Archive for the 'Security' Category

Fast police response

October 6th, 2008

The police, both here and in many (most? all?) other countries in the world, provide a short “emergency” phone number. The idea being that it will be easy to remember, work from all phones in all locations, and be fast to dial in case of a real emergency.

The police here in Israel also has such a number, 100.

Except, it would seem, sometimes they just don’t bother answering it.

Last Sunday (28 September 2008) I went with a friend to a restaurant in the Tel-Aviv north harbour area. On the way back to the car (around 22:45) we noticed a large group of kids around two bonfires which they started along the beach[1]. About 5 meters from there stands a large sign with warnings about prohibited activities, and starting fires is explicitly listed there.

Normally I wouldn’t exactly mind, but those kids were loud and annoying; and those fires were quite large, with one of them burning really close to nearby plants. Plus, I was in a, ahem, fitting mood. So I decided to do my civic duty, and call the police to report the fires and the kids.

I dialled 100 on my cellphone. And waited. One ring, two ring, three rings, four rings, nothing. At this point most automatic answering machines would assume nobody’s answering, and pick up. But this is an a police centre that should be manned non-stop around the clock, so I guess they don’t have answering machines[2]. I waited a bit more (1-2 rings) and still nothing. I was very surprised, and hang up.

My friend was also amazed that nobody picked up the phone. So he tried calling them himself, from his own cellphone. He waited for 13 rings. Nothing. Nobody answered.

Nobody tried to call us back to follow up later on, asking if there’s a problem and why we called the emergency police number. None of our cellphone numbers are blocked, so they could have seen these calls on their incoming call logs (if they bother keeping them).

Good things that it, while being something that should be reported to the police, wasn’t really an emergency.

---
  1. well, technically along the bank of the Yarkon river, which connects to the sea at this area.[back]
  2. And, when operating properly, they really shouldn’t need them, I agree.[back]

Release notes should really include the release notes

September 18th, 2007

A new version of the Firefox browser was released today. A minor update from version 2.0.0.6 to version 2.0.0.7.

Even more minor than that, actually, since what came out was just an RC version for testing. Sometime in the past I downloaded an update that was considered a beta or RC, so I’m on the list to keep getting them on the automatic updates.

The problem is that there was no information provided on what exactly the update includes, and what is the purpose behind it. The release notes page did not contain any relevant info (I’m not promising they won’t change the page in the future. It doesn’t contain the info now, and haven’t for quite a few hours so far).

It had lots of other things, the general outline they put on each release-notes page. But the actual release notes, what was changed from the last version, no. Nothing.

There wasn’t even any link to a page where this information could be found. Because, well, in theory it would have been that exact same page.

That’s a very very poor way to roll out an update. If you ask someone to install a new version of a software, and especially if it’s a beta/RC that you want people to test and provide feedback for, you have to tell them why and what has changed.

Seems very sensible to me. Apparently doesn’t seem so sensible to some of the people in the Mozilla foundation. Don’t get me wrong, they’re doing a great job, and Firefox is terrific. But most people don’t follow all the bugs and progress on every single application they use, so it’s far from obvious what an update is for.

I do hope they’ll do better next time. I’m more than willing to install updates, but I need to know why.

In this particular case, if someone is interested, it’s a single fix for a single security vulnerability. Well, a potential whole class of problems, but only a single known point. Which was now actually more of a problem with the Quicktime plug-in (on Windows) and not in Firefox itself, but in this case it’s a good idea to fix it in Firefox as well, to prevent any future problems from the same direction. You can look at the actual bug report for more technical information, if you really want to.

The chickens must be terrified

August 25th, 2007

Who wouldn’t be terrified, discovering they just made it to the list of potential terrorist’s targets? And chickens are, well, chickens. It’s a well known fact.

On the other hand, the only chickens who seem to be attractive to terrorists, so far, are those living in the US. Or, in any case, the US government’s very own DHS are the only one who believes their chickens to be prime targets.

Yep, seems that the US DHS thinks that chicken houses are terrorist targets.

Why?

Because many of them are warmed by propane gas. And propane gas is inflamable. No, it is, really. You blow a bomb near a container of propane, and it will explode and burn.

Burning every chicken in the very close area. Possibly also the house of the farmer raising the chicken, if it’s close enough to the tank.

The rule affects nearly every poultry grower across the Delmarva peninsula, and as many as 20,000 sites across the country, because propane gas is the most popular chicken house heating method.

“The three 1,000-gallon propane tanks at a local grain elevator, or nursing home, or school or campground are not terrorist targets,” said NPGA Senior Vice President Philip Squair in a May 1 news statement. “What DHS is asking is for ordinary homeowners, businesses and farmers to declare themselves terrorist targets because they choose to use propane to heat their houses and businesses.”

Let’s do some guesswork, shall we?

Expected death toll if terrorists blow up the propane gas tank at a chicken house? Probably 0-6 people[1], and some fried chickens.

Expected death toll if the terrorists would take the same amount of explosive and put it near a small house in any small town? 0-6, without fried chicken.

Expected death toll if the terrorists would take the same amount of explosives and put it near the security gate of a mall, where people congregate to pass inside? 4-30? More?

Yes, I can see the terrorists going after the rural chicken houses. Any minute now. Any minute now.

---
  1. depending on how many kids the farmers have, if they’re home, where the gas tank is located, and how competent the terrorists are. How competents are terrorists who go after chickens, I wonder?[back]

Things to avoid when trying to get your prosecutor assassinated

August 22nd, 2007

Say you were sentenced to 30 months in prison for forgery. And say you think it’s the prosecutor’s fault (Because, after all, it can’t really be something you did, right?). What would you do?

That’s right, you’d try to get the prosecutor assassinated, to punish him for not being able to show on trial that you’re not really a dangerous criminal. Makes perfect sense.

Then you need to pick the right hitman. It’s complex. There are, for example, some things you may want to void:

  1. Your first choice of a hitman should not be the judge that tried you. Judges make terrible assassins. And they often refuse these jobs. Go figure.
  2. If you do want to hire the judge to be your assassin, make sure to offer enough money to make this a real offer. For example, a district court judge in Texas would probably expect much more than $5,000[1].
  3. If you do offer the judge the small money, and he turns you down, your next best option is not the lawyer who was your defense attorney during the trial. Lawyers are bad assassins as well. And your defense attorney knows what a slimeball you really are, even if he lied and said nice things about you during the trial.
  4. If you do try for the defense attorney, at least offer him more money then you offered the judge. You should already know that’s not enough money by now. Defense attorneys often don’t earn that much less than judges. Not necessarily even the lousy ones.
  5. Oh, and stick to your target. Don’t change your mind and ask him to actually kill the judge. Yes, it was very rude of the judge to turn down your offer. But killing a judge would cost extra. And besides, the prosecutor is still out there, right?
  6. When you make all these offers, don’t write them on paper with your own handwriting. Don’t touch that paper with your fingers to add your fingerprints to it. Those things are, like, proof, you know? It can get you a much longer jail time than those forgery charges.

All very sensible and sound advice.

Someone didn’t get the memo. Probably didn’t get a lot of working braincells either.

Galveston County District Court Judge David Garner said Connelly, 34, of Santa Fe, was among those defendants who “think outside the box” for allegedly writing a letter offering him $5,000 to kill former prosecutor Donnie Quintanilla, now in private practice in Galveston.

Connelly wrote a second letter to his defense attorney, Houston lawyer Jonathan Cox, offering him $5,000 to kill Garner, special prison prosecutor Alice Gregg said.

