that ends well, and this ended well enough. I did get the camera back at the time. They did reply. And they are aware of at least some of the problems, and intend to make the procedure more solid. In the meantime, if for some odd reason I’ll ever go to the cinema with the camera on me, I’ll just put it in my pants’ pocket instead, so nobody will notice it and have any problem (yes, it is that small, my wrongly suspected to be video-camera). Either that, or I’ll try and do it properly, just to see how are they handling it now.

A couple of days ago I was going over some blogs I read, and came on this post by David Weinberger which actually touched on a subject I apparently know much better than him, the Hebrew language. Specifically, a mention he made about the word “chanuka” in Hebrew.

He got it pretty wrong by deciding it means lighten-up, and his first commenter got it mildly wrong by saying it means dedication. The term is more like the “warming” part of “housewarming”, the first acknowledged usage of something new (or at least the time when the usage is declared/acknowledged). It applies to new houses, and public buildings and parks, but also to things like cars, television systems, or even wines. Or, on a different meaning, it is chocked, when related to a female (Hebrew verbs take different forms for each of the two male/female genders).

Of course, the holiday Hanukkah is based on the same word, so it’s also possible the entire thing is moot, since I don’t know if “chanuka” in Swahili has a similar sound or not. Just being similarly written is quite meaningless, considering that I know the Hebrew word, at least, doesn’t really sound like an English speaker will tend to pronounce it.

So I decided to be a good little Hebrew speaker, and leave a comment on his blog post.

And couldn’t. I was caught by an overzealous anti-comment-spam device, which is even not suitable to serve against comment spam.

A little aside to the few readers who don’t know what comment spam is. You all know what email spam is, right? Incoming messages you never requested, trying to convince you to do stuff, or buy stuff, that you don’t need. Well, blog posts often have the possibility to leave comments on them. So it was only a matter of time until spammers jumped on the bandwagon, and made automatic bots (computer programs that can do many of repetitive tasks, like sending an email, or filling a form on a web page, quickly) that will leave comments which are not relevant to the post, but contain links to their sites. Often these involve porn, and card games, but the variety is as large as on the email spam.

Meaning that many measures are now tried and used in order to keep comments in blogs free of these comment spam messages. Some more elaborate, some simple. The method I use here is a very simple one, requiring anyone writing a comment to fill in an extra field. This works because those bots are automated to work against the basic and common ways comments work, and do not (yet) try too hard to go around variations.

There are many other methods, but Weinberger decided, IMNSHO, to be too smart for his own good. He tied the comment posting to a system that checks the comment poster’s IP address (The unique Internet address of the computer) against a central database, with a list of bad address used as open SMTP relays.

Another aside, about open SMTP relays. SMTP is basically the communication protocol used to send email messages. So mail servers send messages using SMTP. Spammers (the email spammers this time, not comment spammers) don’t want to use their own mail server, because then it would be easy to block their messages, and so they look for email servers which are open relays. Being an open relay mean that this mail server will accept a message from anyone, without any verification and authentication, and send it onward. This is a bad problem in the age of spammers, and email server operators are encouraged to configure their email servers not to do that.

One of the things that happened is that there are several central repositories, like the Distributed Sender Blackhole List, which contain IP addresses of mail servers which are suspected of being badly behaved in that regard. This allow other mail servers to check every incoming mail message they receive against that list, and refuse to receive messages from the suspected servers, since those message may very well be spam.

This of course has very little to do with comment spam, since those mail servers are usually not the same computers used by comment spammers to run their bots. So telling me that my own computer’s IP address is on the list, and that therefore I cannot leave a comment, is irrelevant here. Had I been trying to directly send an email messages, that would have been a different matter, but I didn’t.

There is of course another problem there, that my personal computer’s address was on the list. This is because we get from our ISP a dynamic address, meaning that it changes from time to time, and goes to other users while we get a different one from the pool. It’s possible to get a static address, but this costs more, and isn’t necessary unless you are running a server that people on the outside need to be always able to find. Or simply put, the address was blocked because someone else on the past (They had one incident, logged at February 2004) sent an email message he shouldn’t have…

Overall, like I said, a very real problem, but a very wrong solution. I sent him an email message about this, but due to his big problem of comment spam (his blog is high profile, so a very popular target) he feels that using this is justified. He was nice about it, and offered to go and take my address of the list himself. But I can talk to dsbl myself if I want to. And I don’t want to. Both because this is a dynamic address, and because it’s a non-issue. Apart from his blog this only prevents me from running my own mail server. I have no intention of running my own mail server in the foreseeable future, though. So I declined the offer, explained my position again, and that was that.

