<?xml version="1.0"?>
<!-- name="generator" content="blosxom/2.0" -->
<!DOCTYPE rss PUBLIC "-//Netscape Communications//DTD RSS 0.91//EN" "http://my.netscape.com/publish/formats/rss-0.91.dtd">

<rss version="0.91">
  <channel>
    <title>Life, Photography, and Security</title>
    <link>http://www.ged.fi/blog</link>
    <description>Random thoughts that have crossed my mind</description>
    <language>en</language>

  <item>
    <title>Farewell Jack C. Louis</title>
    <link>http://www.ged.fi/blog/2009/03/26#jack_louis</link>
    <description>&lt;a target=&quot;_top&quot;
href=&quot;http://blog.robertlee.name/2009/03/jack-c-louis-loss-of-dear-friend.html&quot;&gt;Jack
C. Louis - The loss of a dear friend…&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;
Our discussions over beer at T2 will not be forgotten. I see what you saw.</description>
  </item>
  <item>
    <title>Nincompoops!</title>
    <link>http://www.ged.fi/blog/2007/10/15#password_salts</link>
    <description>Recently, a list of 78+k password hashes to various Finnish internet
forums was posted on the net.  Apparently a number of bulletin boards were
hacked, and the password hashes extracted.  Some passwords were actually
plaintext, suggesting that some software even stores passwords in
plaintext.&lt;p&gt;
The most striking aspect of the list, however, is the fact that a huge
portion of the password hashes are not using salts.  That is just plain
depressing.  How to properly compute and store password hashes has been
known for decades, but still incompetent programmers keep repeating the
errors of history.&lt;p&gt;
There is a lovely English word for the programmers who have omitted to use
proper password encoding methods in their forum software.  
“&lt;a target=&quot;_top&quot;
href=&quot;http://en.wiktionary.org/wiki/nincompoop&quot;&gt;Nincompoops&lt;/a&gt;”.  You
know who you are.  Shame on you!</description>
  </item>
  <item>
    <title>Transcoding Topfield .rec files to DVD</title>
    <link>http://www.ged.fi/blog/2006/12/20#mencoder-dvd</link>
    <description>I’ve read too many complicated guides about how to convert Topfield .rec
recordings into DVDs. Many of them even re-encode the video. Recently I
realized that mplayer nowadays supports .rec files, because they are
simply mpeg transport streams dumped in a file. Now, how could I make
mencoder transcode those into something DVD authoring software
understands?&lt;/p&gt;
&lt;p&gt;
After some thinking, I came up with the following quick guide to encoding
.rec files for DVD. No, I haven’t thought about how to handle subtitles
(yet).&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;code&gt;mencoder -oac copy -ovc copy -of mpeg -mpegopts
		format=dvd:tsaf -o foo.mpg foo.rec&lt;/code&gt;&lt;/li&gt;
	&lt;li&gt;Take your favorite DVD authoring software, and burn away&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
Quite simple, wouldn’t you say?  Yes, it will break if the frame size is
not correct. Yes, it will probably break in other ways as well. But it
works for me.</description>
  </item>
  <item>
    <title>The 2006 Stupid Security Competition</title>
    <link>http://www.ged.fi/blog/2006/08/28#stupid_security_2006</link>
    <description>Privacy International has again opened the Stupid Security Competition for
entries.  I foresee that they will have no lack of potential
winners this time around, &lt;a target=&quot;_top&quot;
href=&quot;http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-541996&quot;&gt;take
a look&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;
Looking at the numerous egregiously stupid security measures that have
been executed during the last few years, I am stunned. I don’t know if I
should laugh or cry, or both at the same time.&lt;/p&gt;
&lt;p&gt;
The award categories are:&lt;/p&gt;
&lt;ul&gt;
 &lt;li&gt;Most Egregiously Stupid Award&lt;/li&gt;
 &lt;li&gt;Most Inexplicably Stupid Award&lt;/li&gt;