He will get the jailtime, though. And hey, maybe the next judge would be more cooperative, who knows?

---
  1. That’s not even a single month’s salary[back]

Airline security theatre now starring airline passengers in live action

October 6th, 2006

I keep waiting for someone responsible for airline security to sober up, and realize how ridiculous, costly, invasive, and (maybe most importantly) unhelpful for security are all the new and increasing limitations and checks.

But that doesn’t seem to happen.

If anything, things just go worse, with more paranoia, and more pointless regulations being made. All in the name of security, almost all without any real security benefit, and almost all with high costs in terms of time, money, hassles, and privacy.

And now they’re working on a system that would record everything passengers say and do during a flight.

Researchers in Britain and Europe are looking at technology that would see a comprehensive network of microphones and cameras installed throughout the aircraft, including the lavatory, which would be linked to a computer.

Sounds fine for one of those silly reality shows.

But very far from being fine for regular flights. Microphones and cameras everywhere on a plane. Including the toilets.

This computer would be “trained” to pick up suspicious behaviour, said Catherine Neary, of Bae Systems, one of the British participants in a £24 million European Union project

Computers cannot pick up suspicious behaviour. It will be quite some time, many many years, until they will be able to come even close.

Heck, it’s hard enough to train real live people to pick up suspicious behaviour. They think very many things are very suspicious, all the time. And that involves detecting a lot of tiny cues, and requires instincts and experience. A computer cannot do that.

Computers will just be able to follow very crude rules. Meaning that they will miss actual suspicious behaviours, but will have lots and lots of innocent people tagged as acting suspiciously.

Actually, what the heck is suspicious for an airline passenger? And how do you separate the terrorist kind of suspicious from other kinds of suspicious?

Eventually, the computer would be programmed to understand a variety of languages.

Oh, yes, any day now. Because right now computers would be hard pressed to understand even one language. At most you can pre-define a limited set of key words, and have the computer pick up people who say them. And even that will fail on some accents, pitches, and taking speeds.

Not to mention, what words would these be? Will they train the computer to catch whole sentences, like “Let’s blow up the plane now”? Because obviously a terrorist who wants to blow up a plane is going to announce that before doing so, right? And other passengers around will never pick up on that, so it’s good that there will be a super sensitive microphone to do so (yes, I’m being sarcastic).

“Passengers are not being snooped on by humans, but by machines which will process the data, which would not be stored after the flight unless there is an incident,” she said.

But the machines cannot process the data properly, so the next obvious step is to have humans look in at anything the computer will flag as suspicious. And that will have to be almost everything, because it’s better that a human will snoop on a few extra events, instead of letting a terrorist go on undetected, right?

And, well, only keeping the data if there’s an incident? What does that mean, incident? If they mean unless the plane explodes, well, too late to do anything useful with that, no?

Or do they mean unless an incident happens which isn’t as critical? Because these happen these days for right about anything. Creating an “incident” is way too easy.

Heck, there are incidents when people accidentally drop their music players down the toilet. Would that justify a human going through an audio and video records of what everyone did on the plane, including inside the toilet?

It’s an incident when someone prays while on an airplane. Would that justify a human going through an audio and video records of what everyone did and said while on the plane?

It’s an incident when someone wants to drink water from a bottle. Very suspicious, bottles, and failing them around willy-nilly can alarm other passengers, so maybe it can even escalate to a truly serious incident.

Lots and lots of small and minor things can become an incident. Will all of these justify someone watching and listening to tapes from the flight? Why am I not feeling reassured?

“There are likely to be cameras and microphones in the toilet, because that is where terrorists go to assemble bombs.”

Yes, they always do that, don’t they, these terrorists? They go on a plane, then enter the toilet to assemble bombs. Quite an regular habit with them.

The camera could also be trained to detect seemingly harmless items being left in aircraft lavatories that could later be assembled to make a lethal device.

These days small containers with liquids, including… erm… toiletries, are considered dangerous. Liquid binary bombs, and all that. Which pretty much covers anything that can be left in a toilet. Anything that can be spilled in a toilet.

And the people running the system can be fully trusted not to do things like, say, decide to keep personal copies of the films of people (in the toilet, or otherwise) just because the ones filmed may be physically attractive acting somewhat suspicious, right? Nobody would ever do that.

On the bright side, though, people joining the mile high club may now easily obtain photographed proof to show all the doubters.

This is invasive madness. All of it.

Though it does give a new multi-layered meaning to the term security theatre.

AOL’s Active Security Monitor has some big problems

July 25th, 2006

AOL released a new program called Active Security Monitor, which is supposed to help find problems with the security settings of computers. It scans the computer, provides scores in various categories, and suggests ways for improving the security where the score isn’t perfect.

A nice thing to have, if it works. Personally I’m quite good at dealing with my computers’ security by myself, but a tool like that can be useful to point less experienced people to, and for getting a quick baseline.

Except that it doesn’t work well at all. And yes, I know, it’s from AOL, what should I expect, right? It’s a shame that they really don’t do much to improve the reputation they have in these regards, and blew this great opportunity.

So far I ran it on one computer. The computer runs a fully patched and updated Windows 2000 professional, has a fully updated Avast! 4 Home as an anti-virus, no firewall since it’s connected to a small network protected by a properly configured external router, using Firefox 1.5 and Opera 9 for browsers, And with both Spybot S&D and Ad-Aware SE Personal installed.

I downloaded and installed the Active Security Monitor program, and let it scan the computer.

ASM comes with an option to register it for a home network, in order get status on multiple computers at the same time. I didn’t do this, and will run a comparison on a second computer separately later on. No need to create an account for a tool when I don’t know I’ll use it.

After a few seconds of scanning my computer received a total score of… 53. Out of 100. Not a pretty sight.

Let’s start with the good thing first. It detected both Ad-Aware SE Personal and Spybot S&D, and detected that their signature files were not updated. This was all true. I usually keep the computer clean to begin with, and so didn’t run or update any of them for well over a month.

So I run both, updated the data, and repeated the scan. My score in the “Spyware Protection” category jumped all the way to Excellent, and the total score climbed to 57. Still not very impressive.

I also suspect I would have gotten the Excellent score with only one of them installed. Which isn’t enough, since the overlap between what they catch isn’t complete. They’re better together.

On the “Firewall” category my computer is ranked as Poor. Which is totally justified, it doesn’t have a firewall installed. But I took a quick look in the details, and was surprised to see that “A firewall is detected but is not enabled on this PC”.

This is wrong. I don’t have a firewall installed. And since it’s not installed, there is obviously no way to turn it on. Worse, ASM is extremely unhelpful in that it didn’t tell me which firewall it thinks I have and how it thinks I can turn it on.

Instead, the recommendations page had links to pages with general firewall explanations, some marketing hype on how the AOL service comes with full firewall protection (This AOL marketing hype exists on all details pages, whenever there is any sort of a problem, as far as I could see), and a non-detailed “To enable a firewall: Click Start, point to All Programs, and select your firewall”.

Yep, that’s going to be real helpful for anyone who actually needs this tool to know if they have a firewall or not. All those people, the ones who aren’t even sure what a firewall is, would have no problem at all finding it by themselves and running it.

Especially if, like me here, they don’t even have one. That could be a long long search.

It did say that if I would enable my firewall (The one I don’t have installed) it will raise my overall score to 79 (That’s a 22 points improvement).

Next, on the “Virus Protection” category my computer is ranked as Fair. Why just Fair? Because according to it “The anti-virus (AV) program on this computer is not enabled”.