A special committee has recently served the Minister of the Interior with its recommendations on ways to prevent violence in bars and clubs. The committee members come from the Ministries of the Interior, Justice, Education, Welfare, and Transportation, from local authorities, and from the Police. I read the article on the highlights (The full article is in Hebrew. there’s a much shorter version in English, which sadly lacks almost all of the interesting bits) of their recommendations, and overall I’m not impressed.

Bars/pubs and clubs will not be allowed to sell alcoholic drinks after 3AM. This is in order to “dissipate the effect of alcohol on those late for the ball“. Whatever that may mean in this content. I don’t recall any study pointing that alcohol has a stronger effect if imbibed after 3AM. Maybe they know something I don’t. The way I see it, even if most of the violence cases occur later than that, people will just get the same amount of alcohol sooner. Worse, since there’s a deadline, they will get it at a higher concentration as it comes near, since they know they won’t be able to order another drink later.

Club owner will be forced to install CCTV systems, and put someone to monitor it. So it will be easier for them to notice if… something… was going on. So there will be a cost for the clubs to install the surveillance cameras, and to hire people to monitor them. And since most of these places aren’t very large, it will still not provide a much better observation than simply putting someone inside the club to watch using their own eyes. Like, here’s a new thought, having the bartenders pay a little attention and call security if they see a problem. This won’t do much to help, but will raise costs which will of course fall on the customers. Not to mention that people tend to feel a lot less comfortable when they know they’re being photographed, and maybe recorded on film. Having fun, and being self concious, don’t quite go together, so this will cost the clubs plenty of customers

Those same CCTV cameras are to be placed on the entrance to the toilets. Which is supposed to help, how? Is the person observing it supposed to memorize everyone who comes in, and get worried if they stay there too long? Do they really want to bust in every time someone is having number two? No. So it won’t help. Unless they want to put the cameras inside the bathroom, since the claim on the article is that some of the violence occurs there. And this is going to be such a huge success, once people find out that the bathroom is on tape. Right.

Separate bathrooms for men and women. I don’t quite get it, since many people already have those. Some places do have some sort of a single entry/waiting chamber leading to both, but the costs of rebuilding this, or rebuilding totally different facilities for the places which don’t have these, are prohibitive. And I assume the problem they think they have (Doesn’t sound like violence, per se, but more as using the opportunity for the sake of not having people make-out over there. Something which is outside their mandate) is caused by people of different genders willingly going in together. Having different bathrooms wouldn’t stop it in that case.

Forming a group of paid cops/detectives/security-guards who will patrol in the area of the clubs, paid for by a toll the municipality will charge from the clubs. So in addition to their own security, bar owners will need to pay to people who generally patrol the street and supposedly provide security for the entire area? That’s very nice for other business and private homes nearby, I think. Not so nice for the bar owners. Or for their customers who will have to pay for it. Mostly, the problem is that those who will pay will not have any control or guidance over the actions of these rent-a-cops, they just pay the bill, and someone else will give the orders. This is never good. Hey, if having more people patrolling the neighbourhood is a good thing that customers are willing to pay for, then make such decisions public, and let the business compete by publishing how seriously they take it. Let the customers decide if they want to pay for it. But don’t put another tax on these businesses without them having anything to say about it.

Modifying the law forbidding selection, to allow selectors to prevent entry to people who may “endanger the public safety”. It was deemed unfair, prejudicial, or whatever, to allow pubs to put employees outside who will decide that they don’t want some people as customers. I don’t really get it, since it’s their business, and being far from monopolies they should certainly have the right to refuse customers, but that’s the way it is. So now they want to allow this practice, but only for people that they think are dangerous. This is far worse than either having no selection, or having full selection. First, the costs issue again, since this is in fact just a job of another trained security guard, that the bar will need to pay, but who will not provide the value that a proper selector does. Second, people who will be denied entry will raise the exact same complaints they did before. Instead of being told that they don’t look cool enough (or whatever the criteria may be) they will be told that they’re dangerous. This will certainly raise again all the ethnic discrimination issues, just as before. But people will be even more offended, because instead of just being told they don’t fit in with the rest of the crowd, they will be told they’re dangerous. This is very insulting if you don’t see yourself as dangerous, and could actually encourage violence if you really are dangerous.

