Archive for the 'Security' Category

Employee Safety

October 16th, 2005

How do you decrease the chances that someone will enter your store to rob the cash register and the safe? That’s a hard question, which I suppose a lot of stores debate.

One (or actually, many) of the usual means are security. You can hire security guards. You can put visible cameras that potential robbers know will assist in catching them later. All sorts of mundane stuff like that.

This video rental store in Los Angeles (I think it was somewhere next to Sunset blvd.) used two different ideas

The first one is directed at small-time theft. They state that you’re not allowed to enter with bags or backpacks. People are less likely to swipe a few DVD boxes if they can’t quickly hide them. They put it on the same sign forbidding food and drink, which on the one hand are different things since they’re not related to theft but to store cleanliness, but on the other hand this is also meant to prevent damage to inventory so there are similarities.

We were inside for a few moments, browsing the collection, and we both carried bags. V might have even had a small backpack. Nobody mentioned anything, and they didn’t seem too troubled by us being inside violating that sign on the door.

The second one is directed towards robbery. A sign stating that employees do not have keys to the safe. It tells potential burglars that the money isn’t in a cash register but in a safe. And it also tells them that going inside and threatening the employees won’t do them any good, since they can’t open the safe.

Is it true? I don’t know. Someone who work there has to have keys to the safe, otherwise there’s no way to put money in it, or take money out of it. But for someone scoping businesses, trying to decide where to hit, this might serve as a pretty good deterrent. On the chance that it’s true, robbing the place would get only the profits from one day, or maybe not even that. It won’t prevent a robbery, but it would shift it to a different place, which from the store’s perspective is good enough.

I’m just a little surprised that an area heavy with tourists is such a risk for robberies. I don’t have any experience in the field whatsoever, but I’d have expected people to attempt and be more low-profile when robbing stores.

Locked tight

August 22nd, 2005

When shops close down for the night, the owners have an understandable desire to reduce the chances of a break-in. So usually closed stores at night are locked behind solid metal bars, grates, and blinds. And when you go to a commercial center, containing many stores, they all are, one after the other.

So when I went to withdraw money from the ATM the other day, it being located in a cluster of shops, it was not surprising at all to see sights like these:

locked and barred stores locked and grated stores

supermarketWhat was surprising, though, was to find that a supermarket located in the same area, right next to them, only managed to get half the point.

If you look on the left side of the picture, you could clearly see the nice and strong metal grate which covers the entrance. So anyone wanting to enter through the locked sliding doors would be unable to. That’s a wise security measure, just like the bars on all the other shops in the area.

On the other hand, if you’d look at the right side of the picture, the same picture of the same supermarket, what do you see? Yes, you can blink again in disbelief, it won’t change anything. You really are seeing it. A clear glass (well, probably some transparent plastic and not glass, but that’s not really important, is it?) pane. A large and easily accessible clear pane, not protected by anything hard or metallic.

So instead of breaking the door, which is impossible because of the metal grate, anyone so inclined could just break the wall next to it. Very smart, isn’t it? What were they thinking?! Where they thinking?!

Wrong Address

August 18th, 2005

envelope front with sender detailsWhile our postal services generally, sometimes, do their job quite adequately, there are flukes. We do sometime get envelopes addressed to neighbours, or to someone with a similar last name but on a different street.

But the most recent such wrong delivery was more amusing. Because of the sender, the intended recipient, and the type of mistake. You see, this was not sent by a private person, nor was it one of the usual commercial messages. This was an international mail, all the way from Luxembourg. And the sender was NAMSA, a NATO agency.

Yes, NATO. Isn’t that fun? I bet most people don’t get envelopes from NATO at all. I certainly know we didn’t ever. And still, it came. Well, it wasn’t really addressed to us, of course, but those are just details.

The intended recipient, as I said, wasn’t us. Not at all. It was an unnamed acquisition and procurement specialist, in the “IDF technology division”.

envelope back with recipient detailsErr… Except that the IDF doesn’t have anything named “Technology Division”. Instead there’s the “Technological and Logistics Directorate“, better known here as Atal. Or, to be more exact, ATL (in the corresponding Hebrew letters), which is an acronym. A for “Agaf” meaning directorate or division, T for “Technologiot” meaning Technologies, and L for “Logistica” meaning… you got that right, Logisitics. Yes, the base words for Technology and Logisitics are the same in Hebrew, which can give you a clue as to where they were borrowed from. The abbreviation is pronounced as Atal.

Normally I wouldn’t be too surprised that someone over at NATO isn’t aware of the exact way things are organized in our military. But if you send envelopes to someone, it means you have some interaction with them. Which in turn means you have to know who it is that you’re interacting with. So I find their “Technology Division” odd.

The address was indeed in the same city we live in, which explains why it got to the same post office branch. But as to why it arrived to us, that’s a mystery to me. There is no name on the envelope, so someone familiar with us at the post office (Yes, that does happen) couldn’t have gotten confused. There is no street address, so nobody could have delivered it to the wrong house on the right street. There is no house number, so nobody could have delivered it to the right house on the wrong street. All it had was a POB number, four digits, of which two are similar to ours. That would rather be, similar to ours and to plenty of other people’s. There’s a huge limit as to how much variance POB numbers can have.