I double-checked just to be on the safe side, and I can assure you that my copy of Avast! was working perfectly. So if ASM did find Avast! (Though I can’t be sure, maybe it found some phantom AV program, like the firewall) it should also know it’s running.

ASM also claimed that the signature files for my AV program are out of date. Which also wasn’t true, they were updated almost just before running ASM.

The details page contained the same list of not so useful suggestions, such as saying what a great AV protection the AOL service gives, and providing an explanation on how to turn on my AV program. A generic explanation, that is, which was identical to the one on how to turn on my firewall. Nowhere did it say even the name of the AV program it found.

It stated that turning on the AV program would raise my score to 70 (That’s a 13 points improvement). Personally I’m more concerned about why it thinks my Anti Virus protection deserves a Fair score if it believes my AV program isn’t even enabled. A not-running AV program should be just as good as a totally non-existent one.

Next is the “Windows & Browser” category. On this one I received a Good score, with two complaints.

The first was that “The Windows System Restore feature is not turned on”. And it was potentially useful about it, giving detailed instructions on where to find it in order to turn it on… Except that, well, this computer is running Windows 2000, and not Windows XP. And System Restore is a feature of Windows XP. It does not exist on this computer, and so cannot possibly be turned on. And all the places it directs me to go to in order to turn it on, well, they just don’t exist here. Totally dumb, and very unprofessional.

The second complaint it had in this category was that “Internet Explorer (IE) is not configured with encryption”. First of all, I hardly use IE, and as I said the computer has both Firefox and Opera installed on it, something which didn’t interest ASM in the slightest. And second, well, I never disabled any encryption option in IE.

So I went to the recommendation to see how ASM thinks I can turn it back on. Seems like I needed to “Enable Secure Socket Layer (SSL) technology on your browser”, and the way to do it is to go to IE‘s Internet Options, the Advanced tab, and there… to click on the Restore Defaults button.

Let me get this straight… In order to change an encryption setting, they want me to restore all the customizations I did there? Even ones entirely not related? Even ones that actually improve security beyond the defaults? Are they kidding me?

Plus, I checked my settings, and SSL was of course enabled. All settings that had something to do with encryption were right as they should be.

ASM stated that fixing the above two problems would increase my score to 63 (a 6 points increase).

On the “Wireless Security” it didn’t give a score, since the computer isn’t set for wireless access. That’s actually correct, so good job here on at least not thinking I have wireless access but need to turn it on, or something.

It also has a “P2P Software” category. On which I received an Excellent score. Why was it Excellent? Because “A peer to peer (P2P) file sharing program is not detected”. This is wrong on two entirely different levels.

The first one is conceptual. Having a P2P program installed is not a security risk by itself. Some of them are problematical, even very problematical, true. But not all, and not by the definition of being a P2P program. The risk is in what files are transferred with them.

But marking a P2P program as dangerous because you can pass bad programs in it is akin to saying having an email program, a web browser, or a CD drive, is bad for security. All true, but I didn’t see ASM complain about any of those.

The second one is that this computer actually had P2P programs installed. It’s not my main computer, so they’re old, and haven’t been used in many many months. But it has both KLT K++ and SoulSeek installed. Both are P2P programs.

I can forgive it for not finding SoulSeek, it’s not very mainstream. But missing a Kazaa Lite variation? Kazaa is one of the most problematical (from the security and privacy point) P2P programs out there.

And then it has the “PC Utilities” category, where I received an Unknown score because it didn’t find any PC Utility it cared about. Already questionable, since if not having them isn’t a cause for a bad security score, then they shouldn’t improve the security score when they’re there.

It had two points to mention here.

One item on the “PC Utilities” category was that “A PC optimization program is not detected on this PC”. What does that have to do with security? Actually, what is a PC optimization program supposed to do? There are tons of various optimization programs, doing totally different things, and many of them entirely not useful anyhow.

So I clicked their “Lean More” link to see what are they referring to. On the page they mentioned the built-in Windows utilities such as Disk Defragmenter, ScanDisk, and Disk Cleanup. All of which I have, of course, since they come with windows. And mentioned that there are better third-party tools for that.

True, but not relevant for security. This is supposed to be a security tool, so commenting on people not buying expensive programs (and programs most people usually don’t need) is out of place.

The second item in the category was that “A file backup program is not detected on this PC”. Here I can accept the security angle, since having backups is also good security. But the claim is nonsense. Especially considering their added explanation that they basically refer to anything used to backup files in a different location.

I have two different FTP programs installed on this computer, FileZilla and an older copy of SmartFTP. Both can be used, were and are used, for backups. I also have SyncBack installed on this computer, mostly for some test purposes, but it’s there and there’s no way for ASM to know what exactly is the usage pattern. So not finding any backup programs (Hey, ASM, listen up! Just copying files to a remote computer over the network is also a backup!) just indicates that it doesn’t pay attention. I do have backup programs installed.

Worse, one of their recommended solutions to the backup problem is to use “Xdrive: the most trusted provider of secure online storage”. Xdrive was acquired last year by AOL, so their incentive is clear. What’s also pretty clear is that Xdrive is far from being a trusted storage provider.

If I’ll add all the points I didn’t get the security score is an impressive 98 (57+6+13+22=98). Which is a good score. But, well, if I compensate for everything wrong, then why 98 and not a full 100?

I have two more general notes. One is that ASM decided I’m from a roaming location. I’m not. It’s a fixed desktop computer, with a fixed network, and a single active user. No roaming. At all. But since it doesn’t say what makes it believe I’m roaming, I can’t get it to change its mind.

If it can’t get this detail right, why should I trust it to get anything else network related right?

The second general note is that ASM uses IE to open all these additional information pages. It has them installed as HTML files on the hard drive, which is fine. But my default browser, and the program set to open these files by default, is Firefox. Which means ASM runs IE explicitly and on purpose.

Why would a security tool choose to intentionally run the least secure of my three installed browsers?

All in all I’m really not impressed.

I’ll run it again later on, using a second computer with Windows XP Pro, a different AV program, different P2P programs installed, and somewhat different settings. But I don’t count on being surprised by a sudden improvement.

On the bright side, the uninstall program seems to work perfectly…

Out of money, and of common sense

June 14th, 2006

I think copying here the email I just tried to send my bank, “Bank Leumi“, would cover pretty much all the points I want to mention.

Identifiable information replaced here by asterisks.

Hi.

I’m probably sending this to the wrong address, but the Leumi website did not have any more relevant contact address on it. This is also something you may want to attend to, for people wanting to contact the bank on something not directly related to the website.

Last night I was trying to withdraw money from the ATM machine on Leumi’s branch in *** (I think branch ***, but not sure) .

After inserting my card and typing my PIN the machine presented a list of option which did not include the option to draw money.
The main screens, before I started the operation, did not announce that this ATM is out of money. It wasn’t noted anywhere. Only in the inability to withdraw.

The ATM itself seemed to have been changed since the last time I used it to withdrew money, so I was concerned this may not have been a genuine machine, and wanted to contact someone to verify.

The main contact number printed nearby was the *** for Leumi-Call, which wasn’t working at this hour. There was another sticker with a number listed for use in “severe malfunctions” ***, so for lack of a better alternative I called it.

I explained the situation to the person there, who said that while he has no way to verify that the machine was not altered, the behaviour is normal for ATMs who are out of money. I double checked with him that the ATM indeed does not notify in advance that it’s out of money, and he confirmed, saying that it’s because they are used for additional purposes like checking the balance.