Classify laughing gas as a dangerous drug. Yes, they want to change the law defining dangerous drugs to also include laughing gas. Why? Because they discovered that sometime criminal elements tend to sell laughing gas outside clubs. And this is supposed to be relevant how exactly? Making something a controlled and legally dangerous substance, just because some criminals sometime sell it near areas where sometime there is violence, strikes me as an enormous overkill and out of all proportions. As well as totally outside the scope of what those drug laws are supposed to deal with. Not everything sold by criminals is a dangerous drugs, and being sold by criminals is certainly not a reason to do classify anything as such.

People with criminal history will not be allowed to own, or be partners in, a club or bar. On the surface, this could make sense, since these people may be more likely to allow criminal activity in the premise. Is this criminal activity directly related to the violence, though? Or just people being drunk and stupid? Because most of the article implies that it’s the latter (after all, this committee was formed to deal with violence, not a crime problem with a side-effect of violence). And so this is outside their mandate again. Not only that, but officially serving prison time is supposed to be the punishment, and people who are released are supposed to be given the option to reform. And this is an explicit discrimination against ex-cons.

I saw another version of the article, on a print paper, which also mentioned something about placing cops who will measure the breath alcohol levels of people leaving bars and pubs. Which makes absolutely no sense whatsoever, since being drunk is legal. So unless someone parked right in front of the bar, and they stop them from entering the car (All of which is nice, but again totally outside their mandate on the violence issue), this doesn’t help. The exception being if they want to put a cop who will follow every single drunk person leaving the bar on foot, to make sure they don’t drive, or get involved in violent acts, until they sober up a bit. That’s totally unrealistic, and is also not legal, so that can’t be it as well. For now I just prefer to believe that this particular tidbit may have been a mistake of the paper I read, but given the other recommendations above I’m afraid I’m not so sure.

That same printed article also mentioned showing educational films about the dangers of violence in those clubs. The popularity of which is bound to skyrocket the amount of people who will actually go there to have fun.

Overall, like I said, I’m not impressed. Or rather, I am impressed, by how badly done this is. And they intend to turn everything into laws and regulations during the next three months…

All of a sudden, several hours ago, some of my email accounts (oh, alright, one of my email accounts, so far) started to get a large amount of odd spam messages, in German. Which made very little sense to me since, well, I don’t really speak (or read) German. So I had no idea what the heck did they want from me, and what could anyone possibly have expected to gain from it.

Some of the messages came with subject lines in English, but the content was either some long text with a link to articles in Spiegel magazine (Don’t ask me. I don’t read German, remember?), or just a long list of links to sites with one or two lines of text describing them.

All in German. I don’t read German, did I mention that already?

In any case, a little search indicates that this is indeed a recent phenomenon, where a network of zombie computers infected with the Sober virus is being used to send neo-Nazi messages related to some election next week…

I think this is the first time I’m getting spam messages which are politically, rather than commercially, oriented. Instead of trying to sell me Rolex watches, increase my whatever, and lower my mortgage, they’re now trying to get me to vote Nazi??

Good luck with that guys, you’ll certainly need it. I don’t live in Germany, so I can’t vote in your election. Not only that but, while I’m very much not religious, I’m a Jew. Which statistically speaking is a very strong indication I’m not going to be very sympathetic to the Nazi agenda. Seriously.

And to the masses of careless computer users out there: Secure your computers! Install security patches, use a firewall, run an anti-virus program, and don’t open email attachments you’re not explicitly waiting for. Because if you continue to let every worm and virus out there to get control of your computer, then the terrorists Nazis have won.

In the recent year my company started to sell a certain system worldwide. One of the systems went to a rather large company, L, which can also act as a reseller for our system as part of their own production line. And which also intended to also use if for presentation purposes, in exhibitions and the likes, as part of their product lines and solutions. L asked for a discount price, and due to the fact that we were trying to push the system, and the fact that this would also provide publicity for our own system, my boss decided this would be a good investment, and gave them a nice discount.