So someone was sloppy.

In any case, we didn’t open the envelope. Likely it’s also not interesting, since it went from one body dealing in logistics to another. On the other hand, it also went from one body dealing in armament procurement to another. So maybe it was interesting. But the point is moot, we returned the envelope to the post office, so they could deliver it to the intended recipient. Or deliver it yet again to a wrong recipient, but that’s their problem, not ours.

Why it didn’t go through the various diplomatic or military channels is beyond me, though. If you have important (The envelope was marked as priority airmail. Which doesn’t necessarily mean anything, but it may) military related material to send, between two military organizations, trusting the usual post seems questionable. And in this case at least was a demonstrably bad idea.

Had there been anything even remotely classified in there, someone might have opened it and read it. The fact that we didn’t doesn’t mean that nobody else would have been curious. And, like I said, we’re not the only people with such a badly matching POB number.

Oh, well…

Statistics show UK hi-tech industry still didn’t discover Air Conditioners

July 4th, 2005

that’s not exactly what they said, but that’s surely the only way to read it. A security vendor in the UK claims that their statistics of legitimate (i.e. not viruses and spam) emails show a direct relation between the rise in the temperatures and a decrease in email traffic.

A decrease which they attribute to the economy becoming less productive due to the heat (emphasis mine):

Email Systems says that from Monday to Fridays during the most sizzling parts of June, emailing was down by up to 20% on normal levels. It believes this is an accurate way of measuring corporate productivity across the country generally.

“The reduction in legitimate emails clearly indicates that UK businesses have suffered due to the extremes of heat, suggesting perhaps that as an economy we are simply not yet able to cope with the types of summer that experts are predicting in the years to come.”

But most email messages are generated in companies which are more technological. For starters, they have more computers, and more employees who use them. And these places, well, they tend to install Air Conditioning. They really do. But if they have a working AC system, then obviously the heat cannot have an effect on the productivity… If heat does have such a strong effect (and 20% is a lot), then it follows that all those companies don’t have working AC.

Also doubtful is their claim that the amount of email passing through them is indicative of corporate productivity across the country. Email is to some extent an indicator of a company productivity, but not necessarily a direct one, and not for all companies. Many companies simply do not have that much to do with email. Email could only be “an accurate way to measure corporate productivity across the country” if those companies behaved just like companies that live through email and the Internet. And that’s simply not true, though easy to see how a company dealing with computer security could lose sight of that. They’re just not exposed to any corporations who don’t need their services… Then again, maybe their AC broke down, and whoever came up with those claims simply didn’t drink enough and suffered an heatstroke. That would explain everything.

Taking a camera to the cinema

June 14th, 2005

[UPDATE: The free invitation arrived]

A few weeks ago I went to see a movie with a friend, and carried on me my digital camera. Which resulted in a little unpleasantness. I sent an email to the company (Rav-Hen) running that cinema:

A few days ago I went to see a movie, in the Rav-Hen Dizengoff cinema.
I had with me a new digital camera, inside a small
holster on my belt. This was the first time I ever
arrived to a movie carrying a camera with me.

The security guard saw the holster, asked if I have a
camera inside it, and when I gave a positive response
he informed me that it is not allowed to take a camera
into the cinema, and I will need to deposit it with
security.

I tried to explain to the guard that this is not a
video camera, so I could not use it to make a pirate
copy of the movie even if I wanted to, but to no
avail. When I asked him what is the problem with
carrying cameras, and why are they not allowed, he was
unable to answer me, and only said it’s policy, and
that he doesn’t understand it either.

Worse, when giving the camera I was not provided with
any official deposit form. I was asked for my name,
and was given a simple hand-written note on a piece of
entirely common note paper, having my name and the
word Camera written on it by the women inside the
security room.

Had my friend not been there earlier, and saw people
giving those paper notes and getting cameras back, I
would have made a scene, since it looked entirely
unofficial, and made me seriously doubt that I’ll see
the camera again. If I wave a simple handwritten paper
and claim it’s a deposit receipt, in most places I
would fully expect to be told that’s nonsense.

In this case it ended well, I gave back the note, and
got back my camera, but the entire experience left me
mystified, and was very unprofessional.
In addition, no verification of either my personal
details or the camera details was done. Anyone
standing in the vicinity when I deposited the camera
could have easily written their own note, hand it
over, and get my camera. The current procedure is
entirely open to abuse.

Due to that I wanted to ask you:

  1. Why are simple (non-video) cameras not allowed
    inside the cinema?
  2. Why are the security guards are in charge of it?
    It’s not a security issue, and making other things a
    part of their duty hurts security.
  3. If this is indeed official procedure, why do you
    not issue proper forms, and trust on simple and sloppy
    hand-written notes?
  4. Why aren’t any checks done to better identify the
    identity of the people depositing, and withdrawing,
    the cameras? And that they are getting the right
    camera?
  5. Why are the people in charge of implementing the
    policy not informed as to the reasons for it?