 &lt;li&gt;Most Annoyingly Stupid Award&lt;/li&gt;
 &lt;li&gt;Most Flagrantly Intrusive Award&lt;/li&gt;
 &lt;li&gt;Most Stupidly Counter Productive Award&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
I wish the competitors good luck; in many categories the “security”
organizations of several Western countries will give each other a good run
for the money.  I predict a shut-out; all categories will be won by bodies
who can be traced back to one organization.&lt;/p&gt;</description>
  </item>
  <item>
    <title>Pluses and Minuses for my Treo 650</title>
    <link>http://www.ged.fi/blog/2006/08/04#treo-experiences</link>
    <description>I have now used a Treo 650 for about a month.  Time to sum up my
experiences so far.&lt;/p&gt;
&lt;h5&gt;Showstoppers&lt;/h5&gt;
&lt;p&gt;None so far. This really is a Smartphone!&lt;/p&gt;
&lt;h5&gt;Things that I really want to get fixed&lt;/h5&gt;
&lt;ul&gt;
	&lt;li&gt;Voice dialling using BT handsfree does not exist&lt;/li&gt;
	&lt;li&gt;Sending and receiving business cards and calendar entries over
	messaging is not supported&lt;/li&gt;
	&lt;li&gt;Entering Scandinavian characters is way too tricky&lt;/li&gt;
&lt;/ul&gt;
&lt;h5&gt;Annoying things I can live with&lt;/h5&gt;
&lt;ul&gt;
	&lt;li&gt;Versamail still doesn’t grok UTF-8 properly&lt;/li&gt;
	&lt;li&gt;Landline phone numbers are not recognized when calls arrive&lt;/li&gt;
	&lt;li&gt;Radio part is sub-par compared to other GSM phones, I know a
	few locations where the phone keeps losing network connectivity.&lt;/li&gt;
	&lt;li&gt;Mixing WAP and Internet doesn’t work well, network settings
	must be changed every bloody time. Partially an operator issue.&lt;/li&gt;
	&lt;li&gt;Voice quality occasionally sucks badly&lt;/li&gt;
	&lt;li&gt;No receipts for SMS messages (only for MMS messages)&lt;/li&gt;
&lt;/ul&gt;
&lt;h5&gt;Cool things&lt;/h5&gt;
&lt;ul&gt;
	&lt;li&gt;SMS chains are grouped into “chats”—Very Cool&lt;/li&gt;
	&lt;li&gt;GPRS signon takes almost no time at all&lt;/li&gt;
	&lt;li&gt;Datebook supports “Location”&lt;/li&gt;
	&lt;li&gt;Photos of contacts sync with Outlook&lt;/li&gt;
	&lt;li&gt;Personal ringtones (for favorites only)&lt;/li&gt;
	&lt;li&gt;Browser works surprisingly well&lt;/li&gt;
	&lt;li&gt;WAP works well, once you switch network settings&lt;/li&gt;
	&lt;li&gt;Screen is very bright and sharp&lt;/li&gt;
	&lt;li&gt;Fast! Fast! Fast! in use&lt;/li&gt;
&lt;/ul&gt;</description>
  </item>
  <item>
    <title>Requirements for a smartphone</title>
    <link>http://www.ged.fi/blog/2006/06/08#smartphone</link>
    <description>I am forced to upgrade my company-provided GSM phone, and decided it was
time to go for a smartphone. Until now, I have used a Palm PDA and a basic
Nokia GSM phone, but carrying around two devices kind of gets on my
nerves. I first thought I’d get the new Nokia E70, but decided to list
my requirements first.&lt;/p&gt;
&lt;p&gt;
I mostly use my Palm for&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Calendar, categorized&lt;/li&gt;
&lt;li&gt;GTD lists, i.e. categorized &lt;strong&gt;large&lt;/strong&gt; todo lists&lt;/li&gt;
&lt;li&gt;Contacts, categorized&lt;/li&gt;
&lt;li&gt;Notes, categorized&lt;/li&gt;
&lt;li&gt;Outlook synchronization&lt;/li&gt;
&lt;li&gt;Encrypted password storage&lt;/li&gt;
&lt;li&gt;Occasional web surfing&lt;/li&gt;
&lt;li&gt;Occasional email reading&lt;/li&gt;
&lt;li&gt;Rare ssh connections&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;I use my GSM for&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Calls&lt;/li&gt;
	&lt;li&gt;Contacts&lt;/li&gt;
	&lt;li&gt;GPRS over Bluetooth&lt;/li&gt;
	&lt;li&gt;Car Bluetooth Handsfree set&lt;/li&gt;
	&lt;li&gt;SMS messaging (a lot)&lt;/li&gt;
	&lt;li&gt;GPRS Internet connectivity over Bluetooth&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;
The only really particular requirement is the ability to categorize items.