Fast forward to last week. My boss met with the head of a different company, G, who was also interested in purchasing such a system. And started the discussion by asking for the same price we gave L. When my boss asked what price he was talking about, the guy from G pulled out a printed copy of the email that my boss sent in the past to L’s representative.

My boss explained to the person from G that the price cut there was an investment, and that now we are also not so avid to push the system, since it’s not so new and we have sales. And that due to that we cannot sell him a system at such a low price (which is break-even, or even a loss for us. I’m not entirely familiar with the cost analysis, but it would in any case not allow us to make any profit from the sale).

The bigger problem was that the email was a private one. As a rule, individual price quotations are not something which companies are supposed to pass along to other companies. Not as a general rule, and certainly not when it is clearly specified that this is a one-time offer and is a special discount under special circumstances, as that email did specify. So G should never have seen that email.

My boss called the guy from L, to complain, and asked him why did he give the owner of G this message. The guy from L was stunned, claiming that he never did passed along that email…

As it turns out, the G boss was visiting L’s headquarters for business, a short while ago. And for some time they left him alone in the office, going to check for some data. And he used that time to open their file cabinets, browse through folders, and photocopy documents. Which included a printed copy of that email.

This was a senior of a rather large international company, during business meetings with another large international company… Lesson learned: Do not leave anyone in an office unattended, no matter how respectable he may seem.

Needless to say, he won’t be getting that discount.

A friend of mine is now in the process of passing a security clearance procedure for some company he is applying for a job at. As part of the process they require details of some friends, and he called me, which reminded me of the security clearance I had to go through myself before joining my army unit in the past.

So one quick comment about my friend’s forms, and then I’ll go on to my own story. As part of the friends’ details, they also ask the name of the father, and of the grandfather on the father’s side. That’s it. They don’t care about the mother, they don’t care about grandmothers, and they don’t care about the grandfather on the mother’s side. Don’t ask me why.

OK, back to my story. First, no, telling a few minor things about the procedure is not a security breach, and does not include revealing classified info. Everything there, after all, is shown to people who don’t yet have any clearance. So as long as I talk about impressions, and thought I had at the actual time, there isn’t possibly any problem. I will of course not mention any further things that may, or may not, have been done during the service.

Now, like any good bureaucratic and public (i.e. government managed) organization does, the forms that I was given to fill out needed to be submitted in multiple copies. Except that the usual method of putting copy paper between the pages was not allowed. I had to fill all copies by hand. And my memory is a bit vague on this, but I think it wasn’t in triplicates, but seven copies. By hand, with a pen, repeating the same info.

Worse, every field without an answer (Like the long table for family members, of which I have far less than the table had rows) had to be filled in, not left empty. And just striking it out wasn’t good enough, I had to write something. Don’t remember what it was by now, but it was the equivalent of "N/A", or "Nothing".

Multiply the several copies by the many many different fields. For example, on each of these rows on the family members table, the first name, surname, date of birth, and so on and so forth,  were all different fields and needed separate N/A. That took a lot of time, and that’s just on the parts where I didn’t have anything to write.

One of the parts was educational history. There was room for university, but I didn’t have that at this point. But they also wanted a listing of all of my schools, all the way from kindergarten. And they wanted the names of the teachers. The way lower schools work, beside the "professional" teachers for specific aspects, each class had an "educator" doing general stuff and trying to instil some general values. So they wanted the names of them all.

No, I did not remember the names of the teachers from my first, or second, or third (…) grades. This will come up later.

Another very important aspect is recommendations. People who are not direct friends, and who can recommend you and say what a wonderful and reliable person you really are. Anyone want to guess how they are picked? Simple enough, you just go over all the people your parents know, that have seen you a little bit, and call the ones who held the highest ranks in the military among the lot, or who have a solid position in the public sector. Can’t see what this gives anyone, but that’s the requirement, and that’s what everyone does with it.

And they wanted a list of friends, with all this personal info about them as well. Felt silly asking my friends for their date of birth, or the exact dates their parents may or may not have immigrated to the country. Plus, are they really going to get any info from that? This only helps them if I name a well known communist activist, or an Arab person, or something which is on the short list of disqualifies. But what sane person wanting to get a clearance would do that? Unless they’re so unpopular that they can’t even find the required 3-5 friends…

After all the forms has been filled, I had to come to an interview. The interviewer spent some time going through the forms, and started with the hard questions.