Thank you for a reply, and for any better explanation
about the reasons for this policy, and these
procedures, that you could supply.

A couple of weeks passed, nothing happened. I decided to try this one more time, this time sending the message in Hebrew. Could be that they’re used to getting email in Hebrew, and so this one got ignored, or even discarded by some automatic filter.

I sent them what was effectively a translation of the above message, with some few styling changes. And this time, though it took them about a week, they did answer. The reply was in Hebrew, but this is a quick and rough translation:

We confirm receiving your complaint, and this our reply:

Company policy of the Rav-Hen network forbids inserting cameras from all kinds into the cinema halls, in the intention of preventing any sort of photography of the shown film, due to copyright issues. The policy apply to all kinds of photographic equipment, since our people do not have the expertise to observe the different functionality of each camera.

The enforcement of this guideline is increasing these days, mostly due to the problem of piratical distribution of cinematic movies in various ways, which usually start through cinema visitors who film the movie while it is projected, using cameras of different kinds.

Since these guidelines are new, and the scope of the phenomenon is still relatively small, the network did not yet determine the bureaucratic procedure for applying them in the cinemas.

In any case, in these days the final format for forms which will be transferred to the cinema managers, and will replace the currently existing temporary method, is being finalized.

We see very gravely the fact that the cinema staff was unaware of the meaning of the procedures, and following your complaint to us the procedure will be explained again.

They also said that they added to the message a double invitation for a movie in any of the network cinemas (under several limitations which will be printed on the invitation, and which they advise me to pay attention to). This was of course not actually attached to the message, but rather a note there asked me to provide them with a mailing address to send it to. Considering that while it was annoying, the event didn’t technically hurt the viewing of the movie, this is nice of them.

How did this reply answer my actual questions?

  1. Simple cameras are not allowed because their people, who do not understand anything about cameras (them being security guards), can’t tell if the cameras are problematical or not. This is actually fair. I suppose that it is quite possible to have video cameras that look small and harmless, and the technology just gets better and smaller. So erring on the side of caution is understandable. Still, I do doubt that a running film, on its third or fourth week of being shown, and after there are already numerous versions available either to download or to purchase piratically, is really a high risk. Even with a video camera, nobody would have a reason to try and shoot the film.
  2. No reply as to why the security guards are doing it. And no response about this hurting security. I’m not sure if that’s because they don’t want to talk about it, or that they see it as a non-issue. Bad either way. And has something to do with the lack of professionalism on this angle, since that’s not the field that the security people has to deal with, or understand something about. I assume the real reason has to do with, of course, money. That being that the security guards are already there, and get paid anyway.
  3. The procedure seemed haphazard because it was. They decided they don’t want cameras, sent out the instruction to not allow cameras, and only then started to plan how they actually want to do it. Considering that the problem wasn’t critical (as they say themselves), there wasn’t any extreme urgency, so they could have waited until they could do it properly. It has been about a month since the time the incident occurred, so even if I had the luck to stumble on the very first day of implementation, that’s still a whole month for setting a procedure while they already passed the instructions. This is a long time to run blind and without protocol.
  4. Taking the camera back is probably under the same category, so I hope this would improve as well once they implement proper procedures. I take it that not too many camera thefts has occurred in the meantime, or I’d have probably heard about it by now.
  5. The security guards apparently were supposed to be able to tell me that they have to take the camera because they can’t tell if the camera was a video camera or not. This despite the fact (oh, don’t bother anyone with facts) that the security guard appeared quite aware that the camera was not a video camera, and seemed to even recognize the model.

Still, all’s well that ends well, and this ended well enough. I did get the camera back at the time. They did reply. And they are aware of at least some of the problems, and intend to make the procedure more solid. In the meantime, if for some odd reason I’ll ever go to the cinema with the camera on me, I’ll just put it in my pants’ pocket instead, so nobody will notice it and have any problem (yes, it is that small, my wrongly suspected to be video-camera). Either that, or I’ll try and do it properly, just to see how are they handling it now.

Comment spam, SMTP relays, and chanuka/Hanukkah

June 8th, 2005

A couple of days ago I was going over some blogs I read, and came on this post by David Weinberger which actually touched on a subject I apparently know much better than him, the Hebrew language. Specifically, a mention he made about the word “chanuka” in Hebrew.

He got it pretty wrong by deciding it means lighten-up, and his first commenter got it mildly wrong by saying it means dedication. The term is more like the “warming” part of “housewarming”, the first acknowledged usage of something new (or at least the time when the usage is declared/acknowledged). It applies to new houses, and public buildings and parks, but also to things like cars, television systems, or even wines. Or, on a different meaning, it is chocked, when related to a female (Hebrew verbs take different forms for each of the two male/female genders).

Of course, the holiday Hanukkah is based on the same word, so it’s also possible the entire thing is moot, since I don’t know if “chanuka” in Swahili has a similar sound or not. Just being similarly written is quite meaningless, considering that I know the Hebrew word, at least, doesn’t really sound like an English speaker will tend to pronounce it.

