I had the privilege this week of being asked to take some photographs at the Vanuatu unveiling of the Pacific Economic Survey. The event was attended by two Australian Parliamentary Secretaries and by a number of fairly senior individuals in Vanuatu. The photos I took will be collected here.
I was proudest of the photo above. It’s of two veteran politicians whose approach and presentation could hardly be further apart.
April 1, 2008
Sunnyvale, California
Yahoo! CEO Jerry Yang told reporters today that the board of directors of Yahoo! Inc. had met earlier that morning and agreed to the sale of the company at a price of USD 66.6 Billion. Yang took the opportunity to defuse speculation about what this move means for the company.
Said Yang, “Honestly, it’s not that big a deal. The truth is that we used to show up at the company HQ every day, see that Yahoo! sign up there and get excited. But recently that just hasn’t been the case. I must be getting old or something. Anyway, I figured, ‘they want it? They can have it. I’m stinking rich anyway, why should I have to work?'”
One of the conditions of sale was that the Yahoo! name be changed.
“Let’s just admit it,” explained Yang. “It’s a stupid name. It was fun for, like, 20 minutes. Then we all sobered up and realised we felt like dorks whenever we told someone where we worked.”
Yang then took the opportunity to unveil Yahoo!’s new name: Meh… Its logo, Yang said, will be a giant emoticon consisting of the ‘8’, ‘-‘ and ‘/’ characters. When pressed by reporters, he admitted that it would not be easier to spell, and would still cause problems with grammar checkers.
“On the bright side,” he added, “we might finally be able to fix this, now that we’re part of… Meh… Microsoft.”
Microsoft’s CEO, Steve Ballmer, was not present at the press conference, due to a ‘minor’ chair-related injury. He instead released a taped message stating his satisfaction with the negotiations, which ended with a cryptic reminder to Yahoo! employees that their families would be safe, now that they’d shown some sense. Yang would not speculate about the comment’s meaning.
I’ve been arguing for the last few weeks that what’s needed most for Vanuatu is to invest significant time and effort into the creation of a new crop of technically savvy individuals who can help Vanuatu bridge the growing gap between life in the information age and life as we’ve always known it in the islands.
There’s a pressing need for people to assist with this transition. The barriers have begun to fall that once allowed life in the village to remain consistent, with change seeping in slowly and in tiny doses. Very soon, most everyone in Vanuatu will have access to mobile telephony. We’re already hearing stories about Tannese in Middle Bush bringing their mobile to the garden with them, just in case someone wants to reach them.
Only weeks ago, nobody really got fussed about waiting days or even weeks to hear a bit of news. But now that we can actually get it, we want information immediately. It’s a universal human trait to want to keep caught up on the latest. In the past people here have been content to let information and gossip arrive at its own pace, confident at least that nobody was getting the jump on anyone else. But now, someone who owns a mobile phone holds a distinct advantage over those without. In this culture – and most others – knowledge is power, and in Vanuatu, a new arms race has begun.
Michael Krigsman’s most recent entry in the IT Project Failures blog is an interesting, colourfully-illustrated and upside-down look at the relationship between IT and traditional business.
His question, based on numerous similar postulations, is whether IT is becoming extinct. His answer (you knew it was a rhetorical question, right?) goes like this:
Since the days of punch cards, IT has believed itself to be guardian of precious computing resources against attacks from non-technical barbarians known as “users.” This arrogant attitude, born of once-practical necessity in the era of early data centers, reflects inability to adapt to present-day realities. Such attitudes, combined with recent technological and social changes, are pushing IT to share the fate of long-extinct dinosaurs.
The list of arguments he offers in support of this thesis are all valid to some degree, and all supportive of what he’s positing, but he somehow manages to miss the point that means most to business:
Monolithic, top-down, IT-as-bureaucracy approaches are being subverted by recent changes in technology and services, but so too is business in general.
I made a mistake this week, or rather a misjudgement. I wrote about a new threat called Goolag, in which a malicious person could use Google to find servers on the Internet that are vulnerable to attack. The servers are infected with malicious code that causes anyone who visits them to be exposed to compromise. This is how many an innocent person’s computer becomes a spam-bot, remotely controlled by hackers and used to send spam, and sometimes to infect its neighbours as well.
I wrote, “Making simple mistakes is the easiest way to expose yourself to attack…. You won’t be targeted so much as stumbled across.”
Within two days of writing about the issue, an online security blog reported a wave of attacks affecting approximately 200,000 web servers. The single most important part of comedy, as they say, is timing.
This latest wave of attacks is important to us for a couple of reasons: It demonstrates that the democratising effect of information on the Web respects no single set of ethics or morality. The very same information-sharing tools that have so empowered people everywhere are being used by vandals and criminals for their own selfish ends as well.
It also means that there are no safe havens online.
UPDATE: How wrong could I be about the severity of this threat? Very wrong, apparently. I haven’t confirmed it yet, but it’s hard to imagine how this week’s mass server hack could have happened without tools like the one described below. I’ll write more about this in this week’s column….
Heh, cute:
Cult of the Dead Cow Announces Goolag Vulnerability Search Engine.