For starters, he scolded me that I didn’t mention the name of my first grade teacher. To which I of course replied that I don’t remember it. He was surprised as to how can I possibly not remember it. The facts that I was 5-6 years old at the time didn’t seem like good enough a reason, and neither did the fact that I haven’t see her in over 10 years. I should have remembered. He made me sit there for several minutes trying to dredge up the name. As if.

More interesting was the questions about drug usage. When asked if I was using drugs, I answered (totally truthfully) that I wasn’t. So he started to explain that he doesn’t mean just hard drugs, but also things like marijuana, and do I want to change my answer in light of that? I didn’t. He then proceeded to try and make it clear to me that in this particular case they’re also not only asking if I’m a general user, but want to know of any single use. Did I take drugs only once? Maybe at a party? Driven for a one time experiment by peer pressure, and never tried it again? I didn’t and that’s what I told him.

He went on to assure me (An assurance that could only have worked if I was on drugs at the time, and maybe even then not) that I can admit it. Because it doesn’t matter. They won’t disqualify me for it. They don’t really care. They just want to know. If I’m a light user, or used in the past, or even using now but it’s nothing critical, then it’s no problem with them… Riiiight. In any case, I stuck to my denial.

After the interview came the long part, where they have their own people doing background checks. This could take months.

During that time they also interview some of the people listed on those forms, like our friends, and tell them not to tell us about it. Which works great, since 18 years old kids are just terrific at being grilled about a friend by big guys with sunglasses, and then not telling about it to anyone.

In any case, they didn’t mess up too badly in this case, since I passed. Even though one of the friends got confused, and gave them a different answer than I did, about how long have we known each other and when did we first meet (Yes, that was on the form as well. Those things are thorough).

Hotmail occasionally send to members (Hotmail mailboxes) these notification messages explaining the many virtues of their new offerings, and miscellaneous stuff.

This time I noticed a part of the message giving some tips under the heading of “Telltale Signs of Identity Theft Scams“, including this one:

Scroll over the URL. If you see lots of numbers, or a different URL, it’s probably fake.

Which is, by itself, quite sensible. It isn’t foolproof, and there are legitimate addresses that look like that, but can usually serve as a decent indication for people without too much technical knowledge. And a little below they provide a link for more information, with the text:

For more information, go to http://safety.msn.com.

And, well, guess what shows up when you scroll over the URL? Let me tell you, the URL showing up on the status bar is http://g.msn.com/3HMHEN/1892

And, as you may notice, it is a different URL (g.msn.com instead of safety.msn.com). I know it’s the same domain, but it may not be entirely obvious to the average Joe who actually needs those explanations. More than that, it has some odd letters and numbers that don’t make sense, which the same average Joe could clearly identify as lots of numbers.

So someone paying attention would have to conclude this is an attempt at identity theft…

I got a phone call today. The women presented herself as working for my credit card company. According to her, details of credit card numbers, including my own, have leaked from a certain business establishment.

She wasn’t very forthcoming about the business involved, claiming that they cannot provide more information at this time regarding it. But the card needs to be cancelled.

I asked if they think my credit card details leaked because someone made suspicious purchases with it, or because they know for sure that there has been a leak from a certain place. She assured me that as far as they know my card was not used, yet, but that the details are out.

She then read to me the last two transactions made with the card, yesterday, and asked me to verify that they’re indeed my own. Which they were.

This had the added benefit, though I’m not sure if it was intentional from her point, to let me know she is probably legit. The two orders where made from different places, using different payment methods, so anyone with access to the data is either from the credit card company, or has access to my own computer.

All the information she asked, in order to verify the person she called is really me and so authorized to cancel my card, was my date of birth. And by the reasoning of the above paragraph, I knew this wasn’t a phishing attempt, since anyone with her data already has access to this information as well.

This isn’t that bad a verification method from her point too, since while anyone trying to pretend to be me would have that info, she made the call herself from a number they have for a long time. A wrong number wouldn’t have been able to give a date and pull a prank, and intentionally planting my phone number at their database is too much work for someone just so they could cancel my credit card after stealing its details.

So we cancelled the card, and I’ll have to survive the weekend without. According to her it would take three business days to issue a new one. Hopefully, by Monday next week I could actually buy stuff, or withdraw money. She did ask if I had enough cash on me, or want a slight delay to go withdraw. But I have some cash, so I told her to cancel straight away.