So I decided to be a good little Hebrew speaker, and leave a comment on his blog post.

And couldn’t. I was caught by an overzealous anti-comment-spam device, which is even not suitable to serve against comment spam.

A little aside to the few readers who don’t know what comment spam is. You all know what email spam is, right? Incoming messages you never requested, trying to convince you to do stuff, or buy stuff, that you don’t need. Well, blog posts often have the possibility to leave comments on them. So it was only a matter of time until spammers jumped on the bandwagon, and made automatic bots (computer programs that can do many of repetitive tasks, like sending an email, or filling a form on a web page, quickly) that will leave comments which are not relevant to the post, but contain links to their sites. Often these involve porn, and card games, but the variety is as large as on the email spam.

Meaning that many measures are now tried and used in order to keep comments in blogs free of these comment spam messages. Some more elaborate, some simple. The method I use here is a very simple one, requiring anyone writing a comment to fill in an extra field. This works because those bots are automated to work against the basic and common ways comments work, and do not (yet) try too hard to go around variations.

There are many other methods, but Weinberger decided, IMNSHO, to be too smart for his own good. He tied the comment posting to a system that checks the comment poster’s IP address (The unique Internet address of the computer) against a central database, with a list of bad address used as open SMTP relays.

Another aside, about open SMTP relays. SMTP is basically the communication protocol used to send email messages. So mail servers send messages using SMTP. Spammers (the email spammers this time, not comment spammers) don’t want to use their own mail server, because then it would be easy to block their messages, and so they look for email servers which are open relays. Being an open relay mean that this mail server will accept a message from anyone, without any verification and authentication, and send it onward. This is a bad problem in the age of spammers, and email server operators are encouraged to configure their email servers not to do that.

One of the things that happened is that there are several central repositories, like the Distributed Sender Blackhole List, which contain IP addresses of mail servers which are suspected of being badly behaved in that regard. This allow other mail servers to check every incoming mail message they receive against that list, and refuse to receive messages from the suspected servers, since those message may very well be spam.

This of course has very little to do with comment spam, since those mail servers are usually not the same computers used by comment spammers to run their bots. So telling me that my own computer’s IP address is on the list, and that therefore I cannot leave a comment, is irrelevant here. Had I been trying to directly send an email messages, that would have been a different matter, but I didn’t.

There is of course another problem there, that my personal computer’s address was on the list. This is because we get from our ISP a dynamic address, meaning that it changes from time to time, and goes to other users while we get a different one from the pool. It’s possible to get a static address, but this costs more, and isn’t necessary unless you are running a server that people on the outside need to be always able to find. Or simply put, the address was blocked because someone else on the past (They had one incident, logged at February 2004) sent an email message he shouldn’t have…

Overall, like I said, a very real problem, but a very wrong solution. I sent him an email message about this, but due to his big problem of comment spam (his blog is high profile, so a very popular target) he feels that using this is justified. He was nice about it, and offered to go and take my address of the list himself. But I can talk to dsbl myself if I want to. And I don’t want to. Both because this is a dynamic address, and because it’s a non-issue. Apart from his blog this only prevents me from running my own mail server. I have no intention of running my own mail server in the foreseeable future, though. So I declined the offer, explained my position again, and that was that.

How to reduce violence at bars and clubs. Maybe.

May 17th, 2005

A special committee has recently served the Minister of the Interior with its recommendations on ways to prevent violence in bars and clubs. The committee members come from the Ministries of the Interior, Justice, Education, Welfare, and Transportation, from local authorities, and from the Police. I read the article on the highlights (The full article is in Hebrew. there’s a much shorter version in English, which sadly lacks almost all of the interesting bits) of their recommendations, and overall I’m not impressed.

Bars/pubs and clubs will not be allowed to sell alcoholic drinks after 3AM. This is in order to “dissipate the effect of alcohol on those late for the ball“. Whatever that may mean in this content. I don’t recall any study pointing that alcohol has a stronger effect if imbibed after 3AM. Maybe they know something I don’t. The way I see it, even if most of the violence cases occur later than that, people will just get the same amount of alcohol sooner. Worse, since there’s a deadline, they will get it at a higher concentration as it comes near, since they know they won’t be able to order another drink later.

Club owner will be forced to install CCTV systems, and put someone to monitor it. So it will be easier for them to notice if… something… was going on. So there will be a cost for the clubs to install the surveillance cameras, and to hire people to monitor them. And since most of these places aren’t very large, it will still not provide a much better observation than simply putting someone inside the club to watch using their own eyes. Like, here’s a new thought, having the bartenders pay a little attention and call security if they see a problem. This won’t do much to help, but will raise costs which will of course fall on the customers. Not to mention that people tend to feel a lot less comfortable when they know they’re being photographed, and maybe recorded on film. Having fun, and being self concious, don’t quite go together, so this will cost the clubs plenty of customers

Those same CCTV cameras are to be placed on the entrance to the toilets. Which is supposed to help, how? Is the person observing it supposed to memorize everyone who comes in, and get worried if they stay there too long? Do they really want to bust in every time someone is having number two? No. So it won’t help. Unless they want to put the cameras inside the bathroom, since the claim on the article is that some of the violence occurs there. And this is going to be such a huge success, once people find out that the bathroom is on tape. Right.