To be on the safe side I went over by the bank today. The ATM worked properly, and everything seemed to be in order.
The whole incident, however, left a bitter taste, and I have some strong recommendations:

1. Have the bank fronts provide a contact number which is more obviously fitting for cases like these. This should be on the bank, from the inside pane of a glass/transparent-door, so it will be obvious it’s a real number and not part of a scamming attempt together with a potentially false ATM.

2. An ATM which is out of money should always announce it on the display, *before* people enter their cards. Yes, the ATM has other uses, but they are comparatively minor, and are a lot less worrisome when not working.

3. If a customer is calling worried about a possible scam or false machine, you should have a way to check that. As far as I know all these ATMs are connected to some central computer, so there should be a log of activity. If the person I talked to would have told me that he sees a record of my card being used in the ATM I would have known for sure what was going on, instead of staying mildly worried till morning. And on cases of a real problem, someone then could have been alerted to it earlier.

Thank you, and awaiting to hear your reply,
Yaron.

P.S. On a non-related issue, but one that also deals with security, having the “information security recommendations” page on your website require running a Flash file is… counter-productive.

Not that the website issues are a big surprise with them, nothing much improved since the last times I actually tried to use their website.

Last minute update: I was just about to post this, when I got back a bounce message from the bank. I sent it to two email addresses listed on their contact page, one for support of their “direct surfing” service (which is basically the website), and one for support of their “premium service” customers.

The only addresses there were those two, and one for help with their monetary trades section, so these two seemed the likelier candidates.

Except that according to their mail server the premium address doesn’t exist, and cannot receive mail.

This is how you know a bank is serious. They treat their regular customers better than they treat premium ones. I love it.

I did send another mail to the first address, telling them about it. This time it’s actually well within the boundaries of what they’re supposed to deal with.

Lottery scam, by real mail

May 19th, 2006

A refreshing change (well, a change anyway) in all those scam attempts (Nigerian 419 types, or otherwise) everyone keeps receiving in email.

My brother received one in the mail. Regular mail. In an elegant envelope, printed on elegant stationary, and everything.

I know that these things also happen, and probably happened for a long time before email became so ubiquitous, but it’s certainly much rarer, and nothing I personally encountered before.

This one was a variation on the lottery scams.

The paper, addressing him by name, claimed to be from the Spanish elGordo lottery. And informed him that he won something like a million Euro.

Of course, not having ever purchased a lottery ticket in Spain, that’s not very likely. But they did have an explanation, this was a lottery done by randomly picking people from around the world as winners. Very convincing, no, to just randomly pick people and give them money, no need to apply?

They also mention that the money is transferred by a third-party, some security/insurance company, and that they’ll need to take 10% of the winning money as a commission for processing it. Another very convincing claim.

And there’s an attached form asking for all sorts of personal questions. Plenty of personal information, quite possibly enough for someone to even get into his bank account, for example, or for other identity-theft related reasons.

And most typical, though what I still find most peculiar about all of those scam attempts, the English was terrible. They did improve on the average by not having many spelling errors. That’s something that’s very rare for the emails. But the syntax and grammar, ouch. It hurt just reading the thing.

I admit, it’s quite possible that some random Spaniard off the street will use that as English, and expect it to be fine. I personally correspond with company clients from abroad who have worse English. But not when what’s written is supposed to be an official letter, sent by a respectable authority, and involving those amounts of money. And lottery foundation that can afford sending millions of Euros as prizes can certainly employ someone with reasonable English skills.

But those scammers apparently never can. Not once. Ever.

Sometimes I think these guys will have much higher success rate if people would only ignore those flimsy scam attempts because they make no sense, and not also because they have terrible grammar. With that language one can hardly even begin to try and take what’s actually written seriously.

And unlike the emails version, sending those real letters cost money. There’s postage, there’s the envelope cost, there’s printing the stationary on quality paper, stamping the paper and envelope with all sorts of official looking stamps. All sorts of stuff. So if they’re sending a large bunch of those, at least paying someone to go over the language would make sense.

Oh, well, can’t complain.

What I did find, however, is that throwing up these absurd amounts of money is actually helpful. It should have been obvious from the get-go that this is a fake. It was obvious from the get-go that this was a fake. But my brother, and my parents, still tried to check, and asked me several times to check, just in case maybe it is true.

They got annoyed when I told them, what they knew, that there isn’t a point in wasting time checking. They insisted. And when I actually checked, and reported back about the numerous reported cases of these scams, and obviously nothing real of the sort, they still kept insisting to maybe check again.

Almost sad to know that I share the same genes…

They got over it eventually. I just became more rude in pointing out all the obvious problems very clearly. But hey, send something that make no sense with a bait of a thousand Euro, and you’ll get instant scepticism. Do it with a million, and you’ll get a higher scepticism, but combined with a higher willingness to ignore it.

Depressing, actually. Even people who are relatively well off, and don’t need it, still get a little silly when the possibility of plenty of easy money comes off…

The supportive argument my brother came up with that most amused me was that they knew his name and address, and how could a scammer know these? Even before addressing the question, this is obviously a pathetic excuse, since by the same measure how would the real Spanish lottery know them, when he didn’t buy a ticket (or ever even been to Spain) ?

Just because something is an official institute doesn’t make it easier for them to know details that “nobody can know” compared to anyone else.

And, naturally, things like names and address are in lots of places. Easy, too easy, to know. It’s a major privacy issue, but also a part of life. Everyone (hermits and total paranoids excluded… sometimes) leaves their information in too many places. Almost any business or service someone interacts with will collect information, which can sometime include address. Plenty of government offices will as well. There are probably so many different registries that contain my brother’s name and address that guessing which one these scammers took the info from will not be possible.

Not for him/us, anyway. The police may be able to. If they get enough complaints, and can cross enough of the people somehow. But that’s doubtful as well, given how prevalent this information is.

At least nothing came off it, except for the amusement value. And the envelope and paper as small mementoes, if the police won’t impound them for investigation…

Stansted airport, and how I didn’t cause a major international incident

May 9th, 2006

My flight to London, this time, was through Stansted airport.

Stansted is located outside and to the north of London. Quite a bit of distance from London, actually. Certainly when compared to Heathrow airport, which is the one I usually associate with London.

Stansted Express adIt’s possible to get to the city with buses or taxis, but because of the distance this is a far less attractive option and the train service, the Stansted Express, are pretty aggressive in advertising their availability there.

I was particularly amused by this huge sign with a very direct message saying “There are 571 traffic lights between here and central London.”, leaving it to the reader to decide that maybe risking standing all those lights (as statistically improbable as it may be) isn’t a good idea.

I landed in the morning, and wanted to make the most of the day, so taking the 45 minutes express train seemed like the preferred option. It cost a little bit more, but spending the extra time in London instead of in transit is probably well worth it.

Passport control and baggage reclaim passed relatively uneventful, except for the usual proofs that this is a very small world and wherever you go you’ll always see someone you know:

  • Somewhat ahead of me in line stood someone who I was friendly with during my military service. A nice guy, but odd (and coming from me that means something). He was even far worse than I am in the whole social business of keeping in touch with people, so it’s not too surprising we didn’t keep in touch.
    We got to talk a bit when the queue twisted in a way that brought us right next to each other (across a separator line). Turns out he was there to proceed to some film festival. And this despite him being in university, and the semester actually being in progress. We chatted a little, and exchanged a few pleasantries, but that was that.
  • Right behind me in line were a few woman who I was pretty sure came from my city, though I wasn’t sure if I know them because I saw them long ago in school, or because they’re patients of my father and I saw them in his clinic. We didn’t talk.
  • Further ahead of me in line was someone who looked, and sounded, exactly like a relatively well known Israeli actress, Liora Rivlin. I didn’t cut through the line, shoving people aside, to ask, so I can’t be sure, but there was a very close resemblance.

