Sounds like the security violation that led to the posting of Paris Hilton’s private list of celebrity phone numbers was pretty straight-forward: they Googled the answer to her secret question (what’s your favorite pet’s name?) to “recover” her password on T-Mobile’s online web account. Ironically enough, Bruce Schneier blogged about this very problem just last week.
Month: February 2005
The Tulsa World newspaper is threatening BatesLine, a blog that’s been critical of their activities, with copyright violation for quoting their editorials and “unauthorized linking.” (As BatesLine points out, one of the mainstays of Fair Use is the ability to make comment and criticism, and linking isn’t a copyright violation because it’s not copying.)
Why don’t they just come over and threaten to torch the place like honest extortionists would?
(By way of Political Animal)
Intelligent Design proponent Michael Behe asks us to eschew logic and evidence and instead to “trust our feelings” in a recent New York Times Op-Ed. But even when I follow this dubious advice, Intelligent Design feels like nothing more than hubris to me.
Behe looks at the complexity and grandeur of life and thinks “an intelligence must have created this.” I look at the complexity and grandeur of life, and I know in my heart there is no way mere intelligence could have produced something so wondrous.
The Union of Concerned Scientists just released the results of a survey of US Fish and Wildlife Service field scientists that reveals serious political preasure to self-censure and even exclude or alter technical information that might lead to species being protected. (It’s telling that there was a 30% response rate even after a directive was sent out instructing scientists not to respond even from home on their own time.)
From the executive summary:
- Large numbers of agency scientists reported political interference in scientific determinations. Nearly half of all respondents whose work is related to endangered species (44 percent) report that they have been directed for non-scientific reasons to refrain from making findings that protect species. One in five have been instructed to compromise their scientific integrity, reporting that they have been directed to inappropriately exclude or alter technical information from a USFWS scientific document. In the Southwest region, that number was even highercloser to one in three.
- Agency scientists reported being afraid to speak frankly about issues and felt constrained in their role as scientists. 42 percent said they could not publicly express concerns about the biological needs of species and habitats without fear of retaliation, while 30 percent were afraid to do so even within the agency. A third felt they are not allowed to do their jobs as scientists.
- There has been a significant strain on staff morale. Half of all scientists reported that morale is poor to extremely poor; only 12 percent believed morale to be good or excellent. And 64 percent did not feel the agency is moving in the right direction.
- Political intrusion has undermined the USFWSs ability to fulfill its mission. Three out of four staff scientists felt that the USFWS is not acting effectively to maintain or enhance species and their habitats.
There’s a nasty phishing exploit that was made public yesterday that lets anyone fake any domain including SSL certificates. The problem comes out of international domain name support and the fact that the English letter a and the Cyrillic letter а look almost identical. It affects pretty much every web browser except IE and Lynx, which don’t support international domain names yet. (If you installed the IE plugin for IDN support, you’re still vulnerable.)
The phishing attack is really simple. Domain names can now include non-Latin characters, which are mapped back into a “common name” so it’s backwards-compatable. So, for example, the Latvian domain name in http://tūdaliņ.lv translates into the common name http://xn--tdali-d8a8w.lv/. So all you have to do is register something like the domain www.xn--pypal-4ve.com and then send people to the innocuous-looking www.pаypal.com. (Course, if you’ve already fixed your browser you won’t be able to follow the link anymore….) If you look carefully or if your browser isn’t displaying this page as Unicode you can see the letter а is in a different font (in fact, it’s a Cyrillic “a”).
Temporary fix for Firefox:
- Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the config page.
- Scroll down to the line beginning network.enableIDN — this is International Domain Name support, and it is causing the problem here. We want to turn this off — for now. Ideally we want to support international domain names, but not with this problem.
- Double-click the network.enableIDN label, and Firefox should change it to false. (If you get a dialog box, just change it to false yourself.)
You can check to see if you’re vulnerable by going to the website http://www.shmoo.com/idn/
Update: It turns out the fix I listed does not work in at least some versions of Firefox (sigh). The user preference gets set all right, but for some reason Firefox ignores it. Tech.Life.Blogged has posted both a somewhat kludgy workaround that at least disables IDN support until you install a new plug-in, and a nicer fix that just involves installing the AdBlocker extension and configuring it to block URLs that contain characters outside of the normal ASCII.
Longer term we really need a preference that paints the address-bar or otherwise warns us when a domain contains characters from more than one language set — that’d solve both the problem of pаypal and the equivalant domain that’s all Cyrillic except for the Latin character a.
Update 2/15/05: Sounds like one of the original authors of IDN, Paul Hoffman, has proposed something that goes one better than what I was proposing: highlight characters from different languages in different colors. That way it’s not a “warning” (and constant false alarm for languages that routinely mix character-sets) but still stands out if you weren’t expecting it. (Thanks to Boing Boing for the link.)
Update 2/26/05: Firefox 1.01 has been released with a fix — now punycode appears on the URL line as the encoded www.xn--pypal-4ve.com (it can be changed back to the old display in the configuration). While not as pretty as Hofflan’s solution, it’ll work. Note also that Shmoo has stopped hosting https://www.pаypal.com, though they still have a test link up at http://www.shmoo.com/idn/.
If I were any of the other mapping services I’d be scrambling to catch up right about now…
Disk size has nothing to do with importance, but I still get a weird feeling seeing my music collection as a big blue block some 50 times bigger than the project I’ve been working for almost two years. Now I wish I had a treemap for how I spend my time during the day…
Update: and for Linux there’s KDirStat, which is apparently older than either of the other two…
Technology Review recently declared they are trying to get back to being more science & analysis, less breathless hype. Let’s hope David Talbot’s Terror’s Server in the February ’05 issue was just still in the pipeline before they made that decision. Here’s the letter to the editor I just sent:
David Talbot’s “Terror’s Server” was the kind of rambling, analysis-free hand-wringing we came to expect from the mainstream press in the mid 90s, not from Technology Review in 2005. Talbot’s main point that terrorists are (gasp) using the Internet is obvious and trivial. Terrorists are also using telephones, SUVs, credit cards, textbooks and mail-order catalogs to plan their attacks. Why is there no call for the automobile industry to “fix” their terrorist SUV problem?
The Net amplifies individual voices, be they the voices of civil rights activists, cancer survivors or terrorists. The real issue is not whether terrorists use the Net (just like everyone else does these days), but whether society is better off allowing individual voices to be so easily heard. This is an important debate with historic undertones; Gutenberg’s press amplified Luther’s 95 theses and led to hundreds of years of war and bloodshed — and to the Protestant Reformation and Renaissance. Please, next time address the issue directly instead of simply hiding behind the terrorism flag.
PhD, MIT Media Lab (2000)