Separate bathrooms for men and women. I don’t quite get it, since many people already have those. Some places do have some sort of a single entry/waiting chamber leading to both, but the costs of rebuilding this, or rebuilding totally different facilities for the places which don’t have these, are prohibitive. And I assume the problem they think they have (Doesn’t sound like violence, per se, but more as using the opportunity for the sake of not having people make-out over there. Something which is outside their mandate) is caused by people of different genders willingly going in together. Having different bathrooms wouldn’t stop it in that case.

Forming a group of paid cops/detectives/security-guards who will patrol in the area of the clubs, paid for by a toll the municipality will charge from the clubs. So in addition to their own security, bar owners will need to pay to people who generally patrol the street and supposedly provide security for the entire area? That’s very nice for other business and private homes nearby, I think. Not so nice for the bar owners. Or for their customers who will have to pay for it. Mostly, the problem is that those who will pay will not have any control or guidance over the actions of these rent-a-cops, they just pay the bill, and someone else will give the orders. This is never good. Hey, if having more people patrolling the neighbourhood is a good thing that customers are willing to pay for, then make such decisions public, and let the business compete by publishing how seriously they take it. Let the customers decide if they want to pay for it. But don’t put another tax on these businesses without them having anything to say about it.

Modifying the law forbidding selection, to allow selectors to prevent entry to people who may “endanger the public safety”. It was deemed unfair, prejudicial, or whatever, to allow pubs to put employees outside who will decide that they don’t want some people as customers. I don’t really get it, since it’s their business, and being far from monopolies they should certainly have the right to refuse customers, but that’s the way it is. So now they want to allow this practice, but only for people that they think are dangerous. This is far worse than either having no selection, or having full selection. First, the costs issue again, since this is in fact just a job of another trained security guard, that the bar will need to pay, but who will not provide the value that a proper selector does. Second, people who will be denied entry will raise the exact same complaints they did before. Instead of being told that they don’t look cool enough (or whatever the criteria may be) they will be told that they’re dangerous. This will certainly raise again all the ethnic discrimination issues, just as before. But people will be even more offended, because instead of just being told they don’t fit in with the rest of the crowd, they will be told they’re dangerous. This is very insulting if you don’t see yourself as dangerous, and could actually encourage violence if you really are dangerous.

Classify laughing gas as a dangerous drug. Yes, they want to change the law defining dangerous drugs to also include laughing gas. Why? Because they discovered that sometime criminal elements tend to sell laughing gas outside clubs. And this is supposed to be relevant how exactly? Making something a controlled and legally dangerous substance, just because some criminals sometime sell it near areas where sometime there is violence, strikes me as an enormous overkill and out of all proportions. As well as totally outside the scope of what those drug laws are supposed to deal with. Not everything sold by criminals is a dangerous drugs, and being sold by criminals is certainly not a reason to do classify anything as such.

People with criminal history will not be allowed to own, or be partners in, a club or bar. On the surface, this could make sense, since these people may be more likely to allow criminal activity in the premise. Is this criminal activity directly related to the violence, though? Or just people being drunk and stupid? Because most of the article implies that it’s the latter (after all, this committee was formed to deal with violence, not a crime problem with a side-effect of violence). And so this is outside their mandate again. Not only that, but officially serving prison time is supposed to be the punishment, and people who are released are supposed to be given the option to reform. And this is an explicit discrimination against ex-cons.

I saw another version of the article, on a print paper, which also mentioned something about placing cops who will measure the breath alcohol levels of people leaving bars and pubs. Which makes absolutely no sense whatsoever, since being drunk is legal. So unless someone parked right in front of the bar, and they stop them from entering the car (All of which is nice, but again totally outside their mandate on the violence issue), this doesn’t help. The exception being if they want to put a cop who will follow every single drunk person leaving the bar on foot, to make sure they don’t drive, or get involved in violent acts, until they sober up a bit. That’s totally unrealistic, and is also not legal, so that can’t be it as well. For now I just prefer to believe that this particular tidbit may have been a mistake of the paper I read, but given the other recommendations above I’m afraid I’m not so sure.

That same printed article also mentioned showing educational films about the dangers of violence in those clubs. The popularity of which is bound to skyrocket the amount of people who will actually go there to have fun.

Overall, like I said, I’m not impressed. Or rather, I am impressed, by how badly done this is. And they intend to turn everything into laws and regulations during the next three months…

Attack of the Nazi spam bots

May 17th, 2005

All of a sudden, several hours ago, some of my email accounts (oh, alright, one of my email accounts, so far) started to get a large amount of odd spam messages, in German. Which made very little sense to me since, well, I don’t really speak (or read) German. So I had no idea what the heck did they want from me, and what could anyone possibly have expected to gain from it.