Then I passed customs (Yes, they need those Landing Cards that they give everyone on the plane, and yes, I have to fill in a local address on it, even if I’ll be switching hotels and travelling all the time so the address I give them is essentially only relevant for a single night), bought the train ticket, and proceeded to the train platform.

Where the real fun began.

I had with me my suitcase, and my carry-on bag. The bag is a shoulder bag, which I’m used to carrying pretty much always. The suitcase I naturally never carry around, and is just for travel.

So I stopped on the platform to look at the train routes and stations, to decide where I need to get off. And I left the suitcase for a second to take a pamphlet with the train information. And because the bag was still on my shoulder, everything felt fine, and I went on the train. Without, mind you, noticing that I left the suitcase on the platform.

Yes, I’m an idiot. Can’t explain it any other way.

About 8-10 minutes after the train left, I noticed that I’m missing my suitcase. I had a quick look around, just to make sure (I changed seats a few times after getting on the train, since it was relatively empty and I wanted to see which was most comfortable), but no luck.

This is when all the bad possible scenarios started running through my head. Accompanied by the knowledge that those bad scenarios are actually the likeliest scenarios.

One bad scenario which I actually didn’t think about was that someone may have stolen the suitcase. I was more concerned about the security response. Which makes sense, since the chances of station security noticing, or being alerted to, an abandoned suitcase are much larger than the chance that someone who just got off a plane and has taken the train will see a suitcase and decide to take it.

As for what station security would do with the suitcase, the only model I had to work with was the Israeli one. That’s the one I’m familiar with. And since the British seemed to claim to be on high alert, especially after a few cases of bombings in the trains and underground, it made sense they’ll have a similar model.

Which means that seeing an abandoned suitcase on a train platform, and one in an airport to boot, should make them think it may be a bomb.

Around here, they’ll evacuate the platform, and call the bomb squad. Depending on procedure, and on how worried they are, they may close and evacuate large parts of the airport.

Major incident, certainly newsworthy. Getting my 15 minutes of fame is fine, but I’d really prefer not to have it as the tourist who temporarily shut down a busy airport because he forgot his suitcase. Not to mention the prospect of losing most of the day in answering questions for pissed off police officers and security people.

Not only that, but if they had a really quick response time, and the airport had bomb-squad people on-hand, I may have found that somebody had already tried to put a bullet through the suitcase, or destroy it in some other way.

Hey, they even say so in their Safety and Security information page:

Please make sure your keep your baggage with you at all times and alert staff to any unattended package or bag – abandoned baggage causes security alerts and may be removed and destroyed.

Fun, fun, fun.

I caught the conductor on the train in a hurry, and explained that I left my suitcase on the platform. He asked for a quick description, then called in to the station administrator’s office.

The conversation was shorter than I expected. He didn’t start by asking them if they already found a suitcase, or if there’s a problem, or anything. He started off by saying hi to the guy who answered, and directly telling him that he have with him the owner of the green suitcase and is sending him back.

They didn’t ask what suitcase he’s talking about, which meant he was right in assuming they already found it. This just made me more worried, since if they already found it then they already had the time to do something about it.

Luckily the train had one stop between the airport and London, and I noticed the lack of suitcase a short while before we got there. Otherwise I’d have had to wait all the way to London before being able to return back for my suitcase. As it was the conductor just told me to get off on the station, and pick a train back.

The train back wasn’t due for quite a while (A Stansted Express train goes every 15 minutes, but the ones going to the airport don’t always stop at the same stations as the ones coming from the airport), but I approached a station employee who told me I could get back faster by taking another train a few stations back, then switching there for the following express train.

This went smoothly, and pretty soon I was back on the train platform in the airport, looking for the station administrator’s office. Wondering if I’m in a huge mess or just a big one, and hoping that my luggage is safe.

I reached the location, which was an office with a few uniformed people. One was standing outside the door, and asked me who I was.

I replied that I’m the idiot who left his suitcase on the platform (in pretty much these exact words), and waited to see what sort of a welcome I’d get.

He told me to hold on, went inside the office, and brought my suitcase out (whole). He asked me if this is it, and I replied that it was.

I got a “there you go, bye”, and that was that.

Seriously.

No questions, no complaints, no yelling, no nothing.

They saw the suitcase standing alone on the platform, and all they did was to bring it in to the office, and wait for someone to come and claim it.

On the one hand this is pretty bad security practice. Had the suitcase contained a bomb, or had it been booby trapped, it would have gone off and caught the security people and whatever passengers were nearby.

On the other hand I was, naturally, extremely relieved. The whole episode had cost me only an hour of time, and nothing else besides. And a large amount of other passengers didn’t have to have their plans put in disarray just because I’m an idiot.

I guess that this sort of thing happens often enough that responding in any other way is really not a cost-effective way to handle forgotten luggage.

I got on the next train, double checked that this time all my belongings were with me, and headed on to London.

Researcher hacks Microsoft fingerprint reader

March 15th, 2006

Apparently the connection between the fingerprint reader and the computer isn’t properly encrypted, so it’s possible to connect to it and read the fingerprint data. Or to send fingerprint data that was recorded earlier.

It’s not really much of a news item, though, because the device isn’t intended for security purposes, and Microsoft doesn’t sell it for security uses. The research was to find why they don’t, because fingerprint readers are pretty much smack down in the category of security and authentication gear. That’s their classic, and most obvious, use (Despite the many problems with biometric, which now is not the time to go into). So the fact that the research found a problem shouldn’t surprise anyone too much.

Even if some customers assumed that it can be used for security despite the manufacturer’s recommendations.

The point I found interesting is this response by the CTO of Digital Persona, the company from which Microsoft licensed the technology for the device:

Digital Persona would not comment on why Microsoft may have turned off the product’s encryption capabilities, but one company official said that this decision is unlikely to affect the security of its users.

“The fact that they turned the encryption off, I would argue, does not in a practical sense open up any security holes,” says Chief Technology Officer Vance Bjorn. “Even with the encryption off, you’re going to have to basically have physical access to the person’s machine to crack into it.”

He claim that it’s not a problem, because it would require physical access to the computer. This is, while accurate, totally silly and besides the point.

Fingerprint readers are intended to be used against people with physical access to the computer the scanner is attached to. That’s the only case in which they work. A legitimate user with no physical access will not be able to have their fingerprint scanned. Physical access is required by design.

So saying security holes are not opened just because it would require physical access, is actually saying that the device is meaningless from a security standpoint. You need physical access to hack into the machine around the fingerprint scanner. But you also need physical access to use the machine by using the fingerprint scanner. Ergo the fingerprint scanner is meaningless.

Which is basically what Microsoft implied to begin with, but entirely not the point the CTO was trying to make here.

Massive phone blunder for the British Foreign Office in Iraq

March 6th, 2006

In my own army unit they had strict limitations on phone usage. Well, not all that strict, we needed to talk on the phone, and we could. But there was a limit. And if a department strayed from the limit, they noticed. Quickly. And the department was reprimanded. In some cases repeat offenders simply had their phones cut off, or limited to only certain outgoing numbers, for a time.

The British Foreign Office, in comparison, is much more lax on phone usage. It can take them more than a year to notice very excessive charges. To destinations which were not related to operational needs. On phones that were stolen (but they didn’t notice this too, so that may be a good excuse). In Iraq.

