<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1718000810032047505</id><updated>2012-01-30T13:51:46.723+01:00</updated><category term='linux'/><category term='beginnings'/><category term='xampp'/><category term='heathrow hell baa'/><category term='android'/><category term='eee pc mobile yesss austria internet'/><category term='dance  music theater modern'/><category term='ps3 xbox xvid divx media'/><category term='nokia n800 ubuntu osx'/><category term='capital punishment'/><category term='high availability'/><category term='cacti'/><category term='drm whuffie torrent blogs micropayments'/><title type='text'>Insecurity :: Musings on Risk Management</title><subtitle type='html'>A cynical view of Information Security and Risk Management, along with smatterings of philosophy, metaphysics, suspect writing and good science fiction.

For more about me, see &lt;a href="http://www.gillingwater.org/"&gt;http://www.gillingwater.org/&lt;/a&gt;.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>65</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-636120692902214389</id><published>2011-02-19T23:52:00.002+01:00</published><updated>2011-02-20T00:02:21.033+01:00</updated><title type='text'>Kiwi Flight Part 1: Hexa XL Mikrokopter Beginner Steps</title><content type='html'>Today was the first flight of my Hexa XL.&amp;nbsp; I drove to Kosice (in Slovakia) two weekends ago, spending around 12 hours on the road (there and back again).&amp;nbsp; From his small (but extremely well-organised and well-stocked) apartment, Ing. 
Miroslav Vasilko completed the construction of the kit of the Hexa XL, based on the sophisticated design of the &lt;a href="http://www.mikrokopter.de/"&gt;Mikrokopter&lt;/a&gt; team in Germany.&lt;br /&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-S24UxD54Qp4/TVB5HlCQT_I/AAAAAAAA-eU/q_-gPQtD43Y/s1600/P2050259.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="150" src="http://1.bp.blogspot.com/-S24UxD54Qp4/TVB5HlCQT_I/AAAAAAAA-eU/q_-gPQtD43Y/s200/P2050259.jpg" width="200" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;First glimpse in Miroslav's office&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-p0HWRHRj_hQ/TVB5I9ZNKuI/AAAAAAAA-ek/5nIUqPP_FAw/s1600/P2050260.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="150" src="http://3.bp.blogspot.com/-p0HWRHRj_hQ/TVB5I9ZNKuI/AAAAAAAA-ek/5nIUqPP_FAw/s200/P2050260.jpg" width="200" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Doesn't everyone have a 3D milling machine in their office?&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-pRVzstCKiAw/TVB5JZbO39I/AAAAAAAA-ew/A_Vs8RhAU5U/s1600/P2050261.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="150" src="http://1.bp.blogspot.com/-pRVzstCKiAw/TVB5JZbO39I/AAAAAAAA-ew/A_Vs8RhAU5U/s200/P2050261.jpg" width="200" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;The smart electronics of the MK&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-gEkvg10-Ac0/TVB5K7T8iTI/AAAAAAAA-fE/RuZIXuoIbXE/s1600/P2050262.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" height="150" src="http://4.bp.blogspot.com/-gEkvg10-Ac0/TVB5K7T8iTI/AAAAAAAA-fE/RuZIXuoIbXE/s200/P2050262.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-detdxcmElrk/TVB5POTCWDI/AAAAAAAA-fw/eAGXQF6ZFn8/s1600/P2050264.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="150" src="http://4.bp.blogspot.com/-detdxcmElrk/TVB5POTCWDI/AAAAAAAA-fw/eAGXQF6ZFn8/s200/P2050264.jpg" width="200" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;Test flight with experienced pilot&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-gyt-HN0RTNk/TVB5U3BcTSI/AAAAAAAA-gk/y-LPdJwNYkk/s1600/P2050267.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 
1em;"&gt;&lt;img border="0" height="150" src="http://1.bp.blogspot.com/-gyt-HN0RTNk/TVB5U3BcTSI/AAAAAAAA-gk/y-LPdJwNYkk/s200/P2050267.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;br /&gt;We rented a gymnasium for the test flight, and Miroslav showed me the basic controls for its maiden flight, which verified everything was nicely operating and well-balanced.&amp;nbsp; I wasn't quite ready to take the controls for a full cycle of take-off and landing, but I learned the basics of how to increase thrust and rotate the machine left or right.&lt;br /&gt;&lt;br /&gt;I returned to Vienna, and started my training by installing a RC Helicopter flight simulator on an old Windows XP laptop.&amp;nbsp; I immediately learned that the simulator was a great investment.&amp;nbsp; I must have crashed the virtual choppers at least a hundred times, learning the basics of the dual joystick controls.&lt;br /&gt;&lt;table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-YZypQj99f0I/TWA3M8G-00I/AAAAAAABAIA/qLGkNkUenf0/s1600/JRCDSX11_LRG.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-YZypQj99f0I/TWA3M8G-00I/AAAAAAABAIA/qLGkNkUenf0/s320/JRCDSX11_LRG.jpg" width="320" /&gt;&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="tr-caption" style="text-align: center;"&gt;My JR DSX11 RC controller&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;The simulator controller looks a little different from the RC controller.&amp;nbsp; Its controls also function a little differently too, so I was a little nervous when I finally found the opportunity to take my Hexa out for some actual flight time.&amp;nbsp; 
&lt;br /&gt;&lt;br /&gt;Having never flown any sort of Radio-Control model aircraft before, I was a little nervous about how I would manage the XL.&amp;nbsp; Although it has a reputation as a very stable platform, and despite my dozens of hours on the simulator, I was not looking forward to a possible crash.&lt;br /&gt;&lt;br /&gt;Today's weather was overcast, with sporadic rain showers -- again, not ideal for a maiden flight, especially with a slightly gusty wind.&amp;nbsp; After shopping for the week's groceries, it was after 2 p.m. before I headed outside, determined to give it a decent go.&amp;nbsp; It was 3 degrees Celsius, so I didn't want to stay outdoors for too long.&lt;br /&gt;&lt;br /&gt;Near my house is an empty field, which during summer is worked for silage crops by one of the local farmers.&amp;nbsp; I set up my video camera on a tripod, and set down the XL onto the ground.&amp;nbsp; I ran a few pre-flight checks, then started the engines.&amp;nbsp; The first few minutes were spent edging closer and closer to lift-off, but each time I noticed the platform was uneven, tipping one way or another, so I eased off on the power.&lt;br /&gt;&lt;br /&gt;After adjusting the balance of the empty camera holder mounted underneath, I decided to use the &lt;a href="http://en.wikipedia.org/wiki/Flight_dynamics"&gt;roll and pitch&lt;/a&gt; controls to compensate for the apparent instability during takeoff, as well as ensuring that the nose was pointed into the prevailing wind.&amp;nbsp;&amp;nbsp; Somehow, I found the right combination, and had the thrill of my first flight!&lt;br /&gt;&lt;br /&gt;As you will see in the linked video, I still have some issues about the height controls.&amp;nbsp; Even though I make tiny adjustments to the throttle, I find that the challenge of maintaining a constant height is not easy, and once or twice I bounced the craft off the ground, before recovering again.&amp;nbsp; I'm trying to fly nose-out, as this is how I trained in the 
simulator.&amp;nbsp; The Hexa has been set up with brightly colored LEDs to show the nose, but I didn't always keep the correct orientation.&lt;br /&gt;&lt;br /&gt;After a few bounces, I realized I could call them "test landings", and when I was ready, guided the bird in for its "official" touch down.&amp;nbsp; Who says kiwis can't fly?&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://i.ytimg.com/vi/I2w4vmZ9GC4/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/I2w4vmZ9GC4?f=user_uploads&amp;c=google-webdrive-0&amp;app=youtube_gdata" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;embed width="320" height="266" src="http://www.youtube.com/v/I2w4vmZ9GC4?f=user_uploads&amp;c=google-webdrive-0&amp;app=youtube_gdata" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-636120692902214389?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/636120692902214389/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=636120692902214389' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/636120692902214389'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/636120692902214389'/><link rel='alternate' type='text/html' 
href='http://security-risk.blogspot.com/2011/02/kiwi-flight-part-1-hexa-xl-mikrokopter.html' title='Kiwi Flight Part 1: Hexa XL Mikrokopter Beginner Steps'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-S24UxD54Qp4/TVB5HlCQT_I/AAAAAAAA-eU/q_-gPQtD43Y/s72-c/P2050259.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1128405339416701923</id><published>2010-09-29T16:13:00.002+02:00</published><updated>2010-09-30T20:51:40.572+02:00</updated><title type='text'>2010: Weaponized Cyberwar has arrived</title><content type='html'>The recent series of reports on the Stuxnet worm shows that Information Security specialists are facing a whole new order of threats, none of which were unexpected.  Hidden inside its 600 KB payload are all sorts of tricks and traps, which have amazed and impressed every researcher who's looked into it.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_10VKxm1G3fc/TKTb67AL8TI/AAAAAAAAl5o/CZAEW0f8gwU/s1600/09302010Morin.slideshow_main.prod_affiliate.91.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="212" src="http://4.bp.blogspot.com/_10VKxm1G3fc/TKTb67AL8TI/AAAAAAAAl5o/CZAEW0f8gwU/s320/09302010Morin.slideshow_main.prod_affiliate.91.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;First, this is not a normal worm.  
It exploits "zero-day" vulnerabilities: flaws which are unknown to the vendor, and for which no patch exists, at the time they are first used in an attack.  Such flaws are usually found in Windows or in the third-party software installed alongside it (Adobe Flash and Acrobat have been particularly egregious in this regard).&lt;br /&gt;&lt;br /&gt;Unlike most other malware, however, Stuxnet exploits (according to Symantec) a total of &lt;a href="http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities"&gt;four new&lt;/a&gt; zero-day defects in Windows -- an extraordinary investment for a single piece of malware, since each one could have been sold or saved for another operation.  But it doesn't stop there: its kernel drivers are signed with two &lt;a href="http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequently_asked_questions"&gt;stolen certificates&lt;/a&gt;, taken from Taiwanese hardware manufacturers, which lets those drivers pass Windows' driver-signing checks without raising a warning.&lt;br /&gt;&lt;br /&gt;Recent research suggests that Stuxnet also &lt;a href="http://www.theregister.co.uk/2010/09/28/stuxnet_resurrection_ability/"&gt;inserts itself&lt;/a&gt; into Siemens SIMATIC Step 7 project files, so that even after a PC has been cleaned using regular anti-virus techniques, it is re-infected as soon as such a project is opened again.&lt;br /&gt;&lt;br /&gt;Why Step 7?  Because this malware is highly targeted.  Step 7 is the software used to program Siemens &lt;a href="http://en.wikipedia.org/wiki/Programmable_logic_controller"&gt;Programmable Logic Controllers&lt;/a&gt; (PLCs), which are heavily used in industrial control processes and power plants -- and, not surprisingly, in nuclear facilities.  The Windows PCs running Step 7 are therefore Stuxnet's route to the PLCs themselves.&lt;br /&gt;&lt;br /&gt;This has led many commentators to suspect that the target of Stuxnet is one very specific and highly sensitive location: the &lt;a href="http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant"&gt;Bushehr nuclear power plant&lt;/a&gt; in Iran.  
This view is supported by the analysis of Symantec's Patrick Fitzgerald, whose team found that 58.8 per cent of infections were in Iran, 18.2 per cent in Indonesia, 8.3 per cent in India, 2.6 per cent in Azerbaijan and 1.6 per cent in the US.&lt;br /&gt;&lt;br /&gt;Furthermore, the PLC payload of this worm is tailored to one very specific configuration of PLC logic, to the extent that any PLC which does not match exactly is left untouched.  What this implies is that a particular target was in mind.  It's only speculation, but it could be linked to nuclear centrifuges, or to critical cooling systems associated with the production of nuclear fuel.&lt;br /&gt;&lt;br /&gt;Why, and more importantly, who has the capability and the motivation to do something like this?  The sophistication of Stuxnet strongly suggests we are dealing with a small, highly skilled team, working from intelligence about a specific target.  Furthermore, this team had the resources to buy, or discover independently, four new zero-day vulnerabilities (which are valuable items in underground hacking markets), as well as to steal two code-signing certificates.  &lt;br /&gt;&lt;br /&gt;The only logical conclusion is a government-based cyberwar team.  The likely candidates are the USA (CIA or NSA) and Israel (Mossad or IDF Unit 8200), both of whom are likely to wish to disrupt Iranian nuclear developments.  We'll probably never know for sure, but there does seem to be a strong &lt;a href="http://www.eurasiareview.com/201009238462/possible-israeli-cyber-attack-sabotaged-irans-bushehr-nuclear-reactor.html"&gt;correlation&lt;/a&gt; between the worm's spread and delays in Bushehr's operations.&lt;br /&gt;&lt;br /&gt;Why is this significant?  Well, it exposes several well-known risks, and some new ones.  First, &lt;a href="http://news.cnet.com/8301-1009_3-20011095-83.html"&gt;Siemens' reluctance&lt;/a&gt; to let customers change the default passwords in its software, for fear that doing so would break running installations.  
Secondly, one of the primary infection vectors was removable USB media.  Stuxnet did not need the AUTORUN "feature" of Windows for this: it exploited a flaw in the way Windows Explorer renders icons for shortcut (.LNK) files (CVE-2010-2568), so that merely browsing the contents of an infected USB key was enough to run the malware, even on systems with AutoRun disabled.  Every USB key inserted into a computer is therefore a potential plague vector, and one which also provides a way to infect computers not attached to the Internet.&lt;br /&gt;&lt;br /&gt;The biggest risk here in my view is that we have been given a glimpse of the future of Cyberwar -- a threat which I have in the past considered negligible, but now think is starting to build.  It's as if we are snorkeling just below the surface on a peaceful blue ocean, and have just seen a great monster in the depths below us, rising out of the darkness.  This monster is military-grade cyberwar, and the consequences will be more investment in such weapons, and potential collateral damage as the titans of the deep struggle together.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1128405339416701923?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1128405339416701923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1128405339416701923' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1128405339416701923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1128405339416701923'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/09/2010-weaponized-cyberwar-has-arrived.html' title='2010: Weaponized Cyberwar has arrived'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_10VKxm1G3fc/TKTb67AL8TI/AAAAAAAAl5o/CZAEW0f8gwU/s72-c/09302010Morin.slideshow_main.prod_affiliate.91.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1266220210523690401</id><published>2010-02-28T23:42:00.001+01:00</published><updated>2010-02-28T23:42:32.473+01:00</updated><title type='text'>Wi-fi Hacking</title><content type='html'>Check out this SlideShare Presentation, about the problems and risks associated with Wi-Fi.&lt;div style="width:425px" id="__ss_3301658"&gt;&lt;strong style="display:block;margin:12px 0 4px"&gt;&lt;a href="http://www.slideshare.net/paulgillingwater/wifi-hacking" title="Wi-fi Hacking"&gt;Wi-fi Hacking&lt;/a&gt;&lt;/strong&gt;&lt;object width="425" height="355"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=wifi-hacking-100228163648-phpapp01&amp;stripped_title=wifi-hacking" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=wifi-hacking-100228163648-phpapp01&amp;stripped_title=wifi-hacking" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="padding:5px 0 12px"&gt;View more &lt;a href="http://www.slideshare.net/"&gt;presentations&lt;/a&gt; from &lt;a href="http://www.slideshare.net/paulgillingwater"&gt;Paul Gillingwater&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1266220210523690401?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1266220210523690401/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1266220210523690401' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1266220210523690401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1266220210523690401'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/02/wi-fi-hacking.html' title='Wi-fi Hacking'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3054620545349846421</id><published>2010-01-24T00:45:00.000+01:00</published><updated>2010-01-24T00:45:37.779+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='android'/><title type='text'>ADB driver for Android development</title><content type='html'>I've been getting into Android development recently, and while the development environment includes an emulator, it's not quite as efficient as using the real thing.  Until now, I've been building a run configuration which creates an external APK, then I've transferred that to my HTC Dream and used Linda Manager to install it.&lt;br /&gt;&lt;br /&gt;What I'm testing now is the USB ADB interface.  
I saw this being used in a Google developer video, and it looks rather cool, although it was tricky to install.&lt;br /&gt;&lt;br /&gt;These are the steps I used:&lt;br /&gt;&lt;br /&gt;1) Inside the Eclipse environment, go to the Window/Android SDK and AVD Manager menu option.  Select Available Packages, and download the USB Driver Package, revision 3.&lt;br /&gt;&lt;br /&gt;2) Open the Windows Device Manager, select the entry for your Android phone (or let Windows detect it first if it has not yet been connected), and point the driver installer at the file android_winusb.inf (which on my system lives in the path C:\Documents and Settings\Administrator\Desktop\android-sdk_r04-windows\android-sdk-windows\usb_driver).  Install that, and reboot Windows.  (I'm also going to test this with OSX when I change to a Macbook Pro next month for development.)&lt;br /&gt;&lt;br /&gt;3) Ensure you have set android:debuggable="true" on the application element in the AndroidManifest.xml of your application.&lt;br /&gt;&lt;br /&gt;4) In the Settings/Applications/Development menu of your Android phone, enable USB debugging.&lt;br /&gt;&lt;br /&gt;5) Now in Eclipse, when choosing your Run Configuration, your Device Chooser should have a new entry for the phone, assuming it is plugged in via a USB cable.&lt;br /&gt;&lt;br /&gt;The result of this is that ADB can now directly install and run new builds on the fly on your own phone!&lt;br /&gt;&lt;br /&gt;Two caveats for anyone following these steps.  First, android:debuggable="true" is a development setting only: remove it before building the release APK, because a debuggable app lets anyone with adb access to the phone attach a debugger to it and inspect its memory and private data.  Second, turn USB debugging off again when you are not developing, since while it is enabled any computer the phone is plugged into gets an adb shell on the device.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3054620545349846421?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3054620545349846421/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3054620545349846421' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3054620545349846421'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3054620545349846421'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/01/adb-driver-for-android-development.html' title='ADB driver for Android development'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-405327384282796452</id><published>2010-01-16T16:45:00.000+01:00</published><updated>2010-01-16T16:45:16.181+01:00</updated><title type='text'>Spanish, Gender and Computers</title><content type='html'>Something a little lighthearted for this bleak Saturday morning...&lt;br /&gt;&lt;br /&gt;A Teacher was explaining to her class that in Spanish, unlike English, nouns are designated as either masculine or feminine. 'House' for instance, is feminine: 'la casa.' 'Pencil,' however, is masculine: 'el lapiz.'&lt;br /&gt;&lt;br /&gt;A student asked, 'What gender is 'computer'?'&lt;br /&gt;&lt;br /&gt;Instead of giving the answer, the teacher split the class into two groups, male and female, and asked them to decide for themselves whether 'computer' should be a masculine or a feminine noun. Each group was asked to give four reasons for its recommendation.&lt;br /&gt;&lt;br /&gt;The men's group decided that 'computer' should definitely be of the feminine gender ('la computadora'), because:&lt;br /&gt;1. No one but their creator understands their internal logic;&lt;br /&gt;2. The native language they use to communicate with other computers is incomprehensible to everyone else;&lt;br /&gt;3. 
Even the smallest mistakes are stored in long term memory for possible later retrieval;&lt;br /&gt;and&lt;br /&gt;4. As soon as you make a commitment to one, you find yourself spending half your paycheck on accessories for it.&lt;br /&gt;&lt;br /&gt;The women's group, however, concluded that computers should be Masculine ('el computador'), because:&lt;br /&gt;1. In order to do anything with them, you have to turn them on;&lt;br /&gt;2. They have a lot of data but still can't think for themselves;&lt;br /&gt;3. They are supposed to help you solve problems, but half the time they ARE the problem;&lt;br /&gt;and&lt;br /&gt;4. As soon as you commit to one, you realize that if you had waited a little longer, you could have gotten a better model.&lt;br /&gt;&lt;br /&gt;The women won...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-405327384282796452?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/405327384282796452/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=405327384282796452' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/405327384282796452'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/405327384282796452'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/01/spanish-gender-and-computers.html' title='Spanish, Gender and Computers'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5656545671080116027</id><published>2010-01-06T23:37:00.000+01:00</published><updated>2010-01-06T23:37:39.468+01:00</updated><title type='text'>Thoughts on airport security</title><content type='html'>After traveling to the USA this week, and seeing the security measures first hand, I am concerned that they remain largely ineffective, and mostly constitute window-dressing.  It's as if someone said: "We have to do something."   And then they did something, or anything which might help.&lt;br /&gt;&lt;br /&gt;In my view, a sophisticated and determined attacker can easily bypass the current measures, even with the new backscatter scanners.  &lt;a href="http://www.independent.co.uk/news/uk/home-news/are-planned-airport-scanners-just-a-scam-1856175.html"&gt;This article&lt;/a&gt; in the UK's Independent newspaper suggest some serious issues with the technology, and question whether it is really fit for purpose.  &lt;br /&gt;&lt;br /&gt;A basic knowledge of the technology suggests that such systems are interested only in detecting explosive material with relatively high density.  Since thin cloth (such as clothing) is transparent, then the obvious response by attackers will be to create thin layers of some suitable material, impregnate it with PETN, then stitch it into clothing.  The bomber then simply needs to remove the item of clothing (for example, a turban or sari), and wrap it into a very tight bundle to increase density.  &lt;br /&gt;&lt;br /&gt;Remember, we don't need much more than 80 grams to disrupt structural integrity, according to some tests.&lt;br /&gt;&lt;br /&gt;What about the detonator?   Well, it should be recalled that many laptop batteries have been recalled by the manufacturer for their tendency to spontaneously ignite.  
I would think that an ingenious terrorist might find a way to rig a laptop battery to function as some form of detonator -- even while powering a laptop sufficiently to show that it works if TSA screeners become suspicious.   Of course, laptops themselves have lots of places where high-density materials might be stored internally.&lt;br /&gt;&lt;br /&gt;There isn't really an easy answer here.  I suspect the TSA has many good people working on this, and are doing the best they can.  However, I tend to agree with the cynical view that only two things have significantly improved airplane security in the past ten years: locks on cabin doors, and a recognition by passengers that they may well need to take matters into their own hands if a situation arises -- as one brave Dutchman did on Christmas day in the skies near Detroit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5656545671080116027?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5656545671080116027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5656545671080116027' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5656545671080116027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5656545671080116027'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/01/thoughts-on-airport-security.html' title='Thoughts on airport security'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1816368226867957747</id><published>2010-01-03T12:30:00.000+01:00</published><updated>2010-01-03T12:30:57.008+01:00</updated><title type='text'>Journeys</title><content type='html'>I began my journey to St. Louis at 5 a.m. this morning.  All went smoothly, despite long queues at Vienna's Schwechat Airport.  The sunrise over a sea of cloud was beautiful.  I'm now waiting for my next flight.&lt;br /&gt;&lt;br /&gt;I am taking photos, and will be blogging regularly on this trip.  I will be in St. Louis for two months, where I will be teaching a couple of courses at Webster University -- Telecommunications and Mathematics for Computer Science.  I'm also working on some software ideas, which I'd love to see implemented on the Android environment.&lt;br /&gt;&lt;br /&gt;Here's a poem by the Welsh poet Dylan Thomas, which has long been a favourite of mine:&lt;br /&gt;&lt;br /&gt;Do not go gentle into that good night, &lt;br /&gt;Old age should burn and rave at close of day; &lt;br /&gt;Rage, rage against the dying of the light.&lt;br /&gt;&lt;br /&gt;Though wise men at their end know dark is right, &lt;br /&gt;Because their words had forked no lightning they &lt;br /&gt;Do not go gentle into that good night.&lt;br /&gt;&lt;br /&gt;Good men, the last wave by, crying how bright &lt;br /&gt;Their frail deeds might have danced in a green bay, &lt;br /&gt;Rage, rage against the dying of the light.&lt;br /&gt;&lt;br /&gt;Wild men who caught and sang the sun in flight, &lt;br /&gt;And learn, too late, they grieved it on its way, &lt;br /&gt;Do not go gentle into that good night.&lt;br /&gt;&lt;br /&gt;Grave men, near death, who see with blinding sight &lt;br /&gt;Blind eyes could blaze like meteors and be gay, &lt;br /&gt;Rage, rage against the dying of the 
light.&lt;br /&gt;&lt;br /&gt;And you, my father, there on the sad height, &lt;br /&gt;Curse, bless me now with your fierce tears, I pray. &lt;br /&gt;Do not go gentle into that good night. &lt;br /&gt;Rage, rage against the dying of the light.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1816368226867957747?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1816368226867957747/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1816368226867957747' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1816368226867957747'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1816368226867957747'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2010/01/journeys.html' title='Journeys'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8840201176606120236</id><published>2009-12-17T18:36:00.003+01:00</published><updated>2009-12-17T19:04:35.785+01:00</updated><title type='text'>Seriously?  No encryption on predator video feeds?</title><content type='html'>Sometimes a news story appears which leaves me flabbergasted.  
&lt;a href="http://online.wsj.com/article/SB126102247889095011.html"&gt;This report&lt;/a&gt; from the Wall Street Journal describes how "the enemy" in Iraq and Afghanistan have been able to use a simple piece of off-the-shelf software (costing $26) to capture video feeds being broadcast by Predator and presumably other UAVs working in the theater.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://s.wsj.net/public/resources/images/P1-AS938_Drone_D_20091216205401.jpg"&gt; &lt;br /&gt;&lt;br /&gt;This reported incident, if true, seriously beggars belief.  Commercial satellite TV deployed effective encryption for both analog and digital video signals more than 20 years ago, simply to protect commercial interests.  And yet the military planners singularly failed to specify simple encryption for sensitive information -- the live video feed of the drone.*  Most likely this was done to speed up time-to-market, or to reduce costs -- but most security experts would consider this a false economy.&lt;br /&gt;&lt;br /&gt;The article clearly indicates that this problem has been known since the Bosnian conflict in the 1990s -- but military leaders felt that "local adversaries wouldn't know how to exploit it".  This is a perfect storm of stupidity, with two basic blunders: a) assuming that the enemy isn't as smart as we are, and b) relying on security through obscurity.  One wonders whether this decision means that there are similar weaknesses in the command-and-control channel of the drone's avionics or weapons platforms.&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;*Subsequent reportage suggested this was not a live feed directly from the Predator, but rather a rebroadcast of said feed via a satellite from the local groundstation uplink.  
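&lt;br /&gt;&lt;br /&gt;Whichever hop was actually in the clear, the protection needed is the same, and it is worth being concrete about what "simple encryption" of a broadcast video link means, because the cipher is not the hard part.  The sketch below is my own added example in Go, not code from the WSJ article or from any UAV programme: each video frame is sealed with AES-GCM under a per-mission key, the frame counter is used as the nonce so a nonce is never repeated under one key, the cleartext sequence number is bound to the ciphertext as associated data, and the receiver rejects frames that are replayed, reordered or forged.  The frame format, the key and the payloads are all assumed or constructed for the example.&lt;br /&gt;&lt;br /&gt;

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one unit of the protected downlink: a cleartext sequence number
// (the receiver needs it before it can decrypt) and the sealed payload.
// This framing is assumed for the example; it is not any real link format.
type Frame struct {
	Seq        uint64
	Ciphertext []byte
}

// Sender seals frames under a per-mission key. The frame counter doubles
// as the GCM nonce, so a nonce is never reused under the same key.
type Sender struct {
	aead cipher.AEAD
	next uint64
}

// Receiver opens frames and refuses anything replayed or tampered with.
type Receiver struct {
	aead cipher.AEAD
	last uint64
	seen bool
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor maps the 64-bit frame counter onto the 96-bit GCM nonce.
func nonceFor(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// header is the cleartext part of the frame, bound to the ciphertext as
// associated data so that changing the sequence number breaks the tag.
func header(seq uint64) []byte {
	return nonceFor(seq)[4:]
}

func NewSender(key []byte) (*Sender, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	s := new(Sender)
	s.aead = aead
	return s, nil
}

// Seal encrypts and authenticates one video payload.
func (s *Sender) Seal(payload []byte) Frame {
	seq := s.next
	s.next++
	ct := s.aead.Seal(nil, nonceFor(seq), payload, header(seq))
	return Frame{Seq: seq, Ciphertext: ct}
}

func NewReceiver(key []byte) (*Receiver, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	r := new(Receiver)
	r.aead = aead
	return r, nil
}

// Open verifies the tag and the sequence number; repeated or out-of-order
// frames are rejected, which also rejects a replayed recording of the link.
func (r *Receiver) Open(f Frame) ([]byte, error) {
	if r.seen {
		if r.last >= f.Seq {
			return nil, errors.New("replayed or reordered frame")
		}
	}
	pt, err := r.aead.Open(nil, nonceFor(f.Seq), f.Ciphertext, header(f.Seq))
	if err != nil {
		return nil, fmt.Errorf("frame %d rejected: %w", f.Seq, err)
	}
	r.last = f.Seq
	r.seen = true
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte mission key
	tx, _ := NewSender(key)
	rx, _ := NewReceiver(key)
	eve, _ := NewReceiver([]byte("ffffffffffffffffffffffffffffffff")) // wrong key

	frame := tx.Seal([]byte("constructed video frame 0")) // constructed payload
	if pt, err := rx.Open(frame); err == nil {
		fmt.Printf("receiver got %q\n", pt)
	}
	if _, err := eve.Open(frame); err != nil {
		fmt.Println("wrong key:", err)
	}
	if _, err := rx.Open(frame); err != nil {
		fmt.Println("replay:", err)
	}
}
```

&lt;br /&gt;&lt;br /&gt;A receiver holding a different key gets an authentication error rather than garbage video, and so does anyone who records the link and plays it back later.  The practitioner's caveat is that the expensive part is not AES but key management: the mission key has to reach every legitimate ground terminal in theatre, be rotated, and be revocable when a terminal is lost, and that, rather than the cipher, is where the cost and schedule pressure mentioned above would have bitten.&lt;br /&gt;&lt;br /&gt;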
It's still a COMSEC issue however.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8840201176606120236?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8840201176606120236/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8840201176606120236' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8840201176606120236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8840201176606120236'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/12/seriously-no-encryption-on-predator.html' title='Seriously?  No encryption on predator video feeds?'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3405429642623187147</id><published>2009-12-16T12:19:00.002+01:00</published><updated>2009-12-21T14:27:07.737+01:00</updated><title type='text'>Rant of the day: DHL is seriously flawed</title><content type='html'>I recently had to send an important document from Austria to New Zealand.&lt;br /&gt;&lt;br /&gt;I went to the local Austrian Post, and selected the EMS (Express Mail Service), which cost me 59 Euros to send a letter weighing 70 gm.  
I knew that this was outsourced to DHL, so assumed it should reach the destination reasonably quickly -- and I could follow it with the tracking number.&lt;br /&gt;&lt;br /&gt;So, imagine my surprise when I learned that an item I had submitted in Vienna on Friday 11th of December had only reached London Heathrow by Wednesday 16th of December.&lt;br /&gt;&lt;br /&gt;That's FIVE DAYS to go from Vienna to London.  And it still hasn't left on the plane for New Zealand!&lt;br /&gt;&lt;br /&gt;I am seriously unhappy with the service from DHL, and plan to avoid using them in future.  I've asked them for an explanation, but I doubt one will be forthcoming.&lt;br /&gt;&lt;br /&gt;To see for yourself, check the URL:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dhl.at/publish/g0/en/eshipping/track.high.html?pageToInclude=RESULTS&amp;AWB=9653805361&amp;type=fasttrack"&gt;http://www.dhl.at/publish/g0/en/eshipping/track.high.html?pageToInclude=RESULTS&amp;AWB=9653805361&amp;type=fasttrack&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The AWB number is 9653805361.   Is this some kind of record for tardiness?&lt;br /&gt;&lt;br /&gt;DHL, please fix your broken system!&lt;br /&gt;&lt;br /&gt;/rant ends&lt;br /&gt;&lt;br /&gt;Update: the package arrived on 21 December -- a total of TEN DAYS after I sent it on 11 December.  
I think this is the last time I use DHL, or the Austrian EMS which resells their service.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3405429642623187147?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3405429642623187147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3405429642623187147' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3405429642623187147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3405429642623187147'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/12/rant-of-day-dhl-is-seriously-flawed.html' title='Rant of the day: DHL is seriously flawed'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6637684721990822654</id><published>2009-11-01T17:43:00.000+01:00</published><updated>2009-11-01T17:43:29.323+01:00</updated><title type='text'>CyberSecurity Weekend roundup for 1st November 2009</title><content type='html'>There have been quite a few security and risk-related stories this past week, which raise all sorts of questions about public perception of the theme of CyberSecurity.&lt;br /&gt;&lt;br /&gt;Let's start with this one:  &lt;a 
href="http://www.wired.com/threatlevel/2009/10/gawker/"&gt;http://www.wired.com/threatlevel/2009/10/gawker/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To summarise, a well-organised criminal gang is using paid advertising to distribute its malware through popular, respectable web sites.  One of the challenges facing malware distributors is how to get the ordinary person (who wouldn't visit a dodgy web site) to become infected.  The answer is to be included in a popular website (which &lt;a href="http://www.gawker.com/"&gt;Gawker&lt;/a&gt; certainly is) as part of its advertising, then use a known Adobe vulnerability to foist the payload on the unsuspecting victim.&lt;br /&gt;&lt;br /&gt;The fake ads, ostensibly from &lt;a href="http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10"&gt;Suzuki&lt;/a&gt;, caused browsers to crash and malware to be installed.  Gawker have published their correspondence with the fakers, showing them to be skilled and knowledgeable in the media business -- not obvious script kiddies or foreigners with poor English.  A similar scam targeted the &lt;a href="http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/"&gt;New York Times&lt;/a&gt; recently.&lt;br /&gt;&lt;br /&gt;In fact, the hackers were displaying quite competent social engineering techniques (including registering plausibly similar domain names for their email responses), in order to get an opportunity to deliver their payload.  This is an excellent example of a blended attack -- social engineering, plus an exploit of a known vulnerability in Flash, plus a malware payload later used to steal identities and gain access to accounts and funds.  
In my view, this shows a high degree of coordination and professionalism, which is becoming a dominant characteristic of modern Cyber criminals -- and suggests a degree of specialization, and also possibly separate commercial illegal entities working together for fun and profit.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.wired.com/threatlevel/2009/10/smartgrid/"&gt;second story,&lt;/a&gt; also from Wired, suggests that there is something of a disconnect between security planning and technology procurement, particularly in the energy sector.&lt;br /&gt;&lt;br /&gt;It is &lt;a href="http://www.apj.us/index.php?option=com_content&amp;task=view&amp;id=2192&amp;Itemid=2"&gt;well known&lt;/a&gt; that years of neglect and under-investment have left the US power distribution infrastructure in a &lt;a href="http://www.ioactive.com/news-events/DavisSmartGridBlackHatPR.php"&gt;vulnerable and delicate state&lt;/a&gt; (although not as bad as many other countries.)  &lt;br /&gt;&lt;br /&gt;According to the article,&lt;i&gt;&lt;br /&gt;&lt;blockquote&gt;“Smart grid” refers to the transition from the current, outdated power-grid infrastructure to a more technologically advanced structure that allows expanded real-time monitoring and energy delivery that’s more efficient and cost effective for utilities and consumers. The technology promises to solve a number of problems, but it also (as the Illinois press release states) could “introduce new problems, such as increasing the vulnerability to cyber attack as power grid resources become increasingly linked to the internet.”&lt;/blockquote&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;One of the challenges of engineering new technology (such as the Smart Grid concept, with its intelligent monitoring) is to ensure that adequate security mechanisms are designed-in from the beginning, rather than being an afterthought -- much as UNIX had security pretty much from the beginning, while Windows security was very much bolted on later.  
&lt;br /&gt;&lt;br /&gt;For me, CyberSecurity in the critical infrastructure protection business must be Job #1 -- to ensure that by design, the infrastructure is built with adequate redundancy and resilience, able to cope with multiple cascade failures, extremes of weather and malicious attack.  The big issue here is only partly one of cost -- because make no mistake, anticipating and mitigating all possible risks can be expensive -- but it is also one of mindset.  Where huge investments are being made, those with a responsibility to make associated decisions need to take into account risks of sabotage, insider attacks and even simple human error -- all of which have in the past caused serious problems, with associated loss of life.&lt;br /&gt;&lt;br /&gt;Following up on this year's attacks apparently from North Korea, South Korea's spy agency has &lt;a href="http://www.physorg.com/news176099216.html"&gt;reported&lt;/a&gt; that the origin has indeed been traced back to that country.&lt;br /&gt;&lt;br /&gt;Personally, I am not convinced.  It's far too easy for competent hackers to mask their IP addresses through a long chain of anonymous proxies, which would then be programmed to wipe out all traces long before the attack has finished.  It's a little too convenient for the South Korean intelligence officials to be able to attribute such an attack to North Korea -- although Occam's Razor does suggest it is the most likely party to want to commit such attacks.&lt;br /&gt;&lt;br /&gt;I guess the issue for me here is whether such attacks are truly useful to a State actor such as North Korea -- even one so vilified and long associated with funding terrorism and "dirty tricks."  
At most, I see this as a "me too" operation, where the NORKs are reading press reports about the "big boys" engaging in CyberWarfare investment and training, and deciding that they want to play too as a matter of national prestige, much as they joined the informal "Nuclear Club" by detonating a low-yield nuclear weapon.&lt;br /&gt;&lt;br /&gt;These days, the capabilities being exercised by state actors and non-state actors seem to be converging.  For example, a &lt;a href="http://abcnews.go.com/US/wireStory?id=8931296"&gt;recent UN investigation into the legality of the US use of drones&lt;/a&gt; to carry out "targeted killings" raises some questions (beyond those of customary international law) about whether such use of force is a terrorist act, when not carried out in the theater of war.&lt;br /&gt;&lt;br /&gt;Legally (and I'm no scholar of law), I wonder if the UN-sanctioned war action in Afghanistan can justify killings that cross the border into Pakistan -- even if it's compellingly clear that "terrorists" are well-ensconced in that region, and actively participating in actions that clearly deserve the label of terrorism.&lt;br /&gt;&lt;br /&gt;My thinking here though is more about the fact that many other countries are deploying their own versions of these UAVs, some of which include ordnance capable of destroying cars or buildings.  How long will it be before non-state actors (e.g., a local al-Qaeda cell) are signing up for model-aeroplane classes, and buying Chinese UAVs on the black market to act as delivery systems for their Weapon of Mass Destruction Du Jour?&lt;br /&gt;&lt;br /&gt;Now some old news -- which I guess will now be part of history.  
François Mitterrand, the &lt;a href="http://en.wikipedia.org/wiki/Sinking_of_the_Rainbow_Warrior"&gt;French president who committed a terrorist act in 1985,&lt;/a&gt; complained that &lt;a href="http://www.theage.com.au/news/world/thatcher-used-nuclear-blackmail-to-get-missile-codes/2005/11/22/1132421666102.html"&gt;Margaret Thatcher blackmailed him&lt;/a&gt; with the threat of a nuclear strike in South America in order to get the disable codes for the French-designed Exocet missiles being used by the Argentinians against the British.  &lt;br /&gt;&lt;br /&gt;This story is interesting because weapons systems may well have a built-in "kill switch" that can be used by their designer to disable their operation -- a concern &lt;a href="http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=1"&gt;shared by the Pentagon&lt;/a&gt;.  As an &lt;a href="http://www.spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch"&gt;article in IEEE Spectrum suggested,&lt;/a&gt; it seems likely that the Israelis successfully used something similar in 2007, when their jets bombed a suspected Syrian nuclear installation -- and the Syrian radar seemed to mysteriously malfunction, or go offline.  Of course, the techniques of electronic warfare, jamming, and sending spurious "ghost" signals have been widely known since the Cold War, but it's tempting to wonder just how many Trojan Horses remain covertly buried deep in the electronic bowels of the weapons systems that we still depend upon.&lt;br /&gt;&lt;br /&gt;Some of the examples given include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. 
Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.&lt;/li&gt;&lt;li&gt;Crypto AG, a Swiss maker of cryptographic equipment, was the subject of intense international speculation during the 1980s when, after the Reagan administration took diplomatic actions in Iran and Libya, it was widely reported in the European press that the National Security Agency had access to a hardware back door in the company’s encryption machines that made it possible to read electronic messages transmitted by many governments.&lt;/li&gt;&lt;li&gt;According to a former federal prosecutor, who declined to be identified because of his involvement in the operation, during the early ’80s the Justice Department, with the assistance of an American intelligence agency, also modified the hardware of a Digital Equipment Corporation computer to ensure that the machine — being shipped through Canada to Russia — would work erratically and could be disabled remotely.&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6637684721990822654?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6637684721990822654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6637684721990822654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6637684721990822654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6637684721990822654'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/11/cybersecurity-weekend-roundup-for-1st.html' title='CyberSecurity Weekend 
roundup for 1st November 2009'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5925161216604751316</id><published>2009-10-26T12:13:00.000+01:00</published><updated>2009-10-26T12:13:10.399+01:00</updated><title type='text'>The Myth of CyberTerrorism</title><content type='html'>I was woken shortly before midnight, on a chilly July evening in Auckland by the sound of a bomb.   It was 1985, and the Greenpeace vessel &lt;a href="http://en.wikipedia.org/wiki/Sinking_of_the_Rainbow_Warrior"&gt;Rainbow Warrior&lt;/a&gt; had been hit by two explosions, from limpet mines attached by two frogmen (I use that term very deliberately.)  One man, &lt;a href="http://en.wikipedia.org/wiki/Fernando_Pereira"&gt;Ferndando Pereira&lt;/a&gt;, was killed in the attack.&lt;br /&gt;&lt;br /&gt;Most commentators now accept that this was an act of terrorism -- and indeed, the initial reaction of the French government was to condemn it as such.  It was only twenty years later that French president François Mitterrand admitted that he had personally authorised the bombing.  &lt;br /&gt;&lt;br /&gt;Was this an act of terrorism, albeit state-sponsored?   In my view, absolutely.  It was an act deliberately intended to terrorise Greenpeace and its supporters (although the agents concerned claimed that they had tried to avoid any loss of life.)  &lt;br /&gt;&lt;br /&gt;Now let's look at another case.  Three years earlier, in June 1982, the Russian government was conducting pressure tests on its new trans-Siberian gas pipeline, which resulted in a catastrophic explosion -- allegedly with the force equivalent to three kilotons of TNT.  
&lt;br /&gt;&lt;br /&gt;According to the 2004 book "At the Abyss: An Insider's History of the Cold War", written by Thomas C. Reed, this was a deliberate act of sabotage, carried out by the CIA as part of the cold war against the Soviet Union.  Reed, a former Air Force secretary who served in the US National Security Council during the Reagan administration,&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;&lt;br /&gt;reported how the U.S. allowed the USSR to steal pipeline control software from a Canadian company. Unknown to the Russians, this software included malicious code (known as a Trojan horse) that caused a major explosion of the Trans-Siberian gas pipeline in June 1982. The Trojan ran during a pressure test on the pipeline and massively increased the usual pressure, causing the explosion. Reed writes:&lt;br /&gt;&lt;br /&gt;"In order to disrupt the Soviet gas supply, its hard currency earnings from the West, and the internal Russian economy, the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds"&lt;br /&gt;&lt;br /&gt;By creating an explosion with the power of a three-kiloton nuclear weapon, the U.S. managed to disrupt supplies of gas and consequential foreign currency earnings of the Soviet Union for over a year. &lt;/i&gt;&lt;/blockquote&gt;&lt;br /&gt;Was this an act of CyberTerrorism?  In my view, yes.  
This was probably the very first documented case where computer-related sabotage was used to trigger major damage (although apparently with no loss of life).&lt;br /&gt;&lt;br /&gt;Subsequently, the world has witnessed hundreds of lesser cases of sabotage and attempts to compromise control systems and economic attacks, which might be classed as cyberterrorism -- but is there really a threat here of the same class as we face with "classical" terrorism -- i.e., suicide bombers, assassinations, anthrax letters or mass poisonings?&lt;br /&gt;&lt;br /&gt;In my view, the threat of CyberTerrorism is largely a myth.  A report published by James Lewis of the Washington think-tank &lt;a href="http://csis.org/files/publication/091023_Korean_Cyber_Attacks_and_Their_Implications_for_Cyber_Conflict.pdf"&gt;Center for Strategic and International Studies&lt;/a&gt;, tends to support this view, claiming that although clearly many major states have the capability of undertaking CyberWarfare attacks which could be classed as acts of war, there are few, if any, non-state actors with these capabilities.&lt;br /&gt;&lt;br /&gt;These days, the greater threat comes from organized criminal groups, and their targets are almost exclusively economic.  It's now possible for a well-funded terrorist group to &lt;a href="http://blog.damballa.com/?p=330"&gt;rent a botnet&lt;/a&gt;, but this raises the question: what would their target be?   In order for a terrorist attack to be effective, it has to by definition cause fear or terror, and few conceivable attacks could cause the loss of life necessary to achieve that.&lt;br /&gt;&lt;br /&gt;Despite what several "B" movies and shows like "24" or "Law and Order" suggest, there are no super-powered hackers who can take over GPS satellites, hospital emergency equipment or air traffic control systems.  
Any failures are more likely to be collateral damage from economic attacks, or simple incompetence in the deployment of basic safeguards by those responsible for defense.&lt;br /&gt;&lt;br /&gt;CyberTerrorism is a great buzzword, and is being used to attract millions of dollars in counter-terrorism funding, but the real risks should be seen as financial, and the attackers are far more likely to be from the world of organized crime rather than al-Qaeda.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5925161216604751316?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5925161216604751316/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5925161216604751316' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5925161216604751316'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5925161216604751316'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/myth-of-cyberterrorism.html' title='The Myth of CyberTerrorism'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8442923413826774187</id><published>2009-10-25T12:15:00.000+01:00</published><updated>2009-10-25T12:15:10.204+01:00</updated><title type='text'>Financial Crime and Money 
Laundering</title><content type='html'>Let's start by talking about 10 days in January earlier this year [2009].  You may have heard of the Torpig malware, which builds a botnet focused on stealing Banking details and other information.&lt;br /&gt;&lt;br /&gt;In a period of just over a week, US researchers were able to penetrate the Torpig botnet, and collect some information.  Here's a summary of what they found.&lt;br /&gt;&lt;br /&gt;182,000 unique PCs were infected.  In addition, 50,000 new PCs joined the network from fresh infections, mostly from drive-by web site takeovers and other program flaws.  &lt;br /&gt;&lt;br /&gt;That's 5,000 new PCs every day.&lt;br /&gt;&lt;br /&gt;8,310 financial accounts were compromised, from USA, Italy, Germany, Spain, Poland and more countries – from 410 different banks.  (The standard Torpig configuration targets more than 300 online banking systems around the world.)&lt;br /&gt;&lt;br /&gt;Top financial accounts stolen include PayPal (1,770 accounts), followed by Poste Italiane (765), Capital One (314), E*Trade (304) and Chase (217).&lt;br /&gt;&lt;br /&gt;Also stolen were credentials from thousands of corporate web sites, and 1,660 credit and debit card details.&lt;br /&gt;&lt;br /&gt;Nearly 300,000 user names and passwords were collected, including Google, Facebook, MySpace and others, thereby compromising a wide variety of personal information and documents.&lt;br /&gt;&lt;br /&gt;Typical attacks include man-in-the-middle browser phishing, web injection and form spoofing.  &lt;br /&gt;&lt;br /&gt;The market for stolen credit cards and bank details is now seeing greater sophistication, with increasing supply leading to lower prices.  For example, credit cards with CVV2 codes which have not yet been confirmed can be sold in batches of 1,000 for around $3 each.  Prices go up to $12 when you add the consumer's name, address and date of birth.  
The market is so strong, thieves are using classic marketing tactics -- “buy 500, get 500 free.”&lt;br /&gt;&lt;br /&gt;Estimates of revenue from just 10 days of the botnet operation range up to $8 million, based on current market prices for credit card details and compromised bank accounts.  Not a bad return on investment for just one criminal enterprise.&lt;br /&gt;&lt;br /&gt;And in news from researchers at McAfee, 12 million new computers have been taken over as botnet zombies since January – that's a 50% increase over last year.   According to the report, 18% of all computers in the USA have been compromised, with second place China on 13%.&lt;br /&gt;&lt;br /&gt;Here's another case, from Korea.  Rhee Jin-shik, a 57 year old self-employed businessman, received a phone call from the Post Office, telling him that they were unable to deliver his new credit card.  Rhee said he never ordered one, so the Post Office told him they were reporting it to the Financial Police, who would help him.  A few minutes later, with uncharacteristic efficiency, someone from the Cyber Investigation Unit called, and told him that he was being targeted by a gang of criminals.  In order to protect his money, he was recommended to transfer it from his current account, into a special “protected” account set up by the government.  A kind manager from the government controlled Bank soon called him, to help him do this.&lt;br /&gt;&lt;br /&gt;Naturally, all three callers were fake – part of a sophisticated Voice Phishing scam, which targets small business owners.&lt;br /&gt;&lt;br /&gt;You've all heard similar cases, and we could stand here all day talking about them, but let's focus on what's important.&lt;br /&gt;&lt;br /&gt;First, the Fraud market is a global, complex problem.  
Nearly every country is affected, and the criminal gangs behind it are increasingly professional, using sophisticated techniques and the latest technologies to achieve their goals.&lt;br /&gt;&lt;br /&gt;Wherever there is Fraud, you can be sure that Money Laundering isn't far behind.  &lt;br /&gt;&lt;br /&gt;Fraudsters need to channel their illegal earnings back to where they can spend them.  This also brings in tax evasion, and a whole range of different ways of benefiting from the proceeds of crime.&lt;br /&gt;&lt;br /&gt;A more worrying trend is that a significant percentage of crime is also being used to benefit terrorist organisations.  Recent investigations for example show that Somali marine piracy is being funded from Dubai, and banks there have been accused of laundering money for the pirates.  &lt;br /&gt;&lt;br /&gt;There are well-recognized links between some traditional informal methods of money transfer (such as Fei Ch'ien or Hawala), and terrorism financing.  Increasingly, terrorists are using the same channels as regular criminals, and are investing resources to build their capabilities.&lt;br /&gt;&lt;br /&gt;This global problem is growing and changing, almost faster than the authorities can keep up.  To protect themselves, financial institutions have to become more effective.&lt;br /&gt;&lt;br /&gt;The criminals are becoming smarter.  Last week, we learned that fraudsters were using their access to Lexis-Nexis to steal information required for Credit Cards – and have been doing it for three years, putting more than 32,000 people at risk of financial loss.&lt;br /&gt;&lt;br /&gt;The threats are multiplying.  
Another factor which is starting to have a major impact is the financial meltdown of the past 12 months.&lt;br /&gt;&lt;br /&gt;This has led to a huge loss of confidence among consumers, as well as a surge in financial crime from desperate people, some of whom may have lost their jobs in the industry.&lt;br /&gt;&lt;br /&gt;Thus, we see greater risk from insider threats, as internal fraud is driven by employees with knowledge of vulnerable systems, and fear for their future.&lt;br /&gt;&lt;br /&gt;Finally, we must not neglect consumer confidence among the risks, as this has been particularly hard-hit by the collapse of banks and property prices, with a string of bankruptcies leading to unemployment and loss of investments.&lt;br /&gt;&lt;br /&gt;In the Unisys Security Index survey (Wave 4), 61% of Europeans believe that the world financial crisis will increase their personal  risk of becoming a victim of identity theft – with the Spanish having the highest levels of concern.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;All of these problems require a firm decision by regulators and financial institutions to take the threat seriously – which means continuing to invest in training, building institutional capabilities, and selecting appropriate technologies to combat financial crime.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;To summarize, we have the following conditions:&lt;br /&gt;&lt;br /&gt;1) Increasingly sophisticated complex attacks on financial systems;&lt;br /&gt;2) More professional, highly motivated and intelligent criminals, with an apparently endless variety of new techniques for stealing our money;&lt;br /&gt;3) Blended threats, using combinations of online phishing, telephone and document fraud, plus dangerous malware and botnets;&lt;br /&gt;4) Global financial meltdown, with associated higher risks of internal attacks;&lt;br /&gt;5) Threats are increasing by 40% each year – we are entering the age of CyberWar.&lt;br /&gt;6) Urgent action is needed now – 
requiring coordination between the financial industry and government.&lt;br /&gt;&lt;br /&gt;The “sharp end” for most of this criminal activity is something we see every day in Fraud and Money Laundering investigations.&lt;br /&gt;&lt;br /&gt;Those of us active in CyberSecurity believe that the old techniques, based on basic transaction monitoring with pattern matching are no longer enough.&lt;br /&gt;&lt;br /&gt;Investigators and the executives responsible for risk reduction need better intelligence to combat these threats.&lt;br /&gt;&lt;br /&gt;By intelligence, we mean the training, tools and techniques used in the world of CIA, NSA and FBI, but applied in the domain of financial crime.&lt;br /&gt;&lt;br /&gt;It's not enough to have access to data.  By itself, the data does not help us.&lt;br /&gt;&lt;br /&gt;We have to work smarter.  This means approaching financial crime in a new strategic way.  It means breaking down some of the barriers which may exist between silos, bridging the gaps between compliance and fraud investigation departments.&lt;br /&gt;&lt;br /&gt;We see a need for closer cooperation between regulators, the Financial Intelligence Units, and banks and insurance companies.&lt;br /&gt;&lt;br /&gt;And finally, we need the political will to tackle these issues, or the problems will simply continue to get worse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8442923413826774187?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8442923413826774187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8442923413826774187' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8442923413826774187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8442923413826774187'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/financial-crime-and-money-laundering.html' title='Financial Crime and Money Laundering'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-248030197305853096</id><published>2009-10-23T10:21:00.003+02:00</published><updated>2009-10-23T10:34:55.163+02:00</updated><title type='text'>Chinese CyberWarfare Capabilities Developing</title><content type='html'>The following article (from Associated Press) shows that modern governments are seriously investing in their CyberWar Fighting capabilities.&lt;br /&gt;&lt;br /&gt;But what does this mean to the rest of us?  How can a government (especially one under totalitarian rule such as China) impact on the lives of us who live in democratic countries?  &lt;br /&gt;&lt;br /&gt;Currently, English is the dominant language on the Web -- but Google's Eric Schmidt recently proposed that within five years, Chinese language web sites could overtake this dominance, with their current rate of growth.&lt;br /&gt;&lt;br /&gt;Increasingly, every aspect of our lives is becoming more dependent on the online experience.  
As China grows, and with the suggestion that "GreenWall"-like censorship measures could contain hidden backdoors that could recruit nearly every Windows PC in China into a giant government-controlled botnet, the threat of the Chinese being able to bring down nearly every Web site with a massive DDOS attack becomes a reality.&lt;br /&gt;&lt;br /&gt;But in my view, for the Chinese government it's not only about force projection -- it's also about infiltrating themselves into foreign networks (e.g., NYPD and LAPD have long reported subtle attacks apparently originating from China), using a combination of HumInt and SigInt to subvert critical infrastructure, as part of a long-range plan to support potential future strikes.&lt;br /&gt;&lt;br /&gt;More concerning for businesses however is the existence of ties between such intelligence operations, and the covert industrial espionage that endangers commercial enterprises.  For this reason, in my view companies need to invest in long-range planning and strategic actions that reduce their exposure to such threats -- and acknowledge that the attackers are usually much better-funded, and smarter than our current defensive systems.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;blockquote&gt;China is building its cyberwarfare capabilities and appears to be using the growing technical abilities to collect US intelligence through a sophisticated and long-term computer attack campaign, according to an independent report.&lt;br /&gt;&lt;br /&gt;Released Thursday by a US congressional advisory panel, the study found cases suggesting that China's elite hacker community has ties to the Beijing government, although there is little hard evidence.&lt;br /&gt;&lt;br /&gt;The commission report details a cyberattack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to the country.&lt;br /&gt;&lt;br /&gt;According to the analysis, the 
company noticed that over several days, data from their network was being sent to multiple computers in the US and overseas. While the report does not identify the company, it contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information. An internet protocol (IP) address located in China was used at times during the episode.&lt;br /&gt;&lt;br /&gt;Barring proof, the study by the US-China Economic and Security Review Commission warns that the sort of expansive and sophisticated computer resources that have been seen in cyberattacks on the US and other countries "is difficult at best without some type of state sponsorship."&lt;br /&gt;&lt;br /&gt;The study contends that the Chinese, long reported to be stoking a massive military build up, has also made computer warfare a priority. The Chinese government is said to view such cyberprowess as critical for victory in future conflicts - similar to the priority on offensive cyber abilities stressed by some US officials.&lt;br /&gt;&lt;br /&gt;Potential Chinese targets in the US, according to the report, would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data. The report notes, however, that penetrating such classified systems would be time consuming and difficult.&lt;br /&gt;&lt;br /&gt;In large part, the commission report expands on the Pentagon's annual China military power review. 
The Defense study said earlier this year that China's People's Liberation Army has set up information warfare units to develop viruses to attack enemy computer systems and networks as well as to protect friendly systems.&lt;br /&gt;&lt;br /&gt;The Pentagon report described computer attacks believed to have originated in China, but concluded that "it remains unclear if these intrusions were conducted by, or with the endorsement of, the PLA or other elements of the PRC (People's Republic of China) government."&lt;br /&gt;&lt;br /&gt;The new report, prepared for the commission by Northrop Grumman, relies largely on publicly available information from Chinese hacker websites, technical articles and analysis of computer intrusions attributed to the Chinese.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-248030197305853096?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/248030197305853096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=248030197305853096' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/248030197305853096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/248030197305853096'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/chinese-cyberwarfare-capabilities.html' title='Chinese CyberWarfare Capabilities Developing'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2674907331735043012</id><published>2009-10-21T18:36:00.001+02:00</published><updated>2009-10-21T18:40:01.966+02:00</updated><title type='text'>Presentation on CyberSecurity</title><content type='html'>Here is a presentation I prepared earlier this year for a talk I gave to a class at the University of Florida Levin College of Law.&lt;br /&gt;&lt;br /&gt;&lt;iframe src="http://docs.google.com/present/embed?id=dfvbz7nk_76cwsnxjd6&amp;interval=5&amp;autoStart=true&amp;size=m" frameborder="0" width="555" height="451"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2674907331735043012?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2674907331735043012/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2674907331735043012' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2674907331735043012'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2674907331735043012'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/presentation-on-cybersecurity.html' title='Presentation on CyberSecurity'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1453605085167779568</id><published>2009-10-21T18:29:00.000+02:00</published><updated>2009-10-21T18:30:50.206+02:00</updated><title type='text'>Risk Management applied to Banking fraud</title><content type='html'>Trends in contemporary Risk Management and Enterprise Security&lt;br /&gt;&lt;br /&gt;The Banking industry continues to be beset by external and internal fraud, covering a range of lines of business, from securities, online channels, application fraud, ATM, checks and money laundering. Recent best practices have recognized that Risk Management techniques yield the best results in detecting and preventing some of these diverse types of fraud.&lt;br /&gt;&lt;br /&gt;From the earliest years when banking services were introduced in support of commerce, long distance trade and the prosecution of wars, there were creative and immoral intellects applying themselves to the task of fraudulently obtaining a share of the wealth.  Banking has always been about trust, and finding mechanisms for allowing the legitimate control over flows of money that are difficult to counterfeit or circumvent. &lt;br /&gt;&lt;br /&gt;In recent years, with the addition of the Internet and other online Banking channels (such as mPayments, Debit/Credit Cards and Wire Transfers), the tasks for banks have become exponentially more challenging.  In addition to a huge increase in the value of transactions operating over electronic channels, there has also been a dramatic level of growth in the number and speed of such transactions.  Given this trend, and the costs associated with manually checking each transaction for signs of fraud, Banks have been forced to invest in ever more complex systems and processes for detecting and preventing illegitimate transactions. 
&lt;br /&gt;&lt;br /&gt;One of the earliest online international banking frauds hit Citibank in 1994, when a Russian criminal, Vladimir Levin, purchased access details for Citibank's X.25-based Cash Management system from fellow hackers.  Over the next four months, he illegally transferred $10.7 million to several international accomplices.  Citibank's fraud detection systems eventually were triggered, leading to investigation by the FBI, who traced the connections to St. Petersburg, which led to Levin's eventual arrest and successful prosecution.&lt;br /&gt;&lt;br /&gt;In recent years, Citibank has again been hit by Russian fraudsters, who used ATM card information (including PINs) which were stolen from a compromised 3rd party banking system.  With Ukrainian confederates, $2 million was stolen in cash from ATMs around  New York over a period of months in late 2007, then laundered through various methods back to Russia.&lt;br /&gt;&lt;br /&gt;Of much greater impact in recent times is the growth of insider fraud, which in more serious cases has led to the complete wiping out of a bank's assets -- such as the Barings Bank collapse in 1995, triggered when rogue trader Nick Leeson lost $1.4 billion from unauthorized futures trading positions.  Austrian bank BAWAG hid $1 billion in losses for seven years until 2005, with on-going court cases, and the forced sale of the bank to new owners.  An HSBC clerk stole $143 million from the bank in April 2008, using stolen account information.  Credit Agricole lost $250 million from unauthorized trades in credit market indexes in its New York Calyon unit.  
And most spectacularly, Jerome Kerviel lost $7.1 billion from his employer, Societe Generale, from uncontrolled and highly risky trades in equity derivatives (hedge funds) based on European stocks.&lt;br /&gt;&lt;br /&gt;These cases, while spectacular, are the tip of the iceberg, as many banks refuse to disclose publicly many of the smaller losses incurred, such as hundreds of millions annually from phishing attacks against customer accounts, as well as substantial levels of persisting check and credit card fraud.  Understandably, bankers' reluctance is driven by the fear that customers would lose confidence in a bank with such a poor security track record, and justifiably so.  However, recent surveys [Unisys] have shown that many banking customers already are highly concerned about security, as more of them are hit by phishing, identity theft, advance-fee fraud and increased costs from banks, not to mention the dramatic liquidity crisis resulting from apparently fraudulent sale of unsecured mortgages and their toxic derivatives.&lt;br /&gt;&lt;br /&gt;Bankers have not been unconcerned, and the most promising efforts in this area have come from a combination of self-regulation and government legislation.  For the former, the Basel Committee on Banking Supervision has released many documents which outline voluntary codes by which banks can regulate their internal controls and risk management processes, especially in regards to Credit and Operational Risk.  The Three Pillars of Basel II include:&lt;br /&gt;&lt;br /&gt;   1. Minimum capital requirements -- defining mechanisms for calculating the required level of capital adequacy to deal with market, operational or credit risk (potential losses);&lt;br /&gt;   2. Supervisory review process -- increasing accountability and transparency of banking supervision, in particular in its Risk Management processes and procedures;&lt;br /&gt;   3. 
Market discipline -- requirements for a bank to publicly disclose its known risks and capital positions.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Beyond these voluntary accords, which have been successfully applied world-wide by banks in hundreds of countries, governments have enacted legislation intended to strengthen confidence in the banking system by requiring greater protection for consumers, as well as regulating banks' behaviour in selected markets.  These laws include, for example, MiFID (European law for governing the sale of securities); 2nd and 3rd EU AML Directives, OFAC lists, FATF 40+9 (which regulate banks' behaviour in regard to requiring the detection and prevention of money laundering and terrorist financing) and a host of other local laws that seek to improve Governance, Regulatory and Compliance processes within the financial services sector.&lt;br /&gt;&lt;br /&gt;Such industry self-regulation and government laws have unfortunately not significantly diminished the growing wave of financial crime which threatens the banking industry.  There is a trend for well-funded, ruthless and highly skilled and motivated international criminal gangs, which deliberately target the weakest institutions and the apparently threadbare security of online banking channels (according to one recent survey by the University of Michigan, 75% of a sample of 214 banking web sites have significant security flaws which could be used for identity theft or other fraudulent activities.) &lt;br /&gt;&lt;br /&gt;Banks are driven by increasing complexity in the management of their business, with consumer demand for faster response, lower costs, wider ranges of products and services, and regulatory pressure.  
All of these conflicting demands mean that the necessary investments in security have not kept pace with the rapid rate of change in the fraud landscape, and the almost monthly tales of huge losses due to unauthorized insider trading and the rapid growth in identity theft paint a grim picture.  Banking management will spend on security only in the face of a compelling event, such as recent major loss, or threat of government intervention.  Until then, they will perform a rational risk cost/benefit analysis -- are the losses due to fraud likely to be significantly higher than the investments required and internal process changes needed to better detect and prevent such fraud?  When the answer to this question is no, then banks will spend the minimum required to achieve compliance with the basic standards, and hope that customers won't notice the difference.  Fortunately, consumers are becoming more discriminating, and are starting to insist that banks take responsibility for the poor state of banking security and its concomitant lack of confidence. &lt;br /&gt;&lt;br /&gt;Can we continue to trust banks?  In my view, the answer is maybe -- and those banks which demonstrate a higher level of security competence and investment in improved Governance, Regulatory and Compliance activity will get my business, while those other "soft target" banks will struggle to maintain their position.  
A revolution is needed--but fortunately the evolutionary effects of increasingly more successful "predators" (the fraudsters and criminals) will have the effect of weeding out the weaker banks, leading to an overall strengthening of security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1453605085167779568?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1453605085167779568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1453605085167779568' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1453605085167779568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1453605085167779568'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/risk-management-applied-to-banking.html' title='Risk Management applied to Banking fraud'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2740049712109978074</id><published>2009-10-12T09:48:00.000+02:00</published><updated>2009-10-12T09:49:27.217+02:00</updated><title type='text'>Aubade: A poem by Philip Larkin</title><content type='html'>I work all day, and get half drunk at night.&lt;br /&gt;Waking at four to soundless dark, I stare.&lt;br /&gt;In time the curtain edges will grow 
light.&lt;br /&gt;Till then I see what's really always there:&lt;br /&gt;Unresting death, a whole day nearer now,&lt;br /&gt;Making all thought impossible but how&lt;br /&gt;And where and when I shall myself die.&lt;br /&gt;Arid interrogation: yet the dread&lt;br /&gt;Of dying, and being dead,&lt;br /&gt;Flashes afresh to hold and horrify.&lt;br /&gt;&lt;br /&gt;The mind blanks at the glare. Not in remorse&lt;br /&gt;- The good not used, the love not given, time&lt;br /&gt;Torn off unused - nor wretchedly because&lt;br /&gt;An only life can take so long to climb&lt;br /&gt;Clear of its wrong beginnings, and may never:&lt;br /&gt;But at the total emptiness forever,&lt;br /&gt;The sure extinction that we travel to&lt;br /&gt;And shall be lost in always. Not to be here,&lt;br /&gt;Not to be anywhere,&lt;br /&gt;And soon; nothing more terrible, nothing more true.&lt;br /&gt;&lt;br /&gt;This is a special way of being afraid&lt;br /&gt;No trick dispels. Religion used to try,&lt;br /&gt;That vast moth-eaten musical brocade&lt;br /&gt;Created to pretend we never die,&lt;br /&gt;And specious stuff that says no rational being&lt;br /&gt;Can fear a thing it cannot feel, not seeing&lt;br /&gt;that this is what we fear - no sight, no sound,&lt;br /&gt;No touch or taste or smell, nothing to think with,&lt;br /&gt;Nothing to love or link with,&lt;br /&gt;The anaesthetic from which none come round.&lt;br /&gt;&lt;br /&gt;And so it stays just on the edge of vision,&lt;br /&gt;A small unfocused blur, a standing chill&lt;br /&gt;That slows each impulse down to indecision&lt;br /&gt;Most things may never happen: this one will,&lt;br /&gt;And realisation of it rages out&lt;br /&gt;In furnace fear when we are caught without&lt;br /&gt;People or drink. Courage is no good:&lt;br /&gt;It means not scaring others. 
Being brave&lt;br /&gt;Lets no-one off the grave.&lt;br /&gt;Death is no different whined at than withstood.&lt;br /&gt;&lt;br /&gt;Slowly light strengthens, and the room takes shape.&lt;br /&gt;It stands plain as a wardrobe, what we know,&lt;br /&gt;Have always known, know that we can't escape&lt;br /&gt;Yet can't accept. One side will have to go.&lt;br /&gt;Meanwhile telephones crouch, getting ready to ring&lt;br /&gt;In locked-up offices, and all the uncaring&lt;br /&gt;Intricate rented world begins to rouse.&lt;br /&gt;The sky is white as clay, with no sun.&lt;br /&gt;Work has to be done.&lt;br /&gt;Postmen like doctors go from house to house.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2740049712109978074?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2740049712109978074/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2740049712109978074' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2740049712109978074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2740049712109978074'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/10/aubade-poem-by-philip-larkin.html' title='Aubade: A poem by Philip Larkin'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1231305337331759736</id><published>2009-09-19T11:11:00.002+02:00</published><updated>2009-09-19T11:11:59.532+02:00</updated><title type='text'>Some quotes on Atheism</title><content type='html'>I saw this collection of quotes on Atheism, and decided to collect them here for future reference.&lt;br /&gt;&lt;br /&gt;The fact that a believer is happier than a sceptic is no more to the point than the fact that a drunken man is happier than a sober one.&lt;br /&gt;- George Bernard Shaw&lt;br /&gt;&lt;br /&gt;We must question the story logic of having an all-knowing all-powerful God, who creates faulty Humans, and then blames them for his own mistakes&lt;br /&gt;- Gene Roddenberry&lt;br /&gt;&lt;br /&gt;The world holds two classes of men - intelligent men without religion, and religious men without intelligence&lt;br /&gt;- Abu'l‐Ala al Ma'arri&lt;br /&gt;&lt;br /&gt;I do not fear death. I had been dead for billions and billions of years before I was born, and had not suffered the slightest inconvenience from it&lt;br /&gt;It ain't the parts of the Bible that I can't understand that bother me, it is the parts that I do understand.&lt;br /&gt;- Mark Twain&lt;br /&gt;&lt;br /&gt;Properly read, the bible is the most potent force for Atheism ever conceived.&lt;br /&gt;- Isaac Asimov&lt;br /&gt;&lt;br /&gt;Lighthouses are more useful than churches&lt;br /&gt;- Benjamin Franklin&lt;br /&gt;&lt;br /&gt;"The Christian God can be easily pictured as virtually the same as the many ancient gods of past civilizations. The Christian god is a three headed monster; cruel, evil and capricious. If one wishes to know more of this raging, three headed, beast-like god, one only needs to look at the caliber of the people who say they serve him. 
They are always of two classes: fools and hypocrites."&lt;br /&gt;"Christianity is the most perverted system that ever shone on man"&lt;br /&gt;-- Thomas Jefferson&lt;br /&gt;&lt;br /&gt;God is an essence that we know nothing of. Until this awful blasphemy is got rid of, there never will be any liberal science in the world.&lt;br /&gt;-- John Adams&lt;br /&gt;&lt;br /&gt;"During almost fifteen centuries has the legal establishment of Christianity been on trial. What has been its fruits? More or less, in all places, pride and indolence in the clergy; ignorance and servility in the laity; in both, superstition, bigotry and persecution."&lt;br /&gt;What has been Christianity's fruits? Superstition, Bigotry and Persecution.&lt;br /&gt;-- James Madison&lt;br /&gt;&lt;br /&gt;"The Bible is not my book nor Christianity my profession. I could never give assent to the long, complicated statements of Christian dogma."&lt;br /&gt;- Abraham Lincoln&lt;br /&gt;&lt;br /&gt;"Religion was born when the first con man met the first fool."&lt;br /&gt;"If religion was based on real truth, there only would be one."&lt;br /&gt;-- Mark Twain&lt;br /&gt;&lt;br /&gt;I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours&lt;br /&gt;- Stephen Roberts&lt;br /&gt;&lt;br /&gt;With or without religion, you would have good people doing good things and evil people doing evil things. But for good people to do evil things, that takes religion.&lt;br /&gt;- Steven Weinberg&lt;br /&gt;&lt;br /&gt;Isn't it enough to see that a garden is beautiful without having to believe that there are fairies at the bottom of it too&lt;br /&gt;- Douglas Adams&lt;br /&gt;&lt;br /&gt;It was, of course, a lie what you read about my religious convictions, a lie which is being systematically repeated. 
I do not believe in a personal god and I have never denied this but have expressed it clearly. If something is in me which can be called religious, then it is the unbounded admiration for the structure of the world so far as our science can reveal it.&lt;br /&gt;- Albert Einstein&lt;br /&gt;&lt;br /&gt;"Creationists make it sound as though a 'theory' is something you dreamt up after being drunk all night."&lt;br /&gt;"Creationists don't want equal time, ... they want all the time there is."&lt;br /&gt;Isaac Asimov&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;And in the other corner:&lt;br /&gt;&lt;br /&gt;"Reason must be deluded, blinded, and destroyed. Faith must trample underfoot all reason, sense, and understanding, and whatever it sees must be put out of sight and wish to know nothing but the word of God."&lt;br /&gt;-Martin Luther&lt;br /&gt;&lt;br /&gt;Hence today I believe that I am acting in accordance with the will of the Almighty Creator: by defending myself against the Jew, I am fighting for the work of the Lord.&lt;br /&gt;~ Adolph Hitler, Mein Kampf&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1231305337331759736?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1231305337331759736/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1231305337331759736' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1231305337331759736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1231305337331759736'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/09/some-quotes-on-atheism.html' 
title='Some quotes on Atheism'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-114284567077467776</id><published>2009-05-25T15:40:00.004+02:00</published><updated>2009-05-25T18:10:29.107+02:00</updated><title type='text'>1981: adventures in computer science</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.applefritter.com/images/dscf0691-1504.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 640px; height: 480px;" src="http://www.applefritter.com/images/dscf0691-1504.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Many years ago (in 1981), I was one of a small group of people in New Zealand who were part of the first wave of computer entrepreneurship, and defying logic and common sense, felt that we could compete by designing and building our own personal computer.&lt;br /&gt;&lt;br /&gt;I'd met the late Stewart Holmes at Auckland University, where he was studying for his PhD in digital microelectronics.  I was working part time at the then Auckland Technical Institute, with a focus on digital circuits and electrotechnology, although my speciality was software.  Together with the Irishman Ernest Halliday, we three formed a company, which I named "Technosys" (combining "Technology" with "Gnosis", or deep esoteric knowledge.)  
I also designed the logo, but the core idea of making a personal computer (and therefore the credit for the pioneering vision) came from Stewart.&lt;br /&gt;&lt;br /&gt;Ernie Halliday was a fascinating fellow, full of stories from his years serving with the British SAS regiment in Northern Ireland and Borneo.  Who knows, some of them might have even been true.  I have no idea whether he is still alive, but after the injuries he reported (botched HALO drops), I suspect he might not be.  Whatever his fate, he was a great salesman, and had the vision to put the company together, and find a market when few business people even knew the potential of computers.&lt;br /&gt;&lt;br /&gt;When time permits, I will dredge through my recollections, and perhaps contribute them to the archive.  I am grateful to Philip Lord, who has put together a &lt;a href="http://web.me.com/lord_philip/aamber_pegasus/Aamber_Pegasus.html"&gt;Web site&lt;/a&gt; which features the Aamber Pegasus, including photos, some old documents, and even software downloads.  
Great work guys!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-114284567077467776?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/114284567077467776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=114284567077467776' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/114284567077467776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/114284567077467776'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/05/1981-adventures-in-computer-science.html' title='1981: adventures in computer science'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5394174096264166367</id><published>2009-04-24T12:55:00.003+02:00</published><updated>2009-04-24T13:11:17.958+02:00</updated><title type='text'>Three Nights in Dubai: Staying in a Hotel with reservations</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_10VKxm1G3fc/SfGds9xZwLI/AAAAAAAAC5g/yuDREz7r4o4/s1600-h/DSC00587.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 186px; height: 320px;" 
src="http://4.bp.blogspot.com/_10VKxm1G3fc/SfGds9xZwLI/AAAAAAAAC5g/yuDREz7r4o4/s320/DSC00587.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5328213229977583794" /&gt;&lt;/a&gt;The plane came in over the desert sands, the far off towers gleaming in the evening light.  It was our first trip to Dubai, and I was anticipating a unique experience.  As tourists, I knew that we might be unable to appreciate all the challenges we had read about, which are faced by the exploited foreign workers, wealthy expatriates and aloof Arabs, but I hoped to get a genuine taste of the local culture in our brief stay there.&lt;br /&gt;&lt;br /&gt;Arriving late at night, our first challenge was to get to our hotel, the newly opened Atlantis at the Palm Jumeira.  We were disappointed that even though the hotel knew our flight details, they hadn't arranged transportation, and we had to find our own way there.  Fortunately, the airport staff were friendly and helpful, and we only had to wait a couple of hours for a shuttle heading our way.&lt;br /&gt;&lt;br /&gt;Soon after midnight, we passed through the huge brass doors of the hotel, adorned by sea-horse and other marine motifs, into a lobby of polished marble floors, filled with colorful murals and amazing glass sculptures.  It was like entering into a dream – which we soon did for real, after the rigours of the journey.  
As I fell asleep, I wondered if Dubai's reality would match its reputation.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_10VKxm1G3fc/SfGdtbPJegI/AAAAAAAAC5w/-Jva6HxdZsk/s1600-h/DSC00476.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 240px; height: 320px;" src="http://2.bp.blogspot.com/_10VKxm1G3fc/SfGdtbPJegI/AAAAAAAAC5w/-Jva6HxdZsk/s320/DSC00476.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5328213237886974466" /&gt;&lt;/a&gt;We were woken before dawn the next morning by a siren – the fire alarm was going off!  We'd heard that the opening of the hotel some weeks earlier had been delayed by a major blaze, and were worried about a repeat performance.  Fortunately, a voice with a strong Australian accent came over the tannoy, telling us that “the situation is now under control.  Elevators are running again.  We apologise for the conven... uh, inconvenience.”  Reassured, we went back to sleep.&lt;br /&gt;&lt;br /&gt;I'd booked us into the Atlantis in Dubai for a few days, on a stopover for a trip to New Zealand.  I had followed the hotel's construction details, starting with the creation of a completely artificial island, the “Palm” (one of three such man-made archipelagos off the coast.)    Hotelier Sol Kerzner had left behind the wildly successful Sun City and Lost City resorts he'd created under the apartheid regime in South Africa, to build a new gambling complex in the Bahamas, with a strong aquatic theme.&lt;br /&gt;&lt;br /&gt;He continued this theme with the Atlantis in Dubai (minus the gambling of course), and again invested heavily in displays of marine life, and an incredible re-imagining of an archaeological reconstruction of what the fabled lost city of Atlantis might have looked like.  
Marshalling a team of artists, sculptors, architects, marine biologists and creative engineers, Kerzner has produced a unique artistic statement, which repeats mythical and nautical themes throughout the décor and interior furnishings of the 2,000+ room hotel.  &lt;br /&gt;&lt;br /&gt;The centrepiece is the lost city itself, which includes a massive sea-water tank with a huge variety of sea-life, swimming around the reconstructed throne room of the sunken kingdom.  Selected rooms of the hotel abut directly onto one wall of the tank, so well-heeled guests may be observed at their slumbers by a plethora of marine life.  A labyrinth of mysterious artefacts and ancient scrolls in unknown scripts, and murals depicting long-lost gods and goddesses round out the illusion, including crystal power sources and dozens of marvellous living aquaria. &lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_10VKxm1G3fc/SfGdtD4Ej_I/AAAAAAAAC5o/P1GK__AA3L0/s1600-h/DSC00544.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 240px; height: 320px;" src="http://4.bp.blogspot.com/_10VKxm1G3fc/SfGdtD4Ej_I/AAAAAAAAC5o/P1GK__AA3L0/s320/DSC00544.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5328213231616167922" /&gt;&lt;/a&gt;&lt;br /&gt;In addition to the indoor marvels, the hotel boasts a 160,000 m² water park, including a remarkable ziggurat water slide taking its riders down underneath a shark-filled lagoon, and 2.3 km of tidal river rapids in a tropical setting – highly incongruous in dry and dusty Dubai.  
These attractions and the hotel's shopping precinct bring in thousands of visitors every day, most of them families with young children, who seem delighted by the attractions.&lt;br /&gt;&lt;br /&gt;We found our basic room (which had already stressed our limited budget) comfortable and well-appointed, with a sea-facing balcony and great attention to detail in the furnishings and fixtures.  Navigating the warren of corridors was a little daunting, but eventually we discovered landmarks of unusual wall coverings or art work, leading us back to the central lobby with its massive glass sculpture, looking like a fountain of translucent serpents, illuminated and with trickling water.  &lt;br /&gt;&lt;br /&gt;A selection of restaurants awaited our palates, from the traditional middle eastern (complete with a too-thin blonde belly dancer) to the upmarket Nobu and European mainstay of Ossiano.  I found most of the dining options quite expensive compared to other hotels we have stayed in, although the food of course was a very high standard.  We were particularly impressed by the effort made by staff of the cafeteria restaurant, who kindly prepared a travel meal for us, as we had to catch an early flight before breakfast was to be served. &lt;br /&gt;&lt;br /&gt;Training my binoculars on the far-off Dubai cityscape, the dominant feature of the Burj Dubai tower was impressively prominent, soon to open as the planet's tallest building.  The city inspires a sense of vibrancy and energy, with evidence of construction everywhere you look.  The latest model cars race around streets that might be seen in a PlayStation game, with mile after mile of aseptic concrete, steel and glass.  
This is a city that never really followed the slow evolution of European metropolises, but rather sprang as if fully formed like Athena from the brow of Zeus, its towers spearing into the air from the hot dry sands, pushed up from underneath by subterranean oceans of oil.&lt;br /&gt;&lt;br /&gt;We took a taxi to visit one of the largest shopping malls in the world at the base of the Burj tower, with over 600 retailers covering 12 million square feet.  Size isn't everything however, as I discovered few bargains in the Dubai Mall, with mostly well-known brands and luxury goods which may be found in almost every airport duty free store.  Taxis leaving the mall are in high demand – if you depart at a peak time, be prepared to queue for more than an hour.&lt;br /&gt;&lt;br /&gt;One highlight which delighted my wife was a perfumery nestled in the Gold Souk within the mall.  Eschewing the traditional western brands, this small shop is a treasure house of garish bottles and jars, replete with mysterious herbs and tree barks, essences and attars, merging into a harmonious olfactory note which soothed and uplifted.  We observed middle-eastern women dressed head to toe in black burkas, attended by an Indian serving girl, taking tea and sampling the wares.&lt;br /&gt;&lt;br /&gt;My impressions of the city were consistent with my understanding of its culture.  Dominated by expatriates and low-wage guest workers, Dubai has many faces.  To the tourist, it is a shopping mecca, and fantastic children's holiday destination, lacking the sleaze of Las Vegas or the sophistication of Paris.  To the labourers and domestic servants subsisting on near slave salaries under harsh conditions, the city recites a litany of broken promises and shattered dreams, especially as the realities of the global economic crisis have closed down all but the most well-funded construction projects.  
To the locals, who make up less than twenty percent of the population, the emirate presents a Disneyfied face of Arab culture and opulence, untempered by economic modesty yet trammelled by Islamic mores.  &lt;br /&gt;&lt;br /&gt;I had the sense that there is a darkness at the heart of Dubai, hidden behind a thin veneer of opulence, and characterised by stark inequalities of consumption and excess, both of consumer items and natural resources.  The Atlantis stands out as a triumph of engineering and artistry, demonstrating a dominance over the natural world, rather than an efficient stewardship of resources.  One cannot fail to be impressed by the grandeur, the excitement and beauty of the surroundings, yet at the same time feel guilt over the exploited under-classes, who must have suffered in building this temple of excess and the city that surrounds it.&lt;br /&gt;&lt;br /&gt;Would I go back?  Probably yes.  As an experience, Dubai is remarkable for its unflinching focus on tomorrow, its apparent disregard of market forces and its steadfast determination to find a new economic reality based on tourism rather than the rapidly depleting oil reserves of the region.   The Palm symbolizes the triumphalism of man's expropriation of Nature's bounty, and yet it retains a unique beauty and impressive artistry, that celebrates the latest pinnacle of Marx's concentration of capital.  
The Atlantis hotel is a meeting place, of Western and Middle Eastern cultures, of economic power and mythical legend, that entertains and sustains the weary soul – until the money runs out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5394174096264166367?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5394174096264166367/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5394174096264166367' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5394174096264166367'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5394174096264166367'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/04/three-nights-in-dubai-staying-in-hotel.html' title='Three Nights in Dubai: Staying in a Hotel with reservations'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_10VKxm1G3fc/SfGds9xZwLI/AAAAAAAAC5g/yuDREz7r4o4/s72-c/DSC00587.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2453456827173444861</id><published>2009-04-23T17:11:00.001+02:00</published><updated>2009-04-23T17:12:49.759+02:00</updated><title type='text'>A Delicate Balance: A Visual Guide to Secured 
Business</title><content type='html'>Unisys have released a great high-level booklet on managing risk in large enterprises, which is surprisingly easy to read and helpful.  Although I was not involved in writing it, I certainly concur with the conclusions, and would be pleased to discuss its implications and application to different industries.&lt;br /&gt;&lt;br /&gt;&lt;a title="View A Delicate Balance: A Visual Guide to Secured Business Operations on Scribd" href="http://www.scribd.com/doc/14564283/A-Delicate-Balance-A-Visual-Guide-to-Secured-Business-Operations" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;"&gt;A Delicate Balance: A Visual Guide to Secured Business Operations&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2453456827173444861?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2453456827173444861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2453456827173444861' title='0 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2453456827173444861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2453456827173444861'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/04/delicate-balance-visual-guide-to.html' title='A Delicate Balance: A Visual Guide to Secured Business'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3481392342108946728</id><published>2009-04-22T11:50:00.003+02:00</published><updated>2009-04-22T12:00:56.091+02:00</updated><title type='text'>SECURING CONSUMER TRUST AS THE RECESSION TAKES HOLD</title><content type='html'>The International Monetary Fund (IMF) recently forecast that the global economy will shrink this year for the first time in more than 70 years. Appropriately dubbed the ‘Great Recession’, the current financial crisis is causing unrest across the world for consumers, businesses, governments and financial institutions. Paul Gillingwater, European lead, Fraud and Risk Intelligence at Unisys, examines the growing link between this time of unrest and a rise in financial fraud and provides insight for businesses and governments on how to tackle growing consumer fears. &lt;br /&gt;&lt;br /&gt;Over recent years we have seen a significant rise in financial fraud across Europe. This form of fraud, which primarily encompasses identity theft and credit card fraud, is now the number one consumer complaint, and billions of Euros are lost each year to unscrupulous operators, hackers and gangs. 
&lt;br /&gt;&lt;br /&gt;And how are consumers reacting to this burgeoning offense? According to research from Unisys - poorly. The Unisys Security Index, a bi-annual global study, shows that nearly two thirds (61 per cent) of Europeans believe that the world financial crisis will increase the risk that they will personally fall victim to financial fraud.&lt;br /&gt;&lt;br /&gt;According to fraud prevention agency CIFAS, in 2008 fraud levels increased by 16 per cent compared to the previous year. Facility takeover frauds – when a fraudster takes over a victim's bank, credit card or catalogue account - increased by 207 per cent.  Specifically, a survey conducted by MessageLabs directly following the bank chaos which began in August 2008, reveals that phishing attacks rose by 16 per cent between August and September before a surge of 103 per cent the following month. &lt;br /&gt;&lt;br /&gt;So why is this happening? During a time of financial unrest when banks are making global headlines, it makes sense for spammers to use the credit crunch as a hook to exploit the worried and confused customers who have been shaken by recent events and are looking for a way out. &lt;br /&gt;&lt;br /&gt;And how can we explain the sudden increase in the number of perpetrators of these attacks? Hand in hand with a recession comes insecurity. It is this insecurity which increases the motivation for some employees and consumers to commit crimes in order to maintain their existing lifestyles, replace lost funds, or meet increasingly challenging sales targets. In short, difficult economic times can foster the criminally opportunistic and create desperate individuals who embark on desperate measures to deal with personal debt. 
An overall rise in white-collar crime is in turn seeing attacks such as identity theft and credit card fraud explode.&lt;br /&gt;&lt;br /&gt;Additionally, consumers are an easier target for credit card fraud during a recession – leaving themselves more open and vulnerable to fraudsters. As they desperately shop online for bargains, they are not as cautious as they might have previously been.&lt;br /&gt;&lt;br /&gt;Finally, there has been a serious breakdown in the relationship between financial institutions and their customers. Consumers have lost faith in banks and no longer trust them to protect their livelihood and money. As faith in financial institutions declines, consumers become a prime target for online attacks such as fraudulent mass e-mail campaigns designed to lure customers into providing personal financial information such as passwords or account information – phishing attacks.&lt;br /&gt;&lt;br /&gt;Revisiting Unisys Security Index results from March 2009, the survey reveals significant disparity across Europe, with only one third (32 per cent) of Dutch consumers believing that there is an increased risk of fraud during the recession, compared to 83 per cent of Spaniards.  Interestingly, the Spanish were more concerned than their German counterparts over this issue, with just over half (56 per cent) of German consumers thinking that the global crisis will increase the risk of ID theft. This figure falls as income rises – Germans with monthly household incomes of 4,000 Euros or more worry the least.  Surprisingly, the research places Germany as one of the least worried nations over this issue, coming fourth out of the five countries questioned.&lt;br /&gt;&lt;br /&gt;Perhaps the impact of the financial crisis has not yet filtered down from company level to consumer in Germany, or perhaps the German public planned well for it. 
&lt;br /&gt;&lt;br /&gt;Despite Belgians' relatively low level of concern in the overall Security Index, residents are clearly worried about this issue, as almost two thirds (63 per cent) think that their personal risk of ID theft and credit card fraud will increase in light of the recession.  &lt;br /&gt;&lt;br /&gt;The British are also extremely anxious about ID theft, with a clear majority (72 per cent) believing their personal risk will increase.  This puts the UK as the second most worried European country, 11 percentage points below Spain.  &lt;br /&gt;&lt;br /&gt;While there is disparity across all of the regions surveyed in Europe, these results underscore the urgent need for companies to address this burgeoning fear. Banks and financial service providers in particular must now do everything to win back the trust of their customers. That means strict security measures to protect data, identities, credit cards and cash cards.&lt;br /&gt;&lt;br /&gt;It is important that any company doing business online or handling sensitive data take note that the current financial crisis has deepened consumer fear and intensified risks. Outside of the financial services industry, all organisations in both the public and private sector must demonstrate good security practices, ensuring that the high profile security breaches and customer data losses of the past 12 months become a thing of the past.  Although cyber criminals will continue to attempt to access our private information, consumers, companies and governments can all work together to combat the threat and reduce the risk of fraudsters succeeding.&lt;br /&gt;&lt;br /&gt;While the debate rages on about the mechanics of government bailouts and optimal interest rates, one thing is certain: there will be no return to economic stability without increased trust and rising consumer confidence. Restored trust among banks will open the flow of credit and boost deposits. 
Stronger trust between governments and citizens will promote the sense that economic growth and fair markets can be sustained over the long term. And importantly, secure operations and high-quality customer experiences will help inspire the confidence necessary to boost consumer spending. &lt;br /&gt;&lt;br /&gt;For more information about the Unisys Security Index and full European results, visit &lt;a href="http://www.unisyssecurityindex.com"&gt;http://www.unisyssecurityindex.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3481392342108946728?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3481392342108946728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3481392342108946728' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3481392342108946728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3481392342108946728'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/04/securing-consumer-trust-as-recession.html' title='SECURING CONSUMER TRUST AS THE RECESSION TAKES HOLD'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8200343087545322043</id><published>2009-04-18T10:13:00.003+02:00</published><updated>2009-04-18T10:46:01.116+02:00</updated><title type='text'>Automation of Bank Card Fraud</title><content type='html'>I was interested to read about an old scam resurfacing with modern technology, as reported in the Police blotter of the &lt;a href="http://www.cityofdenton.com/pages/dpdcrimetips.cfm"&gt;Denton, Texas Police Department.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The scam is as follows.  An automated calling system is programmed with an Interactive Voice Response (IVR) menu (a set of audio prompts, to which the callee must respond by pressing digits on their phone).  Such calling systems are cheap and easy to set up, e.g. using the great open source software &lt;a href="http://www.asterisk.org/support/features"&gt;Asterisk.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The initial call is made using a message that identifies itself as coming from a local bank (which is of course a lie.)  The message tells the callee that there is a problem with their credit card, and that it has been blocked.  (More lies.)&lt;br /&gt;&lt;br /&gt;In order to solve the problem, the callee is invited to enter their credit card number, expiration date, CVV code (the card verification value printed on the back of the card) and other confidential details, and to record their name and address.  
This might be done using the touch-tone system (for the numbers), and with simple audio recording for the name and address.&lt;br /&gt;&lt;br /&gt;The scammers will often use a phone link which is able to &lt;a href="http://news.cnet.com/8301-13554_3-9997976-33.html"&gt;block caller ID&lt;/a&gt; (typically by routing using SIP through a VOIP provider over an anonymous relay,) or they will &lt;a href="http://www.asteriskvoipnews.com/asterisk_news/cidani_spoofing_on_voip_using_asterisk.html"&gt;spoof the Automated Number Identification&lt;/a&gt; to pretend that they are originating from the genuine business.&lt;br /&gt;&lt;br /&gt;As soon as the hapless victim falls for the scam, their &lt;a href="http://www.securitypark.co.uk/security_article262924.html"&gt;credit card details will usually be sold on via an aggregator&lt;/a&gt;, to the next stage in the criminal chain who will then use the stolen information to order goods over the Internet.  These goods are then usually laundered through yet more victims, who think they are working at home for a real business.&lt;br /&gt;  &lt;br /&gt;The insidious aspect of these crimes is that the originator is very hard to track down (and may be operating off-shore.)  Furthermore, because the process is automated, they can program the system to call tens of thousands of targets without any additional effort -- and if even 1% of the victims fall for the scam, then the criminals are making money.&lt;br /&gt;&lt;br /&gt;What can be done?  In the absence of good technical solutions that can make it easier for law enforcement to track down such criminals, and the lack of strong international Policing cooperation, such criminals can operate with relative impunity.  
Therefore, our only option is to get the word out, and educate the intended victims to never give confidential information over the phone, especially to automated calling systems.&lt;br /&gt;&lt;br /&gt;If someone calls you claiming to be from a Bank with whom you do business, then ask for a number and call them back -- but even this might not be enough, so check on the Internet whether that number is listed for your bank.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8200343087545322043?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8200343087545322043/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8200343087545322043' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8200343087545322043'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8200343087545322043'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/04/automation-of-bank-card-fraud.html' title='Automation of Bank Card Fraud'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5881135780375305417</id><published>2009-03-21T21:35:00.002+01:00</published><updated>2009-03-21T21:52:49.571+01:00</updated><title type='text'>Sumitomo: Anatomy of $423m Fraud that 
failed</title><content type='html'>&lt;a href="http://www.theregister.co.uk/2009/03/19/sumitomo_cyberheist_investigation/"&gt;The Register offers&lt;/a&gt; a fascinating analysis of one of the most audacious Bank heists of the past few years, and the story of the patient investigation which led to the conviction earlier this year of most of its suspects.  &lt;br /&gt;&lt;br /&gt;It has elements of a classic heist -- the inside man, recruited with thoughts of greed to compromise internal security controls (in this case, tampering with cameras and giving the criminals access to the bank at weekends), the hackers, and the money launderers.&lt;br /&gt;&lt;br /&gt;The technology used was simple and readily available -- a commercial keystroke logging software package, installed on critical PCs in a trading room to capture account details and passwords.  The target was the Swift system -- the world-wide and widely trusted system for transferring money between banks around the world.  Sumitomo was the victim -- and if it wasn't for a crucial lack of vital information, the crooks would have got away with it.&lt;br /&gt;&lt;br /&gt;Accomplices around the world -- in Spain, Dubai, Turkey, Israel, Singapore and Hong Kong -- were ready to assist with laundering of the money, seeking to withdraw the large sums from counterparty banks.  Luckily, the banks never received the wire transfers, because the Swift forms had not been correctly filled out, and the bank's internal controls prevented the losses.&lt;br /&gt;&lt;br /&gt;The lesson here is that insiders can always be compromised, but robust internal controls with strict separation of duties can prevent most issues.  The criminals were unlucky (or incompetent) because they failed to fill out the Swift forms correctly -- had they done so, it is likely they would have made a great deal of money.  Another lesson is that username/password pairs are not enough -- at least two-factor authentication should be used.  
&lt;br /&gt;&lt;br /&gt;Most importantly however, is that Sumitomo Bank made the correct decision in reporting this crime as soon as possible to the authorities, and diligent police work led, four years after the fact, to the successful prosecution of most of those responsible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5881135780375305417?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5881135780375305417/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5881135780375305417' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5881135780375305417'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5881135780375305417'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/03/sumitomo-anatomy-of-423m-fraud-that.html' title='Sumitomo: Anatomy of $423m Fraud that failed'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2125230109958550041</id><published>2009-02-13T10:00:00.002+01:00</published><updated>2009-02-13T10:04:58.575+01:00</updated><title type='text'>Cyberstalking and You</title><content type='html'>&lt;span style="font-style:italic;"&gt;A brief guide to staying safe online&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Email, 
instant messaging and social media websites are ubiquitous, convenient and useful forums for networking, doing business or just staying in touch.  But there is a dark side, which may often be very upsetting for the victim--that of being stalked or harassed online.  Anyone who uses the Internet can be subjected to Cyberstalking, which can occur in many ways.  According to Wikipedia, Cyberstalking may be defined as&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;the use of information and communications technology, particularly the Internet, by an individual or group of individuals, to harass another individual, group of individuals, or organization. The behavior includes false accusations, monitoring, the transmission of threats, identity theft, damage to data or equipment, the solicitation of minors for sexual purposes, and gathering information for harassment purposes. The harassment must be such that a reasonable person, in possession of the same information, would regard it as sufficient to cause another reasonable person distress.[1]&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;It's very easy for an anonymous person to forge emails, making it look like messages are being sent by someone else.  If the messages contain personal details combined with insults or obscene images, it can be very upsetting for the recipients, especially if they think the mail is genuine.  Furthermore, it's possible to make anonymous phone calls over the Internet which are untraceable (without the resources of major governments or law enforcement agencies).&lt;br /&gt;&lt;br /&gt;Usually, the person being Cyberstalked (if not a celebrity) knows their stalker, or has engaged in online discussions which triggered that behavior in some stranger. Examples might include the ex-partner from a relationship gone bad, political antagonists, fired ex-employees, or predatory individuals with a sexual motivation. 
&lt;br /&gt;&lt;br /&gt;The results of Cyberstalking can often be very distressing for the victims and their family, and in extreme cases have led to serious mental health issues, including attempted suicide.  Where the subject of the attacks is a minor, their physical safety may also be at risk, especially if grooming is being used by suspected pedophiles.&lt;br /&gt;&lt;br /&gt;Young people don't always use social media sites in responsible ways, and parental guidance and regular monitoring of online activities are often recommended.   Parents need to inform themselves of the risks of online activities, and educate their children in keeping themselves safe.  Some simple guidelines might include:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Don't exchange emails and photographs of yourself with people you've never met&lt;br /&gt;&lt;li&gt;Don't assume that the person you meet online is who they say they are -- digital identities are malleable&lt;br /&gt;&lt;li&gt;Don't use a webcam like a bathroom mirror&lt;br /&gt;&lt;li&gt;Never open unknown attachments from strangers, and use up-to-date anti-virus software&lt;br /&gt;&lt;li&gt;If you wish to meet someone you know from online, take a friend or parent&lt;br /&gt;&lt;li&gt;Educate your child about the risks of "stranger danger"&lt;br /&gt;&lt;li&gt;Always assume that if you send someone naked pictures of yourself, they are likely to be shared with strangers&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Young people are likely to have a false sense of security when online.  They may engage in attention-seeking behavior, where they seek to validate their sense of self-worth by craving the approval of others, even strangers.  Blogging and twittering are popular social communications, but have their extreme cases.  Some people seem to invite unwanted attention, such as the case in January 2009 of "Boxxy", a young woman with plenty to say.  
Her videos on Youtube generated tens of thousands of fans, and many others who couldn't stand her, with escalation of hostilities between the two camps leading to death threats, Cyberstalking, flame wars and distributed denial of services attacks on web sites (such as the popular message board 4chan.org, that originated the LOLcats meme.) &lt;br /&gt;&lt;br /&gt;Organizations and cults are often high-profile targets for abuse, such as the Church of Scientology (along with some of its most prominent converts like Tom Cruise and John Travolta).  Such organizations often employ professionals who track down and use legal threats to silence their critics, although the actions in 2008 of the international group that call themselves "Anonymous" showed that it's easy to hide your identity on the Internet.&lt;br /&gt;&lt;br /&gt;Usually, however, Cyberstalking is more personal, with a single individual attempting to harass or threaten their intended victim.  The target of such harassment has few options.  Unless there is evidence of a direct physical threat to safety, it is rare for a complaint to the Police to be useful.  However, establishing a paper trail through an official complaint might be useful later when seeking to take out a restraining order against a particular individual.&lt;br /&gt;&lt;br /&gt;Targeted individuals may sometimes have their accounts or email hacked, especially if they use poor password selection policies.  Immediate complaints to the abuse departments of the relevant websites can sometimes help, but will likely take weeks or months for action.  Sometimes, the better choice is to create new accounts, and contact all friends personally to let them know that correspondence from the old accounts should be ignored.  Related to this is the important step of making backup copies of all contact information and personal documents, which is good practice under any circumstances. 
&lt;br /&gt;&lt;br /&gt;In general, it's best to ignore communications coming from a Cyberstalker, and refrain from giving them validation through attention.  Don't attempt to reply -- simply delete such messages, which can be handled automatically by some email systems based on filters.  For those who spend a lot of time online, it's a good idea to check how much personal information can be found about yourself through search engines.  Use your social security number, name, email addresses or user names to discover whether you have "leaked" personal information online.  If you can find such data, then it's likely that other people can too, so try to remove it if possible.  As a rule, avoid entering private information (such as your birth date or passport details) into any web site.  If it's not "official", then just make up fake data.&lt;br /&gt;&lt;br /&gt;Some popular websites, like Facebook or Bebo, request personal information, that most people are happy to provide.  While mechanisms exist on many sites to restrict the privacy of such information, mistakes can be made, and have led to leaks of private data (including birth details, names and addresses, and phone numbers or credit card details.) 
&lt;br /&gt;&lt;br /&gt;In a world where life is increasingly being experienced online, some basic common sense should be applied to protect your privacy, and respect that of others.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2125230109958550041?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2125230109958550041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2125230109958550041' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2125230109958550041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2125230109958550041'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/02/cyberstalking-and-you.html' title='Cyberstalking and You'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6046132643513579247</id><published>2009-02-09T00:20:00.003+01:00</published><updated>2009-06-03T14:12:17.999+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='capital punishment'/><title type='text'>Recycled: Essay on Capital Punishment</title><content type='html'>&lt;span style="font-style:italic;"&gt;Another old essay written back in my university days.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span 
style="font-weight:bold;"&gt;The Hand of a Killer -- An Essay on Capital Punishment &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;by Paul Gillingwater&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;for LLN210 Methods of Research (Webster University, Spring I)        April 1995&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"No man is an Iland, intire of it selfe; any man's death diminishes me, because I am involved in Mankinde; and therefore never send to know for whom the bell tolls; It tolls for thee."&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;John Donne, Devotions upon Emergent Occasions (1623-1624)&lt;/span&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;&lt;p&gt; Last week, Nicolas Ingram was executed in Georgia, U.S.A.,  after 12 years on death row.  Despite considerable publicity and appeals for clemency from secular and religious leaders,  the electric chair was again used to end the life of a convicted killer.   Is such state-enforced killing justified?   When we are faced with this question, we are challenged to define our moral position in relation to society.   To what extent do the laws relating to capital punishment reflect our individual ethics?  Laws are formulated in Western countries to maintain civil order and to protect society from criminal behaviour.  To this end, penalties are devised which are intended to  punish those who break the laws.  Is execution an appropriate form of punishment in modern society?  There are many arguments for and against execution.   This paper will review some of the important ones, and show that capital punishment is unjustifiable, not only because it is both ineffective as a deterrent and can cost more than long-term detention, but also because it is ethically wrong by the standards of developed Western nations.   &lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Ethics is about the relation of human beings to each other, especially in the field of moral questions.  
John Donne's poem (cited above) about the interconnectedness of all humanity holds true in more than just a philosophical sense, as suggested by findings from the field of ecology which show how the actions of one group of people can have their effect on another group.  Each person in society contributes to public opinion, which influences the official attitudes to moral questions in a democracy.  Any argument for or against capital punishment eventually arrives at the question of the morality of taking one life in exchange for another.  My view is that the deliberate decision to end the life of a human being is equally wrong, whether made by an individual contemplating murder or by a court passing sentence, because life is inherently the thing that each one of us values the most.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; A clear distinction exists between lawful and unlawful killing.  Since modern society universally condemns murder as morally wrong, we'll confine our discussion only to that form of official penalty known as "capital punishment", (named thus because early forms of execution involved beheading.)  Individually, most of us have never participated in a killing, however in a democracy, all citizens are responsible for the laws enacted by our representatives in government, so it may be said that we are all individually implicated in any state execution.  To understand this, it may be useful to consider the analogy of the hand, that symbolizes how each member of society participates in the processes leading to an official execution.  Whether the finger of a killer pulls the trigger to unlawfully end another human life; or the hand of a doctor administers the lethal injection during the state-authorized execution; the result is the same, and it is the human hand that carries out the intent.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Our hands, with their opposable thumbs, serve to distinguish us from, and elevate us above, the animal kingdom.  
Human beings rarely use anything else to kill.  It is the hand which must grip the weapon, sign the death warrant, pull the trigger or administer the fatal dose.  By way of contrast, in the wild no mediation is required between predator and prey, unlike in our human world, where most of us isolate ourselves from the reality of death in the slaughter-house by butchers and supermarkets.  Similarly, those who favour executions are rarely willing to pull the trigger themselves, preferring that the State develop the mechanisms to kill the condemned: out of sight, out of mind.  How and why did these mechanisms develop?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; A brief consideration of the history of capital punishment shows that public killing has long formed a part of law, as early as the Code of Hammurabi (1750 B.C.E.)  In early societies, the punishment of wrong-doers was the prerogative of the individual or the tribe, and was usually undertaken as an act of vengeance.  It often consisted of forms of torture or execution, which today would be deemed excessive and disproportionate by most educated people.  As society became more complex, the right to punish was taken over by the state, which used each execution as a public spectacle "to encourage the others."  [1. Voltaire]  Since the 1950's, many developed Western nations have joined an international convention against capital punishment.  Even in those countries which continue the practice, such as the U.S.A., executions are largely private affairs with public participation limited to the trial and sentencing.   It's interesting to speculate as to why executions are no longer held in public --- could it be that the sight of a deliberate killing is somehow deleterious to society?   
Regardless of the possible negative effects that public executions may have on society, it is clear that certain countries still consider that executions per se have a deterrent effect, as evidenced by their continued popularity; however most Western criminologists believe that there is no conclusive evidence that the death penalty is any more effective as a deterrent than life imprisonment. [2. Microsoft]&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Proponents of capital punishment would argue that the deterrent effect of capital punishment, whether public or not, is far stronger than the threat of life imprisonment, a view which is shared by the majority of the U.S. public opinion.   This view does not accord with the evidence.  [2. Microsoft]   In one study, it was shown that two adjacent states (one with capital punishment and the other with life imprisonment) showed no significant differences in the murder rate.  In fact, states that use the death penalty seem to have higher murder rates than those which do not, (although this does not necessarily imply a reverse causal relationship, as many other factors are involved, including the influences of demography and poverty.)   Similarly, no change was seen when one state first abolished then reintroduced the death penalty, and no reduction in murders has been found in cities where executions have recently taken place.  Thus it may be seen that capital punishment has no statistically significant effect on the rate of murder in a state, from which we can deduce that the deterrent effect of executions is negligible.  Unfortunately, neither capital punishment nor imprisonment seem to be capable of slowing the growth of crime in modern society.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Since deterrence is no longer a convincing argument in favour of capital punishment, we may turn briefly to consideration of the economics of death.  
At first glance, it would seem that simply killing an offender may be cheaper than keeping him or her in gaol for life.  This is true in some countries, such as China, which has a policy of "one execution, one bullet."  In Western countries, however, the extensive legal proceedings of indictment, trials, appeals and their associated expenses have been shown to cost more than the projected costs of life-long incarceration.   This apparatus is necessary to reduce the likelihood of mistakes in the administration of justice, since more innocent people would be executed if matters were speedier.  Advocates of capital punishment who claim that long-term use of imprisonment costs taxpayers more than executions not only fail to provide evidence for their arguments, but also commit the fallacy of an appeal to greed (lower costs may potentially mean lower taxes), at the expense of compassion.  Such logic can lead to the view that public health services should be denied to the elderly or to smokers, because they're more likely to die than others on whom limited funds could more effectively be spent.  A further danger of this type of thinking is that once capital punishment is commonly used for murderers, it may more easily be extended to other crimes.  For example, China has recently begun a series of executions of people who have defrauded the government of V.A.T. (Value Added Taxes.)  Should tax evasion also be considered a capital crime?&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; A third area which has been used to attack capital punishment is that of bias in its application.  Although advocates of capital punishment would argue that there is nothing inherent in the laws of capital punishment that causes racist, sexist or class bias in its application, research has shown [2. Microsoft] that all of these biases have been demonstrated.  
For a start, women are responsible for 20% of all homicides, yet proportionally far fewer women are executed than men --- a bias which works in the women's favour, but discriminates against men.  Secondly, when considering sentencing of convicted murderers, racism is clearly a factor in determining the death penalty, with statistics showing that black men are far more likely to be executed for similar crimes than white men.  Finally, defendants without the money or influence to buy experienced (and often expensive) legal counsel are more likely to be executed than well-educated and wealthy murderers.  From the above, it may be seen that any suggestion that capital punishment is unbiased fails to meet the same standard of evidence that might be applied in judging a defendant.  Now let us consider the most abstract, yet to many, the most compelling argument against capital punishment --- the ethical one.  &lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; When we execute a convicted person, what are our reasons?  Are we killing him or her to exact vengeance on behalf of those wronged?   Such retribution does nothing for them --- it certainly won't bring back the victim of a murder.   Do we want to remove the offender from society, eliminating any chance that he or she will reoffend?  In this case, it could be argued that life imprisonment should be sufficient, especially when it is accompanied by attempts at rehabilitation.   Admittedly, there are problems with this argument, for example, if a prisoner escapes, he or she often returns to a life of crime.  Furthermore, some prisoners who are paroled lapse back into offending.  Such failures, however, point more to a failure of the current system of rehabilitation rather than any fundamental error in the rationale for opposing capital punishment.  Surely, each person deserves a second chance?  
When such persons reoffend, society has the right to deny them liberty, but not to deny them their lives.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Will executing criminals reduce crime?  Unfortunately, as already argued, not even the threat of death is enough to slow the growth of crime in our increasingly sick society.   Whatever the reason, it is important to consider the effect that the execution has upon those who carry it out.  Given that the act of killing can desensitize the finer human feelings of compassion and forgiveness (as may be seen in times of war and in slaughter-house workers), society has a moral obligation toward those who carry out the punishment on its behalf.   Someone has to pull the trigger, throw the switch or inject the poison that ends a life.  The chain of responsibility continues back to prosecutors, judge and jury, through to the legislators who voted for capital punishments as an option, and eventually to each of us.   Each person who supports, condones or does not actively oppose capital punishment is in some small way contributing to its continuation, and to the debilitating effect this has upon society.  That this effect is real was shown by a recent Time [3] magazine article, in which a judge in the Philippines formed a club for judges who have imposed the recently reintroduced death penalty.  He explained that some form of support group was needed by those who had to give such terrible sentences.  How much worse must the effect be on those who have to carry out the execution?  Moral philosophy might provide an answer to the question of whether we have an ethical obligation to our fellow citizens.  
Once such an obligation is recognized, we might then accept responsibility in a personal sense for permitting society to kill on our behalf, whether in time of war or through execution of murderers.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Recognition of personal responsibility for the death of others was first suggested by John Donne, who talked about no man being an island, existing apart and separate from society.  Donne's view, although radical in his day, is now increasingly seen to be true.  (Depth ecology [4. Lovelock] takes this idea further, suggesting that all life on earth is somehow interconnected by ties of mutual dependence, as demonstrated by environmental problems knowing no political boundaries.)  Social philosophers such as Bertrand Russell suggested that each individual must participate fully in the life of society, and that personal ethical decisions should be made for the good of society.  In a contrasting view, Hegel argued that moral choice was not the result of a social contract as outlined by Hobbes, but a natural outgrowth of healthy family life.  In either view, human beings must make choices that dictate their place in, and the operation of, the society in which they live.  Such a choice is made when we determine that people who seriously transgress our laws are to be denied their freedom.  These choices link each of us in an inextricable web of moral responsibility, in which the serious offender may be seen as one who is threatening the health of society.  A common analogy is that if we consider society as a single body, then criminals are similar in effect to disease organisms, which can cause suffering to the whole body.  (Of course it must be acknowledged that criminals are often a product of illnesses that afflict the whole of society, such as poverty, racism and poor education.)  When something threatens our health, we generally act to destroy it, isolate it or control its effects.   
In the case of habitual criminals, we seek to reduce their negative impact on society by denying them freedom.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; In the past, this denial of freedom was achieved in one of several ways: either by imprisonment, mutilation, banishment or death.  Today, banishment is no longer practical, and mutilation by the state is considered cruel and unusual punishment by all but the most fundamentalist of Islamic states (although the senate of one U.S. state has just allowed for the surgical castration of sexual offenders), leaving us with two options --- imprisonment or death.   Incarceration alone, however, is not sufficient for an ethical society.  Penal science advocates rehabilitation --- the training and reeducation of offenders so that they may potentially contribute once again to, and enjoy the privileges of, a free society.  Such a choice means that a price must be paid, in the form of higher taxes to pay for the construction and maintenance of prisons --- but greed should not be an acceptable argument for the use of capital punishment, as earlier discussed.  &lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; In summary, I have dealt with capital punishment in terms of its failure to deter, its economics and its inherent unfairness.  A serious consideration of the ethical basis for eliminating execution as a means of combating crime has shown that there is a wider picture that must be grasped.   That wider view may be analogous to the holistic view of medicine, which states that when an individual part of the body is sick, then the whole person is ill.  Similarly, when an individual chooses to commit crimes such as murder, this is a sign that the whole of human society is somehow sick.   If it is your finger that pulls the trigger, is it enough to simply cut it off?  No, because the whole person is responsible.  
By analogy, when one person runs amok, we need to look at all of the factors influencing this behaviour, including education, racism and poverty.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt; Just as the hand may be seen as symbolically responsible for killing, it may equally be used to prevent death.  If you feel as I do that termination of human life is wrong, then pick up a pen and write a letter --- to your congressman, political party, newspaper or judge.  Make your feelings known, that every time a state chooses to end someone's life, such an act is against your will.   Eventually, public opinion may be educated to the point where it recognizes that executions are both barbaric and unnecessary, in the same way that we now condemn slavery, torture and murder.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;References:&lt;br /&gt;&lt;br /&gt;1. This is a quote from Voltaire, who wrote of England that "it is good to kill an admiral from time to time, to encourage the others."  (Pour encourager les autres.)  The reference is to Admiral John Byng, who was executed in 1757 for failing to relieve Minorca.&lt;br /&gt;2. Microsoft Encarta Encyclopedia, article on Capital Punishment. &lt;br /&gt;3. Time Magazine, March 1995&lt;br /&gt;4. Lovelock, J.  
The Gaia Hypothesis&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6046132643513579247?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6046132643513579247/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6046132643513579247' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6046132643513579247'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6046132643513579247'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/02/recycled-essay-on-capital-punishment.html' title='Recycled: Essay on Capital Punishment'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-9014305684393707072</id><published>2009-02-05T08:57:00.008+01:00</published><updated>2009-02-05T09:12:50.205+01:00</updated><title type='text'>The totem animals of the United Nations Bureaucrat</title><content type='html'>&lt;span style="font-style:italic;"&gt;Many years ago, I used to work for the United Nations.  While bored at the office one day, I composed the following essay (1996)...&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;It was a quiet night in November.  
I was working late in the United Nations building, finishing off a document for a forthcoming conference, when I decided to take a break for a cup of machine coffee.  Heading back to my cubicle, I nearly bumped into an elderly man shuffling around the corner.  His UN Retiree’s pass fell off, and I automatically reached down to pick it up.  He must have been more agile than he looked, because our heads bumped as he ducked too.  Laughing, we agreed to head back to the coffee area, where we sat on some low chairs, and he started talking.&lt;br /&gt;&lt;br /&gt;He told me this story, which he said was told to him by a friend of a friend.   His eyes twinkled, as he asked me whether I knew about the three totem animals of the U.N.  Pleading ignorance, I smiled, and he continued.&lt;br /&gt;&lt;br /&gt;The first totem animal of the UN bureaucrat is the &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_10VKxm1G3fc/SYqdGD91WKI/AAAAAAAACwI/vz1FNcB5OkU/s1600-h/sloth.gif"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://2.bp.blogspot.com/_10VKxm1G3fc/SYqdGD91WKI/AAAAAAAACwI/vz1FNcB5OkU/s320/sloth.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5299220639024240802" /&gt;&lt;/a&gt;&lt;br /&gt;three-toed sloth &lt;span style="font-style:italic;"&gt;(Bradypus tridactylus)&lt;/span&gt;.   A native of South America, this animal has long puzzled Biblical scholars, due to its amazing abilities.  How could a pair of these intrepid animals have made the incredible journey from their home in the wilds of the Amazon basin, all the way to Mount Ararat in time for Noah to take them on board the ark?  Clearly, they must have a prodigious capability for anticipation of important events.  Calculating a daily distance travelled of around 3 km, the pair must have known about the forthcoming inundation over 30 years before the first drops fell.  
Imagine the sneers of the other sloths as these two visionaries departed on their epic adventure.  &lt;br /&gt;&lt;br /&gt;The hardships of the journey are almost beyond belief, with intervening stretches of desert, ocean, ice-floes and predators all too capable of running down an animal whose best defence consists in hanging upside down in a tree, nearly motionless.  It is this motionlessness which fits the sloth for its place at the bottom of the UN totem pole, as staff members have sometimes been known to avoid the predatory glance of internal auditors through remaining absolutely still at their desks.&lt;br /&gt;&lt;br /&gt;Our second totem animal also spends considerable time in trees.  &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_10VKxm1G3fc/SYqd-0nbigI/AAAAAAAACwQ/ABQfV2EdWHI/s1600-h/svb71b73.gif"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 179px; height: 233px;" src="http://3.bp.blogspot.com/_10VKxm1G3fc/SYqd-0nbigI/AAAAAAAACwQ/ABQfV2EdWHI/s320/svb71b73.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5299221614156286466" /&gt;&lt;/a&gt; Evolving in the great southern land of Australia, the koala bear (&lt;span style="font-style:italic;"&gt;Phascolarctos cinereus&lt;/span&gt;) is blessed with the ability to sit motionless on a branch for dozens of hours at a stretch, occasionally reaching for a new handful of gum leaves to chew.  This unique talent is so well-developed that the koala has actually evolved a hard bony plate in its rear, which it uses to sit on the durable wood of the gum trees.  Any UN bureaucrat worth his or her salt would immediately recognise the advantages of such an adaptation, given the long meetings, conferences, sessions and plenaries that fill our days, not to mention long hours in front of a desk.&lt;br /&gt;&lt;br /&gt;For the third and final totem animal, we turn to that great reservoir of mysterious life, the ocean.  
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_10VKxm1G3fc/SYqeVv2tfmI/AAAAAAAACwg/fGQ7f9yKcsA/s1600-h/svb71b74.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 250px; height: 188px;" src="http://4.bp.blogspot.com/_10VKxm1G3fc/SYqeVv2tfmI/AAAAAAAACwg/fGQ7f9yKcsA/s320/svb71b74.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5299222008015191650" /&gt;&lt;/a&gt; The humble sea squirt &lt;span style="font-style:italic;"&gt;(Cnemidocarpa finmarkiensis)&lt;/span&gt;, in its juvenile form, frolics in the clear warm waters of the Mediterranean, crawling around the bottom of the sea, called by an unknown impulse to find a suitable rock on which to perch.   When the rock is found, a subtle alchemy occurs within the metabolism of the sea-squirt, as it undergoes a sea-change, from animal to a kind of sea vegetable.  To facilitate the process, the sea-squirt glues itself to the rock in much the same way as oysters do, its permanent post now assured.  It immediately begins the next stage of its transformation.  The rudimentary brain it used to find the rock is now superfluous, so the sea-squirt starts to absorb it, effectively digesting its own brain.  Sadly, the parallel is in some cases all too clear, as the staff member with the permanent post is no longer obliged to engage in creative thought.&lt;br /&gt;&lt;br /&gt;My new friend got up to leave, his eyes still twinkling.  “Don’t worry too much about the Bureaucratic totem animals.  They’re only as true as you want them to be.  Perhaps we’ll meet again someday, and I can tell you of the feeding frenzies that follow the release of the hy… --I mean delegates—as they leave their great meetings.  
But that’s another story.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-9014305684393707072?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/9014305684393707072/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=9014305684393707072' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/9014305684393707072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/9014305684393707072'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/02/totem-animals-of-united-nations.html' title='The totem animals of the United Nations Bureaucrat'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_10VKxm1G3fc/SYqdGD91WKI/AAAAAAAACwI/vz1FNcB5OkU/s72-c/sloth.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3267874520363469564</id><published>2009-02-04T13:28:00.003+01:00</published><updated>2009-02-04T13:38:26.089+01:00</updated><title type='text'>More random twitterings</title><content type='html'>After literally years of procrastination, I have taken the plunge into the world of micro-blogging.  
I may be found on Twitter here:  &lt;a href="http://www.twitter.com/ahbleza/"&gt;http://www.twitter.com/ahbleza/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I've been very careful about joining various social media sites -- I decided long ago to avoid MySpace, Bebo, Facebook and the like.  I am active on LinkedIn for professional purposes, and occasionally maintain my old personal web site -- &lt;a href="http://www.gillingwater.org"&gt;http://www.gillingwater.org&lt;/a&gt; -- but that's down at present until I get a chance to update it.&lt;br /&gt;&lt;br /&gt;Twitter is a lot of fun, and functions wonderfully as a disintermediation device between various minor (and a few major) celebrities and their stal^H^H^H^H fans.  If you've not joined up, I recommend it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3267874520363469564?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3267874520363469564/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3267874520363469564' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3267874520363469564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3267874520363469564'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/02/more-random-twitterings.html' title='More random twitterings'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-718366830388933447</id><published>2009-01-06T19:46:00.003+01:00</published><updated>2009-01-06T20:42:38.160+01:00</updated><title type='text'>Google G1 Handy activation in Austria</title><content type='html'>First a note for international readers -- in Austria and Germany, the word "Handy" is used ubiquitously for mobile phones, even among native English speakers.&lt;br /&gt;&lt;br /&gt;In December, I had the opportunity to pass through Dubai (more about that in a subsequent post), and went shopping.  I was lucky enough to find a store selling the new t-Mobile G1 phone, which is based on the HTC Dream hardware platform, and which runs the new Android operating system (based on Linux.)&lt;br /&gt;&lt;br /&gt;The shop assistant helpfully pointed out that the phone couldn't be used in every country, and had a complex unlocking process, but I'd researched this already, and was prepared for it.  I handed over my UAE currency, and received the box.  It was a standard package, but was missing the latest addition I'd read about, a cable to adapt from the micro-USB to standard ear-phone jack, so it wasn't the latest version.&lt;br /&gt;&lt;br /&gt;I knew it probably wouldn't work, but I tried a few different SIMs (none of them t-Mobile) to get past the initial activation -- and sure enough, I got to the point where it asks for the Gmail login, but the G1 timed out every time.  I figured I would have more luck back in Austria, and sure enough, this week I was successful.&lt;br /&gt;&lt;br /&gt;I visited a small shop that offers various telephone-related services, and bought a t-Mobile pre-paid card.  
(At first, I borrowed a t-Mobile SIM from the shop assistant, but it didn't work -- this was due to data services not being enabled on the SIM, as I proved when I tested it in my existing Nokia.)  Plugging in the new t-Mobile SIM, I was successfully able to complete the initial registration (using my existing Gmail account), and started the process of downloading applications.&lt;br /&gt;&lt;br /&gt;Now here was the first problem -- the initial pre-paid sum of 20 Euros disappeared VERY rapidly, and I was soon cut off.  I realized that t-Mobile charge excessively for data traffic with their pre-paid cards, and that viewing Google Maps and downloading all those apps wasn't a smart idea.  Since I was planning to use it with another SIM anyway, I didn't plan to sign on to a more economical data plan from t-Mobile.  (They seem to offer 10 Gb for 10 Euros per month for existing voice accounts, which seems quite reasonable for a mobile service plan.)&lt;br /&gt;&lt;br /&gt;Once I got home, I switched the phone to use my Wireless LAN, and downloaded to my heart's content.&lt;br /&gt;&lt;br /&gt;I read the process to switch the G1 to another network provider, and started by booting the Android into safe mode (hold down the Menu button when powering on), then used the *#06# sequence to display the IMEI.  I figured that I would need this to submit to the t-Mobile unlocking service.&lt;br /&gt;&lt;br /&gt;Just for a laugh, I tried using my non-t-Mobile SIM in the G1.  Hmmm...  booted up OK.  Accessing 3G services... OK.  Calls in and out... OK.  Wha?  I realized that the Handy I had purchased in Dubai must have already been unlocked, because I certainly didn't enter an unlock code, and it's not a developer version.&lt;br /&gt;&lt;br /&gt;My next challenge is to download the newest firmware -- this one seems to be running version 1.0.  Hopefully, it will still work after the upgrade.  
Because I'm not using t-Mobile as my primary carrier, I suspect the over-the-air update won't reach me.&lt;br /&gt;&lt;br /&gt;I've been using the phone fairly extensively for the past few days, and I must say I like it a lot.  I have seen the iPhone 3G in operation, and feel the G1 is close to that standard, while offering a few features the iPhone doesn't have, like WLAN, a hardware keyboard, GPS, and a more open platform.  Admittedly, the Android Market hasn't quite reached the 10,000 applications offered by the iPhone Marketplace, but I suspect it's just a matter of time, once Google allow people to make money through it.&lt;br /&gt;&lt;br /&gt;Voice quality on the G1 is definitely better than my Nokia N73, and usability is far superior to Symbian, even with after-market add-ons like Fring (which I quite like.)  I've upgraded the micro-SD to 8 GB, so it has plenty of room for music and photos, and migrating all my existing contacts was a breeze (I merged my Gmail contacts with a copy of the SIM from my old mobile.)  Battery life is the one weakness I have identified, but I've heard that HTC have a next-generation battery available soon which should improve that problem.&lt;br /&gt;&lt;br /&gt;Most applications have been easy to learn to use.  One small thing which wasn't immediately obvious -- accented characters can be typed by holding down the appropriate matching letter, then selecting from a list of accented versions which pops up.&lt;br /&gt;&lt;br /&gt;Another minor issue is that sometimes the G1 loses the WPA-secured signal from my WLAN router, which doesn't automatically reconnect.  
Once noticed, I can reconnect manually, but it's something that hopefully will be fixed in a subsequent revision.&lt;br /&gt;&lt;br /&gt;On the whole, I would say I am highly satisfied with the Google G1, and look forward to seeing what after-market software can do for me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-718366830388933447?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/718366830388933447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=718366830388933447' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/718366830388933447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/718366830388933447'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2009/01/google-g1-handy-activation-in-austria.html' title='Google G1 Handy activation in Austria'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6634288263790454357</id><published>2008-12-01T16:05:00.003+01:00</published><updated>2009-01-06T21:04:25.323+01:00</updated><title type='text'>ADSL Insanity in Austria</title><content type='html'>So, I decided to upgrade my Internet experience, and ordered the "aDSL solo Privat max 8192/768" from iNode (now part of UPC) in 
Vienna, Austria.&lt;br /&gt;&lt;br /&gt;Dealing with this company as a private customer is simply hell.  They have phone trees which lead nowhere, or which direct you through to a hotline, only to immediately drop the call because of overload.  When you do finally get through, they take a long time to process, and need to put you on hold for ages (assuming they don't simply do this for the pleasure of winding up "difficult" customers.)&lt;br /&gt;&lt;br /&gt;My record for one call trying to get this Internet connection sorted out was more than one hour and five minutes.&lt;br /&gt;&lt;br /&gt;Here's the fun part -- I first placed the order with them on October 8th.  They finally gave me an installation date -- 2 January 2009.   Yes, more than 10 weeks.  They claim this is not their fault, because they outsource the installation of ADSL connections to Telekom Austria -- but I believe this is simply an excuse.  Perhaps they are overloaded with demand, but they won't stay in business long if they treat customers in this way.  Solve the problem already! &lt;br /&gt;&lt;br /&gt;It gets better.  I called to cancel, saying that 10 weeks is too long to wait.  (In the meantime, I have been using mobile Internet, which is much more convenient.)  And they tell me that there is a "cancellation charge" of 180 Euros -- for a service which they haven't been able to install!  Oh yeah, and they blame this charge on Telekom as well.&lt;br /&gt;&lt;br /&gt;So, bottom line.  If you are an Internet user in Austria, &lt;b&gt;STAY AWAY FROM INODE/UPC&lt;/b&gt;.  They will rip you off, and are unable to deliver in a timely manner.  Their support is abysmal, and they seem to be engaged in a marketing war with Telekom (to whom they subcontract the installation.)  You have been warned.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Updated 6 Jan 2009:&lt;/b&gt; Finally, the Telekom installer came on 2 January (as promised), and installed the ADSL modem.  
So, now I have Internet again -- but there were still issues.  First, the router wasn't working.  I called tech support (which was quite helpful), and learned that I had to manually add the login credentials, via the Web interface at 10.0.0.138.  Second, the default configuration for the Thomson ADSL router leaves the wireless access point completely unsecured.  As I already have enough WLAN routers, I simply disabled it.  Third, and this is the most serious issue -- the ADSL connection was set for a downstream bandwidth of 1,088 kbps and upstream 128 kbps -- roughly one eighth of the 8192/768 kbps I am paying for.  I've logged another service call, and naturally it's down to an argument between UPC and Telekom again, each blaming the other.  I'll be happy if they can increase it to 4 Mbps downstream.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6634288263790454357?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6634288263790454357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6634288263790454357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6634288263790454357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6634288263790454357'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/12/adsl-insanity-in-austria.html' title='ADSL Insanity in Austria'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8346658037843195535</id><published>2008-09-04T22:47:00.003+02:00</published><updated>2008-09-04T23:15:53.295+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='heathrow hell baa'/><title type='text'>One night in London (are we there yet?)</title><content type='html'>The journey started out uneventfully.  I was flying from Vienna to London Heathrow last Sunday night.  The Austrian Airlines flight was quite full.  Scheduled for 7:45 p.m., it left at 8 p.m. due to availability of the landing slot in London, but the pilot told us he would try to make up the time in the flight, so we expected a close to on-time arrival.&lt;br /&gt;&lt;br /&gt;After two hours, we were approaching London Heathrow, when the pilot informed us we needed to sit in a holding pattern, while we waited for our landing assignment.  Everyone on board was relaxed -- there had been no turbulence, and the cabin staff were friendly and attentive.  After four or five circuits, some people were beginning to become impatient -- and then the Captain announced that we had to divert to Gatwick, due to weather-related problems at Heathrow.&lt;br /&gt;&lt;br /&gt;Well, this was a major inconvenience for many, but not an unmitigated disaster.  The pilot expressed the view that perhaps the plane could be refueled, and fly on to Heathrow when a slot became available.  We landed at Gatwick 20 minutes later, and waited for the airstairs to arrive, along with the necessary buses.&lt;br /&gt;&lt;br /&gt;After fifteen minutes of waiting, the Captain apologized for the delay, explaining that Austrian Airlines wasn't able to find a gate agent to assist, but they were working on the problem.  
Again, he suggested that some people might wish to deplane at Gatwick, but their checked luggage would have to stay on board due to safety regulations (which in my view shouldn't apply for such a diversion -- but sorting through the luggage to separate items for individual passengers would of course be too time consuming.)&lt;br /&gt;&lt;br /&gt;The time dragged on.  The Captain was apologetic but professional, and gave us regular updates on the situation.  Eventually, we waited two and a half hours on the ground, with no one able to leave the plane.  The Heathrow option was no longer on the table -- that airport was closed.  It was now past midnight.  According to the Captain, in his more than twenty years of flying, including many airports in Africa, he had never experienced such a situation, where passengers were kept on a diverted aircraft because of unavailability of a gate agent company.  &lt;br /&gt;&lt;br /&gt;With the one hour time zone difference, our expected UK arrival time would have been 10:30 p.m.  Including the holding pattern delays, we eventually landed in Gatwick at around 11:30 p.m.  Two and a half hours later, we were allowed to board the buses to the terminal.  Our pilot informed us that the matter had to be escalated through the Austrian foreign ministry, using diplomatic channels, as the situation was so unusual.&lt;br /&gt;&lt;br /&gt;But things weren't over yet.  Once inside the terminal, it took forty minutes before any announcement was made about our luggage -- and another twenty minutes before it arrived on the conveyor.  Next, I had to wait another half hour for the bus to Heathrow airport -- which took an hour.  &lt;br /&gt;&lt;br /&gt;Eventually, I arrived at Heathrow at 3:30 am -- that's after more than eight hours of travel, for something which should have taken less than three hours.   
Naturally, we weren't the only flight affected, leading to all hotels around Heathrow being full (except for the ones charging 200 pounds per night.)  I chose to spend the night sleeping on the floor in Terminal two, to meet my wife's flight the next morning.&lt;br /&gt;&lt;br /&gt;Next time, it might be faster to take a train.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8346658037843195535?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8346658037843195535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8346658037843195535' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8346658037843195535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8346658037843195535'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/09/one-night-in-london-are-we-there-yet.html' title='One night in London (are we there yet?)'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2900404365677164008</id><published>2008-08-11T14:39:00.007+02:00</published><updated>2008-08-11T15:32:01.182+02:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='eee pc mobile yesss austria internet'/><title type='text'>Pre-paid Mobile Internet 
Surfing in Austria</title><content type='html'>The offer seems quite compelling: pre-paid Mobile Internet surfing, using an anonymous card which you can buy in a supermarket.&lt;br /&gt;&lt;br /&gt;But does it work?&lt;br /&gt;&lt;br /&gt;Here's the link to the offer:  &lt;a href="http://www.yesss.at/diskont-surfen/angebote.php"&gt;http://www.yesss.at/diskont-surfen/angebote.php&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It's sold in Austria through a chain of German supermarkets, which go by the name of &lt;a href="http://www.hofer.at/"&gt;Hofer&lt;/a&gt;.  They take cash, so anonymity is assured.&lt;br /&gt;&lt;br /&gt;They sell an unlocked modem (the Huawei E220, with HSDPA/UMTS/GPRS/GSM compatibility) for &amp;euro;69.99, and a pre-paid SIM card with (allegedly) 2 GB of data for 20 Euros -- with optional bonus cards selling additional blocks of 2 GB for the same rate.&lt;br /&gt;&lt;br /&gt;I then struggled to make it work.  Frankly, it was a real pain.  Plugging it in to my Windows XP laptop, I saw the E:\ drive with all necessary files appear momentarily -- then disappear a few seconds later.  Maybe it's a problem with some security software on my laptop, but I simply couldn't make it install under Windows.  The support web site offers a Windows Vista download, but no files for XP -- you're meant to install direct from the USB connection.&lt;br /&gt;&lt;br /&gt;So, I then tried my MacBook Pro.  The software for this is on their Web site -- but once again, it was a bust.  I was able to download and install the software, but couldn't configure it -- it failed each time I tried to add the APN information.&lt;br /&gt;&lt;br /&gt;Finally, I got out my trusty Asus eee PC, running the standard Xandros distribution.  I plugged it in, was prompted for the PIN, then configured the APN (which for this network in Austria is web.yesss.at), and clicked connect... 
and it worked perfectly.&lt;br /&gt;&lt;br /&gt;So, here we have a system which struggles with Windows XP and OSX 10.5, yet works like a charm with Linux.  Of course, I intended all along to use it with my eee PC, so I am quite pleased it works, but am still a little frustrated I couldn't get it working with the other systems.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Update:&lt;/b&gt; looking into the tariff options is interesting.  Basically, they have two tariffs, one for light occasional use, and the other for heavy users.  Both tariffs cost 20 Euros -- but for a heavy user, that 20 Euros buys 2 GB of data, while for an occasional user, it buys only 1 GB of data.  The difference?   As a heavy user, you must consume all of your 2 GB in one month, while occasional users get a year to consume the credit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2900404365677164008?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2900404365677164008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2900404365677164008' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2900404365677164008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2900404365677164008'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/08/pre-paid-mobile-internet-surfing-in.html' title='Pre-paid Mobile Internet Surfing in Austria'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1653714768825755641</id><published>2008-07-25T13:54:00.002+02:00</published><updated>2008-07-25T13:57:21.983+02:00</updated><title type='text'>My first Knol</title><content type='html'>OK, I decided to dip my toe into the Knowledge Management new wave (apart from tinkering with various articles on wikipedia over the years.)  I have therefore published my first &lt;a href="http://knol.google.com/"&gt;Knol&lt;/a&gt;, on the subject of &lt;a href="http://knol.google.com/k/paul-gillingwater/risk-management-applied-to-banking-fraud/11nrtk2hclnm3/2#"&gt;Financial Fraud and Risk Management.&lt;/a&gt;  Feel free to check it out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1653714768825755641?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1653714768825755641/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1653714768825755641' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1653714768825755641'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1653714768825755641'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/07/my-first-knol.html' title='My first Knol'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-309368503090834867</id><published>2008-02-03T21:34:00.003+01:00</published><updated>2008-02-13T17:59:49.809+01:00</updated><title type='text'>The Kerviel File</title><content type='html'>&lt;p&gt;There has been a lot of ink printed about J&amp;eacute;r&amp;ocirc;me Kerviel, the trader at Soci&amp;eacute;t&amp;eacute; G&amp;eacute;n&amp;eacute;rale who cost the Bank US$7.2 billion.  This is a classic case of failure of controls, which shows that there was a culture of lax oversight and enforcement.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Two recent articles caught my eye -- from the &lt;a href="http://online.wsj.com/article/SB120191910348337311.html?mod=hps_us_pageone"&gt;Wall Street Journal&lt;/a&gt;, and &lt;a href="http://www.theregister.co.uk/2008/01/31/kerviel/"&gt;The Register&lt;/a&gt;.  The former is a cogent analysis of what went wrong with the controls, and how the bank was forced to unwind the position, possibly contributing to the recent global hiccough on the world markets.&lt;br /&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Especially noteworthy is the old chestnut of an employee who fails to take holidays -- the classic danger sign which every auditor is trained to look for.  How could SG's internal revision department not see this as a red flag?  It's a clear indicator that an employee doesn't want their position to be too closely inspected -- especially in one where such huge risks are being taken.  Ostensibly, however, Kerviel's position was one of arbitrage, which should eliminate risk -- however, for reasons which have yet to be revealed, his counter trades were not covered, or were fictitious.  
&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It was also interesting that the Deutsche Börse's Surveillance unit was the first to alert SG to the volume of trades -- but Kerviel himself blocked this, and it wasn't until a month later that, in order to cover a massive &lt;i&gt;profit!&lt;/i&gt; (which turned into a loss in a matter of days), a brokerage house was involved in the cover-up, which triggered a credit check, which forced his back office to investigate further, and led to his recall from holiday and eventual dismissal (which, even now, isn't yet formalized due to French corporate culture.)&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The Register's take is even more interesting, suggesting a number of ways that the trades could be masked.  Once again, the classic techniques of "borrowing" passwords from colleagues, and the triviality of fudging the figures in Excel sheets used for reporting, highlight just how vulnerable most major Banks might be in this area.  I especially recommend reading the comments from industry insiders, which suggest such abuse of systems and lack of formal oversight is endemic.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The Risks are clear -- any employee who is granted privileged access needs an appropriate level of oversight and relevant controls, however tedious, which are required to prevent similar events from unfolding in even the most reputable of institutions.  
And despite the progress of industry regulation and self-policing in the past dozen years since the collapse of Barings Bank, not enough is being done.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The remedies are not very difficult -- clear segregation of duties, independent risk management, enforcement of policies, and regular rigorous audit -- but they are not being adequately applied, and until European Bank Managers experience personal liability (as their cousins in the USA are starting to feel with Sarbanes-Oxley), we will continue to see collapses, possibly even larger than the latest fiasco.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-309368503090834867?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/309368503090834867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=309368503090834867' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/309368503090834867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/309368503090834867'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/02/kerviel-file.html' title='The Kerviel File'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1539707158021190172</id><published>2008-02-01T22:45:00.001+01:00</published><updated>2009-03-30T14:48:36.097+02:00</updated><title type='text'>Vienna Review Newspaper</title><content type='html'>I am proud to be associated with the &lt;a href="http://www.viennareview.net/"&gt;Vienna Review&lt;/a&gt; newspaper, who are launching their new Web site next week.  I've been privileged to assist the capable &lt;a href="http://www.viennareview.net/index.php?article_id=40"&gt;team of students and staff&lt;/a&gt;, who are making the transition onto the Web.&lt;br /&gt;&lt;br /&gt;Already published for several years as one of Vienna's few English-language newspapers, the title has prospered under the leadership of experienced journalist and professor, Dardis McNamee, who draws upon the talents of her students and several willing external volunteers, who donate their time to produce an impressive print publication.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Update March 2009&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;One year later, and we have relaunched the website, based on a new platform called &lt;a href="http://www.prosepoint.org"&gt;ProsePoint&lt;/a&gt;, a variation based on &lt;a href="http://www.drupal.org"&gt;Drupal&lt;/a&gt;.  
ProsePoint is much better suited to the needs of an on-line newspaper, providing better layout and control, as well as editions, author bios, comments, and much more.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1539707158021190172?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1539707158021190172/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1539707158021190172' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1539707158021190172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1539707158021190172'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/02/vienna-review-newspaper.html' title='Vienna Review Newspaper'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8551231035326061052</id><published>2008-01-25T17:09:00.000+01:00</published><updated>2008-01-25T17:10:53.520+01:00</updated><title type='text'>A Prayer for Everyone</title><content type='html'>&lt;span style="font-weight:bold;"&gt;The Agnostic Prayer&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Insofar as I may be heard by anything, which may or may not care what I say, I ask, if it matters, that I be forgiven for anything I may have done or failed to do which 
requires forgiveness. &lt;br /&gt;&lt;br /&gt;Conversely, if not forgiveness but something else may be required to insure any possible benefit for which I may be eligible after the destruction of my body, I ask that this, whatever it may be, be granted or withheld, as the case may be, in such a way as to insure my receiving said benefit. &lt;br /&gt;&lt;br /&gt;I ask this in my capacity as my elected intermediary between myself and that which might not be myself, but which may have an interest in the matter of my receiving as much of said benefit as it is possible for me to receive of this thing, and which may in some way be influenced by this ceremony.&lt;br /&gt;&lt;br /&gt;Ramen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8551231035326061052?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8551231035326061052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8551231035326061052' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8551231035326061052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8551231035326061052'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/01/prayer-for-everyone.html' title='A Prayer for Everyone'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-7716312812917790226</id><published>2008-01-24T10:33:00.000+01:00</published><updated>2008-01-24T13:39:15.374+01:00</updated><title type='text'>New developments in SPAM?</title><content type='html'>I have fought SPAM off and on for nearly ten years, having administered mail servers for large organizations, but these days, I leave it to Google, by routing all my email through their excellent systems.&lt;br /&gt;&lt;br /&gt;However, occasionally one slips through, and this one happened to catch my attention.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;ATTN:&lt;br /&gt;I am Mr Mike Leonard,a registered and legitimate private loan lender. I give out loans to Individuals,families,student,Organization, Business Men and women that needs financial assistance at the interest rate of 3%&lt;br /&gt;Loan is given out in Pounds, Euro and $US. The MAXIMUM I give is 5,000,000 both in pounds and $US and the MINIMUM is 5,000 pounds and US$ so if you are really interested contact us for more information on how the loan can be transfered to you.&lt;br /&gt;There is one Question i have to ask i hope you are serious? 
Because we give out loan to serious minded people and those that we know they can pay us at the stipulated time that was agreed.&lt;br /&gt;Loan that is more $10,000,000M can be given to those that falls only on this category.&lt;br /&gt;&lt;br /&gt;Manager of a company&lt;br /&gt;A private Holder&lt;br /&gt;A broker in banks&lt;br /&gt;A director in any office or company&lt;br /&gt;A high investor of a company&lt;br /&gt;If you are interested you have to fill this application form below.&lt;br /&gt;*Applicant full name:....................................&lt;br /&gt;&lt;br /&gt;* Applicant Contact Address:..............................&lt;br /&gt;&lt;br /&gt;* Phone No:.....................................&lt;br /&gt;&lt;br /&gt;* Country:.......................................&lt;br /&gt;* Age:.............................................&lt;br /&gt;&lt;br /&gt;* Marital Status:................................&lt;br /&gt;* Amount Required As Loan:............................&lt;br /&gt;*Proposed Terms/Duration Of Loan:..................&lt;br /&gt;.&lt;br /&gt;*Annual Income:..................................&lt;br /&gt;&lt;br /&gt;*Occupation:......................................&lt;br /&gt;&lt;br /&gt;Mode of Payment:&lt;br /&gt;* Payment by bank to bank transfer&lt;br /&gt;* Payment by bank certified check(courier)&lt;br /&gt;************************************&lt;br /&gt;Fill this for and get back to us so that my loan terms and conditions will be sent to you. If you are interested i need you to get back to us via mike.leoloans@gmail.com and you will be glad you did!!!&lt;br /&gt;Best regards,&lt;br /&gt;Sign;&lt;br /&gt;Mgt. 
&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;And also this one:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Earle Crane to brad.boyce &lt;br /&gt; &lt;br /&gt;If you have your own business and want:&lt;br /&gt;&lt;br /&gt;- IMMEDIATE cash to spend ANY way you like.&lt;br /&gt;- Extra money to give the business a boost.&lt;br /&gt;- A low interest loan - NO STRINGS ATTACHED&lt;br /&gt;&lt;br /&gt;http://www.nowdthis.net.cn&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Without investigating too much, I note that the first link is a relatively new approach (for me at least) to what I expect is a two-fold attack:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Advance fee fraud -- they will "process" the loan, but will expect some payment to facilitate the transfer, which of course will never happen&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Identity Theft -- full disclosure of Bank Account and related details will of course be required.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;The second link is more interesting.  Visiting the site (which seems to use a Chinese DNS name) shows a Web server based in Beijing (which should ring alarm bells), for someone claiming to be "E2 Finance".  At first glance, it might even be legitimate -- I can't figure out the angle, compared with the first one which seems more obvious.  Perhaps they really are offering finance?  Naaah.  They're Spammers.  Spammers lie.  Ergo, they are simply a Phishing site, which will use any disclosed info for identity theft.&lt;br /&gt;&lt;br /&gt;The obvious risk here -- trusting what one reads on the Internet, and entrusting financial information to unknown persons.&lt;br /&gt;&lt;br /&gt;P.S.  I heard a very funny comment on the local FM4 radio station this morning.  I think it was daddyd (Dave), who suggested that the U.K. 
had actually proactively engineered a superb response to the current economic downturn -- by "accidentally" releasing in a series of incidents the identity information of more than half the U.K.'s population, this was going to provide a major boost to the only area of the economy which is currently experiencing double-digit growth -- identity theft.  Respect, mate.  I like the cut of your jib, and would subscribe to your newsletter.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-7716312812917790226?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/7716312812917790226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=7716312812917790226' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7716312812917790226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7716312812917790226'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2008/01/new-developments-in-spam.html' title='New developments in SPAM?'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-4828410295756979579</id><published>2007-12-20T21:43:00.000+01:00</published><updated>2007-12-20T21:49:15.362+01:00</updated><title type='text'>And now for something completely 
different...</title><content type='html'>A little humour at this festive time...&lt;br /&gt;&lt;br /&gt;&lt;hr/&gt;&lt;br /&gt;Phone Menu at the Mental Health Institute&lt;br /&gt;&lt;br /&gt;Hello, and thank you for calling the Mental Health Institute&lt;br /&gt;&lt;br /&gt;If you are obsessive-compulsive, press 1 repeatedly&lt;br /&gt;&lt;br /&gt;If you have multiple personalities, press 2, 3 and 4.&lt;br /&gt;&lt;br /&gt;If you suffer from post-traumatic stress disorder, press 5 but do it v-e-r-y- s-l-o-w-l-y and carefully.&lt;br /&gt;&lt;br /&gt;If you are dyslexic, press 6. Now press 9. Now press 6. Now press 9. Now press 6.&lt;br /&gt;&lt;br /&gt;If you are delusional, press 7 and your call will be transferred to the mothership.&lt;br /&gt;&lt;br /&gt;If you have short term memory loss, press 8. If you have short term memory loss, press 8. If you have short term memory loss, press 8.&lt;br /&gt;&lt;br /&gt;If you have schizophrenia, listen very carefully and a small voice will tell you the number to press.&lt;br /&gt;&lt;br /&gt;If you have a nervous disorder, fidget with the hash key until a representative comes on the line.&lt;br /&gt;&lt;br /&gt;If you are co-dependent, ask someone to press a number for you.&lt;br /&gt;&lt;br /&gt;If you are depressed, don't bother to press any numbers. No one will be able to help you anyway.&lt;br /&gt;&lt;br /&gt;If you are paranoid, you don't need to press anything. We know who you are, we know what you want, and we know how to reach you.&lt;br /&gt;&lt;br /&gt;If you suffer from low self-esteem, please hang up because all our operators are too busy to talk to you.&lt;br /&gt;&lt;hr/&gt;&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Christmas Carols for the Insane&lt;/h3&gt;&lt;br /&gt;1. Schizophrenia - Do You Hear What I Hear?&lt;br /&gt;2. Multiple Personality Disorder - We Three Kings Disorientated Are&lt;br /&gt;3. Dementia - I Think I'll Be Home For Christmas&lt;br /&gt;4. 
Narcissistic - Hark The Herald Angels Sing About Me&lt;br /&gt;5. Manic - Deck the Halls and House and Lawn and Streets and Stores and Office and Town and Cars and Buses and Trucks and Trees and...&lt;br /&gt;6. Paranoid - Santa Claus is Coming to Town to Get Me&lt;br /&gt;7. Borderline Personality Disorder - Thoughts of Roasting on an Open Fire&lt;br /&gt;8. Personality Disorder - You Better Watch Out, I'm Gonna Cry, I'm Gonna Pout, Maybe I'll Tell You Why&lt;br /&gt;9. Attention Deficit Disorder - Silent Night, Holy, ooh look at the froggy - Can I have a chocolate? Why is France so far away?&lt;br /&gt;10. Obsessive Compulsive Disorder - Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells, Jingle Bells.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-4828410295756979579?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/4828410295756979579/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=4828410295756979579' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4828410295756979579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4828410295756979579'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/and-now-for-something-completely.html' title='And now for something completely different...'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2850863312253253611</id><published>2007-12-20T16:07:00.000+01:00</published><updated>2007-12-20T17:15:25.202+01:00</updated><title type='text'>End of the year</title><content type='html'>While the calendar year still has more than a week to run, for many of us, the &lt;a href="http://en.wikipedia.org/wiki/Winter_solstice"&gt;Winter Solstice&lt;/a&gt; is a time of reflection, and marks the end of the year on a much older calendar.  Half way between Samhain and Imbolc, the shortest day (and longest night) of the year is traditionally a time for renewal of hope -- in the certainty that the light will return, that the days will lengthen, and the power of the cold is slowly weakening (although often, some of the worst weather follows the solstice.)&lt;br /&gt;&lt;br /&gt;This has been a year of many transitions and inflexion points, both for myself and some around me.  I've learned a few lessons, and have had to grapple with some challenging topics, some of which are previous topics in my blog.  Business has had its ups and downs (especially with the extreme delays in decision-making by some customers), but I haven't ever regretted leaving my last job, more than seven years ago, and running my own company (for the third time.)&lt;br /&gt;&lt;br /&gt;Another characteristic of the solstice is that everything around us in Nature is showing signs of death or decay.   Trees have lost their leaves, grasses and plants have died away, many birds and small animals have disappeared.  But all is not what it seems, because we know that the green shoots of spring are not far away.   Gradually, the ground squirrels and hedgehogs will come out of their hibernation, and the birds will return, along with the insects, frogs and lizards.  
I guess there is a lesson there, although it doesn't make it any easier to climb stairs, or get out of a nice warm bed on a chilly morning.  Perhaps it's because we all have slightly different rhythms, and suspect the renewal of spring isn't always an option.&lt;br /&gt;&lt;br /&gt;Still, I feel that our beliefs and internal dialog are important characteristics of making our journey through life a positive one -- the old Hermetic axiom, "As a man thinks, so he becomes."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2850863312253253611?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2850863312253253611/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2850863312253253611' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2850863312253253611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2850863312253253611'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/end-of-year.html' title='End of the year'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1864012700169799650</id><published>2007-12-20T12:43:00.000+01:00</published><updated>2007-12-20T12:45:42.596+01:00</updated><title type='text'>Wild Geese  -- A Poem by Mary 
Oliver</title><content type='html'>You do not have to be good.&lt;br /&gt;You do not have to walk on your knees&lt;br /&gt;For a hundred miles through the desert, repenting.&lt;br /&gt;You only have to let the soft animal of your body&lt;br /&gt;love what it loves.&lt;br /&gt;Tell me about despair, yours, and I will tell you mine.&lt;br /&gt;Meanwhile the world goes on.&lt;br /&gt;Meanwhile the sun and the clear pebbles of the rain&lt;br /&gt;are moving across the landscapes,&lt;br /&gt;over the prairies and the deep trees,&lt;br /&gt;the mountains and the rivers.&lt;br /&gt;Meanwhile the wild geese, high in the clean blue air,&lt;br /&gt;are heading home again.&lt;br /&gt;Whoever you are, no matter how lonely,&lt;br /&gt;the world offers itself to your imagination,&lt;br /&gt;calls to you like the wild geese, harsh and exciting --&lt;br /&gt;over and over announcing your place&lt;br /&gt;in the family of things.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;I don't often quote poems on my Blog, but this one is pretty good, and reflects my mood today quite well.  
Happy Eid to all Muslims, as they celebrate the end of Ramadan.&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1864012700169799650?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1864012700169799650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1864012700169799650' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1864012700169799650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1864012700169799650'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/wild-geese-poem-by-mary-oliver.html' title='Wild Geese  -- A Poem by Mary Oliver'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6101507186752382853</id><published>2007-12-16T16:56:00.002+01:00</published><updated>2008-08-23T17:31:43.247+02:00</updated><title type='text'>Significant Increase in SPAM leading up to holiday period</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_10VKxm1G3fc/SLAtU5EpdII/AAAAAAAAAng/UsHA2kwlWLs/s1600-h/spam.png"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" 
src="http://3.bp.blogspot.com/_10VKxm1G3fc/SLAtU5EpdII/AAAAAAAAAng/UsHA2kwlWLs/s320/spam.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5237736203572835458" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;br /&gt;Update August 2008: even more spam...&lt;br /&gt;&lt;br /&gt;It's August 2008, and the level of spam I get in my Gmail account is reaching record levels.  The picture speaks for itself -- basically, that represents 3.6 spam messages per minute, every minute for 24 hours, for the past month.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;-----------------------&lt;br /&gt;I've noticed a huge upsurge in the amount of SPAM reaching my mailbox, especially in the first two weeks of December.  Unfortunately, this seems to have coincided with a &lt;a href="http://en.wikipedia.org/wiki/Joe_job"&gt;Joe Job&lt;/a&gt; against two of my mail domains, lanifex.com and gillingwater.org.  I don't see these attacks as personal, since it's unlikely any Spammers would even bother to target me, but it's irritating having to deal with all the spam. &lt;img src="http://blogs.sun.com/factotum/resource/python-spam.jpg" align="right"&gt;&lt;br /&gt;&lt;br /&gt;Fortunately, most of the heavy lifting is taken care of by Gmail, whose dedication and skill at intercepting spam borders on the miraculous.  My current spam count for the past 30 days (according to the Gmail Spam folder) is 29,712 messages -- which I think must be some sort of record.  That's an average of 41 messages arriving per hour.&lt;br /&gt;&lt;br /&gt;Not all of the messages are directed at me -- due to the Joe Job, many of them are simply bounces from other people's mail systems, either with a spam trap challenging for a human response, or due to the mailbox being full.  Oddly, many of the messages claim to be from "jerusha.davie@lanifex.com", a name which doesn't seem to be in Google.  
Unfortunately, I get all the bounces because my domain will collect any unknown user mail, and forward it to me -- I guess I like to know what's going on.  I just wish that a lot more mail server administrators would refrain from sending Bounce Messages for mail that has already been rejected as spam, since 100% of the From: or Reply-To: headers are certainly forged.&lt;br /&gt;&lt;br /&gt;The risk here is that some legitimate email will be intercepted, although Gmail has a very good record of false positives, so I'm happy to accept the residual risk after mitigation -- but I will occasionally trawl through the spam folder, in case something slipped by that I wanted to see.  A related risk is that Gmail will start sending all bounce messages to the spam folder -- making me miss a genuine one.&lt;br /&gt;&lt;br /&gt;If only Gmail had some form of Cacti graph, so we could see the spam versus genuine mail on a time-series display, with history.  I guess I could write something, but don't really have the free time.  
Still, I feel that nearly 1,000 messages per day arriving as SPAM means my spam to mail ratio is around 99% -- surely some kind of record?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6101507186752382853?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6101507186752382853/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6101507186752382853' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6101507186752382853'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6101507186752382853'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/significant-increase-in-spam-leading-up.html' title='Significant Increase in SPAM leading up to holiday period'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_10VKxm1G3fc/SLAtU5EpdII/AAAAAAAAAng/UsHA2kwlWLs/s72-c/spam.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-4446596674916297688</id><published>2007-12-14T12:28:00.000+01:00</published><updated>2007-12-14T20:17:35.145+01:00</updated><title type='text'>Food origin labeling</title><content type='html'>I noted with disappointment the recent &lt;a 
href="http://www.stuff.co.nz/4321810a6160.html"&gt;decision&lt;/a&gt; by the New Zealand Government Food Safety Authority not to require compulsory country-of-origin labeling.  Yet again, this is something that the Australians do better, as they have in so many areas.  Perhaps we should consider moving to Australia as so many other New Zealanders are doing, especially considering the apparent &lt;a href="http://www.nzherald.co.nz/section/1/story.cfm?c_id=1&amp;objectid=10482051"&gt;economic advantages&lt;/a&gt; enjoyed across the Tasman, which is why nearly 10% of New Zealanders seem to prefer living there.  Even better, let's just invoke a little-known provision of the &lt;a href="http://www.geocities.com/nzstatehood/index.html"&gt;Constitution document&lt;/a&gt; which established Australia's states, and &lt;a href="http://www.smh.com.au/news/national/push-for-union-with-new-zealand/2006/12/04/1165080877899.html"&gt;add New Zealand onto the list.&lt;/a&gt; (After all, prior to the Treaty of Waitangi, NZ was &lt;a href="http://en.wikipedia.org/wiki/Politics_of_Australia_and_New_Zealand_compared"&gt;governed as part of New South Wales&lt;/a&gt; from 1840-1841.)  I guess one advantage of political or national union is that we could put an end to the ignominious defeats of our national Cricket and Rugby teams, by competing at the State level rather than as our own country.&lt;br /&gt;&lt;br /&gt;&lt;img width="350" src="http://files.myopera.com/FXM256/blog/patent_pending.jpg" align="right"&gt;&lt;br /&gt;I'm also very much a supporter of Genetically Modified Organisms (GMO) in food -- but ONLY when the food and products prepared using GMO ingredients are clearly and correctly labelled, so that consumers have a choice.  
The label should include some sort of unique identifier for transgenic items, which can then be looked up in a publicly-available &lt;a href="http://www2.oecd.org/biotech/"&gt;database&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Personally, I'm not afraid of responsible genetic modification of food products -- as long as there is disclosure, and the possibility of informed debate on the topic.  Let the market decide -- but also the various governments should heavily fine and prosecute companies that try to hide the truth.  The danger comes when &lt;a href="http://www.news.com.au/heraldsun/story/0,21985,22876165-5000117,00.html"&gt;governments intervene&lt;/a&gt; for what appear to be solely &lt;a href="http://hubpages.com/hub/gmo"&gt;economic reasons.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Ordinary consumers, such as myself, are hardly equipped to make correct Risk Assessments in relation to the potential dangers of GMO foods -- we rely on our government Food Safety bodies to do this job on our behalf.  
The risk here is how far the Food Safety authorities will be swayed by economic arguments from the major agri-businesses, which are more concerned with returning profit to their shareholders than with the safety of their foods, let alone the unintended ecological impact, on which the jury is still out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-4446596674916297688?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/4446596674916297688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=4446596674916297688' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4446596674916297688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4446596674916297688'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/food-origin-labeling.html' title='Food origin labeling'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2846847342627972208</id><published>2007-12-13T16:26:00.000+01:00</published><updated>2007-12-13T17:04:02.474+01:00</updated><title type='text'>The Convergence of Physical and IT Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://bp3.blogger.com/_10VKxm1G3fc/R2FRjkxGSgI/AAAAAAAAAR4/ZKM6adz9fIw/s1600-h/2043-fail-camera.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_10VKxm1G3fc/R2FRjkxGSgI/AAAAAAAAAR4/ZKM6adz9fIw/s320/2043-fail-camera.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5143481921040697858" /&gt;&lt;/a&gt;&lt;br /&gt;I've been thinking extensively about the ongoing convergence of Physical and IT Security, especially within a corporate context.  Many companies with whom I deal have a Security Manager of some type, who usually reports to the Chief Information Officer -- or just an IT Manager, who in turn reports to the Chief Financial Officer.  Unfortunately, the corporate environment in Central Europe is still rather under-developed, as there are few organizations which recognize the role of Chief Security Officer (CSO) -- so that very few people with responsibility for compliance, corporate governance and security performance monitoring are at a C-level reporting grade.&lt;br /&gt;&lt;br /&gt;Conversely, the importance of physical security is quite well understood, although often not well-implemented.  In Austria, physical security is usually just a function of the Building/Object Management group, and is staffed by people who understand locks, keys and door systems -- but not necessarily the principles of least privilege and four-eyes oversight.&lt;br /&gt;&lt;br /&gt;In my opinion, the international trend is towards a rapid convergence of both types of security, especially in terms of applying similar standards, methodologies and 24x7 operational monitoring.  
A recent customer of &lt;a href="http://www.lanifex.com/"&gt;my company&lt;/a&gt; has done good work in implementing centralized monitoring of dozens of distributed locations, collecting a diverse range of output from devices such as alarm controllers, fire suppression and monitoring equipment, door access controllers, UPS (Uninterruptible Power Supply) controllers, and even camera Digital Video Recorders (DVRs).  &lt;br /&gt;&lt;br /&gt;By centralizing all of this information in one command and control centre, the company can respond to problems faster and detect potential crises earlier.  As a secondary goal, convergence can allow for cost reduction, by having a single 24x7 threat response monitoring centre which can be charged with both IT Security and Physical Security monitoring.  After all, the computer doesn't care whether the intruder is detected in a LAN, or in the warehouse at 3 a.m. -- the incident response action and escalation paths will be much the same (although different personnel may be involved.)&lt;br /&gt;&lt;br /&gt;But collecting information centrally isn't enough.  You also need correlation, which means a clear understanding of the process workflow behind the security events -- and this starts with a detailed &lt;a href="http://www.modulo.com/"&gt;Risk Assessment&lt;/a&gt;, to identify the threats and their signatures.  For example, security cameras act as a deterrent, and can be useful in post-incident forensics, to help identify perpetrators.  But properly used, they can also detect intrusions, to trigger incident response much earlier.  
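&lt;br /&gt;&lt;br /&gt;To make the correlation point concrete, here is an added example (written for this page, not the customer system mentioned above) in which two rules join events from different feeds that a converged monitoring centre would receive: a DVR video-loss event followed by a door opening in the same zone, and a badge read for a person who is also authenticating over the VPN at about the same time.  The event log, zone names, source names and the ten- and thirty-minute windows are all constructed assumptions; real alarm panels, access controllers and DVRs each need their own normaliser in front of this.&lt;br /&gt;

```python
"""Toy cross-domain correlation for a converged security monitoring centre.
Added example written for this page, not the customer system described in
the post.  The event format, zone names, sources and time windows are
assumptions; real controllers and DVRs each speak their own dialect."""
import operator
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised event log: timestamp source zone event subject.
# Camera 7 in the warehouse loses its picture at 02:58 and a door in the
# same zone opens three and a half minutes later; at 08:55 jdoe badges into
# the lobby and two minutes on is also logged in from the VPN.
EVENTS_RAW = """\
2007-12-13T02:58:10 dvr   warehouse  video_loss  cam-07
2007-12-13T03:01:42 door  warehouse  door_open   -
2007-12-13T03:05:00 ups   serverroom on_battery  ups-01
2007-12-13T08:55:20 door  lobby      badge_ok    jdoe
2007-12-13T08:57:05 vpn   remote     login_ok    jdoe
2007-12-13T09:10:00 door  lobby      badge_ok    asmith
2007-12-13T09:19:58 door  warehouse  badge_ok    asmith
2007-12-13T09:20:00 door  warehouse  door_open   -
"""


def parse_events(text):
    """Parse the whitespace-separated log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, source, zone, event, subject = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "zone": zone, "event": event, "subject": subject})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, blind_window=timedelta(minutes=10),
              overlap_window=timedelta(minutes=30)):
    """Return (rule, subject, timestamp) alerts from two cross-source rules.

    Rule 1: a door opens in a zone whose camera reported video loss within
    blind_window.  Each event alone is routine; together they look like a
    blinded camera followed by an entry.
    Rule 2: the same person badges into a building and authenticates over
    the VPN within overlap_window: a physical and an IT event that should
    not both be true of one person at one time."""
    alerts = []
    blind_since = {}  # zone: time of the most recent unrestored video_loss
    for e in events:
        if e["event"] == "video_loss":
            blind_since[e["zone"]] = e["ts"]
        elif e["event"] == "video_restored":
            blind_since.pop(e["zone"], None)
        elif e["event"] == "door_open" and e["zone"] in blind_since:
            # door opened no later than blind_window after the video loss
            if operator.le(e["ts"] - blind_since[e["zone"]], blind_window):
                alerts.append(("entry_while_camera_blind", e["zone"], e["ts"]))

    badge_times = defaultdict(list)
    vpn_times = defaultdict(list)
    for e in events:
        if e["event"] == "badge_ok":
            badge_times[e["subject"]].append(e["ts"])
        elif e["source"] == "vpn" and e["event"] == "login_ok":
            vpn_times[e["subject"]].append(e["ts"])
    for user, logins in vpn_times.items():
        for t_vpn in logins:
            # any badge read for the same user within overlap_window either way
            if any(operator.le(abs(t_vpn - t_badge), overlap_window)
                   for t_badge in badge_times[user]):
                alerts.append(("onsite_and_remote", user, t_vpn))
    return alerts


if __name__ == "__main__":
    for rule, subject, ts in correlate(parse_events(EVENTS_RAW)):
        print(ts.isoformat(), rule, subject)
```

Run as a script it prints two alerts from the sample log.  The 09:20 door opening in the warehouse stays quiet because the camera outage is hours old by then; that window is exactly the kind of parameter the risk assessment should set deliberately for each zone rather than leave at a default.&lt;br /&gt;&lt;br /&gt;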
Naturally, cameras can be defeated -- for example, it's possible to adapt a DVD-recorder laser diode into a battery-operated laser pointer which can permanently blind most off-the-shelf security cameras (and incidentally, this can be used as a non-lethal weapon against unprotected security personnel, as it can cause instant blindness too.)&lt;br /&gt;&lt;br /&gt;Therefore, the vigilant security manager has to prepare for such scenarios, through regular posture assessment and tiger-team testing, as well as drills and security-related staff training.  Appropriate counter-measures need to be selected, and then constantly reviewed and improved.  Ultimately, security is a demanding and continuously-changing battleground of strike and counter-strike, where we must always assume that the attacker is smarter, better-funded and more highly motivated than ourselves.  We can only wait, prepare, be vigilant, and constantly assess our readiness -- and challenge our imaginations to anticipate the next moves.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2846847342627972208?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2846847342627972208/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2846847342627972208' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2846847342627972208'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2846847342627972208'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/convergence-of-physical-and-it-security.html' title='The Convergence of Physical and IT 
Security'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_10VKxm1G3fc/R2FRjkxGSgI/AAAAAAAAAR4/ZKM6adz9fIw/s72-c/2043-fail-camera.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-4333144297203751142</id><published>2007-12-13T12:53:00.000+01:00</published><updated>2007-12-17T14:51:47.579+01:00</updated><title type='text'>Television : A Modern Sophist's Mirror</title><content type='html'>&lt;i&gt; "For it is a false assertion that the sense of man is the measure of all things. . . The human understanding is like a false mirror, which, receiving rays irregularly, distorts and discolours the nature of things by mingling its own nature with it" [Bacon 1620, xvi].&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Modern television is considered by many to be solely a form of entertainment -- a mechanism for television channels to deliver their true product to customers, i.e., consumer attention for advertisers.  I feel, however, that it has a different meaning, where we can use the TV shows that someone professes to enjoy as a kind of Socratic mirror, in which are reflected the true intentions, ideals, likes and fears of the viewer. 
&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_10VKxm1G3fc/R2EhtExGSfI/AAAAAAAAARw/4N6bx0XP-_A/s1600-h/hayden-panettiere-sexy.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_10VKxm1G3fc/R2EhtExGSfI/AAAAAAAAARw/4N6bx0XP-_A/s320/hayden-panettiere-sexy.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5143429307691321842" /&gt;&lt;/a&gt;So, what are we to make of the current plethora of television shows which grace our TV screens (or BitTorrent trackers)?  Can we learn something about our Western culture (I am confining myself to the current "Rex Artis" or cultural hegemony of the USA and its satellites in Australia, UK, New Zealand and even Canada) by identifying the themes which rise to the surface? &lt;br /&gt;&lt;br /&gt;Perhaps TV writers are like the Delphic pythonesses, drugged on the steady stream of residuals emanating from the crevices of Producers' nethers, while mining insights and visions which are served symbolically in the context of a 45-minute sitcom or a 22-week story arc.  Jung's collective unconscious suggests that we share a deep connection with all other humans at some level, which may be addressed through the historically unprecedented sharing of compelling stories by millions of people simultaneously (or time-shifted as the "Must-See TV" hour precesses across the time zones).&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;A dark place&lt;/h3&gt;&lt;br /&gt;One of the most psychologically revealing shows of recent years has to be &lt;a href="http://www.sho.com/site/dexter/home.do"&gt;Showtime's Dexter. &lt;/a&gt;  My wife cannot bring herself to watch it, but I find it oddly compelling -- the story of a deeply damaged serial killer, struggling to be a productive and happy member of society, while cleaving to a unique moral code which allows him to act on his darker impulses, killing only those who "deserve it."  
As Florida is one part of the US where executions are commonplace, it makes sense for Dexter to pursue his career there.  The show has excellent production, great acting, believable characters you care about, and compelling stories.  The recent and ongoing writers' strike fortunately didn't interfere with completion of the current series, with a finale which hit one out of the ballpark.  I wonder however if people enjoying Dexter are measuring themselves against his clearly-defined ethical standards, or whether they continue to lead an unexamined life.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Heroes and Villains&lt;/h3&gt;&lt;br /&gt; Season One of &lt;i&gt;Heroes&lt;/i&gt; was fantastic.  &lt;img src="http://upload.wikimedia.org/wikipedia/en/a/a3/Noah_Bennet_Season_2.jpg" align="right"&gt;Season Two was somewhat hit and miss, with Tim Kring admitting that there were pacing issues, and regretting an emphasis on the romantic angle, which fell somewhat flat.  (I still loved the Hiro storyline though, as he is my favourite character.)  The premature end of Season Two, yet another casualty of the Writers' Strike, didn't do much to rescue the show, but it's still not going to stop me from watching Season Three, whenever it arrives.  The show itself, when we look beyond the great special effects and cool ideas, seems to be telling the same stories about relationships, families, secrets and lies which make for great viewing anytime.  Ultimately all characters seem to be linked in various ways, and the struggle of HRG in particular to keep his family together is simultaneously bathetic and profound.  &lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Who's on First&lt;/h3&gt;&lt;br /&gt;As one raised in the shadow of &lt;i&gt;Dr. Who&lt;/i&gt; stalking my nightmares, I have a fondness for the &lt;a href="http://en.wikipedia.org/wiki/Dr_who"&gt;Timelord from Gallifrey&lt;/a&gt;.  
Even if we exclude the delectable Billie Piper, and some of the more dodgy scripts from the past few seasons, there have been some amazing stories -- especially "Blink", "Girl in the Fireplace" and "Empty Child."  So, what does this tell us?  I think it gives us a sense of the connectedness of history -- that those people who make up our past are somehow still there, beyond the liminal "now", trapped in the amber of the past but potentially visitable by anyone with a TARDIS, or perhaps via a Shamanic journey.  While it's always fun to see the aliens and other planets, the best stories seem to involve people, and mysteries as yet unsolved. &lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Guilty Pleasures&lt;/h3&gt;&lt;br /&gt;Californication.  David D. just does it for me.  Excellent, funny writing, with yet another po-mo take on the importance of family and relationships.  I'm not sure I would go so far as Hank Moody did for Charlie, his wing-man and friend, but it makes compelling TV.  Writers writing about writers with issues follows the dictum "write what you know" a little too strictly; however, it's also fun following all the cultural references, especially for fans of the late lamented Warren Zevon.&lt;br /&gt;&lt;br /&gt;Another recent discovery which has rapidly appeared on my "Must Watch List" is "Curb Your Enthusiasm", by Larry David.  I can't believe I missed such a great show until its sixth season, and will definitely add the DVD Box Set to my Christmas wish-list.  Its tales of a hapless middle-aged neurotic Jewish guy, with a talent for misunderstanding and a Black Belt in Passive Aggression, make &lt;i&gt;Curb&lt;/i&gt; very funny indeed, if sometimes a little edgy.&lt;br /&gt;&lt;br /&gt;My curmudgeonly qualities are encouraged by the delight that is the sarcasm of Dr Gregory House, M.D.  The perfect antidote to generations of past TV doctors, we have a Vicodin-addicted cynic whose use of the Socratic method would impress any would-be sophist.  
&lt;br /&gt; &lt;br /&gt;&lt;h3&gt;Journeys Into Redemption&lt;/h3&gt;&lt;br /&gt;Many stories deal with journeys -- through space, seeking a new home (such as the reincarnated &lt;i&gt;Battlestar Galactica&lt;/i&gt;), or through time, such as &lt;i&gt;Journeyman&lt;/i&gt; (perhaps an updated &lt;i&gt;Quantum Leap&lt;/i&gt; with better grooming?)  The recent made-for-TV movie &lt;i&gt;Razor&lt;/i&gt; showed us just how good BSG became up until the Pegasus story arc, but recent episodes have left me somewhat disappointed (except for the ones with Lucy Lawless.)  Come back Dr Baltar, all is forgiven!   Sometimes the mirror to society symbolism is a little heavy-handed, but certain viewpoints might require a higher degree of philosophical water-boarding before its intended audience gains a further measure of self-insight.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Journeyman&lt;/i&gt; gives us a more mysterious Dr Beckett, traveling without conscious volition into his past and that of others, having to live by his wits and work out, along with the viewers, just what the heck is going on -- while also trying to prevent his family life from fracturing.  I have hopes this show won't jump the shark, due to the quality of the writing, but am not certain that the network can refrain from interference.&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;Honourable Mentions&lt;/h3&gt;&lt;br /&gt;There are a number of TV series which have moved, inspired or simply entertained me in the past couple of years.  Onto this list, I would like to add the following:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Flight of the Conchords -- Kiwi cultural cringe at its New York best.  
&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Stargate Atlantis -- consistent Canadian SF fare, with occasionally interesting themes.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Blood Ties -- nice retelling of Tanya Huff's vampire/detective crossover.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Bones -- excellent production values with some great stories, and on-screen chemistry in abundance.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Pushing Daisies -- takes risks, but they sometimes pay off.  Eccentric, quirky, oft-times amusing.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Aliens in America -- not what you might think.  More "Family Values meets a Muslim" than X-Files.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;American Dad -- cartoon, but more Adult Swim than Roger Ramjet.  Edgy animation (but not as bad as Drawn Together).&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Daily Show with Jon Stewart -- together with the Colbert Report, two of the first casualties of the Writers' Strike.  Sadly missed.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;My Name is Earl -- endearing retelling of the nature of Karma for Rednecks.  Appealing, sometimes appalling.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Dresden Files -- wonderful books, nicely translated to the screen, cancelled in the first season.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The IT Crowd -- inspired British nerd silliness.  Have you tried switching it off and on again?&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Painkiller Jane -- started with a nice premise, but soon jumped the shark.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Numb3rs -- one of the few shows I have included in a university class I taught.  &lt;/li&gt;&lt;br /&gt;&lt;li&gt;Burn Notice -- smart, funny, educational story about an ex-spy trying to get on with life.  
&lt;/li&gt;&lt;br /&gt;&lt;li&gt;The Sarah Jane Adventures, Torchwood -- two spin-offs from Dr Who.&lt;/li&gt; &lt;br /&gt;&lt;li&gt;Primeval -- short-lived British time-travel mystery, with dinosaurs and intrigue.&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-4333144297203751142?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/4333144297203751142/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=4333144297203751142' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4333144297203751142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/4333144297203751142'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/television-modern-sophists-mirror.html' title='Television : A Modern Sophist&apos;s Mirror'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_10VKxm1G3fc/R2EhtExGSfI/AAAAAAAAARw/4N6bx0XP-_A/s72-c/hayden-panettiere-sexy.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8726030966302783410</id><published>2007-12-09T18:54:00.000+01:00</published><updated>2007-12-10T12:40:31.635+01:00</updated><title type='text'>BBC's 
Planet Earth</title><content type='html'>&lt;img align="right" src="http://www.bbc.co.uk/pressoffice/images/bank/programmes_tv/factual/planet_earth/300angel_falls.jpg"&gt;&lt;br /&gt;I just have to write about the BBC series &lt;a href="http://en.wikipedia.org/wiki/Planet_Earth_(TV_series)"&gt;"Planet Earth"&lt;/a&gt;, which was released last year on DVD.  This is a fantastic series, which was two years in the making.  Narrated by respected naturalist &lt;a href="http://en.wikipedia.org/wiki/David_Attenborough"&gt;David Attenborough&lt;/a&gt;, and produced by the BBC together with Discovery Channel and a Japanese broadcaster, this series is one of the best nature documentaries I have ever seen.  Filmed almost entirely in High Definition (HD), the series takes a different theme in each programme, including fresh water, oceans, caves, grasslands, etc.&lt;br /&gt;&lt;br /&gt;The quality of the visuals, with breathtaking aerial shots, plus amazing action sequences, simply outclasses any other documentary I've ever seen.  The DVD extras include several "behind the scenes" interviews, which show the impressive dedication and sheer hard work the crew of filmmakers had to go through.  With the addition of sound effects, beautiful orchestration, and Attenborough's hypnotically calming delivery, the whole series is chock full of interesting facts and discoveries.  Who knew there was a massive mountain of bat guano deep inside a cave, with some of the largest colonies of cockroaches ever found?  Or the stark beauty of snow leopards stalking Markhor in the Himalayas?  &lt;br /&gt;&lt;br /&gt;The series is probably best seen on a high-definition system (Blu-ray or HDTV), but even on standard definition DVD, it's an impressive piece of work, which highlights the tremendous variety of life on our beautiful planet.   
This is must-see TV, and should be compulsory viewing for all children everywhere.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8726030966302783410?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8726030966302783410/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8726030966302783410' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8726030966302783410'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8726030966302783410'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/bbcs-planet-earth.html' title='BBC&apos;s Planet Earth'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1489989325267738567</id><published>2007-12-07T14:57:00.000+01:00</published><updated>2007-12-07T15:21:02.866+01:00</updated><title type='text'>The China Syndrome: Update on (alleged) Google Adwords Click Fraud</title><content type='html'>As you may have read in my previous &lt;a href="http://security-risk.blogspot.com/2007/12/massive-organized-google-click-fraud-in.html"&gt;blog entry&lt;/a&gt; on this topic, I am convinced that Google's Content Network is not really the best place for advertisers to submit their ads, at least until they 
understand some of the issues.&lt;br /&gt;&lt;br /&gt;Specifically, I recommend avoiding certain countries for placement of ads -- which of course doesn't mean that you won't get clicks from those countries (because you will if the click fraud is organized); it means instead that your ads won't be served to end users originating from those countries.  The actual location of the Web servers hosting the ads is irrelevant.  The web is such an international place that the location of the server is often different from the location of the beneficial owner.&lt;br /&gt;&lt;br /&gt;Today, I received an email and call back from Google UK, who kindly undertook to look into my complaints.  I have to say that it is a pleasure to do business with the people at Google, as they know their stuff.  Professional and courteous to a fault.  This was in response to my informal request to the Google Country manager, Dr Karl Pall, who forwarded my concerns to the Google UK Public Affairs Manager, who in turn passed me on to a very knowledgeable Adwords specialist, Patrick Singer.  I am still waiting for a response to my support request to the Google Adwords Quality Control team, which I expect will come next week.&lt;br /&gt;&lt;br /&gt;The upshot of the call was that Google has done a lot of work to improve its transparency of reporting for advertisers.  Specifically, the newly introduced Placement Report is able to show which web sites were used to host the ads that I paid for.  Together with the Campaign Report (which showed an average Invalid Click Rate of 10.66%, with up to 25% on one campaign), I was able to identify the source sites for most of the traffic which I consider fraudulent.  
Unfortunately, there doesn't seem to be an easy way to identify which country or region generated traffic on specific referring sites, at least without some manual correlation.&lt;br /&gt;&lt;br /&gt;Unfortunately, Google didn't agree with my assessment that most if not all of the China-originating clicks were fraudulent, although I agreed to wait until the full results of the Quality Control team are available next week.  I do note that some of the suspicious Web sites had a 50% CTR -- with one site having 100% CTR, which I find remarkable!  (It's almost as if the site was generated by a Web server designed for someone to click on the ads....  hmmmm.....)&lt;br /&gt;&lt;br /&gt;So, the bottom line -- I continue to be impressed by the resources that Google are throwing at this.  The Adwords Reports have tremendous depths, and would repay serious study -- but it's almost a full time job to master this business, and tuning the ads for the best effect would be a valuable service.  (There are probably consultants who do this.)  Unfortunately, I am still not convinced that any of the Content Network Clicks are valid, at least for certain countries and regions.&lt;br /&gt;&lt;br /&gt;My hope is that the Google Quality Control team can "follow the money" -- to see if there is any pattern as to the financial beneficiaries of this apparent fraud.  I am sure I'm not the only one affected by this.   Sadly, my company's investment in Google Adwords has yet to yield a single valid lead, despite spending nearly 2,000 Euros with Google -- at least based on my knowledge of all sales communications and email enquiries.  
My next step is to add some sort of conversion tracking, i.e., some type of click-through form for collecting lead information, so I can add some more detail into the Google Reports.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1489989325267738567?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1489989325267738567/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1489989325267738567' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1489989325267738567'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1489989325267738567'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/china-syndrome-update-on-alleged-google.html' title='The China Syndrome: Update on (alleged) Google Adwords Click Fraud'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2454526174994146209</id><published>2007-12-05T12:44:00.000+01:00</published><updated>2007-12-05T12:52:55.672+01:00</updated><title type='text'>Time Machine Fun</title><content type='html'>This week I learned more about Apple's Time Machine.  
My wife's iMac needed to have its motherboard replaced, due to the &lt;a href="http://en.wikipedia.org/wiki/Capacitor_plague"&gt;capacitor plague&lt;/a&gt;.  Kudos to Apple for extending the warranty to cover this issue, as it meant that we didn't have to pay for the replacement.  Coincidentally, a Grundig HDTV Satellite tuner failed recently due to the same problem (I opened the case, and saw the signs of the capacitor leakage.)&lt;br /&gt;&lt;br /&gt;One of the consequences of the replacement of the motherboard is that the MAC address of the network card has changed.  And this means that the external USB drive being used for the Time Machine backup was no longer recognized, since it appears that Time Machine embeds the MAC address in the drive identifier for the backup archive.&lt;br /&gt;&lt;br /&gt;To resolve this, there is probably some way to edit the MAC address, but I didn't bother.  Instead, I noted that the USB drive was still using the Master Boot Record (MBR), so I decided to &lt;a href="http://docs.info.apple.com/article.html?artnum=306932"&gt;re-partition the drive&lt;/a&gt; with the Apple Partition Map, which is best used with the PowerPC-based iMac.  I then used the "Change Disk..." 
option under the Time Machine panel of System Preferences, and started a new full backup, which corrected the problem, at the expense of some older backups.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2454526174994146209?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2454526174994146209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2454526174994146209' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2454526174994146209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2454526174994146209'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/time-machine-fun.html' title='Time Machine Fun'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6085830811836139230</id><published>2007-12-04T16:03:00.000+01:00</published><updated>2007-12-07T15:23:33.709+01:00</updated><title type='text'>Massive organized Google Click Fraud in China</title><content type='html'>I have evidence of massive and organized abuse of Google's AdWords program, especially based in China.  This is certainly not a new problem.  
Bruce Schneier &lt;a href="http://www.wired.com/politics/security/commentary/securitymatters/2006/07/71370"&gt;blogged&lt;/a&gt; about Google's Click-Fraud problem last year in Wired -- although he focuses on two types of click fraud, whereas my own case seems to be a third type, no doubt driven by human click-farmers rather than 'bots.  There's also an excellent article on this problem in &lt;a href="http://www.businessweek.com/magazine/content/06_40/b4003001.htm"&gt;Business Week&lt;/a&gt;, which specifically mentioned the Chinese connection.&lt;br /&gt;&lt;br /&gt;Last month, I spoke with Dr Pall, country manager for Google here in Austria.  I conveyed to him my concern that, as a small business advertising with Google's AdWords program, I simply didn't trust the results I was seeing, especially when I found that I was spending hundreds of Euros via the &lt;a href="https://adwords.google.com/select/afc.html"&gt;Content Network&lt;/a&gt; portion.&lt;br /&gt;&lt;br /&gt;This month, I decided to collect some real numbers on the extent of this problem, to pass on to Google (to date, I have not received a response.)   Specifically, I set up some new ads for real products and services that &lt;a href="http://www.lanifex.com"&gt;my company&lt;/a&gt; provides -- products with a very specific and limited market focus.  
I deliberately enabled the Content Network option, and waited to see what would happen.&lt;br /&gt;&lt;br /&gt;I didn't have to wait very long, as the screen shot below shows.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_10VKxm1G3fc/R1VuoExGSeI/AAAAAAAAARQ/HCOuRAe5Gvs/s1600-h/chinafraud.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_10VKxm1G3fc/R1VuoExGSeI/AAAAAAAAARQ/HCOuRAe5Gvs/s400/chinafraud.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5140136184466786786" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This activity occurred within a couple of days of my ads being activated.  I find it very interesting to see that 100% of the click-throughs to my site are directed via the charged Content Network -- which means every one of those clicks cost me money, and earned money for the Web sites which hosted the ads at the time.   Not a single click came from a search.  And the majority came from 42 different cities throughout China -- which of course means not a single one is genuine.&lt;br /&gt;&lt;br /&gt;The bottom line -- be very cautious when enabling Google's Content Network.  Watch it closely, and especially don't enable it in China (India also shows some evidence of fraud, but on a smaller scale.)  I am hoping that Google will be &lt;a href="http://www.google.com/adwords/adtrafficquality/index.html"&gt;open about this problem&lt;/a&gt;, to restore confidence in their advertisers after last year's &lt;a href="http://www.pcworld.idg.com.au/index.php/id;714050172;fp;2;fpid;1"&gt;settlement&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I will be doing some &lt;a href="http://security-risk.blogspot.com/2007/12/china-syndrome-update-on-alleged-google.html"&gt;further analysis&lt;/a&gt;, and will post the results in my blog.  I'd also be interested to hear from others who have seen similar patterns.   
Note that I don't think this problem is unique to Google -- probably, it is also prevalent with other advertisers.  I really like Google's way of doing business, and will continue to do business with them -- but I feel that more needs to be done to stamp out such obvious gaming of the system, which costs money for no return and wastes valuable time.&lt;br /&gt;&lt;br /&gt;Google -- what are you doing about this?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6085830811836139230?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6085830811836139230/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6085830811836139230' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6085830811836139230'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6085830811836139230'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/12/massive-organized-google-click-fraud-in.html' title='Massive organized Google Click Fraud in China'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_10VKxm1G3fc/R1VuoExGSeI/AAAAAAAAARQ/HCOuRAe5Gvs/s72-c/chinafraud.png' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-1307040388727871755</id><published>2007-11-28T14:48:00.000+01:00</published><updated>2007-11-30T11:03:25.977+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='high availability'/><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='xampp'/><category scheme='http://www.blogger.com/atom/ns#' term='cacti'/><title type='text'>Technical HowTo: High Availability Monitoring, Part 1</title><content type='html'>This blog entry is going to be quite technical, so people with a sensitive disposition might want to skip ahead to other entries.  O.K., you've been warned!&lt;br /&gt;&lt;br /&gt;My goal here is to describe the process of setting up a Monitoring system for a High Availability network security appliance.  Specifically, this is work for a customer, who is going to implement one of our AGORA systems (see my earlier blog from this week) in a High Availability configuration.  A specific feature of this monitoring system, is that it should detect failure of a primary system, and switch to a secondary automatically, according to a set of rules.&lt;br /&gt;&lt;br /&gt;Now High-Availability means different things to different people.  In my case, I interpret it to mean any system which when correctly implemented, will reduce the probability of a systems failure.  As a system is made up from different parts, we isolate those subsystems which are most likely to fail, and put measures in place to detect or prevent this failure.&lt;br /&gt;&lt;br /&gt;My goal here is to develop a network-based monitoring sub-system, which will continuously monitor and measure performance of the target system, and to activate special counter-measures in the event of a subsystem failure.  
I plan to use off-the-shelf components wherever possible, and especially open-source tools running in a Linux environment (although not all tools selected are of this type.)  I believe this approach will be helpful to document, in case others want to adopt a similar approach, and you can learn from my mistakes.&lt;br /&gt;&lt;br /&gt;The first step is to choose the development environment.  I am going to develop within a &lt;a href="http://www.vmware.com"&gt;VMWare&lt;/a&gt; appliance, which is a Virtual Machine.  By doing this, it will be easier for the customer to implement at their own site.  I happen to be using a MacBook Pro for this work, but it could easily be an Ubuntu Linux or even Windows XP box.  Some of the features and tools I plan to implement include:&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Cacti -- used for time-series graphing of various metrics.  In particular, useful for showing trends.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;SmokePing -- a nice Cacti-based tool to show network latency.  Network performance is of particular interest.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Perl -- the general purpose scripting language for writing new functionality&lt;/li&gt;&lt;br /&gt;&lt;li&gt;XAMPP -- one of my favourite bundles of Apache, MySQL, Perl and PHP&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Mon/Nagios/Hobbit -- select from one of several network monitoring tools&lt;/li&gt;&lt;br /&gt;&lt;li&gt;VMware -- used to run a virtual machine, for portability&lt;/li&gt;&lt;br /&gt;&lt;li&gt;CentOS -- the version of Linux I chose for running the monitoring system inside the VMWare&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;I considered using a solution such as &lt;a href="http://www.keepalived.org/software_design.html"&gt;keepalived&lt;/a&gt;, but thought that might be more complex than I need.  Plus I like re-inventing wheels...&lt;br /&gt;&lt;h2&gt;Preparing the Development System&lt;/h2&gt;&lt;br /&gt;My first task is to connect to our VMWare server, and build the development environment.  
This box is stored in our data centre, and only provides access via SSH.  Therefore, I am going to tunnel in via SSH, using VNC to get access to the graphical environment.&lt;br /&gt;&lt;br /&gt;For Mac OS X, I have chosen to use &lt;a href="http://cotvnc.sourceforge.net/"&gt;"Chicken of the VNC"&lt;/a&gt; as my VNC client.  Because I need to tunnel in via SSH, I chose to open a terminal window, and type in the command directly.&lt;br /&gt;&lt;blockquote&gt;ssh root@vmware-dev -L 5901:localhost:5901&lt;/blockquote&gt;&lt;br /&gt;I then connect to localhost port 1 in the VNC client, which will then tunnel to the remote system.  After entering the password, I am faced with the screen shot below.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_10VKxm1G3fc/R017JHvfxjI/AAAAAAAAARI/HYTQ1uCXm-k/s1600-h/snap01.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_10VKxm1G3fc/R017JHvfxjI/AAAAAAAAARI/HYTQ1uCXm-k/s320/snap01.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5137898146526905906" /&gt;&lt;/a&gt;&lt;br /&gt;Now I use the interface of the VMWare server, and tell it I want to create a virtual machine, using the Red Hat Enterprise Linux 4 template (which is closest to CentOS.)   I also choose only 640 MB of RAM (this machine will be running as a Web server, but I won't install X11.)   I don't need a physical CD, as I have downloaded the ISO images of the CentOS onto the VMWare server, and just need to mount the image as if it was the CD drive.  I switch on the VM, and it boots immediately into the CentOS installer.&lt;br /&gt;&lt;br /&gt;I run through the installation options, selecting mostly the defaults.  I made the VM with only 8 GB of disk, so I have chosen a minimal install.  I'll add the other stuff I need later.   
My first step, however, will be to use YUM to install any required security patches and updates for the minimal install, then download and install my Web environment, XAMPP.  I will also add the VMWare tools, as these are important if I want the system to have good time synchronization (which is important for security applications), because NTP and friends &lt;a href="http://www.vmware.com/pdf/vmware_timekeeping.pdf"&gt;don't play together nicely&lt;/a&gt; with Virtual Machines due to clock tick latency correction.&lt;br /&gt;&lt;br /&gt;Here are the commands used:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;wget http://www.apachefriends.org/download.php?xampp-linux-1.6.4.tar.gz&lt;br /&gt;yum update&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;There was around 48 MB of updates for the CentOS packages -- mostly new versions of tools and the kernel, with a few minor security issues.&lt;br /&gt;&lt;br /&gt;See the &lt;a href="http://www.apachefriends.org"&gt;Apache Friends&lt;/a&gt; web site for details on installing XAMPP.  Just follow the instructions for improving its security, and make it run from startup by using chkconfig to add it to the processes to be run upon a reboot (after symbolic linking into /etc/init.d).&lt;br /&gt;&lt;br /&gt;&lt;h2&gt;Smokeping&lt;/h2&gt;&lt;br /&gt;&lt;br /&gt;My first choice was to install &lt;a href="http://oss.oetiker.ch/smokeping/"&gt;Smokeping&lt;/a&gt;, by Tobias Oetiker.  It's a great tool for visualization of network behaviour, which is an important part of any network-based service.  I simply followed the comprehensive &lt;a href="http://oss.oetiker.ch/smokeping/doc/smokeping_install.en.html"&gt;installation guide&lt;/a&gt;.  Later, I found a more friendly Smokeping install guide &lt;a href="http://blogs.techrepublic.com.com/networking/?p=328"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;For the convenience of the reader, I will paste below the commands needed.  
I decided to use binary distributions, rather than building from source, to save installing too many prerequisites in the VM.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;&lt;br /&gt;yum install libart_lgpl&lt;br /&gt;yum install perl-Time-HiRes&lt;br /&gt;wget http://dag.wieers.com/rpm/packages/rrdtool/rrdtool-1.2.23-1.el4.rf.i386.rpm&lt;br /&gt;wget http://dag.wieers.com/rpm/packages/rrdtool/perl-rrdtool-1.2.23-1.el4.rf.i386.rpm&lt;br /&gt;# Note both RPMs have to be installed with a single command, to avoid a dependency loop&lt;br /&gt;rpm -Uvh rrdtool-1.2.23-1.el4.rf.i386.rpm perl-rrdtool-1.2.23-1.el4.rf.i386.rpm &lt;br /&gt;&lt;br /&gt;wget http://downloads.sourceforge.net/echoping/echoping-6.0.2.tar.gz?use_mirror=heanet&lt;br /&gt;yum install curl&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I'll continue this in Part 2.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-1307040388727871755?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/1307040388727871755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=1307040388727871755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1307040388727871755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/1307040388727871755'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/technical-howto-high-availability.html' title='Technical HowTo: High Availability Monitoring, Part 1'/><author><name>Paul 
Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_10VKxm1G3fc/R017JHvfxjI/AAAAAAAAARI/HYTQ1uCXm-k/s72-c/snap01.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-7294700142356875020</id><published>2007-11-28T14:17:00.000+01:00</published><updated>2007-11-28T14:23:16.755+01:00</updated><title type='text'>Inemuri</title><content type='html'>I came across a real &lt;a href="http://news.bbc.co.uk/2/hi/uk_news/magazine/7114661.stm"&gt;gem&lt;/a&gt; while browsing the BBC News web site today.  Japanese culture contains the delightful concept of "inemuri" (居眠り), which translates as napping or dozing.  What's interesting about it is that it is culturally acceptable, in certain circumstances, to fall asleep in meetings or other social gatherings.&lt;br /&gt;&lt;br /&gt;Apparently, it is intended to show that you sacrificed much of your regular sleep in your work, and is considered a type of macho display -- "look how hard I work, because now I cannot stay awake!"  Naturally, like many Japanese traditions, it is not for everyone -- only those of superior social status can afford to indulge in front of their underlings, or those who have little status at all.&lt;br /&gt;&lt;br /&gt;Now, I just need to figure out how to incorporate this into the university classes I teach.... 
hmmmm....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-7294700142356875020?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/7294700142356875020/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=7294700142356875020' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7294700142356875020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7294700142356875020'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/inemuri.html' title='Inemuri'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5103882600415958947</id><published>2007-11-26T14:24:00.001+01:00</published><updated>2007-11-26T15:05:10.732+01:00</updated><title type='text'>AGORA Audit Compliance Appliance</title><content type='html'>I'm really excited about the &lt;a href="http://www.lanifex.com/business/business_en/Products/717.html"&gt;AGORA Audit &lt;img src="http://www.lanifex.com/images/products/AGORA/Agora_top_logo.gif" align="right"&gt; and Compliance Appliance&lt;/a&gt; which my company has developed, and which is starting to see some traction in the market.&lt;br /&gt;&lt;br /&gt;The idea actually came from one of our large Banking customers.  
It's a simple idea (as some of the best ones are), but one which we haven't really seen elsewhere on the market.  The "elevator pitch" is as follows:&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Your company or bank has just outsourced some key IT activities -- e.g., application development or database administration.  It made sense financially, and you're covered by SLAs, so you know what service you can expect.  But you no longer have real control over who is doing what, and when, to your customers' data.  A firewall or VPN solution doesn't really help, because it's designed to only keep out unauthorized persons -- but the outsourced company have full access, so how do you track what they are doing?  &lt;br /&gt;&lt;br /&gt;Some systems, like Oracle, let you turn on database auditing -- but if you outsource the DBA function, then your DBA can turn it off.  So most of the time, you just have to trust people -- until something goes wrong, some critical table is dropped, or some vital information leaks -- and then you're stuck, because where do you start investigating?  &lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This is the business problem solved by AGORA -- it's a secure application gateway appliance which sits between your internal systems, and the authorized persons who need access, that keeps indelible records of all activity -- down to the level of scanning the network protocol in real-time, and recording all keystrokes or SQL queries sent by the external administrator, transparently and with no noticeable impact on performance.  It supports SSH, Oracle SQL*Net, Microsoft SQL TDS, HTTP/HTTPS, Telnet, FTP and even X11 protocols.  This means that all traffic is captured in separate files, linked to the uniquely-identified user who started the sessions.&lt;br /&gt;&lt;br /&gt;A separate auditor user role can log in via the Web interface, and review audit logs of the various sessions managed by the system.  
The workflow management is integrated with a built-in trouble ticket system, so audit logs of access to a service can be linked to specific problems or activities.  We also tie the sessions in with specific VPN-authenticated users (we support Check Point VPN, Open VPN or even pre-shared SSH keys for authentication of users.)&lt;br /&gt;&lt;br /&gt;We've recently added plug-in modules for supporting HTTP and HTTPS auditing, which also tracks all files which are up or downloaded from a remote Web server.  Our latest version of the software will include SSH session audit (which includes the possibility to play-back sessions in real-time), as well as X11 sessions.  The system does its work by protocol inspection of every packet -- extracting the audit-relevant information, associating it with a specific two-factor authenticated user, and writing it to a secure tamper-proof logging system, including packet payloads (such as SQL commands or SSH terminal sessions.)&lt;br /&gt;&lt;br /&gt;We're planning to offer the AGORA system as a Hardware Appliance for high-performance requirements -- but it's currently available as a software installation, or as a VMWare virtual appliance.  When installed on a VMWare server, the same functionality is available, but with slightly reduced performance possible (depending upon the hardware.)&lt;br /&gt;&lt;br /&gt;The system uses email and web interfaces to communicate with its users -- typically, for example, a support technician (such as a Database Administrator or DBA) will receive an email informing them of a trouble-ticket which has been opened against one of the many production databases they are responsible for.  An email will go to the support co-ordinator for the company, who will assign it to the next available technician with the appropriate access rights.  
Upon receipt of the email, the technician can then click on a Web link, which opens dynamically a port on the firewall (accessed through the VPN) which gives access to the relevant service.  This starts the audit session, and also keeps track of when activity occurs (which is very useful for SLA verification.)  &lt;br /&gt;&lt;br /&gt;Naturally, because the system is ticket-based it blocks access to resources for which no ticket is available -- and also includes the possibility to restrict access to specific time periods -- and will automatically close access when the ticket expires.&lt;br /&gt;&lt;br /&gt;In summary, this is a great tool for organizations that need to provide positive auditing of access to critical or sensitive internal resources by outside users (such as DBAs or developers), without requiring special logging to be enabled directly on every resource.  With the increasing requirements of Basel II, ISO27001 and Sarbanes-Oxley for compliance programs, such an audit appliance will become essential in every large enterprise.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5103882600415958947?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5103882600415958947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5103882600415958947' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5103882600415958947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5103882600415958947'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/agora-audit-compliance-appliance.html' title='AGORA 
Audit Compliance Appliance'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3311998939269814466</id><published>2007-11-23T18:19:00.000+01:00</published><updated>2007-11-23T20:44:13.655+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='drm whuffie torrent blogs micropayments'/><title type='text'>Digital Rights and the right to be paid</title><content type='html'>A &lt;a href="http://www.iht.com/articles/2007/11/20/opinion/edlanier.php"&gt;recent article&lt;/a&gt; in the International Herald Tribune by computer scientist and composer Jaron Lanier argues the case for a new model of compensating artists, writers and other creative types.  Despite an earlier advocacy for Internet piracy, he now admits he was wrong, and that the promise of the Web to increase opportunities for getting paid for creative output has not materialized.&lt;br /&gt;&lt;br /&gt;In my view, the situation is not as dire as he implies.  Yes, there are many writers who would like to earn a living from the Internet, but it's simply not going to happen, due to the huge numbers of "wannabes", and limits to the demand for paid content.  Aggregation services tend to function as filters for quality -- in much the same way as publishers trawl through piles of submitted manuscripts, looking for the hidden gem that might turn a profit -- but ultimately, the market will decide.  
&lt;br /&gt;&lt;br /&gt;Simple economics suggests that not every writer can be paid for their writing -- there are simply too many of them, and a huge influx of enthusiastic amateurs has made it even more difficult for good writers to have their voice heard.  Fortunately, I believe that the filtering mechanisms will adapt naturally as the ecosystem develops, as we already see many fine writers are featured on Blogs such as &lt;a href="http://www.boingboing.net"&gt;BoingBoing&lt;/a&gt;, &lt;a href="http://www.salon.net"&gt;Salon&lt;/a&gt;, &lt;a href="http://www.technorati.com/"&gt;Technorati&lt;/a&gt; and even &lt;a href="http://www.digg.com"&gt;Digg&lt;/a&gt; and &lt;a href="http://www.kuro5hin.org/"&gt;Kuro5hin&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Whether these writers make money is an interesting question, which cuts to the heart of Lanier's thesis -- that the advertising model (as supported by &lt;a href="http://adwords.google.com"&gt;Google's Adwords&lt;/a&gt;) is not enough to earn a decent living, and that some other &lt;a href="http://en.wikipedia.org/wiki/Micropayment/"&gt;micropayment&lt;/a&gt; model is required to solve the problem of the "free rider."  Technically, such systems exist, but tend to live behind "walled gardens" (such as AOL), or are burdened with restrictive Digital Rights Management (DRM), such as Amazon's popular new Kindle e-Book reader.&lt;br /&gt;&lt;br /&gt;For me, the more interesting issue is that the content providers -- or more specifically, the publishers -- haven't yet come to terms with the demands of its customers.  Currently, many of us watch TV which is laden with excessive advertising, that disrupts our enjoyment of great programs like "Dexter" and "Heroes."  Increasingly, however, there is a new generation of Internet-literate scofflaws who spurn the advertising, and prefer to trade (mostly illegally) in high-definition digital downloads of their favourite TV shows and movies.  
&lt;br /&gt;&lt;br /&gt;As this trend increases, advertisers will see a decline in their revenues, leading to attempts by studios to be more restrictive with DRM -- an effort which is doomed to fail, for good technical reasons.  Their only hope is to adapt their business model (as Apple's wildly-successful iTunes has shown can be done with music), so that consumers have more choice over what they download--and pay a fair price for content which is not locked down with DRM that restricts their options for viewing the shows they want to see.&lt;br /&gt;&lt;br /&gt;Ultimately, it may be that a reputation-based system may evolve (such as Cory Doctorow's "&lt;a href="http://en.wikipedia.org/wiki/Whuffie"&gt;Whuffie&lt;/a&gt;") -- but I'm not holding my breath.  History has shown that artists and writers need some support from the wealthy to create their best works--but that until we achieve a post-scarcity economy, there will always be a surplus of artists and writers (however talented) starving in a garret.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3311998939269814466?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3311998939269814466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3311998939269814466' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3311998939269814466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3311998939269814466'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/digital-rights-and-right-to-be-paid.html' title='Digital Rights and the right to be 
paid'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6996743433480774184</id><published>2007-11-23T17:12:00.000+01:00</published><updated>2007-11-23T18:59:35.592+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ps3 xbox xvid divx media'/><title type='text'>Media Center selection update</title><content type='html'>My latest thinking is that I will probably buy either a Sony PS3 or Microsoft XBOX 360 as a Media Center.  The real issue is going to be DIVX/XVID support.  There are rumours that both Sony and Microsoft have finally recognized that support for these codecs in their player firmware is important to some customers.  Sony has apparently added a patch in the latest firmware to support selection of this type of file -- but there is no firm date on when it will be able to play them, so I will wait until that turns up before making a decision.&lt;br /&gt;&lt;br /&gt;Also of some interest is whether NAS storage (e.g., SAMBA mount) could be used with either system.  
We'll see....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6996743433480774184?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6996743433480774184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6996743433480774184' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6996743433480774184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6996743433480774184'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/media-center-selection-update.html' title='Media Center selection update'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-7038015780323452727</id><published>2007-11-23T16:45:00.000+01:00</published><updated>2007-11-23T19:00:12.842+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='dance  music theater modern'/><title type='text'>Dance Review: The Beggar and the Bird</title><content type='html'>&lt;STYLE type="text/css"&gt;&lt;br /&gt;.image {&lt;br /&gt; border-style:outset;&lt;br /&gt; border-color: red;&lt;br /&gt; border-width:10px;&lt;br /&gt;      }&lt;br /&gt;&lt;/style&gt;&lt;h2&gt;Dances with Birds&lt;/h2&gt;&lt;h3&gt; A drama of self discovery in movement, pantomime and special 
effects.&lt;/h3&gt;&lt;br /&gt;It was a chilly Thursday night at the Odeon Theater in Vienna, as the lobby thrummed with anticipation. Nearly 250 people had turned up for the premiere of "The Beggar and the Bird," a Dance and Music performance created by New Zealand Choreographer, Amber Stephens. Together with musician Natalie Jean-Marain, and dancer Albert Kessler, Stephens has produced an original story that entwines soaring vocal improvisation with pyrotechnic displays of Modern Dance energy. &lt;br /&gt;&lt;br /&gt;&lt;div class="image"&gt;&lt;br /&gt;&lt;img src="http://www.beggarandbird.com/8Nov2007/DSC_0014a.jpg"  width="300" align="right"/&gt;Upon entering the grand portico of the Odeon Theater (formerly an agricultural trading exchange, complete with fluted marble pillars and elegant staircases), the audience found themselves viewing a broad stage, flanked on either side by two mysterious seated plaster figures – apparently the chrysalises from which some strange female figures had recently emerged.  A tall banner of newspaper clippings of an actress’ life hung at stage left, while a wheeled mirror waited in the wings.  A small group of musicians huddled silently at the rear, accompanied by an elegant singer, seated on a tall stool.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;From her first moments on stage, Stephens led us into the interior life and feelings of each character she played.  First on stage was the Diva, so upright in posture, silently miming her daily superficialities, while allowing us to glimpse the loneliness beneath the mask. Clad in a simple cocktail dress, she conveyed through gestures and facial expressions the reality of the unreflected life, diverting but shallow.  &lt;br /&gt;&lt;br /&gt;The story introduces a range of characters, in a transformative journey that leaves each affected by their interactions. The Diva is world-weary, a woman of ambition and power, capable of art, yet selfish and sometimes cruel. 
In an impressive display of on-stage metamorphosis, the Diva then changes into the Beggar. Initially restrained, the dancing becomes more frenetic, arms gyrating, with twirls, rhythmic breathing, dips and falls, as an insistent drumming begins to be heard.  &lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.beggarandbird.com/8Nov2007/DSC_0576a.jpg" width="300" align="right"/&gt;Events begin to take a darker turn, when the Beggar meets its Shadow – Albert Kessler – who leads the Beggar down paths of power and control, which culminate in obsession, and the total abjection of the Bird, cast down into an emotional well, from which only the newly-awakened compassion of the Beggar can rescue it. The Shadow mirrors the darker side of the Beggar, engaging in a physically demanding pas de deux of puppetry and power, with great leaps, rolls, martial jabs and lifts, as well as much floor work.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.beggarandbird.com/8Nov2007/DSC_0642a.jpg"  width="200" align="right"/&gt;Some loss of self seems to be a prerequisite for the classical journey of self-discovery, charting unknown territories of one's internal world, to discover its deeper meaning. This journey is not without missteps, as we learn when the Diva meets the Bird – played by Jean-Marain – whose wings materialize in subtle vocalizations and static poses, aided by a costume of silver and feathers.&lt;br /&gt;&lt;br /&gt;Like Kate Bush's Aerial, Jean-Marain invents a language of birds, with its “Kirikeeks” and “Kurruuuuu” cries, evoking the lilt of a forest-dwelling bird-of-paradise.  The Beggar dances to these songs – as Stephens dances patterns that mirror the soaring voice of Jean-Marain.   This interaction between Beggar and Bird is the core of the performance, as the Bird sings and the dancer reflects the songs in motion, a sound-driven marionette.  
Soon, however, the flow of influence is reversed, and the Beggar delights in exercising control over the Bird's song – with disastrous consequences for the Bird.&lt;br /&gt;&lt;br /&gt;At the climax, the Shadow is reintegrated, the Bird redeemed, and the Beggar arises, transformed – ready for the next stage of a journey reflecting the labyrinth of our own life changes. The stunning finale, sung with English lyrics by Jean-Marain, lifts the energy and leaves an impression of serenity and self-acceptance. &lt;br /&gt;&lt;br /&gt;Written and choreographed by Stephens, who remained throughout on stage, the work incorporates elements of modern dance, Brazilian capoeira, floor work, hip-hop, and allusions to classical ballet, all performed to a high technical standard. The music, performed live on guitar, piano and extensive percussion, hinted at Shamanic drumming, Arabic motifs and Spanish flamenco themes, emphasizing the different stages of the story, and deftly supporting the high-energy levels of the two dancers. The sparse staging included a curious mirror through which the dancer passed parts of her self, as if seeking to reflect on her actions.&lt;br /&gt;&lt;br /&gt;The mystery of the plaster bodies was only resolved at the end of the performance, when a large screen behind the musicians showed the process of applying plaster to the dancer, which hardened and then was shed as if emerging from a cocoon – an apt metaphor for the transformation which we had just witnessed. &lt;br /&gt;&lt;br /&gt;The performance had been a huge challenge, the creative team acknowledged later, with hundreds of hours of rehearsals, and the management of extensive details of costume design, staging, musical composition, choreographic research and improvisation.  In the end, the work seemed more than justified, and was well received by the audience.  
The team plans to take the show abroad, to Dance and Arts festivals around the world over the next few years, as well as producing variations of the story in other media, to retell the modern myth of the Beggar and the Bird in different forms.   &lt;br /&gt;&lt;br /&gt;Disclaimer: The writer contributed the Website design for this performance, but has no beneficial connection with the performers.&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;"The Beggar and the Bird" &lt;br /&gt;Odeon Theater&lt;br /&gt;Nov. 8, 2007&lt;br /&gt;Choreographer/Principal Dancer: Amber Stephens&lt;br /&gt;Music/Singer: Natalie Jean-Marain&lt;br /&gt;Dancer: Albert Kessler&lt;br /&gt;Website: &lt;a href="http://www.beggarandbird.com"&gt;www.beggarandbird.com&lt;/a&gt;&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-7038015780323452727?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/7038015780323452727/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=7038015780323452727' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7038015780323452727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7038015780323452727'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/dance-review-beggar-and-bird.html' title='Dance Review: The Beggar and the Bird'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8662141016617521047</id><published>2007-11-13T16:56:00.000+01:00</published><updated>2007-11-23T17:11:27.410+01:00</updated><title type='text'>First Impressions</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_10VKxm1G3fc/RznKIcky77I/AAAAAAAAAQM/azHNQqZPGaY/s1600-h/P8285222.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_10VKxm1G3fc/RznKIcky77I/AAAAAAAAAQM/azHNQqZPGaY/s320/P8285222.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5132355496823680946" align="right"/&gt;&lt;/a&gt;Just for fun, I thought I'd post another picture of myself onto this Blog.  Many people think they know me -- but some might be surprised by what they see in the picture.  &lt;br /&gt;&lt;br /&gt;The weapon in my right hand is a Czech-made copy of an AK47, with bipod rest.  In my left hand is a 9mm automatic pistol.  
The picture was taken in 2005, somewhere in Slovakia.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8662141016617521047?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8662141016617521047/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8662141016617521047' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8662141016617521047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8662141016617521047'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/first-impressions.html' title='First Impressions'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_10VKxm1G3fc/RznKIcky77I/AAAAAAAAAQM/azHNQqZPGaY/s72-c/P8285222.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6159409652434189917</id><published>2007-11-07T11:48:00.000+01:00</published><updated>2007-11-07T12:17:08.320+01:00</updated><title type='text'>Return on Security Investment (ROSI)</title><content type='html'>Earlier this year, I prepared a &lt;a href="http://www.lanifex.com/whitepapers/RiskManagementOverview.pdf"&gt;presentation for a Security Conference&lt;/a&gt;, which includes a concept which I 
think other readers might find interesting.  It's the "Return on Security Investment."  Basically, the idea is to perform a Risk Assessment, and to calculate the probabilities of occurrence of various scenarios which can cause losses or other damage.  &lt;br /&gt;&lt;br /&gt;Next, you determine the most appropriate controls to mitigate or eliminate those risks, and determine their costs.  For example, if you know that there is a 2% chance that the annual Spring rains will bring major floods, and you have a house near a river, you might expect that repairs of the damage caused by flooding could cost you 100,000 of your local currency.  You consider various options for protecting your house, e.g., installing flood defenses, diverting the river, putting in basement pumps, etc.  &lt;br /&gt;&lt;br /&gt;Given that a 2% chance annual event is likely to occur at least once in 50 years,  we can then analyse whether investing in counter-measures -- i.e., security controls -- is going to cost us more than the event itself.  Assuming we normalize the monetary unit per time value of money (Net Present Value), a single loss event cost of 100,000 means an average cost per year of 2,000 (recall we expect this event at least once every 50 years.)   So, if the capital and operational (CAPEX/OPEX) costs of the controls are more than 2,000 currency units, then it's probably not a good investment for us.&lt;br /&gt;&lt;br /&gt;In which case, our next step would be to try to transfer the risk -- i.e., by finding an insurer who would sell us 100,000 worth of flood insurance coverage for say 1,800 units per year -- which would be a good financial decision, based on Return on Security Investment (ROSI.)  
Of course, our insurer would be likely to be using a similar basis of calculation -- but they have advantages of scale and usually superior sources of information on risk, and therefore may well offer a better price.&lt;br /&gt;&lt;br /&gt;In the final analysis, the worst thing we can do -- is to do nothing, and hope for the best.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6159409652434189917?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6159409652434189917/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6159409652434189917' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6159409652434189917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6159409652434189917'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/return-on-security-investment-rosi.html' title='Return on Security Investment (ROSI)'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6908923937380514327</id><published>2007-11-06T15:12:00.000+01:00</published><updated>2007-11-06T17:27:04.060+01:00</updated><title type='text'>Media Center Extenders</title><content type='html'>At home, I've been running a Pinnacle ShowCenter 200 (older model), which 
has been fine for the past year or so -- until last week, it suddenly stopped displaying any of the text in the menus.  This was really weird -- the system would boot just fine, showing the logo, and the ShowCenter logo in the upper right corner -- but the names of TV shows would not appear at all.  &lt;br /&gt;&lt;br /&gt;At first I suspected this was due to a recent upgrade of the Linux-based back end -- I'm using the Linux MTPCenter, which has done a great job running with Lampp on my Ubuntu system.  I recently upgraded to MTPCenter 2.0, and thought this might be the issue -- but I saw the menus from the later version for a few days, and downgrading still failed to show the menu items.&lt;br /&gt;&lt;br /&gt;A related glitch is that the fast forward capability used to show the percentage -- but this does not display (although it works just fine.)  The strange thing is, I can navigate through the menus by sound, and by looking at the MTPCenter through a standard Web browser -- and the programs stream just fine.  My guess is the character generator for the fonts might be broken -- I've tried everything with the ShowCenter that I can think of, and also tried hacking on the CSS in the MTPCenter to change font displays and background, but with no results.&lt;br /&gt;&lt;br /&gt;Anyway, I decided to replace the Pinnacle with something with more capabilities.  
My ideal Media Center should be able to do the following:&lt;br /&gt;&lt;br /&gt;1) Stream MP2 Video, MP3s, DivX and XVID&lt;br /&gt;2) Stream from Internet Radio (e.g., ww.sky.fm.)&lt;br /&gt;3) View pictures from network storage&lt;br /&gt;4) Work with Linux&lt;br /&gt;5) NOT require a Windows box anywhere&lt;br /&gt;6) Use a remote&lt;br /&gt;7) Output to HDMI or at least component with up to 1080p to my HD TV&lt;br /&gt;8) Handle AC3 audio, and at least Dolby 5.1&lt;br /&gt;9) Handle MKV wrappers&lt;br /&gt;10) Maybe in future play either from Blu-ray or HD DVD.&lt;br /&gt;11) Noiseless low temperature operation&lt;br /&gt;12) I don't want to spend more than 250 Euros, or "roll my own."&lt;br /&gt;13) I don't want DVR or recording functionality&lt;br /&gt;&lt;br /&gt;So, I started looking around for some options.&lt;br /&gt;&lt;br /&gt;I first got interested in the &lt;a href="http://www.xboxmediacenter.com/"&gt;XBMC&lt;/a&gt; Open Source application, which looks really cool.  It does most of what I need, but only seems to work on the original Xbox (and not the Xbox 360 or Elite), which means that I won't be able to use HDMI output, or even plug in an HD DVD in future.&lt;br /&gt;&lt;br /&gt;I considered the Sony PS3, but am not clear on &lt;a href="http://happybeggar.com/index.php?option=com_content&amp;task=view&amp;id=56&amp;Itemid=2"&gt;whether&lt;/a&gt; or &lt;a href="http://ps3.qj.net/index.php?pg=49&amp;aid=93399"&gt;not&lt;/a&gt; it can play DivX or XVID.  My guess is it's probably a "no" -- and I don't really like Sony as a brand, although getting the Blu-ray drive is tempting.&lt;br /&gt;&lt;br /&gt;I also considered the AppleTV, or even a small Apple box, but the former lacks the decoders I want, while the latter is too expensive -- and both lack HDMI (although realistically speaking, DVI output would probably suffice.)&lt;br /&gt;&lt;br /&gt;So there are still some more options.&lt;br /&gt;&lt;br /&gt;First up is the Xbox 360 with optional HD DVD.  
A little expensive, but there is the benefit of getting access to games like HALO -- but who has time for games these days? -- I barely have enough time to watch Heroes or Prison Break!   I don't like supporting Microsoft anyway, although I could *console* myself (nasty pun that) with the thought that each Xbox sold is a loss for M$.  I also don't like the way that the XBox 360 enforces code signing and other nasty DRM stuff, and am not aware of a simple "mod" for the 360 which won't invalidate the warranty.  So that's out.&lt;br /&gt;&lt;br /&gt;Next option is a Mac Mini.  I bought one of these for my father, and he seems to use it, but not for TV.  The output is DVI I think, but no HDMI -- although probably good enough.  While I like Apple boxes (we already have three at home), I can't really justify spending the 600 Euros it costs here in Austria for the smallest model.  So that's off the list for now, at least until I win the lottery (which isn't going to happen, since I don't buy tickets!)&lt;br /&gt;&lt;br /&gt;I don't really want a box with a built-in hard drive, since I have enough disk space on other machines.  I'm using my Ubuntu Box as my TV and media file server, running SAMBA and Azureus, and therefore simply want a box which streams over the LAN, without using Microsoft software anywhere if I can avoid it.  &lt;br /&gt;&lt;br /&gt;Looking around I found the &lt;a href="http://www.engadget.com/2007/09/27/linksys-dma2100-dma2200-media-center-extenders-get-priced/"&gt;Linksys DMA2100&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Also interesting is this &lt;a href="http://www.amazon.de/D-Link®-DSM-330-Connected-Media-Player/dp/tech-data/B000X4F7RO/ref=de_a_smtd/028-9021537-1941312?ie=UTF8&amp;qid=1193066246&amp;sr=8-1"&gt;D-Link&lt;/a&gt; box, which is only 180 Euros -- but I'm not sure if it also has a wired LAN, as well as wireless.  Well, it will come out at the end of November, so we'll see.  
There also seems to be a US version, with different specs: the &lt;a href="http://www.dlink.com/products/?pid=547"&gt;Dlink DSM-750&lt;/a&gt;, which looks nice, although more expensive, and I don't know if it will be available in Europe.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6908923937380514327?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6908923937380514327/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6908923937380514327' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6908923937380514327'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6908923937380514327'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/media-center-extenders.html' title='Media Center Extenders'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-5868406796520554851</id><published>2007-11-02T16:25:00.000+01:00</published><updated>2007-11-02T16:28:44.239+01:00</updated><title type='text'>Time Machine on older PowerBooks</title><content type='html'>A trap for young players (yes, me!) 
with implementing Time Machine on older Powerbook machines.&lt;br /&gt;&lt;br /&gt;Leopard will install and run just fine -- and you can plug an external drive into the USB port, and backups will work -- but it's totally impractical, because certain older Powerbook models have only USB 1.1, rather than USB 2.0 -- which means it's very, very slow.&lt;br /&gt;&lt;br /&gt;My recommendation -- if you have an old Powerbook, then try to get an external drive that uses Firewire rather than USB.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-5868406796520554851?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/5868406796520554851/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=5868406796520554851' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5868406796520554851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/5868406796520554851'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/time-machine-on-older-powerbooks.html' title='Time Machine on older PowerBooks'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3887588744977971760</id><published>2007-11-01T21:47:00.000+01:00</published><updated>2007-11-01T22:09:05.851+01:00</updated><title type='text'>Using Apple's Time Machine</title><content type='html'>I've been using OS X 10.5 (Leopard) for a few days, and felt I'd share some of my findings, mainly with regard to Time Machine.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I purchased a family pack, and have upgraded four Macs successfully so far.   In my view, Time Machine is a great idea, and worth the price of admission alone, especially for those who haven't done backups before.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Personally, I use &lt;a href="http://www.mozy.com/"&gt;Mozy&lt;/a&gt; for my basic backup needs, but like the possibility of additional layers of backup which Time Machine provides.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So, there are a couple of things I discovered:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;1. It is possible to trigger Time Machine manually.  Simply hold down the "ctrl" key, then click the Time Machine icon in the dock -- a menu will pop up, which contains the item "Back Up Now".   This is documented in the online help.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;2. Time Machine will not activate itself (apparently) when running on a MacBook Pro, if running on battery power.  It will wait until mains power is connected, and then schedule itself.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;3. Time Machine doesn't handle encrypted files well.  Specifically, it won't back up individual files stored in an encrypted file system -- instead, it will back up the entire file system.  
This is not too surprising, considering that backing up the unencrypted files would be a security risk.  I guess Apple will be working on some workaround for this, but I don't see an easy fix, due to the key management issues.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;4. Time Machine apparently does not use encryption, or even compression, for files stored on the backup device.  This is a deficiency in my view which should be corrected in the future, or by third-party add-ons.  Naturally this is a user issue -- because the typical user would be unable to deal with the key management issues.  I think Mozy has a reasonable approach in this regard, but it's up to each person to decide how to manage encryption keys.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;5. The caveat regarding encrypted file systems also applies to virtual machines, which I believe are treated as a monolithic whole -- it's not easy to imagine how this can be otherwise, especially if the virtual machines (I use Parallels, but it also applies to VMware) are not running.  Maybe VM vendors will expose their file systems to the fsevents mechanism which harvests file changes in future, and allow Time Machine to selectively back up only changes in the guest operating systems -- after all, FAT32, NTFS and ext3 formats are well-known.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;6. It seems the 5160 build of Parallels has an issue with running VMs which are restored from Time Machine.  
I was able to cause my OS X to kernel panic when trying to run a WinXP which I restored.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-3887588744977971760?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3887588744977971760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3887588744977971760' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3887588744977971760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3887588744977971760'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/11/using-apples-time-machine.html' title='Using Apple&apos;s Time Machine'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6591708064942507066</id><published>2007-10-24T16:20:00.000+02:00</published><updated>2007-10-24T16:23:30.677+02:00</updated><title type='text'>Helping startups get started</title><content type='html'>I decided on a new project for 2008 -- helping Internet startups to get started.&lt;br /&gt;&lt;br /&gt;I've prepared a &lt;a href="http://www.gillingwater.org/myStartUp.at"&gt;paper&lt;/a&gt; about this on my 
static web site: &lt;a href="http://www.gillingwater.org"&gt;http://www.gillingwater.org/&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Here's my pitch:&lt;br /&gt;&lt;br /&gt;I'm a high-tech entrepreneur and University lecturer, living some 15 years in Vienna, with the experience you need.  I have a business license, a well-used MBA, and several years as a “Geschaeftsfuehrer” in Austria.   I have taught and mentored many young business men and women over the years, and continue to enjoy teaching and sharing ideas.&lt;br /&gt;&lt;br /&gt;I have started three high-tech companies – computer manufacture (1982), Internet Service Provider (1990) and IT security consulting (2001).  Two of them are still operating, but no longer need my full attention – so I have time to work on new projects starting in 2008.&lt;br /&gt;&lt;br /&gt;I can advise you and your team on business strategy, help draft business plans and budgets, design your infrastructure, review your marketing campaign and solve your technical or people issues. &lt;br /&gt;&lt;br /&gt;I can guide you through the legal and taxation issues within Austria and the CEE markets, or can explain the finer points of TCP sliding window side effects within tunnelled protocols – and many questions in between, too.&lt;br /&gt;&lt;br /&gt;I'm not expensive up front – I'm willing to work for equity plus operating expenses in your company, but don't plan to be your primary investor – I'll leave that to the V.C. specialists and private equity funds.   I'll also be happy to sit on your Board of Directors, and take the lead in presentations to customers or potential investors, if you wish. &lt;br /&gt;&lt;br /&gt;My primary goal will be to make your ideas succeed, and articulate your vision in a cost-effective and realistic approach to the market – while insulating you from the dull details of setting up a business in Austria (or Slovakia if you prefer.)   
I can hook you up with specialist Legal and Taxation advice, and also assist with customer acquisition (on a “commission” basis.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6591708064942507066?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6591708064942507066/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6591708064942507066' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6591708064942507066'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6591708064942507066'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/10/helping-startups-get-started.html' title='Helping startups get started'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-6287954947991514873</id><published>2007-10-14T17:52:00.000+02:00</published><updated>2007-10-14T17:55:53.780+02:00</updated><title type='text'>Dance performance by Amber Stephens</title><content type='html'>A fellow kiwi living here in Vienna is a choreographer and dancer, who is premiering a major new production next month.  
Titled "The Beggar and the Bird", it will be performed on 8 November 2007, at the Odeon Theater in Taborstrasse, Vienna, Austria.&lt;br /&gt;&lt;br /&gt;For more details, check out the web site:  &lt;a href="http://www.beggarandbird.com"&gt;http://www.beggarandbird.com&lt;/a&gt;.  Should be worth a look.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-6287954947991514873?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/6287954947991514873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=6287954947991514873' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6287954947991514873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/6287954947991514873'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/10/dance-performance-by-amber-stephens.html' title='Dance performance by Amber Stephens'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-8456658531433455810</id><published>2007-03-07T10:52:00.000+01:00</published><updated>2007-03-07T17:49:08.359+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nokia n800 ubuntu osx'/><title type='text'>Developing with the Nokia N800</title><content type='html'>I decided to 
begin some simple development with the Nokia N800.  Nothing particularly original -- just an attempt to port a few useful programs onto the platform, so I decided to blog the progress (and problems) I encounter along the way, in case anyone else wants to give it a go.  Feel free to learn from my mistakes!&lt;br /&gt;&lt;br /&gt;The first challenge I encountered is that the development environment for &lt;a href="http://www.maemo.org/"&gt;Maemo.org&lt;/a&gt; requires Linux, but I'm running OSX on a MacBookPro.  No problem really -- I also run Parallels, so I have created a new virtual machine, in which I am installing Ubuntu 6.06.&lt;br /&gt;It may be possible to port the development tools to the underlying FreeBSD on which OSX is based, but I don't want to bite off more than I can chew at present, and I have more development experience with Linux than OSX anyway.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;First step: start Parallels, then use "File|New" from the menu to create a new virtual machine.  I selected "Typical", OS Type "Linux" and OS Version "Debian Linux," which I expect should work fine for Ubuntu.   I accepted the defaults of 256 MB of RAM, and 32 GB of disk, which I can always increase later if necessary.&lt;/li&gt;&lt;li&gt;Next step is to insert the &lt;a href="http://www.ubuntu.net/"&gt;Ubuntu&lt;/a&gt; 6.06 CD-ROM, which is bootable as a Live CD.   After starting, it goes into a desktop, with an icon saying "Install."   I double-click this, and go through a standard install sequence, for which I take all the sensible defaults.   This takes about 30 minutes, to copy all the files from the CD-ROM with the emulation running in the background.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;After rebooting the Ubuntu VM (with the CD-ROM ejected), I then start an online Ubuntu upgrade, to ensure a clean environment.  
I may have to add some of the GNU tool chain, which probably doesn't come standard with Ubuntu.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Next, I take a look at some of the prerequisites.   I know that the Nokia N800 uses Maemo, so I visited there to find that I should use the latest release, known as &lt;a href="http://maemo.org/downloads/releases.html#maemo30"&gt;Bora&lt;/a&gt;.   This in turn points me to &lt;a href="http://www.scratchbox.org/download/scratchbox-apophis/"&gt;Scratchbox Apophis&lt;/a&gt;, which seems to be a cross-compilation toolkit.  The Scratchbox &lt;a href="http://www.scratchbox.org/documentation/user/scratchbox-1.0/html/installdoc.html#AEN132"&gt;installation instructions&lt;/a&gt; tell me that I need root access, particularly if I want to set up the Debian repository for apt-get.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;On my Ubuntu system, I edit the file /etc/apt/sources.list, and add the line&lt;br /&gt;&lt;pre class="programlisting"&gt;&lt;b class="command"&gt;deb http://scratchbox.org/debian ./&lt;/b&gt;&lt;/pre&gt;Personally, I use vi (being very much old-school UNIX).  Don't forget to "sudo su -" first to get root access.  Then I run "apt-get update", to update my repository list.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;After the update, from the command line I can begin to install the packages, using this command:&lt;br /&gt;&lt;pre class="programlisting"&gt;&lt;b class="command"&gt;# apt-get install scratchbox-core scratchbox-libs&lt;/b&gt;&lt;/pre&gt; This is around 215 MB of disk space.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Belatedly, I read the instructions for installation of Maemo's Bora, and found the recommendation to use the installer script.  
Naturally, this doesn't tolerate an existing install, so I had to remove the one I just installed.&lt;br /&gt;&lt;pre class="programlisting"&gt;&lt;b class="command"&gt;# apt-get remove scratchbox-core scratchbox-libs&lt;/b&gt;&lt;/pre&gt;&lt;/li&gt;&lt;li&gt;Next, I download the correct installation script, e.g.:&lt;br /&gt;&lt;pre class="programlisting"&gt;&lt;b class="command"&gt;$ wget &lt;/b&gt;http://repository.maemo.org/stable/bora/maemo-scratchbox-install_3.0.sh&lt;br /&gt;# sh ./maemo-scratchbox-install_3.0.sh -d&lt;/pre&gt;&lt;/li&gt;&lt;li&gt;The script does a number of checks, then downloads and installs the necessary packages, including scratchbox.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;First problem found: the install script is expecting a utility called "GNU ar" (an archiver), which is missing in the default Ubuntu install.  Therefore, I interrupted the installation script, and installed the "binutils" package to satisfy this dependency:&lt;pre class="programlisting"&gt;# apt-get install binutils&lt;/pre&gt;&lt;/li&gt;&lt;li&gt;After the script downloads all the files it needs, it runs an installation script, and terminates.&lt;/li&gt;&lt;li&gt;The next step is to create a scratchbox user with the command "/scratchbox/sbin/sbox_adduser paul yes", then log in with the command "/scratchbox/login".  This means exiting from the "sudo su -" with Control-D.  The script recommends logging out then back in again as your regular user, but I just used the command "newgrp sbox", and permissions were correct.&lt;/li&gt;&lt;li&gt;Now we get to the installation of the Maemo Bora, which can be done by downloading and running this script:&lt;br /&gt;&lt;pre&gt;$ wget http://repository.maemo.org/stable/bora/maemo-sdk-install_3.0.sh&lt;br /&gt;$ sh ./maemo-sdk-install_3.0.sh&lt;br /&gt;&lt;/pre&gt;&lt;/li&gt;&lt;li&gt;Now I have the next problem.  
The SDK seemed to install just fine, but we have an issue with the installation of the Nokia components.  Apparently, this needs to be done for two different environments: the X86 and the ARMEL.  By default, the SDK seems to begin in the X86 environment, e.g.:&lt;br /&gt;&lt;pre&gt;[sbox-SDK_X86: ~] &gt; fakeroot apt-get install maemo-explicit&lt;/pre&gt;The above command runs just fine.  The problem I had was when I tried to switch to the ARMEL environment.  I did this with the command "sb-menu", then chose SELECT to activate the target "SDK_ARMEL".  Fine so far, but when I try the command:&lt;br /&gt;&lt;pre&gt;[sbox-SDK_ARMEL ~] &gt; fakeroot apt-get install maemo-explicit&lt;/pre&gt;&lt;/li&gt;&lt;li&gt;This is the error message:&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;SBOX_CPUTRANSPARENCY_METHOD not set&lt;/span&gt;&lt;br /&gt;I am guessing I messed up the sb-menu, by accidentally going into the SETUP menu.  There seems to be a setting there for CPU_TRANSPARENCY, but it's not clear how to fix it.  I experimented for a bit by using the sb-menu to reset targets, but realized I have no idea what I'm doing (which is very typical for me, being a "bear of very little brain.")  Therefore, I was pleased when I exited from the scratchbox, and ran the installer again with the -y option to reset the existing targets, which seemed to do the trick.  It downloads the rootstraps again, but it's only time and bandwidth.&lt;/li&gt;&lt;li&gt;Again, I logged in to the scratchbox, then selected each target, and ran the install for maemo-explicit, as well as the update.  This seemed to run just fine, for both targets.&lt;/li&gt;&lt;li&gt;Step 4 of the installation process talks about Xephyr.  This needs to be installed outside of the development scratchbox, on the host system.  
Unfortunately, I am running a stable version of Ubuntu, and the command proposed: "apt-get install xserver-xephyr" simply doesn't work, presumably because it's part of the unstable distribution of Debian.&lt;/li&gt;&lt;li&gt;To correct this problem, I had to edit /etc/apt/sources.list, and uncomment the "universe" repositories, run "apt-get update", then was able to run the above command successfully to install Xephyr.&lt;/li&gt;&lt;li&gt;To test Xephyr, I used the command line which starts up the X Windows display, naturally in the correct size for the Nokia N800:&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Xephyr :2 -host-cursor -screen 800x480x16 -dpi -ac &amp;amp;&lt;br /&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="font-family:arial;"&gt;&lt;span style="font-family:times new roman;"&gt;Now everything should be working as expected, so to test this I logged into the scratchbox, set my terminal environment, and ran the test environment:&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;pre&gt;$ /scratchbox/login&lt;br /&gt;[sbox-SDK_X86:~] &gt; export DISPLAY=:2&lt;br /&gt;[sbox-SDK_X86:~] &gt; af-sb-init.sh start&lt;br /&gt;&lt;/pre&gt;&lt;/li&gt;&lt;/ol&gt;&lt;pre&gt;&lt;span style="font-size:100%;"&gt;And here is the result:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_10VKxm1G3fc/Re7sqWZGkEI/AAAAAAAAAA8/Bg02DIiqa6c/s1600-h/Screenshot.png"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_10VKxm1G3fc/Re7sqWZGkEI/AAAAAAAAAA8/Bg02DIiqa6c/s320/Screenshot.png" alt="" id="BLOGGER_PHOTO_ID_5039225245383692354" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-8456658531433455810?l=security-risk.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/8456658531433455810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=8456658531433455810' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8456658531433455810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/8456658531433455810'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/03/developing-with-nokia-n800.html' title='Developing with the Nokia N800'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_10VKxm1G3fc/Re7sqWZGkEI/AAAAAAAAAA8/Bg02DIiqa6c/s72-c/Screenshot.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-824939810619616198</id><published>2007-03-05T20:32:00.000+01:00</published><updated>2007-03-05T21:02:07.075+01:00</updated><title type='text'>Nokia N800 First Impressions</title><content type='html'>I was pleased to receive delivery of the new Nokia N800 Internet tablet on Friday, just before the weekend.  
It's a sweet device, smaller than I expected, but with some great functionality.&lt;br /&gt;&lt;br /&gt;I won't add to the many reviews for it, but rather will focus on the items which I think are missing, and suggestions for improvement.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;OpenVPN -- this client would be helpful for securing connections over WLAN, since WEP and WPA aren't really secure enough&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Bluetooth for headsets&lt;/li&gt;&lt;li&gt;USB improvements -- when I connect the N800 to the Mac, it doesn't allow browsing of all folders -- it just shows the plug-in media&lt;/li&gt;&lt;li&gt;Definitely some sort of calendar/appointments/contacts database, with online synchronization with Gmail&lt;/li&gt;&lt;li&gt;A Samba client would be excellent, especially for streaming music from SMB shares&lt;/li&gt;&lt;li&gt;Some form of UPnP synchronization with music streaming servers on the local LAN would be nice&lt;/li&gt;&lt;li&gt;an app for taking still images or movies&lt;/li&gt;&lt;li&gt;the media player definitely needs plugins for codecs.  It can't handle the latest MPEG video format used by my Sony camera (although the videos play fine with VLC and Quicktime)&lt;/li&gt;&lt;li&gt;the USB device seems to function as a server -- but I wonder if you can add external storage?&lt;/li&gt;&lt;li&gt;Connecting from a Macbook with Bluetooth works, but the N800 doesn't seem to have any useful services, to allow browsing or sending files, unlike other Nokia devices such as the N73&lt;/li&gt;&lt;li&gt;I'd love to see the N800 able to share an Internet connection (Ethernet) with the Macbook, via WLAN or Bluetooth.  
It seems to manage this with the Nokia N73 -- this should work, I think, if the Macbook can provide an IP address and routing/NAT, so I suspect this is do-able.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-824939810619616198?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/824939810619616198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=824939810619616198' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/824939810619616198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/824939810619616198'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/03/nokia-n800-first-impressions.html' title='Nokia N800 First Impressions'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-7840685286371744683</id><published>2007-02-01T15:58:00.000+01:00</published><updated>2007-02-01T17:21:46.430+01:00</updated><title type='text'>A walk in the park</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_10VKxm1G3fc/RcIBdeGnQwI/AAAAAAAAAAM/CXejRJqf3Fc/s1600-h/15112006017.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; 
cursor: pointer;" src="http://bp0.blogger.com/_10VKxm1G3fc/RcIBdeGnQwI/AAAAAAAAAAM/CXejRJqf3Fc/s320/15112006017.jpg" alt="" id="BLOGGER_PHOTO_ID_5026581739907531522" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;One of the advantages of working for a company with enlightened policies is that it is "dog friendly."  At least three of the staff have taken advantage of this, occasionally bringing their dogs to the office, and I tend to do this most often.  In fact, the dogs are more often in the office than not, as they enjoy meeting people, and going for walks.  My two dogs are of the Border Terrier breed, which is a hardy yet affectionate variety of pedigree, with the character of a mutt.  They've been with us for eight years now, and act as unofficial "morale officers", greeting everyone who comes to the door, and snorking any spare items of tasty food which might accidentally fall to the ground.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_10VKxm1G3fc/RcIDBCQmfGI/AAAAAAAAAAY/rVlVVds5jS0/s1600-h/01022007045.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_10VKxm1G3fc/RcIDBCQmfGI/AAAAAAAAAAY/rVlVVds5jS0/s320/01022007045.jpg" alt="" id="BLOGGER_PHOTO_ID_5026583450420149346" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Today in Vienna is a chilly 8° Celsius, with strong winds but occasional sunshine -- ideal for a walk in the nearby &lt;a href="http://en.wikipedia.org/wiki/Prater"&gt;Prater&lt;/a&gt;, one of Vienna's largest parks.  It's a beautiful scene, stark and sere, with a few forlorn leaves waltzing past in the winter sunshine.  
Yes, that really is my clumsy thumb visible in the lower left corner of the image -- it's not easy to make a clean picture with two dogs straining at the leash.&lt;br /&gt;&lt;br /&gt;The Prater is famous for the giant Ferris Wheel, or &lt;a href="http://en.wikipedia.org/wiki/Riesenrad"&gt;"Riesenrad"&lt;/a&gt;, which featured in the Orson Welles classic movie, "The Third Man."  It can just be glimpsed through the trees above, in an aspect which reduces its apparent "wheelness."&lt;br /&gt;&lt;br /&gt;The main road leading into the Prater is the "Hauptallee", which is lined with Horse Chestnut trees, now denuded of leaves.  Each tree is sleeping for the winter, its photosynthesis enzymes largely inhibited by the cold. &lt;br /&gt;&lt;h3&gt;Evolution and photosynthesis&lt;/h3&gt;&lt;br /&gt;A simple question occurs -- why do leaves fall (from deciduous trees?)  What evolutionary advantage is conferred by this loss?  One answer might be that the leaves could cause snow to accumulate more heavily in the branches, leading to breakages and subsequent diminution of the tree's ability to photosynthesize in spring.  Or perhaps the leaves represent a potential energy loss, due to the temporary breakdown of photosynthesis, and therefore this burden is reduced, because otherwise the task of maintaining circulation to all of the leaves (I'm assuming sap is circulating along with water to keep the leaves moist) could eat into the tree's stored glucose energy reserves.  As an illustrative example, evergreen trees have a different leaf structure, which doesn't support snow accumulation in the way that a broad, flat leaf from a deciduous tree might.  Evolutionary biology is fun, especially when you have no idea about what it all means....&lt;br /&gt;&lt;br /&gt;Walking in the park is a great time for thinking, and reflecting on strategies and choices I face, in business and personal life.  
I find that maintaining a connection with the natural world of trees and parks (however nebulous) is helpful as a grounding process, to ensure that my decisions are optimal (as far as I can tell.)  A brisk walk certainly helps with the oxygenation of the brain, although dogs are less interested in the speed of a walk, focusing more on the stops along the way, and the accompanying smells and opportunities to mark territory.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-7840685286371744683?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/7840685286371744683/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=7840685286371744683' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7840685286371744683'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/7840685286371744683'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/02/walk-in-park.html' title='A walk in the park'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_10VKxm1G3fc/RcIBdeGnQwI/AAAAAAAAAAM/CXejRJqf3Fc/s72-c/15112006017.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-2651994413503211311</id><published>2007-02-01T11:29:00.000+01:00</published><updated>2007-02-01T13:13:26.298+01:00</updated><title type='text'>Grumpiness and Insecurity</title><content type='html'>I'm a little grumpy this morning, after pulling a muscle during weight training before breakfast.  Then I found my company car park was occupied, which means regular trips to refresh the paid parking on the street.  So I'm in the mood to tackle a topic which may raise a few hackles.&lt;br /&gt;&lt;br /&gt;In recent months, I've been reading and thinking on the topic of atheism.  First, I've been reading &lt;a href="http://en.wikipedia.org/wiki/Richard_Dawkins"&gt;Richard Dawkins'&lt;/a&gt; excellent book, &lt;a href="http://en.wikipedia.org/wiki/The_God_Delusion"&gt;"The God Delusion."&lt;/a&gt;  I really enjoy the writer's style, and find his arguments cogent, logical and well-founded in reality.&lt;br /&gt;&lt;br /&gt;Digg presented a link to the &lt;a href="http://abcnews.go.com/Nightline/print?id=2833103"&gt;Rational Response Squad&lt;/a&gt;, a young group of militant atheists who are challenging other atheists to "come out" on YouTube by blaspheming their religion of choice.  While I understand their motivation, I'm not sure that it's the most productive approach, although it will certainly increase their media exposure -- which is why I guess they're not using their real names.  I was brought up in a nominally Christian culture, and have attended a variety of churches on many occasions, but I don't feel it's necessary to denigrate others' choice of belief.&lt;br /&gt;&lt;br /&gt;An obscure New Zealand theologian, &lt;a href="http://en.wikipedia.org/wiki/Lloyd_Geering"&gt;Lloyd Geering&lt;/a&gt;, became well known for being tried for heresy by the Presbyterian Church.  
He rejects supernatural explanations of the divinity of the historical character of Jesus, yet remains a church minister and nominal Christian, while being as close to atheism as most Christian churches will tolerate (although this does seem to be an increasing trend among the thinking Church-goer.)  His autobiography, "Wrestling with God", is worth a look as the life story of an interesting and thoughtful thinker.&lt;br /&gt;&lt;br /&gt;Dawkins has provided a useful scale of unbelief:&lt;br /&gt;&lt;br /&gt;1. Strong theist. 100 per cent probability of God. In the words of C. G. Jung, 'I do not believe, I know.'&lt;br /&gt;2. Very high probability but short of 100 per cent. De facto theist. 'I cannot know for certain, but I strongly believe in God and live my life on the assumption that he is there.'&lt;br /&gt;3. Higher than 50 per cent but not very high. Technically agnostic but leaning towards theism. 'I am very uncertain, but I am inclined to believe in God.'&lt;br /&gt;4. Exactly 50 per cent. Completely impartial agnostic. 'God's existence and non-existence are exactly equiprobable.'&lt;br /&gt;5. Lower than 50 per cent but not very low. Technically agnostic but leaning towards atheism. 'I don't know whether God exists but I'm inclined to be sceptical.'&lt;br /&gt;6. Very low probability, but short of zero. De facto atheist. 'I cannot know for certain but I think God is very improbable, and I live my life on the assumption that he is not there.'&lt;br /&gt;7. Strong atheist. 'I know there is no God, with the same conviction as Jung "knows" there is one.'&lt;br /&gt;&lt;br /&gt;I'm probably around a 6 on the scale, but may change as I near death (despite recognizing the flaws inherent in Pascal's Wager.  
:0)&lt;br /&gt;&lt;br /&gt;If I were to apply a label, I guess I might call myself a &lt;a href="http://the-brights.net/"&gt;Bright.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;My own tendency is towards a more Buddhist philosophy, which interestingly has much in common with modern atheism, rejecting supernatural explanations for phenomena, and denying the existence of "miracles."  While some Buddhists may worship the Buddha as a divine being, I believe most of us view him as an enlightened man, who left behind a very effective and powerful philosophy.  I certainly equate the traditional view of a Sky-Father (Odin perhaps?) with more recent innovations such as the Flying Spaghetti Monster, who seems to have just as much evidence of existence.&lt;br /&gt;&lt;br /&gt;Faith is the keyword most often used by religious apologists, in order to justify their irrational thinking, and of course Dawkins sees this as a species of disorder -- a "faith sufferer" being one who has been infected by a powerful virus of the mind, a "meme."  However, I feel that faith is a word that we should not allow to be wholly appropriated by the Christian, Muslim, Hindu or Jew -- as I have faith in the evolutionary capacity of humanity to adapt to even the difficult conditions which our overuse of natural resources has caused.  I particularly admire Dawkins' spirited advocacy of the &lt;a href="http://en.wikipedia.org/wiki/Great_Ape_Project"&gt;Great Ape Project&lt;/a&gt;, which proposes a type of United Nations Rights Charter for higher animals, such as gorillas and orang-utans.  
As a vegetarian since 1978, I share many of the views of the Project's founder &lt;a href="http://en.wikipedia.org/wiki/Peter_Singer"&gt;Peter Singer&lt;/a&gt;, who propounds an ethical yet humanist view of the world which seems very Buddhist to me -- the idea that we can have compassion for all living creatures.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1718000810032047505-2651994413503211311?l=security-risk.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/2651994413503211311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=2651994413503211311' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2651994413503211311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/2651994413503211311'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/02/grumpiness-and-insecurity.html' title='Grumpiness and Insecurity'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1718000810032047505.post-3014842333188382032</id><published>2007-01-31T14:30:00.000+01:00</published><updated>2007-01-31T21:05:18.156+01:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='beginnings'/><title type='text'>Birth of a Blog</title><content type='html'>Despite being around on the Internet since the 
mid-1980s, I have resisted the temptation (until now) to wax prolix in the new medium, thinking that my views offer little that is original, thoughtful or even entertaining.&lt;br /&gt;&lt;br /&gt;That changes now.  I'm ready to inflict my writing on a hypothetical audience, and open up some streams of opinion, neurosis, occasional insight and more frequent venting.  As I approach later middle age, I consider that I have earned the privilege to cast a curmudgeonly eye over the events, follies and long term trends that occur within my limited area of competence.&lt;br /&gt;&lt;br /&gt;Writing is a solitary pursuit, and no doubt will reveal more about the preoccupations and insecurities of the author than is desirable, or even tasteful.  However, I am happy to hold forth on some of the subjects that I like to study (and occasionally teach), including:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Information Security&lt;/li&gt;&lt;li&gt;Web Design&lt;/li&gt;&lt;li&gt;Risk Management&lt;/li&gt;&lt;li&gt;Atheism vs. Religion&lt;/li&gt;&lt;li&gt;Mathematics&lt;/li&gt;&lt;li&gt;Buddhism&lt;/li&gt;&lt;li&gt;Golf&lt;/li&gt;&lt;li&gt;Life in Austria&lt;/li&gt;&lt;li&gt;New Zealand&lt;/li&gt;&lt;li&gt;Contemporary Music&lt;/li&gt;&lt;li&gt;Science Fiction/Fantasy&lt;/li&gt;&lt;li&gt;Astronomy/Astrophysics&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;I don't claim to be qualified in any of the above, but somehow have found my way into teaching courses at &lt;a href="http://www.webster.ac.at/"&gt;Webster University&lt;/a&gt; in Vienna, Austria.   My students kindly pretend a keen interest for hours at a time once a week (classes are usually from 6 p.m. 
until 10 p.m.), and suffer from my occasional digressions while I should be teaching Mathematics for Computer Science.&lt;br /&gt;&lt;br /&gt;I've just returned from a month of travel around New Zealand (my Ur-Heimat), where my lovely wife and I have been catching up with relatives and friends, and making new friends (and perhaps occasional enemies.)  The EnZed weather in January 2007 was generally good, but Southland found a few days of cold and rain, as usual.  Tourism has been NZ's number one source of revenue in recent years, and I believe it will continue to grow.  As a Gedankenexperiment we began planning a hypothetical future tourism-related business, wherein we might conduct guided tours around NZ for wealthy foreigners who want to learn more about connecting to the land in a spiritual way.&lt;br /&gt;&lt;br /&gt;In our view, most NZ natives who haven't lived outside of the country for a significant period of time don't realize just how special the land is, and that it's possible to share this special quality with visitors who might be very experienced travelers.  Kiwiland is geographically a very young and active country, and is one that is most recently settled by human beings, and their co-colonizers, the mammals (especially the large numbers of sheep, cattle and other farm animals -- all major contributors to carbon emissions.)&lt;br /&gt;&lt;br /&gt;What does it mean, to connect to the Land?  (I use the term partly shamanistically, recognizing a non-specific animism.)  First, birth in a country doesn't in my view automatically lead to a deep connection with the land that sustains it.  My own birth took place far from New Zealand, but I believe I made the connection anyway, after growing up and living there for many years.  Part of connecting to the land means developing an appreciation for it, and a respect for the natural order of things.  
Perhaps this may be but a &lt;a href="http://en.wikipedia.org/wiki/Henry_David_Thoreau"&gt;Thoreau&lt;/a&gt;-inspired reverie, but my feeling is that the natural world is part of the human condition, regardless of the reckless confinement of cities.  A great privilege for those living in New Zealand is the great ease with which its denizens may "go bush", disappearing into forests or mountains, swimming in the sea, walking the beaches and bush trails, even climbing the mountains or sailing on its waters.  This is an experience which is denied to almost none, due to its great accessibility.  For some, the connection is made quickly, requiring only occasional refreshment; others may require frequent and extended stays outside of the cities -- while sadly some never seem to make the connection at all.&lt;br /&gt;&lt;br /&gt;What is this connection of which I write?  Perhaps a growing awareness of interconnectedness -- that we are in some way an eternal part of the land that sustains us; in every important sense we arise from the land, are sustained by it, and will return to it in due time.  Most human beings think that conception leading to our birth is all that we are -- but the raw materials required come from the food we eat, which in turn arises from the land in its own way.  The most commonly occurring metal in our body is calcium, which in turn is found in the earth that grows our plants, and feeds the cattle that we (some of us) eat.  No human being can grow without that mineral, therefore we are ultimately dependent upon the good regulation of the land.&lt;br /&gt;&lt;br /&gt;Reviewing the above paragraphs shows me how easy it is to go off-topic.  Fortunately, having your own Blog means there isn't any topic which is really off-topic.  This experiment may falter, and result in just a few forlorn entries, bereft of substance.  
Or, hopefully, it might act as a trigger to help me with some other writing projects.&lt;br /&gt;&lt;br /&gt;My original intent for this Blog was to provide a series of views on Information Security and Risk Management.  I chose the term "security-risk" as a reminder that the heart of information security is the art of Risk Management.  Recent years have seen best practices in security codified as standards, including BS7799 Parts 1 and 2, then ISO17799, finally becoming the new ISO27001 et seq. standards.  Risk Management as a discipline in Information Security Management is becoming increasingly important.  For more on these themes, check out this &lt;a href="http://www.lanifex.com/products/EH/EH_Deploying%20ISMS%20Whitepaper_EN.pdf"&gt;white paper on deploying an ISMS.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A secondary goal is to raise awareness of Risk Management (RM) and Risk Assessment (RA) techniques and tools within the IT industry.  Most European Banks are already being driven by voluntary compliance with Basel II recommendations for Operational Risk Management, while Sarbanes Oxley has established a baseline for corporate governance in North America.  Unfortunately, a casual inspection of news reports shows that many SMEs and large corporations still don't get it.  It's simply not enough to buy the latest generation of firewall appliances, or readily accept the glib assurances of software and operating system vendors.  Security has to be managed as a business process, which requires commitment, energy and intelligence, and a willingness to learn from the mistakes of others.&lt;br /&gt;&lt;br /&gt;In summary -- this should be an interesting ride.  
There will be a few digressions along the way, but I can promise you a few relevant on-topic posts, and even an occasional shared insight, if one should surface.&lt;br /&gt;&lt;br /&gt;cheers!</content><link rel='replies' type='application/atom+xml' href='http://security-risk.blogspot.com/feeds/3014842333188382032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1718000810032047505&amp;postID=3014842333188382032' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3014842333188382032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1718000810032047505/posts/default/3014842333188382032'/><link rel='alternate' type='text/html' href='http://security-risk.blogspot.com/2007/01/birth-of-blog.html' title='Birth of a Blog'/><author><name>Paul Gillingwater</name><uri>http://www.blogger.com/profile/15833223229340508100</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://3.bp.blogspot.com/_10VKxm1G3fc/SyjAucR398I/AAAAAAAAE70/Ue0SNOEKYuI/S220/PB123121.jpg'/></author><thr:total>0</thr:total></entry></feed>