Once you get past the Chinese porn silliness, there’s a real story here:
Google’s effectiveness as a search engine also makes it an effective… well, search engine. Common website weaknesses are exposed by search engines such as Google, and anyone can access them by using specially crafted queries that take advantage of Google’s advanced searching capabilities. As the cDc press release indicates, there are approximately 1500 such searches published and readily accessible on the Internet. And now the cDc has built a(n a)cutely satirical web front end and are offering a downloadable desktop search application for Windows, giving script kiddies the world over something else to do with their time.
What effect has this had on website security? It’s difficult to tell. The principle of using Google as a scanning tool has been common knowledge since at least 2006, but according to Zone-H, who record large numbers of website defacements every year, the only significant increase in website attacks since then was the result of an online gang war between various Russian criminal factions, back in 2006. Ignoring that anomalous rise in activity, the rate of attack actually fell slightly in 2007 compared to recent years, relative to the number of active websites.
Zone-H’s latest report proves only that the percentage of insecurely configured websites scales on a roughly linear basis with the number of available websites, and that the choice of technology has almost no bearing on the likelihood of a successful attack. Indeed, most exploits are simple attacks on inherent weaknesses: guessing admin passwords or copying them when they’re sent in cleartext, misconfigured shares and unsafe, unpatched applications. Attacks requiring any amount of individual effort are not very common at all. Man-in-the-middle attacks rated only fifth place in the list of common exploits, representing only 12% of that total. But researchers have elsewhere noted that cross-site-scripting attacks are on the rise, and are being used mostly by spammers to increase the size of their bot nets.
The lesson here is fairly obvious: Making simple mistakes is the easiest way to expose yourself to attack. And search tools like Goolag make finding those mistakes remarkably easy. You won’t be targeted so much as stumbled across. Given the recent rise in the number of websites being used to inject malicious software into people’s computers, spammers and other online criminals appear to have a strong incentive to use even the less popular websites to ply their trade.
Your choice of technology won’t save you, either. Most popular web servers are fairly secure these days and though not all server operating systems are created equal, the big ones have improved markedly. But the same cannot be said of the applications and frameworks that run on them. The old adage that ease of use is universal still applies. When you make things easy for yourself and your users, you are liable to make things easy for other, less welcome guests as well.
The lesson for the average website owner: Do the simple things well. Don’t waste your time trying to imagine how some intrepid cyber-ninja is going to magically fly across your digital alligator moat. Just make sure your systems are well-chosen and properly patched, pay attention to access control and treat authentication seriously. Statistically, at least, this will drop your chances of being Pwned to nearly nil, or close enough as makes no never mind.
Drop a stone in the middle of the pool. Watch its ripples spread wider and wider across the surface. Inevitably – sometimes sooner than later – the ripples mingle and apparently disappear among the others. Cause and effect: A simple action creates immeasurable, unpredictable and unforeseeable results.
Among development professionals, this provokes roughly equal amounts of fascination and frustration. Fascination, because anyone with a mote of interest and natural curiousity is quickly engrossed by the flow of events as human cultures mingle and change. Frustration, because at some point it will be necessary to say to a donor, ‘Your money will have exactly this effect.’
And that will be a lie, of sorts.
We got some good news the other day. A Kenyan friend’s younger brother passed his university qualification exams with high marks, enough to allow him some freedom of choice of his future education. We were all happy for him, of course, but one detail of the story struck me as particularly interesting….
Read more “Let the Left Hand Know”
A few words about the title: The first seven letters are written using a very simple code, or cypher. Each of the letters in the original word is replaced by the non-alphabetical character to which it is closest on a US keyboard. The process of hiding a message by substituting other letters, numbers or symbols is known as encryption. When the code is reversed, the title reads ‘Explaining Encryption’.
But it also looks like swearing, doesn’t it? In fact, the use of characters like this to denote swearing is a simple (dare we say crude?) kind of encryption. A child too innocent to know such words derives no meaning from the random collection of characters. Someone well versed in the ways of the world, though, can add up the number of characters and quickly deduce what was intended.
On and off over the last two months, we’ve been looking at various aspects of online security. This week, we’re going to consider what steps we can take to make the information we send over the Internet secure from prying eyes.
We’ll also consider why it is that no one uses these measures, and why most of us won’t any time soon.
Instead of exposing the painful ritual of public/private key exchange, software developers should instead be using metaphors of human trust and service.
A ‘translator’ service, for example. The user ‘invents’ an imaginary language, then decides who among her friends is allowed to speak it with her. She then instructs her ‘translator’ (e.g. her own personal Navajo) to convey messages between herself and her friend’s translator.
(Only the personal Navajos actually need to speak this ‘language’ of course. As far as the two correspondents are concerned, the only change is that they’re sending the message via the ‘translator’ rather than directly, but even that is a wafer-thin bit of functionality once the channel is established and the communications process automated.)
Quick encryption, well understood, and easy to implement. Most importantly, you don’t have to explain encryption, public and private keys, or any other security gobbledygook to someone who really doesn’t want – and shouldn’t need – to hear it.
Update: Of course, the greatest weakness to this idea is if Microsoft were to create an implementation of this and name it Bob.