It certainly was not part of Britain’s plans to win the hearts and minds of the people of Iraq. But the Foreign Office has been apparently paying for an adult sex chatline in a Baghdad street for 17 months without knowing it.

FO officials had already admitted that the lost phones had cost them £594,000 in unauthorised phone bills but it is now bracing itself for an extremely critical report from the Commons public accounts committee on how it came to pay phone bills, which at one stage hit £212,000 in one month, without asking questions.

Sir Michael said initial inquiries had revealed a series of blunders. The phones were already activated when they were sent to Baghdad and they were not properly logged in – so no one realised at first that they had been stolen. None of the bills were initially challenged until people realised the phones had gone missing.

This is such a long string of errors and blunders, one after the other, that it would have been really sad if it wasn’t so funny. Or maybe the other way around.

When shipping something abroad, they should track it. Always. If it was sent, and nobody received it, someone should have noticed. Private companies track inventory. Military units track inventory. Why can’t the British FO track inventory? Yes, there are items which aren’t tracked individually, but come on, a mobile phone isn’t exactly a paper-clip.

The fact that they didn’t monitor the billing for those phones is also amazing. The 17 months the article mentions is over a fiscal year. The charges should have been noticed after a month, I think, but not to notice such a bill after a whole year is almost beyond belief. I can’t think of any organization with such a free calling policy.

And these aren’t phones in an office at their HQ. These are phones sent to a foreign country, with all the confusion and potential problems that this entails. How can anyone expect that everything will be alright, and that no monitoring at all will be needed?

Not to mention, they also obviously didn’t screen the phones for permitted and forbidden destination. In an office, in the UK that would have been understandable. Too many places someone may need to call. But in the field, in Baghdad? These phones should have had a pretty limited list of allowed destinations, with a procedure set in order to allow others. And tight monitoring to make sure they’re not used otherwise. I believe those phone sex lines were not officially approved by anyone.

At least that’s one sex scandal that will be duly paid for by the guilty authorities, and in hard currency too.

Going out for a smoke

November 26th, 2005

I don’t smoke, and I hate the stench of smoking. Many people, at least those who don’t smoke themselves, do too.

So for a smoker who craves another cigarette, it is usually considered polite to go outside for that smoke. Smoking a cigarette inside a building is very rude, as the smoke reaches everywhere, takes very long to dissipate, and can get the stench into furniture and clothing. When going outside, most of the smoke disappears into the atmosphere, and when the smoker gets back in they usually don’t carry with them anything more than really bad breath.

This is so common, that for many smokers it becomes automatic. When they feel they need a cigarette, they take one, and head outside. Usually they’re even nice enough not to actually light the thing until they’ve cleared out of the building.

On some cases, though, this habit isn’t always the best idea, though the exceptions are pretty rare:

Sellies was traveling on a Cathay Pacific flight from Hong Kong to the east coast city of Brisbane on Saturday when the incident occurred at the start of a three-week Australian vacation with her husband, the court heard.

She walked toward one of the aircraft’s emergency exits with an unlit cigarette and a lighter in her hand and began tampering with the door, prosecutors said. But a flight attendant intervened and took Sellies back to her seat.

A very simple rule, actually: If you can’t go outside, don’t go outside to smoke. And if you can’t go outside, and can’t smoke inside, don’t smoke.

I’d go as far as to say just don’t smoke ever, in general, but that’s beside the point, and the relevant people won’t listen to me anyway, so I’ll pass.

Defense lawyer Helen Shilton told the court Sellies was terrified of flying and had taken sleeping tablets with alcohol before takeoff.

Shilton said Sellies has no memory of what happened on the flight and that she has a history of sleepwalking.

In her defence, the women probably really was totally drunk at the time. On the other hand, I’m not sure being totally drunk on a flight is such a great behaviour either.

Online banking

November 12th, 2005

My bank has a website allowing to perform most (though for some reason not all) activities in the account, and see the current status.

Since my income is more or less the same each month, and I have my regular deposit instructions, I rarely have the need to go straighten things out at the site. I do get over to the bank occasionally, so it’s simpler to just step in and talk with the investment consultant (or whatever the official term is) in person.

All this to say that I haven’t used that site in quite a few months. But now I did have a somewhat larger amount of money sitting in my checking account, and I figured it would be simpler to put it on something bearing interest rate through the site, instead of going to the bank in person.

I entered the site, put it my user name and password (OK, it’s a bit more complex than that, I’ll get to it soon), and was surprised to see that they’re not valid. I checked, and it turns out my bank is a believer in the idiotic concept of password expiration. In their opinion just because a few weeks have passed, never mind actual uses of the password or what I did with it, the password is suddenly less secure. And since I wasn’t on the site at the time frame where they would have asked me to replace the password, they just expired it.

Well, off I went to the bank to deal with the money, and while there I also asked them to reset the password. There wasn’t any problem with that, and they gave me one of those automatically printed sealed envelopes with the newly generated password inside. Which like all such bank password is the absolute best (yes, I’m being ironic) in secure passwords, being a short string of numerical digits only. Funny, that.

At home, I tried to log into the site again. Now, most anything password protected has a user name, which is supposed to make sense and be easy to remember, and a password, which is supposed to be non-obvious and secret. They don’t.

They have a user name, but that user name is assigned from the bank, and seems like a short random string of letters and digits with no obvious relation to my name or bank account (and it would have been a better password string than the auto-generated one they gave me).

They have a password. The one I was given, which after signing in I would be prompted to change.

And they have an “identifying field”. Which in my case is my account number, zero padded. I have no idea what’s the point in that, since the whole concept of the user name is to be uniquely identifying per user. Why would anyone need both the user name, and the identifying field? Plus, if the identifying field is so obvious then it serves no practical security purpose.

So I filled in my details on the simple web form, which was, as it should be, SSL encrypted. And I pressed the submit button. Which did nothing whatsoever. Their Javascript sucks, and doesn’t work in Firefox. Effectively the whole site doesn’t work in Firefox. Just in IE. Because banks want to be as secure as possible, and what browser is more secure than IE? Practically all the rest of them, these days, but apparently my bank doesn’t know that.

So I switch browsers, and login. What I expected was to be asked to replace the temporary password with a new one, and this is indeed what happened. Except the form I received wasn’t one for replacing the password. Instead it was titled as new user creation, which is a bit confusing since I was using the exact same user name, and accessing the exact same bank account. Not only that, but I had to enter my same user name and identifying field here, or it wouldn’t accept them. So it was a password change screen, but very wrongly titled and labelled.

I entered my details, and new password. And wanted to log in into the site. I was transferred to a page telling me the site was generating a new key, and then it asked me to install and run an ActiveX control. I refused, and received an error that the key could not be generated, and I cannot access the account. Why would they need an ActiveX control running on my side in order to allow me secure login in beyond me. As I mentioned, their site already supports SSL. Implemented correctly, than more than good enough. Certainly better than whatever proprietary scheme they and their ActiveX control are implementing, which can contain a large number of bugs and weaknesses they don’t know about.

But I did need to access to site, so I tried again, this time giving permission to run an ActiveX control on the page. After a few seconds it happily told me everything went fine, and I was redirected to the main page of the site.

And was confronted with a very large web form, titled as new user registration. Only unlike the previous one that contained only the user-name/identifying-field/passwords, this one contained fields for my real name, address, and lots of other personal details, all on its first part. Its second part had a list of areas of interest, with a field for email address to receive news from the bank about them. The third part allowed me to enter an email address or cellular phone number (for SMS messages), and had a EULA. This legal agreement started off by stating that I’m interested in the bank’s service for receiving various publications on financial services.