This left me curious as to where the information got out from.

And seconds later, I received an email, from a second-hand book store here in Israel, letting me know that:

We just got a notice from our hosting service that some of the information on transactions from our site may have been tampered with.

Because we can’t confirm the extent of the damage at the present time, we feel obliged to inform you of this current situation.

We notified the credit card companies and we suggest you do the same and act according to their recommendations.

We apologize for any inconvenience and are sorry that things such as these can happen.

Feel free to phone us for additional information or questions

Which is very honest of them. And rather prompt, at least assuming the credit card company didn’t wait too long with it.

Their website is currently down. I assume they switch hosting, and using the opportunity to clean everything up. Time will tell.

Sometimes the rampant paranoia of the Americans amazes me.

Pilots are instructed not to fly near nuclear power plants. But they are also not allowed to be told where are the plants located.
Yes, they are not allowed to fly near areas which are not specified to them. Nice and easy to do, isn’t it?

So they decide to find out by themselves, run some searches on publicly available data, and publish it among themselves. Only to be told that they’re not allowed to reveal those secrets. And back to square one.

Oh, yes, and it seems that it’s really not that hard to find those power plants.

And crash is quite literal when you talk about cars…

Where did anyone come with the idiotic idea of making Bluetooth enabled cars ?!
Is it any surprise that now cars can get computer viruses ?!

Sticking an embedded computer into everything, a standard CPU that can run a standard OS, I can understand. It makes development, changes, additions, and fixes much easier.

But any OS would have all the problems of that OS, and would likely be able to run other programs that were designed to run on it.
Including viruses or other malware.

So the one thing you don’t do, is make it very easy for anyone at all to insert external programs to run on your embedded computer. For example, if there is no very compelling reason to do so, you don’t add Bluetooth support in. Actually, you wouldn’t add any common wireless protocol. But if you do, you should at least try for a standard that includes some sort of authentication. And authentication is far from being Bluetooth’s strong side.

On the other hand, maybe some people want to give full control over their car to bored kid on any street they happen to drive along?

And I thought making Bluetooth enabled ski jackets was stupid… I wonder what will they add connectivity to next…

I actually still remember the outrage from locksmiths (well, what I remember is the reports and discussions about it in the computer security circles, but still) when a couple of years ago Matt Blaze published a paper about a security weakness in mechanical locks with master keys. Those people believe in the misguided notion of security by obscurity, so got understandably upset when someone removed some obscurity and showed actual problems that nobody bothered to address.

In any case, he recently published another paper, about security of physical safes this time. And unlike the previous paper, his attitude was pretty positive about many aspects.

Still, the paper includes some explanations and pictures, so the locksmiths are up in arms again. Sending many angry, and sometimes abusive, messages both to him and to the administration of his university. Not nice, but part of the deal.

What I found particularly amusing in his report is that some of them went to the direction of suggesting he is guilty of copyright violations, by publishing pictures of safes with the paper.

While Penn’s support for the basic principles
of academic freedom would protect me even if these officials agreed
that my paper was somehow inappropriate, some of the letter writers
seem to have unwittingly stumbled upon a weapon that could potentially
be very effective (in other contexts) at silencing Internet-based
debate.  They have accused me of copyright infringement.

My paper is heavily illustrated with photographs of safe locks and
their components.  Several letters have (accurately) pointed out that
these photographs are protected by copyright and that by distributing
my paper I’m also distributing copyrighted material.This, I must
admit, is entirely correct.

That’s not the amusing part, yet. The poor US has a very serious problems with their copyright legislation. They’re getting totally out of whack, and it often gives the impression that violating copyright in the states will be considered only a little bit worse than murdering someone. I do hope they’ll straighten themselves out soon, before the attitude will get exported too much…

What amused me was that in this specific case:

But I created every one of the images
myself, in my own studio, and with my own materials, cameras and
computers.  I arranged the subjects, lit them, and photographed them.
The results are copyrighted, to be sure, but I hold the copyrights.

And as he’s well aware, he was still lucky that his university bothered to speak to him before removing the material out of the fear of lawsuit. The common response this days by ISP’s and date hosts is to cover their asses be careful and remove anything that may make them liable, even if they didn’t spend the time to check the facts

Go read his whole story, it’s interesting.