Some of the messages came with subject lines in English, but the content was either some long text with a link to articles in Spiegel magazine (Don’t ask me. I don’t read German, remember?), or just a long list of links to sites with one or two lines of text describing them.

All in German. I don’t read German, did I mention that already?

In any case, a little search indicates that this is indeed a recent phenomenon, where a network of zombie computers infected with the Sober virus is being used to send neo-Nazi messages related to some election next week…

I think this is the first time I’m getting spam messages which are politically, rather than commercially, oriented. Instead of trying to sell me Rolex watches, increase my whatever, and lower my mortgage, they’re now trying to get me to vote Nazi??

Good luck with that guys, you’ll certainly need it. I don’t live in Germany, so I can’t vote in your election. Not only that but, while I’m very much not religious, I’m a Jew. Which statistically speaking is a very strong indication I’m not going to be very sympathetic to the Nazi agenda. Seriously.

And to the masses of careless computer users out there: Secure your computers! Install security patches, use a firewall, run an anti-virus program, and don’t open email attachments you’re not explicitly waiting for. Because if you continue to let every worm and virus out there to get control of your computer, then the terrorists Nazis have won.

Business ethics and private correspondence

May 10th, 2005

In the recent year my company started to sell a certain system worldwide. One of the systems went to a rather large company, L, which can also act as a reseller for our system as part of their own production line. And which also intended to also use if for presentation purposes, in exhibitions and the likes, as part of their product lines and solutions. L asked for a discount price, and due to the fact that we were trying to push the system, and the fact that this would also provide publicity for our own system, my boss decided this would be a good investment, and gave them a nice discount.

Fast forward to last week. My boss met with the head of a different company, G, who was also interested in purchasing such a system. And started the discussion by asking for the same price we gave L. When my boss asked what price he was talking about, the guy from G pulled out a printed copy of the email that my boss sent in the past to L’s representative.

My boss explained to the person from G that the price cut there was an investment, and that now we are also not so avid to push the system, since it’s not so new and we have sales. And that due to that we cannot sell him a system at such a low price (which is break-even, or even a loss for us. I’m not entirely familiar with the cost analysis, but it would in any case not allow us to make any profit from the sale).

The bigger problem was that the email was a private one. As a rule, individual price quotations are not something which companies are supposed to pass along to other companies. Not as a general rule, and certainly not when it is clearly specified that this is a one-time offer and is a special discount under special circumstances, as that email did specify. So G should never have seen that email.

My boss called the guy from L, to complain, and asked him why did he give the owner of G this message. The guy from L was stunned, claiming that he never did passed along that email…

As it turns out, the G boss was visiting L’s headquarters for business, a short while ago. And for some time they left him alone in the office, going to check for some data. And he used that time to open their file cabinets, browse through folders, and photocopy documents. Which included a printed copy of that email.

This was a senior of a rather large international company, during business meetings with another large international company… Lesson learned: Do not leave anyone in an office unattended, no matter how respectable he may seem.

Needless to say, he won’t be getting that discount.

Security clearance procedures

April 29th, 2005

A friend of mine is now in the process of passing a security clearance procedure for some company he is applying for a job at. As part of the process they require details of some friends, and he called me, which reminded me of the security clearance I had to go through myself before joining my army unit in the past.

So one quick comment about my friend’s forms, and then I’ll go on to my own story. As part of the friends’ details, they also ask the name of the father, and of the grandfather on the father’s side. That’s it. They don’t care about the mother, they don’t care about grandmothers, and they don’t care about the grandfather on the mother’s side. Don’t ask me why.

OK, back to my story. First, no, telling a few minor things about the procedure is not a security breach, and does not include revealing classified info. Everything there, after all, is shown to people who don’t yet have any clearance. So as long as I talk about impressions, and thought I had at the actual time, there isn’t possibly any problem. I will of course not mention any further things that may, or may not, have been done during the service.

Now, like any good bureaucratic and public (i.e. government managed) organization does, the forms that I was given to fill out needed to be submitted in multiple copies. Except that the usual method of putting copy paper between the pages was not allowed. I had to fill all copies by hand. And my memory is a bit vague on this, but I think it wasn’t in triplicates, but seven copies. By hand, with a pen, repeating the same info.

Worse, every field without an answer (Like the long table for family members, of which I have far less than the table had rows) had to be filled in, not left empty. And just striking it out wasn’t good enough, I had to write something. Don’t remember what it was by now, but it was the equivalent of "N/A", or "Nothing".

Multiply the several copies by the many many different fields. For example, on each of these rows on the family members table, the first name, surname, date of birth, and so on and so forth,  were all different fields and needed separate N/A. That took a lot of time, and that’s just on the parts where I didn’t have anything to write.

One of the parts was educational history. There was room for university, but I didn’t have that at this point. But they also wanted a listing of all of my schools, all the way from kindergarten. And they wanted the names of the teachers. The way lower schools work, beside the "professional" teachers for specific aspects, each class had an "educator" doing general stuff and trying to instil some general values. So they wanted the names of them all.