I don’t want their news, and I don’t want their services. The whole form, all three parts, had just one “Next” button. Meaning that I either accept everything, or nothing. I could potentially enter my personal details, and leave all the other items unchecked and unselected, to indicate I don’t want them. But that EULA prevents that, as I have to agree to it before proceeding. And I wasn’t willing to do that.

So was I in a problem? Were I unable to register to the site? Not at all. The site menus (Two of them, both at the top of the screen, and at the side) were already there, and I could navigate to other pages without a problem. I could see my account details, and manage my account and money, no problem. Which to me strongly indicates that I’m already registered to the site. So why do they give me, every time I logged in since then, a form titled “Site Registration”?

I went away, to tour the site. Lots and lots of requests, on nearly every page, to run ActiveX controls. And do you know what they seem to do with those controls, that was so complicated that it couldn’t be done with plain HTML, or with some Javascript? Tables. Yep, all those simple data showing tables, they were implemented using an ActiveX control. Idiotic. Stupid. Moronic.

They also use some VBScript on the site, intermingled with the Javascript, but that’s a whole different problem. And since the thing won’t even let you enter if you’re not using IE, then it doesn’t really matter by this point. Except that they also didn’t quite do all that VBScript well enough, as evident by helpful messages I received such as:

Microsoft VBScript runtime error ’800a0009′
Subscript out of range: ‘[number: 0]‘
/Premium/SPECIFICFILES/Premium/AM_MyAsset1.asp, line 85

The site, BTW, is extremely slow. Very very very slow. Page loads can be in the range of 10, or sometimes double that, seconds. And because it’s all done with those controls, and with frames (Yes, frames. Frames are getting very unpopular everywhere, but this site still loves them dearly), it means that the browser indicated that the page has finished loading rather quickly, with the page still being totally blank, or with gaping white holes. There is no way to know that it’s still getting the page, except to wait in the hope that it’s working and not stuck. Very bad design, that. It’s bad for a quick site, but it’s terrible for a slow site where you have this dilemma on every single page load. And some of the times it really did die (either that, or I was just too hasty in refusing to wait more than a whole minute for page load), so it’s not as if every time I waited enough the page eventually came through.

This is Israel here, and the language is Hebrew. The site was in Hebrew as well. And most of the time everything went fine, giving the browser no problem. The characters were in the correct code page, and in the correct writing direction (Hebrew is RTL, not LTR like English). Except that some page weren’t. Not entirely critical, since it’s possible to select a different code page through the browser, but it’s very unprofessional. And can be quite confusing to computer illiterate users of the site.

And while most of the functionality was there, some pages were clearly broken. Some of the pages, showing certain types of deposits, has a disabled drop-down list of the bank accounts, and no details. This despite the fact that I have deposits of the relevant types. So some parts of my account are not accessible from the site, even though the site is visibly designed to deal with them.

More amusingly, these drop-downs are badly designed. Usually they work simply enough, defaulting to the main account, and allowing to select another one, or some relevant subset. But some pages gave it as a selection, with a “next” button, and the default item was “All Accounts”. Which sounded fine to me. But the “next” button didn’t want to go anywhere. I had to open the drop-down, and select one of the other options, for a specific account. I assume “All Accounts” was not so much an option as the name of what the drop-down list showed, and they should have either eliminated it as an item, or named it “please choose…” like all those standard web forms wanting you to choose a value without a default.

Another interesting design decision was to put access to preferences/settings/options both on the top menu, and the side menu. The one on the top menu even had this cute little icon next to it, and accessible everywhere (the side menu changed based on the area on the site). Naturally I tried the one on the top first. Which, regardless where I pressed its link from, just redirected me to main account details page. The one on the side menu worked well enough, though.

Not that it turned out to be interesting. There was an option to change the password. There was an option to change the identifying field (Did I mention already that I have no clue what is the point of that field?). There was an option to see the system details (running about 3 different ActiveX controls, which do complex things like check if the browser supports Javascript and VBScript). And there was an option to change the disk settings.

What are disk settings, you ask? Good question. In the long long past, when they just went on-line, they also didn’t trust SSL. So they had this external program used to encrypt (hopefully) the communications to the bank. And it kept the encryption key on a diskette. The idea was that you could take the diskette with you, so nobody could access the account without you, and yet you could access it from everywhere. Yes, whoever designed that wasn’t too bright, I agree. But that’s the way it was.

These days they don’t really use those disks any more, but the terminology still involves them (When getting the password, I had to sign a form saying I received a disk, and am agreeing to keep the disk secure. Yet no disk was involved. Seriously). And this page seemed like it allows to choose to actually require the usage of the disk for some sorts of transactions. I didn’t try to make the change, not having a disk and all, so I don’t know whether it actually does something, or just there since they hated to lose the screen after working so hard to design it.

Oh, they also had a page there stating that the site is best viewed under a 800×600 resolution. This may be a good time for me to state, in case anyone doesn’t know it, that most people use 1024×768 or higher. 800×600 is so passée.

Which leaves us just with the fascinating subject of “mail”. See, they have two totally different things. One is messages from the bank (Of which I had none, despite not checking them for months and months). The other is “mail”. Which, as it turns out, includes messages from the bank.

I think the term “mail” refers to the fact that these are the same message they send you in the post if you don’t get to check them in any other way. Since it would eventually become mail if they have to send it, they decided it must be mail in any case.

It did make me hope that maybe they will allow reading them like mail message. Getting them through an encrypted mail server would be both secure and comfortable, since I could easily set my mail program to check it automatically, and to read it comfortably. But no such luck, any relation to Internet mail standards is totally non-existent.

The main menu page shows in the corner the amount of unread “mail” messages. When I logged in there were four. After I read them there were, obviously, none. Yet as I kept navigating the site the number there kept changing. Sometimes I saw there weren’t any unread mail messages, and sometimes it showed there were four. Excellent refresh there.

I went to see the mail. There was this table, with the subjects of the message, the date they were sent at, and the date they were “downloaded” to the computer (which was blank at the first view). It was possible to click on one in order to open a new browser pop-up window with it. And there was an option to mark some of the messages (no “select all”, I had to go one-by-one through the lot of them) and download them to the computer. Downloading them seemed like a good idea, since according to the text on the site if I read them on-line then they won’t send them in the mail, meaning that I’ll have no confirmation of ever seeing those messages. It also means that from now on I’m not checking “mail” on the site.

I pressed the download button, and got to a screen with some explanations on how to read the downloaded messages. Apparently it requires a password. The password consists of the number of the branch of my bank I’m using (not secret, and in the bank’s listings), the digit 0, and my account number (also non-secret, and printed on about any interaction with the bank whatsoever) padded with 0s to eight digits. This is presumably the exact same way a password would be built for any other user on the system. So it doesn’t serve security against any attacker who is even half-serious.

I pressed the download link again. At which case IE showed a message that it blocked downloading an unsafe file. This is IE’s nice way to say that it doesn’t let me download executables, even if I want to, unless I approve them specifically. So I navigated on the short menu to where I can select to allow downloading this file for this time. Except by the time I done that I got redirected back to the main account page of the site, and didn’t get the file.

After a few such futile attempts I realized that the only way to download it would be to add the bank’s site to my secure sites link. Because I totally trust the people who design a site so well, requiring me to run their code on every turn, and even have me download an executable just to read some textual messages.

