The Brave New World of RFID

If you don’t know much about Radio Frequency ID (RFID), it’s time to get up to speed. This is (or will be) a hot topic.  This Wiki article has pictures and more on RFID if you need to get caught up. I’ve also blogged a couple of times on this issue.

There is activity going on here driven by commercial and government interests.  Companies like WalMart want RFID tags on pallets to track inventory and local governments use them for things like toll-passes. 

Well that brings to mind a kind of obvious privacy issue.

Q: Where were you on the night of the 15th?

A: I was at my friend’s house playing cards.

Q: Oh really… Then why is it that you went on this toll-road at 9:12 pm using your smart pass?

So there’s certainly discussion about the potential privacy implications.  I forwarded a blog article by Ted Richardson about RFID privacy issues to a friend of mine who is an executive with an RFID company.  But his response was more pragmatic: “Nonsense….It’s hard enough to get them to work consistently at any distance!”

Today, the BBC had an article about RFID. 

Changes brought about by the internet will be dwarfed by those prompted by the networking of everyday objects, says a report by a UN body. 

…Radio Frequency Identification (RFID), sensors, robotics and nanotechnology will make processing power increasingly available in smaller and smaller packages so that networked computing dissolves into the fabric of things around us.

The result could mean remote controls embedded in clothing, cars that alert their driver when they have developed a fault, managers who check on workers through the RFID devices embedded in their phones, and bags that remind their owners that they have forgotten something.

BBC link here via LifeHacker.

What do you think about RFID privacy implications?  A chimera or a real problem?

Alex Eckelberry


180 response to new TRUSTe certification

180 Solutions, makers of Zango and 180 Search Assistant, responds to the new TRUSTe certification:

…This is huge news for our industry, as this certification program finally levels the playing field by creating a third-party legitimizing mechanism with universally-accepted standards. 

…The question will be asked, “Does this legitimize adware?”

The answer is categorically yes. Millions upon millions of consumers around the world have knowingly been saying that for many years. Zealots will continue to disparage targeted advertisements while real-world users and real-world advertisers know they are more effective and helpful than page-embedded advertising.  [My emphasis]

Link here.

Alex Eckelberry
(Thanks Suzi!)

Keyloggers jump 65%?

There is some recent press about some statements on the growth of keyloggers.

…The number of keyloggers unleashed by hackers exploded this year, soaring by 65 percent in 2005 as e-criminals rush to steal identities and information…

We are seeing keyloggers, but the only infestations we’re seeing are on older unpatched XP systems (patch your systems!).  Also, I’m not so sure of the scale implied in the article — there are keyloggers out there but there are plenty that only collect info from a few dozen or a few hundred people.   In the couple of dozen keyloggers we’ve found since early August, I would guess that perhaps a total of 8,000 people were actually infected with them.

So while I do want people to be well informed, I’m getting equally concerned that people are unplugging from the ‘net because of the fear of this stuff.  There is bad stuff but it’s not like the sky is falling.

Link to the article here.

Alex Eckelberry

AOL adds AIM bot buddies

You’ve probably seen these “Bots” on instant messenger programs. My kids all played with the Austin Powers one.

Well, AIM has added a Bots group to the AIM buddy list.

You can ask bots about movies, shopping, etc.  Also, it’s salvation for the delusional (“my computer is talking to me!”) and lonely (“why won’t my computer talk to me?”).

Link here.

Alex Eckelberry
(Thanks Jarrett)

Will the new TRUSTe certification legitimize adware?

Today, TRUSTe announced a new program to certify software.  It’s focused primarily on adware.

Here’s the idea:

It’s a whitelist of programs that have passed certification.  These programs can then access ostensibly broader networks of distribution because they have passed the certification.

This well-intentioned move does have some meat to it. You can see the influence of the Center for Democracy and Technology (CDT) on the documents.  These are not “light” requirements.  The requirements are actually fairly stringent and from that standpoint, I’m impressed.

From the TRUSTe site:

To be placed on the whitelist, adware and trackware must prominently disclose the types of advertising that will be displayed, personal information that will be tracked, and user settings that may be altered, and must obtain user opt-in consent for the download. An easy uninstall with clear instructions must be provided, and advertisements must be labeled with the name of the adware program. Program participants must maintain separate advertising inventory for users of certified applications. To move legacy users to certified advertising inventory, they must obtain new opt-in consent.

Executive summary here.  Full requirements document here. (These are Word docs that I can only presume are safe.  I really wish they would have used PDF!)

So what’s the problem? I’m concerned that TRUSTe is, in effect, legitimizing adware and that’s a bigger issue.

The larger, “mainstream” adware companies such as Claria and WhenU (assuming they get certified) will now have the ability to greatly increase their distribution network, under the cloak of “certification”.

Now, this is not a certification that’s outward facing — it’s a whitelist used by web sites owners to determine if the app is “acceptable” to put on their site.  

Hmmm…ok.  Let’s keep in mind that it’s still adware that will spawn ads in the user’s face.

It’s redolent of the CAN SPAM Act of 2003. It turns out that CAN SPAM really did mean that — you could spam.  CAN SPAM effectively created a safe-harbor for companies, when in fact, the question should be asked: Why are we getting the spam in the first place? 

Who needs adware in the first place?  What is the real quid-pro-quo that the user is getting?

Installing a program like Weatherbug, which displays advertisements inside its application (and is itself something that has real use), is a far cry from an application that spawns pop-ups while the user is surfing.  Or provides “targeted” search results.  No matter how much disclosure you layer on top of it, the user should be getting a fair exchange and there’s a lot of soft factors — will users really understand that search results, for example, might be sponsored and not actual organic results? 

Note I’m not an anti-advertising zealot.  But should we be even going down the slippery slope of effectively condoning adware as a concept?

Your thoughts are welcome.

Alex Eckelberry

Off topic: Book scanner

Years ago, I was peripherally involved in an investment in Questia, which put a ton of academically oriented books on the net.  While I’m a little vague memory-wise on the details, I think they had something like a bunch of people offshore manually scanning books into their system.

Well that’s all easier, now with the World’s First Automatic Book Scanner.

Link here via  Jeff Nolan.

Alex Eckelberry

Beware of agendas

Jeremy Wagstaff at the Wall Street Journal has a good blog today about so-called “grassroots” sites that are actually run by corporate interests.

You’re familiar with the faux blog — a blog launched by a marketing company to look like a grassroots blog to promote a product, but actually maintained by PR drones. Naff is probably the word that springs to mind. But how about the faux community site? What word springs to mind when you visit YourPointofView.com, a website set up by marketing company JWT on behalf of HSBC? Despite all the flash (and there’s lots of it), it seems to be community-oriented, interested in your point of view on gorillas, organic food, sports fans and the like. Your point of view is sought, sort of. Click on a window and another window pops up, letting you select from a drop down list of choices (no, you can’t type anything in) and then you’re taken to another window where you have to register and then offer some personal information (approach to life? realist/optimist/surrealist/pessimist) and then it goes on. Call it a survey pretending to be interested in you, so long as your choices are listed among their choices. So what’s the point?

It’s a classic old PR mechanism to set up “think tanks”, “grassroots organizations” and the like to forward a corporate objective.

While this HSBC site is actually fairly innocuous, it highlights the need to be wary. When you get some “study” or see some advertisement by a group of “citizens”, always check it. There’s a ton of incredibly misleading information out there spawned by corporate interests.

Jeremy’s link here.

Alex Eckelberry

Do not go to links from untrusted sources

From Donna’s security blog:

Claudio “Sverx” has discovered a weakness in Opera and Internet Explorer, which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs displayed in the status bar.  The problem is that the browser fails to show the correct URL in the status bar if an image control with a “title” attribute has been enclosed in a hyperlink and uses a form to specify the destination URL. This may cause a user to follow a link to a seemingly trusted website when in fact the browser opens a malicious website.

Solution:  Do not follow links from untrusted sources.

http://secunia.com/advisories/17571/ and http://secunia.com/advisories/17565/  

Alex Eckelberry

Google base is live

Earlier we speculated about Google Base.

Well, it’s up.  Check it out here.

Help the world find your content.  
Google Base is a place where you can add all types of information that we’ll host and make searchable online.

You can describe any item you post with attributes, which will help people find it when they search Google Base. In fact, based on the relevance of your items, they may also be included in the main Google search index and other Google products like Froogle and Google Local.

Also PC World blog here.

Alex Eckelberry
(Thanks Jarrett)

You will be able to watch “Welcome Back Kotter” until you’re blue in the face

There’s been news out that Time Warner will be making its back catalog of old TV shows available for a new Internet service.

Digital analyst Phil Leigh is actually a bit impressed, and has this to say about it:

Congratulations to Time Warner …for taking the biggest step yet to launch an “Internet of Video”. The plans by Warner Brothers to make their back catalog of old TV shows available for a new Internet service, termed In2TV, early next year is to be vigorously applauded by those of us who want to see Digital Media come-of-age. They have 4,800 episodes from more than 100 old television series that they’ll be distributing at the AOL portal.
 
There are five reasons why we think this is significant.
 
First, the content has genuine value to consumers. Some of the programs include such formerly popular ones as Maverick, Welcome Back Kotter, Eight is Enough, and The Fugitive. It is not oddball programming from the lunatic fringe.
 
Second, they’re free. Programs on In2TV will be advertising supported, but will have only one or two minutes per half-hour episode as compared to today’s standard of eight minutes on regular network shows.
 
Third, more than any initiative since satellite television, this one promotes the benefits of competition into the video-to-the-home market where the Cable TV companies have been exercising the power of a gatekeeper for too long.  Cable companies have abused their near monopoly power in two ways. First, they sometimes require program originators to pay them money for the privilege of being “carried” on the system. In such instances they “double dip” by charging the viewers a monthly fee to see the programs. Second, they often structure subscriptions in such a way that the consumer has to pay for things that she doesn’t necessarily want in order to gain access to the services she does want. For example, you often cannot get video-on-demand without first becoming a digital cable subscriber. That means you pay an incremental monthly fee, merely to have the “right” to pay a “pay-per-view” fee as well.  
 
Fourth, AOL will be using Peer-To-Peer technology in order to economically distribute the video. This is significant because it underscores the point that the first uses of a technology are not always good predictors of the ultimate uses. As anyone not living in a cave for the past five years will recognize, the P2P concept was first popularized by Shawn Fanning’s Napster and was universally condemned by the media companies owing to the initial use characterized by the unauthorized sharing of copyrighted music files. Time Warner’s intent to employ legitimate P2P distribution via Kontiki’s network illustrates how important it is that courts avoid outlawing an entire technology merely because its first users engage in illegal activity.
 
To see an audio-visual interview with Kontiki’s CEO, visit www.insidedigitalmedia.com and click on the show for October 24, 2005.
 
Fifth, it seems almost certain that the initiative will evolve into the first major application of video podcasting. People who want to watch the programs are very likely going to want to subscribe to them. For example, if you are a big fan of James Garner’s Maverick, you’d rather have each episode automatically delivered to your computer than to be required to visit the AOL portal to see if additional episodes have been posted. If In2TV does become the first important instance of video podcasting, it is likely to be good for Microsoft and, not-so-good for Apple. That’s because it will promote the awareness that RSS delivery of Digital Media is not exclusive to the iPod. Most subscribers will be viewing these programs on their computers. It is not yet even known if they will play on the iPod.

Alex Eckelberry

Help for Word power users

This was actually published in our WXPNews newsletter, and it’s pretty nifty.

Office Letter reader Lyn Hancock wrote to share her list of shortcuts for Word. She began several years (and several Word versions) ago collecting the information and when she discovered something new would update the list. It’s still a work in progress — but you’ll find her years of work helpful. You can download this lengthy set of shortcuts and keyboard templates here  (this is a Word document, not a PDF).

Thanks to the Office Letter for this tip.

Alex Eckelberry

More Sony DRM

Freedom to Tinker has two bits of news.

More on the potential security risks of the web-based uninstaller Sony is using:

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

And, Sony is recalling the CDs… (USA Today link here)

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs….Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

“Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience,” the company said. Sony says more than 20 titles have been released with the XCP copy-protection software, and of those CDs, over 4 million have been manufactured, and 2.1 million sold.

Freedom to Tinker link here.

Alex Eckelberry
(Thanks Adam)

VPN vulnerability could threaten networks

From CNET this morning:

A flaw in a key Internet security protocol used by major networking products could open systems up to denial-of-service and other kinds of attacks, experts have warned.

Finnish researchers at the University of Oulu announced Monday that they have found a vulnerability in the Internet Security Association and Key Management Protocol, or ISAKMP. The technology is used in IPsec virtual private network and firewall products from a range of networking companies, including giants Cisco Systems and Juniper Networks.

Link here.

Alex Eckelberry
(Thanks Jarrett)

New Sober to be released on Tuesday?

F-Secure reports:

In a surprise move, the Bavarian Police are warning of a worm outbreak that will happen – tomorrow.

Bayerisches Landeskriminalamt has today put out a press release. In the release they warn of a possible new Sober variant that would be launched tomorrow (Tuesday 15th of November).

The new variant should be spreading in emails like this:

 Subject: Registration Confirmation
 Body: Thanks for your registration. Your data are saved in the zipped Word.doc file!
 Attachment: registration.zip

More here.

Alex Eckelberry
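As an added example (not from the original post or from F-Secure), here is a mail-gateway style check for the lure described above: it flags the announced subject, body wording and attachment name, and, more generally, any zip attachment that carries an executable member, since a "zipped Word.doc" is the claim of the lure, not what the archive need contain. The sample message is constructed for this example.

```python
"""Detection logic for the announced Sober lure: subject, body text and
attachment name as given in the press release, plus a generic check that
unpacks zip attachments and reports executable members."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

LURE_SUBJECT = "registration confirmation"
LURE_ATTACHMENT = "registration.zip"
LURE_BODY_HINT = "zipped word.doc"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_executable_members(data: bytes) -> list[str]:
    """Return names of zip members that look executable; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message is suspicious (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if subject == LURE_SUBJECT:
        reasons.append("subject matches Sober lure")
    if LURE_BODY_HINT in body:
        reasons.append("body matches Sober lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name == LURE_ATTACHMENT:
            reasons.append("attachment name matches Sober lure")
        for member in zip_executable_members(payload):
            reasons.append(f"zip attachment carries executable member: {member}")
    return reasons


def build_sample_message() -> bytes:
    """Constructed sample resembling the announced lure; the zip holds a
    harmless placeholder file with an executable name, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("registration.doc.exe", b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"] = "noreply@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Registration Confirmation"
    msg.set_content("Thanks for your registration. "
                    "Your data are saved in the zipped Word.doc file!")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="registration.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in classify_message(build_sample_message()):
        print(reason)
```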

Doubts about using Sony’s uninstaller?

Got this through Xavier Ashe:

The uninstaller requires you to install an ActiveX control to your system before you can even request an uninstall URL. Turns out, the uninstaller ActiveX marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It’s called “RebootMachine”. If you have installed Sony’s ActiveX control, follow the link to invoke the RebootMachine method. I don’t even want to know what the ExecuteCode method does…

The InstallUpdate method seems to download a file in XCP.DAT format, extract a dll from it and then execute stuff. So far I haven’t analyzed the code enough to determine if it’s exploitable, but I’m guessing it doesn’t do any significant verification – meaning this ActiveX control could have an exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has a working uninstall link, please view the source for the page at every step and check the javascript it uses. I’d like to see how these methods are supposed to be used.

Link here via Xavier.

I’ll see if I can hunt more down on this topic.

Alex Eckelberry

Celebrating the 194th anniversary of the Luddite uprisings

Did you know that it’s the 194th anniversary of the Luddite uprisings? 

You’ve often seen me use the term “Luddite” in this blog.  

Luddite, of course, refers to the 19th century movement in England that attempted to overthrow advances in technology.  It’s also a term generally used for those who oppose technology.

From The American Heritage® Dictionary of the English Language: Fourth Edition:

Luddite: NOUN: 1. Any of a group of British workers who between 1811 and 1816 rioted and destroyed laborsaving textile machinery in the belief that such machinery would diminish employment. 2. One who opposes technical or technological change

But did you know that November 1811 was when the Luddite uprisings started?  From Wikipedia:

The original Luddites claimed to be led by one Ned Ludd (also known as “King Ludd”, “General Ludd” or “Captain Ludd”) who is believed to have destroyed two large stocking-frames that produced inexpensive stockings undercutting those produced by skilled knitters, and whose signature appears on a “workers’ manifesto” of the time. The character seems to be based on a local folk tale about someone whose motives were probably quite different (frustration, and not anti-technology).

The movement began in Nottingham in 1811 and spread rapidly throughout England in 1811 and 1812, with many wool and cotton mills being destroyed, until the British government harshly suppressed them. The Luddites met at night on the moors surrounding the industrial towns, practising drilling and manoeuvres and often enjoyed local support. The main areas of the disturbances were Nottinghamshire in November 1811, followed by the West Riding of Yorkshire in early 1812 and Lancashire from March 1812. Battles between Luddites and the military occurred at Burtons’ Mill in Middleton, and at Westhoughton Mill, both in Lancashire. It was rumoured at the time that agent provocateurs employed by the magistrates were involved in stirring up the attacks. Magistrates and food merchants were also objects of death threats and attacks by the anonymous General Ludd and his supporters.

“Machine breaking” (industrial sabotage) was made a capital crime (Lord Byron, one of the few prominent defenders of the Luddites, famously spoke out against this legislation), and seventeen men were executed after an 1813 trial in York. Many others were transported as prisoners to Australia. At one time, there were more British troops fighting the Luddites than against Napoleon Bonaparte on the Iberian Peninsula. Three Luddites ambushed a mill-owner; the Luddites responsible were hanged, and shortly after old style ‘Luddism’ died away.

However, the movement can be seen as part of a rising tide of English working-class discontent in the early 19th century (see, for example, the Pentrich Rising of 1817, which was a general uprising, but led by an unemployed Nottingham stockinger, and probable ex-luddite, Jeremiah Brandreth).

In recent years, the terms Luddism and Luddite or Neo-Luddism and Neo-Luddite have become synonymous with anyone who opposes the advance of technology due to the cultural changes that are associated with it.

You can read all about it at Wikipedia, here.

So I hereby proclaim November National Luddite Remembrance Month!

In honor of this august occasion, I ask each of you: What are some of your favorite examples of Luddites?  

Join the party!  Comment away.

Alex Eckelberry

Google creates new tool for web publishers

Google Analytics.  I’ll try and spend some time with it whenever (if) I get some free time…

Google Analytics tells you everything you want to know about how your visitors found you and how they interact with your site. You’ll be able to focus your marketing resources on campaigns and initiatives that deliver ROI, and improve your site to convert more visitors.

Google Analytics Reports view

Alex Eckelberry
(Hat tip to John Murrell)