Month: March 2004

Privacy, Decency, Creativity, Delusions

A Canadian judge ruled that sharing copyright works over P2P networks is legal in Canada.  His justifications make sense individually, but I am dismayed by the hillarity of the sum.  The judge wrote:

"The mere fact of placing a copy on a shared directory in a computer where that copy can be accessed via a P2P service does not amount to distribution.  Before it constitutes distribution, there must be a positive act by the owner of the shared directory, such as sending out the copies or advertising that they are available for copying."

which reads to me like:

"The mere fact of placing a switchblade inches from a person and holding out a hand in a dark alley does not amount to robbery.  Before it constitutes robbery, there must be either an injury or loss of property."

When I first played MUD games, I was having fun until I got PKed.  I was angry and confused so I made efforts to understand the PKers.  Their answer was that they didn't really kill me because a MUD character is not a person.  To them, killing a MUD character is no different from killing a monster in video games.  No one got hurt so what are you bitching about?

In Korea, there are millions of credit card abusers who ended up with inevitable mountain of debts.  Every five minutes, someone in Korea attempts suicide.  Every 45 minutes, someone succeeds.  Korean government is trying to help them with a new program that will restore their bad credit rating if they make some efforts to payback some of the money they owe to banks and credit card companies.

Unfortunately, the program is encouraging corrosion of decency and sense of financial responsibility in Korean.  Not only are people refusing to pay back, some of them are even asking for banks to return of the money they already paid.  They are also using the Internet to share information about ways to avoid paying back.  One way is to incite collectors into making verbal abuses and using recorded evidence to threaten the collectors.

Putting aside all the arguments and circumstances, I can't shake the feeling that we are losing something important.  Where the fuck are we going?  I have no answer, but I am certain that people who believe good arguments make better worlds don't know either.  Their visions are not a map of reality but a map one might find in a Fantasy novel.

<

p dir=”ltr”>Remember that movie with Tom Hanks where a kid, obsessed with D&D, ended up at the top of the World Trade Center thinking it was the Two Towers from Lord of the Ring?  How did you feel while watching the movie?  Well, that's how I feel as I watch the events unfold while sandwiched between assholes and dreamers.

VS6 SP6

VS6 SP6, latest service pack for Visual Studio 6.0, is out.  Looking at the bugfix list, I'll have to upgrade soon or later for legacy projects.  Here is a choice selection of bugfixes:

  1. CRT string format functions may underwrite buffer.
  2. ISAPI DLLs that are built with MFC static libraries are vulnerable to Denial of Service attacks.
  3. Visual C++ 6.0 Optimizer may generate code that experiences access violations
  4. Inline functions return incorrect results when you specify the /Gx and /Ob1 compiler options for optimization
  5. VCSpawn fails during build.

I wonder if SP6 fixes frequent build state corruption?  Having to rebuild completely over and over is not fun.

Cross-Site Scripting Network

Blogs are highly linked and implicit trust accumulates at each blog up over time.  Many windows of vulnerability exists in blogosphere and many more are being opened everyday though unsafe cross-site script sharing, holes in scripts that run blogs, wreckless copy-and-paste practices (what you see might not be all that you copied), etc.  Net result is a growing field of dominos waiting for smart hackers to take advantage of.

Here is an example.  Some websites, popular among bloggers, encourage bloggers to add some HTML fragments into their blogs that looks like this:

  

This is, in fact, committing cross-site scripting (XSS) voluntarily.  Even worse, because hubsite.com typically offers some useful service, a cross-site scripting network is created around hubsite.com, turning hubsite.com into a very attractive target for hackers.

Once hubsite.com is penetrated and bar.js replaced with some hostile script, hackers can not only steal cookies but hack all the pages served by spoke sites.  How bad can it get?  Hackers can search links to well known sites like Paypal in all the pages that loads the hacker's script file and replace them with links to phishing sites.  Even worse, hackers could drop in zero-day exploits into thousands of blogs within minutes.

Update:

I had to replace the HTML fragment above with an image to prevent the tags from being inadvertently pasted into other blogs.  With all the escaping, unescaping, copying, and pasting in blog softwares out there, I can't take a chance.

Korean Election Law

A Korean student is arrested after posting satirical pictures.  It's the unusually uptight Korean election law that caused his arrest.  The election law turns Korea into a police state whenever there is an election.  Rights usually enjoyed by Korean citizens like free speech and freedom of the press are restricted to the point of absurdity.

President Roh Moo-hyun was impeached because two largest parties accused him of making a comment that violated the election law.  Even wearing cloths of certain color can be controversial because colors are often associated with political parties.  Han-nara Party use the blue color.  The yellow color, originally used by President Roh Moo-hyun because his last name is Korean word for yellow color, is claimed by two parties: Min-joo Party, which was spurned by Roh and subsequently helped Han-nara Party impeach Roh,  and Woo-ri Party which is pro-Roh.

Woo-ri Party, led by a young charismatic former TV news anchor, is expected to jump from #3 to #1 spot and the majority of the Korean Assembly in the upcoming election.  After the impeachment fiasco, Han-nara and Min-joo, the two largest parties, both put women into the leadership role to avoid complete defeat.