But that’s the only way to get the file, so that what I temporarily did. I then went to the mail area again, selected all the message again (they all had a downloaded date by now, the site didn’t notice my browser never asked to actually download the file it generated), and went to download them. I read again the password instructions, and pressed the second download button (the password instructions are all you get after the first one).

Stopping to read the instructions may have been a mistake. I started the download, and most of the way though the download hanged. Either they have a really bad connection, or they want to (for security reasons? Such as what?) expire the file quickly after generating it, assuming everyone would download it very fast. In any case all I ended up with was a corrupt file I could do nothing with. I had to clear the browser’s cache and download it again (without clearing the cache I just got back the same corrupt file, since the generated file had the same name).

Finally I downloaded the executable file. It was a self-extracting zip archive. Which, if you run it, is set to automatically create a folder of the same name inside the current folder, open everything into it, and run an exe file inside there. No questions or confirmations asked. Very rude.

The internal executable has the original name “Decrypt”, which had the internal name of “CPExplorer MFC Application”. No request for downloading the MFC libraries was made, so I guess on many computers the thing will just refuse to run. It also shows that possibly the bank didn’t write it, and didn’t think to change the name to something containing their own.

It also came with a DLL file called “DES3dll.dll”, so I guess the encryption they’re using is triple-DES. Though why send their very own implementation is, again, beyond me. Very odd.

In addition, the directory contained lots of HTML files and image files. Just what the site showed when reading those “mail” message. Except that the HTML files were encrypted, and appeared like junk at first glance. Though that didn’t stop them from keeping the html file extension, instead of naming them something else.

When the program was run, it opened a screen asking for the password. This password window did not appear in the task bar (So it’s not as obvious to some people how to switch to it), and did not have a title bar (so couldn’t be moved from the centre of the screen).

If instead of entering the password I pressed the “cancel” button, it closed down, leaving the created directory and files intact. Same if it was run with the password, and later closed. So many of the bank’s users must have lots of these leftover junk files still on their drives.

After entering the password, a window opened with the main html file of the index. A simple table of the messages. Clicking on the link to any of those caused the program to copy it into a temporary folder, decrypt it, and show it.

Except that it didn’t. The file names of the messages were in Hebrew. And since apparently their program isn’t UNICODE, it couldn’t find the Hebrew file names. All I got was an error message that the files cannot be found, with a garbled file name of how the Hebrew name looks like in Western characters.

The solution for that on Windows XP is to change, under regional settings, the default code page of non-UNICODE programs to Hebrew. I have no intention whatsoever of doing that at the moment. Not for this stupid “mail” reader of my bank, in any case.

Bad, bad, bad programming and design all around…

Prisoners released on wrong dates due to “computer glitch”

November 1st, 2005

A State audit of Michigan’s Department of Corrections shows that since October 2003 there were 23 prisoners who were released on the wrong date. Well, the audit only found 8, but they caught more when they actually started checking after the audit.

The State audit report shows errors in the release dates of 23 prisoners between October 2003 and March 2005. Some were let out early, while others were let out late. Either way, the computer flaw that led to the problem leaves 1 lawmaker concerned.

Prisoners let out early is a problem, since they don’t serve their time. If you lock someone in jail for a long time, you want them to stay there, not to get out early. That’s understandable. And while no murderers were released, there were still some non-trivial crimes there.

prisoners who were doing time for everything from embezzlement and drugs to bad check writing

But what really surprises me is those that were released too late. These people must have lawyers. And I doubt any of them missed the fact that they’re locked in jail. So when their release date, as set by the original sentence, would have passed without them being released, they should have raised hell.

How could they missed that? Would anyone, would a sentenced criminal, stay in jail for more than they had to? Just because the date on the computer is different from what they, and their lawyer, know it should be? Would that really wait until a state audit was performed before it was found out? Not bloody likely, even though apparently that’s exactly what happened.

The article was also a bit sparse with technical details about the glitch. That they don’t say anything beyond repeating several time that there was some computer glitch or flaw. Generally it probably doesn’t interest most of the potential readers, not nearly as much as the fact that some criminals were released too early, but as a computer programmer I’d still like to know.

The audit reports shows all the details of what happened. A flaw in computer programming caused State jails to release 8 prisoners anywhere from 39-161 days early

At the top of my head I can’t think of any bug that would cause a computer program to make a mistake in that range of days. Though of course that doesn’t mean much, since the article only lists a part of the range of delays, not detailing what happened with the other 15 prisoners beyond the fact that they were released either too late or too early. Not to mention that it’s a rather small sample size of mistake.

With those vague descriptions I won’t be at all surprised if the glitch wasn’t in the… data entry system. And yes, by data entry system I’m talking about the person typing in the dates. That could account for all the mistakes very easily. It’s easy to press the wrong button occasionally. But that would mean someone would have to pay, while if it’s just a computer glitch:

They say they’ve already taken steps to correct the computer glitch and will continue to work until the problem is taken care of.

I was also unable to find a follow-up article, from a few days later, about the subject. Surely a simple date handling routine in a program could be found and fixed in a few days, so there should have been a proud statement about how they fixed it. But no, all’s quiet. No further details on anything. Excellent news reporting.

I also wonder what compensations will people who stayed over-long due to the glitch will receive. Are there any lawsuits about it already? And would the people who were released too early be dragged back to jail, to serve the reminder of their sentence? Treatment should be the same for both sides, no? Either accepting the mistake as is, or trying to come as close as possible to fixing it.

Impressed with their performance?

That audit shows the State Department of Corrections is only moderately effective when it comes to accurate prisoner release dates.

Not the way I would define moderately effective myself. Maybe they work by a different dictionary over there in Michigan’s Department of Corrections…

[Edited 22/11/2005: minor fix of lacking HTML tag, no content was changed]

The next big terrorist target: Bingo

November 1st, 2005

In Kentucky they take the war against terror seriously, and like to cover all the angles. Terrorist activities need funding. Heck, everything needs funding, and terror is no different. So one of the things to do to fight terror is to try and block their avenues of obtaining funds. And the fine people of Kentucky have started acting in earnest to stop a major gaping hole in the terror-funding blockage: Bingo games

Kentucky has been awarded a federal Homeland Security grant aimed at keeping terrorists from using charitable gaming to raise money [...] The idea is to keep terrorists from playing bingo or running a charitable game to raise large amounts of cash, Holiday said.

Because nothing spells lots and lots of free-flowing money quite like Bingo does. And if the fine people of Kentucky can see it, then it must be just a matter of time until the terrorists do to…

Sure, Bingo games are a way to make money. But it’s not such an amazingly terrific way. So yes, terrorist probably could also raise some money from Bingo games. But they can use all the other methods as well. If someone can make money out of it, so can a terrorist.

What then, you’ll go after each and every single way in which people can potentially raise money? Because if you do, then you should be aware right from the start that there’s only one thing to do. Only one method that can guarantee those nasty terrorists won’t be able to make their money. Only one sure-fire way to guarantee that those terrorist will not have any way to make a dime

Communism. If Kentucky will fully embrace communism, to the fullest, not letting anyone own any private property, then they’ll solve the problem.

The state Office of Charitable Gaming won the $36,300 grant and will use it to provide five investigators with laptop computers and access to a commercially operated law-enforcement data base

I also really wonder how are they going to spend an amount of $36,300 on just five laptop computers. I know laptops are expensive, but this strikes me as rather steep… I think maybe someone there should take a look into ways for law enforcement to make money. Or better yet, ways for them to save money, instead of spending it on all this nonsense. Seriously.