No, I did not remember the names of the teachers from my first, or second, or third (…) grades. This will come up later.

Another very important aspect is recommendations. People who are not direct friends, and who can recommend you and say what a wonderful and reliable person you really are. Anyone want to guess how they are picked? Simple enough, you just go over all the people your parents know, that have seen you a little bit, and call the ones who held the highest ranks in the military among the lot, or who have a solid position in the public sector. Can’t see what this gives anyone, but that’s the requirement, and that’s what everyone does with it.

And they wanted a list of friends, with all this personal info about them as well. Felt silly asking my friends for their date of birth, or the exact dates their parents may or may not have immigrated to the country. Plus, are they really going to get any info from that? This only helps them if I name a well known communist activist, or an Arab person, or something which is on the short list of disqualifies. But what sane person wanting to get a clearance would do that? Unless they’re so unpopular that they can’t even find the required 3-5 friends…

After all the forms has been filled, I had to come to an interview. The interviewer spent some time going through the forms, and started with the hard questions.

For starters, he scolded me that I didn’t mention the name of my first grade teacher. To which I of course replied that I don’t remember it. He was surprised as to how can I possibly not remember it. The facts that I was 5-6 years old at the time didn’t seem like good enough a reason, and neither did the fact that I haven’t see her in over 10 years. I should have remembered. He made me sit there for several minutes trying to dredge up the name. As if.

More interesting was the questions about drug usage. When asked if I was using drugs, I answered (totally truthfully) that I wasn’t. So he started to explain that he doesn’t mean just hard drugs, but also things like marijuana, and do I want to change my answer in light of that? I didn’t. He then proceeded to try and make it clear to me that in this particular case they’re also not only asking if I’m a general user, but want to know of any single use. Did I take drugs only once? Maybe at a party? Driven for a one time experiment by peer pressure, and never tried it again? I didn’t and that’s what I told him.

He went on to assure me (An assurance that could only have worked if I was on drugs at the time, and maybe even then not) that I can admit it. Because it doesn’t matter. They won’t disqualify me for it. They don’t really care. They just want to know. If I’m a light user, or used in the past, or even using now but it’s nothing critical, then it’s no problem with them… Riiiight. In any case, I stuck to my denial.

After the interview came the long part, where they have their own people doing background checks. This could take months.

During that time they also interview some of the people listed on those forms, like our friends, and tell them not to tell us about it. Which works great, since 18 years old kids are just terrific at being grilled about a friend by big guys with sunglasses, and then not telling about it to anyone.

In any case, they didn’t mess up too badly in this case, since I passed. Even though one of the friends got confused, and gave them a different answer than I did, about how long have we known each other and when did we first meet (Yes, that was on the form as well. Those things are thorough).

Hotmail against identity theft

April 26th, 2005

Hotmail occasionally send to members (Hotmail mailboxes) these notification messages explaining the many virtues of their new offerings, and miscellaneous stuff.

This time I noticed a part of the message giving some tips under the heading of “Telltale Signs of Identity Theft Scams“, including this one:

Scroll over the URL. If you see lots of numbers, or a different URL, it’s probably fake.

Which is, by itself, quite sensible. It isn’t foolproof, and there are legitimate addresses that look like that, but can usually serve as a decent indication for people without too much technical knowledge. And a little below they provide a link for more information, with the text:

For more information, go to http://safety.msn.com.

And, well, guess what shows up when you scroll over the URL? Let me tell you, the URL showing up on the status bar is http://g.msn.com/3HMHEN/1892

And, as you may notice, it is a different URL (g.msn.com instead of safety.msn.com). I know it’s the same domain, but it may not be entirely obvious to the average Joe who actually needs those explanations. More than that, it has some odd letters and numbers that don’t make sense, which the same average Joe could clearly identify as lots of numbers.

So someone paying attention would have to conclude this is an attempt at identity theft…

Now I need to replace my credit card

April 14th, 2005

I got a phone call today. The women presented herself as working for
my credit card company. According to her, details of credit card
numbers, including my own, have leaked from a certain business establishment.

She wasn’t very forthcoming about the business involved, claiming that they cannot provide more information at this time regarding it. But the card needs to be cancelled.

I asked if they think my credit card details leaked because someone
made suspicious purchases with it, or because they know for sure that
there has been a leak from a certain place. She assured me that as far as
they know my card was not used, yet, but that the details are out.

She then read to me the last two transactions made with the card,
yesterday, and asked me to verify that they’re indeed my own. Which
they were.

This had the added benefit, though I’m not sure if it was
intentional from her point, to let me know she is probably legit. The
two orders where made from different places, using different payment
methods, so anyone with access to the data is either from the credit
card company, or has access to my own computer.

All the information she asked, in order to verify the person she
called is really me and so authorized to cancel my card, was my date
of birth. And by the reasoning of the above paragraph, I knew this
wasn’t a phishing attempt, since anyone with her data already has
access to this information as well.