While Korean election laws are draconian, I have mixed feelings about whether it should be relaxed any time soon.  They exist because Korean voters, particularly the old voters, can be easily bought with free gifts, parties, travels, and money.  Even students can be bought to influence the Internet opinions.  People are changing for the better but they are not changing fast enough to cast aside the shackles around the election.

But the question is whether the impatient should be punished.  If he isn't punished, the message Korean people will hear is: if you are righteous, you are above the law.  Candle marches in Korea were also declared illegal recently yet people are still gathering in large numbers.  They know the marches will affect the election but they are feeling righteous.

So what I see in Korea right now is people marching in the right direction but a fog of anarchy stands between them and where they want to go.  I wish them luck for they'll need it and will keep my fingers crossed that some stupid general doesn't the idea that his country needs to be saved from communist sympathizers and corrupt politicians.

Collaxa on BPELJ

Edwin Khodabakchian, CEO of Collaxa, enumerates the shortcomings of BPELJ, a joint-proposal from BEA and IBM for skintight integration of BPEL and Java.  In summary, BPELJ introduces new elements (code, value, package, snippet, etc.) for embedding and using Java code snippets in BPEL4WS files to specify variables, join conditions, partner links, correlation sets, and other extension points.  Since Collaxa is the leading vendor of BPEL servers and tools for J2EE, Edwin's observations are important IMHO.

BTW, I have to note that the BPELJ whitepaper (PDF) does mention briefly about supporting other languages although I am not sure how deeply and sincerely that support is.  After all, that 'J' in the name means something.  In comparison, Biztalk use of CLR (.NET VM) supports multiple languages.  Still, Biztalk is a wonderful sword with the vendor lock-in curse.  BPELJ looks similarly cursed with Java language lock-in.

Is being locked-in vendor or language-wise really bad considering J2EE is a binding marriage with Java and most of the corporate IT shops are Microsoft addicts?  I guess the answer depends on whether one cares about being tied down or not.  After 12 years of marriage, I try not to think about the question too much. 🙂

Update:

Another well thought out opinion against BPELJ (PDF) by Howard Smith, co-author of the book BPM the Third Wave (book site with extensive excerpts).

Cleaning Phish with a Hammer

Two must-have features I am planning to add to PhishGuard are:

  • Require the user to approve hyperlink activation from within e-mail clients using a security dialog that clearly displays destination URL.
  • Disable all hyperlinks in e-mail clients

Implementing these two features for just Outlook and Outlook Express should stop most phishing attacks on Windows platforms.  It's a brutal solution, but I am sure there are plenty of IT guys who are dying to wield these two lovely hammers.

BTW, I somehow ended up as the top Google result for Phishing Toolbar.  I guess Phishing Hammer is next.

Anti-Phishing Working Group

Anti-Phishing Working Group (APWG) is an industry group whose mission is to:

  1. Share information and best practices
  2. Identify the size and cost of the phishing problem
  3. Promote visibility and adoption of industry solutions

I like what the group is about and what they are doing but it's not apparent how an independent consultant/developer like me can easily participate.  APWG membership is only available to eligible organizations without specifying who or what dictates eligibility.  Also, I don't like the idea of having to pay to contribute my time to the group activities.  It would be nice if they had something similar to W3C's Invited Expert status for membership.

Anyhow, APWG is meeting in San Francisco on April 5th.  I have asked them if I can attend the meeting but haven't heard from them yet.

Phishy Domain Names

This morning, I got a phishing e-mail pointing to:

http://www.securecitibank.us

It won't be long before domain name registars are forced to treat phishing target names specially to prevent this sort of things from happening.

PhishGuard TODO: If a link's textual content appears to be a URL yet differs from the link's URL, flag it as a possible phishing attempt.

Web Password Hashing

Reusing passwords is common and many paranoid-yet-lazy engineers have adopted the habit of appending or prepending their 'universal' passwords with domain names.  In reality, such practice is not very secure because the password can be easily deduced if any of the machines are broken into.

Dan Boneh's Stanford Applied Crypto Group, which created SpoofGuard and Identify Based Encryption (the technology behind Voltage), is using an automated variation of the scheme to let users reuse passwords at multiple sites with arguably acceptable level of risk.  The idea is to detect password fields using a browser plugin and replace passwords entered with site-specific passwords calculated like this:

    site-pwd = hash(domain-name + reused-pwd + universal-pwd)

universal-pwd is needed for protecting against dictionary attacks.

I like the general idea but there are many implementation and usability issues yet to be solved, some listed in their PowerPoint presentation and some not such as password length limitation and password field spoofing.  Still, I think the idea is useful when combined with other ideas and am looking forward to their demo.

BTW, SpoofGuard also uses password hashing using server-provided salt to protect password reuse, but I don't think server-provided salt alone provides much value.  Also, I think they gave up on per-user salt too easily.  Anyhow, I am impressed with the work Stanford ACG is doing because they are not afraid to roam outside the crypto realm to find creative solutions.

Update:

One important side-effect of above password hashing scheme, which I neglected to mention, is that passwords cannot be 'phished' without DNS poisoning because the domain name will be different.  Neat, eh?