This isn’t that bad a verification method from her point too, since while anyone trying to pretend to be me would have that info, she made the call herself from a number they have for a long time. A wrong number wouldn’t have been able to give a date and pull a prank, and intentionally planting my phone number at their database is too much work for someone just so they could cancel my credit card after stealing its details.

So we cancelled the card, and I’ll have to survive the weekend
without. According to her it would take three business days to issue a
new one. Hopefully, by Monday next week I could actually buy stuff, or
withdraw money. She did ask if I had enough cash on me, or want a
slight delay to go withdraw. But I have some cash, so I told her to cancel straight
away.

This left me curious as to where the information got out from.

And
seconds later, I received an email, from a second-hand book store here
in Israel, letting me know that:

We just got a notice
from our hosting service that some of the information on transactions
from our site may have been tampered with.

Because we can’t confirm the extent of the damage at the present time, we feel obliged to inform you of this current situation.

We notified the credit card companies and we suggest you do the same and act according to their recommendations.

We apologize for any inconvenience and are sorry that things such as these can happen.

Feel free to phone us for additional information or questions

Which is very honest of them. And rather prompt, at least assuming the credit card company didn’t wait too long with it.

Their website is currently down. I assume they switch hosting, and using the opportunity to clean everything up. Time will tell.

Stay away from… someplace

April 11th, 2005

Sometimes the rampant paranoia of the Americans amazes me.

Pilots are instructed not to fly near nuclear power plants. But they
are also not allowed to be told where are the plants located.
Yes, they are not allowed to fly near areas which are not specified to them. Nice and easy to do, isn’t it?

So they decide to find out by themselves, run some searches on publicly
available data, and publish it among themselves. Only to be told that
they’re not allowed to reveal those secrets. And back to square one.

Oh, yes, and it seems that it’s really not that hard to find those power plants.

Take X, add computer, add wireless connection, and wait for the crash

January 28th, 2005

And crash is quite literal when you talk about cars…

Where did anyone come with the idiotic idea of making Bluetooth enabled cars ?!
Is it any surprise that now cars can get computer viruses ?!

Sticking an embedded computer into everything, a standard CPU that can run a standard OS, I can understand. It makes development, changes, additions, and fixes much easier.

But any OS would have all the problems of that OS, and would likely be able to run other programs that were designed to run on it.
Including viruses or other malware.

So the one thing you don’t do, is make it very easy for anyone at
all to insert external programs to run on your embedded computer. For
example, if there is no very compelling reason to do so, you don’t add
Bluetooth support in. Actually, you wouldn’t add any common wireless
protocol. But if you do, you should at least try for a standard that
includes some sort of authentication. And authentication is far from
being Bluetooth’s strong side.

On the other hand, maybe some people want to give full control over
their car to bored kid on any street they happen to drive along?

And I thought making Bluetooth enabled ski jackets was stupid… I wonder what will they add connectivity to next…

Copyright Infringement

January 21st, 2005

I actually still remember the outrage from locksmiths (well, what I remember is the reports and discussions about it in the computer security circles, but still) when a couple of years ago Matt Blaze published a paper about a security weakness in mechanical locks with master keys. Those people believe in the misguided notion of security by obscurity, so got understandably upset when someone removed some obscurity and showed actual problems that nobody bothered to address.

In any case, he recently published another paper, about security of physical safes this time. And unlike the previous paper, his attitude was pretty positive about many aspects.

Still, the paper includes some explanations and pictures, so the locksmiths are up in arms again. Sending many angry, and sometimes abusive, messages both to him and to the administration of his university. Not nice, but part of the deal.

What I found particularly amusing in his report is that some of them went to the direction of suggesting he is guilty of copyright violations, by publishing pictures of safes with the paper.

While Penn’s support for the basic principles
of academic freedom would protect me even if these officials agreed
that my paper was somehow inappropriate, some of the letter writers
seem to have unwittingly stumbled upon a weapon that could potentially
be very effective (in other contexts) at silencing Internet-based
debate.  They have accused me of copyright infringement
.

My paper is heavily illustrated with photographs of safe locks and
their components.  Several letters have (accurately) pointed out that
these photographs are protected by copyright and that by distributing
my paper I’m also distributing copyrighted material.This, I must
admit, is entirely correct
.

That’s not the amusing part, yet. The poor US has a very serious problems with their copyright legislation. They’re getting totally out of whack, and it often gives the impression that violating copyright in the states will be considered only a little bit worse than murdering someone. I do hope they’ll straighten themselves out soon, before the attitude will get exported too much…

What amused me was that in this specific case:

But I created every one of the images
myself, in my own studio, and with my own materials, cameras and
computers.  I arranged the subjects, lit them, and photographed them.
The results are copyrighted, to be sure, but I hold the copyrights.

And as he’s well aware, he was still lucky that his university bothered to speak to him before removing the material out of the fear of lawsuit. The common response this days by ISP’s and date hosts is to cover their asses be careful and remove anything that may make them liable, even if they didn’t spend the time to check the facts

Go read his whole story, it’s interesting.