I have over 220 items on various GTD lists. The lists are disjoint—viewing
them together makes very little sense. Not to mention that browsing such a
list would be infeasible.
&lt;/p&gt;
&lt;p&gt;
I have also gotten accustomed to using the Nokia 6820 qwerty keyboard for
SMS messaging, so a keyboard comes in high on my requirements list.
&lt;/p&gt;
&lt;p&gt;
So, essentially, what I need is simply a device for a mobile professional
with a decent qwerty keyboard. Can’t be too difficult?
</description>
  </item>
  <item>
    <title>Nokia E70 is not a GTD phone</title>
    <link>http://www.ged.fi/blog/2006/06/08#nokia_e70</link>
    <description>I tried out a Nokia E70 today, to see if it fit my needs.  At least it
comes with a lot of bells and whistles, including an mp3 player and a
feedreader.&lt;/p&gt;
&lt;p&gt;
Unfortunately, the E70 falls short of satisfying my smartphone
requirements. The todo list is essentially the same simple thing that I
had in my old 6820, and it just does not cut it. No categories—No GTD.
The same goes for the rest of the basic data types—no categories. To put
it frankly, I don’t see how any professional would be satisfied with that.
With hundreds of contacts, appointments, todos, and notes, not having
support for categories simply makes things impossible to manage.
&lt;/p&gt;
&lt;p&gt;
Another thing I noted about the E70 was that despite its very nice form
factor, the screen would be hard on my eyes in daily use. Not much fun
carrying around a magnifying glass, is there?</description>
  </item>
  <item>
    <title>Palm Treo 650 or 700p?</title>
    <link>http://www.ged.fi/blog/2006/06/08#treo</link>
    <description>After the dismal failure of the Nokia E70 to meet my professional
requirements, I decided to look beyond the familiar form factor. Much to
my joy, I almost immediately encountered the Treo 650 and the newly
released Treo 700p.&lt;/p&gt;
&lt;p&gt;
The “killer” application for the Treo is the fact that my Palm Tungsten T2
has a very established track record for supporting GTD well. As a matter
of fact, I am quite satisfied with my T2 in general.
&lt;/p&gt;
&lt;p&gt;
The downside is the internationalization issues.  The T2 just doesn’t grok
utf-8, neither in email nor in web pages.  Unless that’s fixed in the
Treo, the usefulness of the device is reduced significantly.  But that’s
not a major use case for me, so no showstopper. And of course, there is a
chance that Palm got their act together…
&lt;/p&gt;
&lt;p&gt;
Another slight drawback is the large size of the Treo.  Or rather, large
compared to my GSM phone. It’s not &lt;strong&gt;that&lt;/strong&gt; much bigger than
my T2.
&lt;/p&gt;
&lt;p&gt;
There is no information yet about a European version of the Treo 700p. The
major advantages of the 700p versus the 650 appear to be significantly
increased memory, 3G networking, and better camera. Neither includes WiFi
by default. If I could get a 700p “EU” version, I would be very happy, but
my schedule for switching phones may just force me to go for the 650. Not
ideal, but it would probably match my needs just fine.</description>
  </item>
  <item>
    <title>“Would you like some fish with that Chip &amp;amp; PIN?”</title>
    <link>http://www.ged.fi/blog/2006/05/17#chip-and-pin</link>
    <description>It is with a small amount of thrill that I have followed recent news about
“chip and pin fraud”. Users of new chip and pin debit cards have experienced
the rather unpleasant surprise of having their allegedly secure card
cloned and promptly misused abroad.&lt;/p&gt;
&lt;p&gt;
First of all, my sincere sympathy to anyone hit. I know what it feels
like, as I had to change my credit card after fraudsters ran up a
significant bill in just a few hours on my old one.&lt;/p&gt;
&lt;p&gt;
Another thing which should be made clear right now is that there is
nothing fundamentally wrong with the chip and pin technology itself. It is
still a reasonable substitute for the old magstripe and signature system.
So what is wrong, then?&lt;/p&gt;
&lt;p&gt;
Time after time, I emphasize that one of the typical causes of security
failures is change. This is exactly what has happened here. In the
original magstripe system, the pin code was used quite rarely and even
then in “trusted” environments—such as ATMs. Some fraudsters were able
to use high tech gear to copy both pins and the magstripes, but this was
rare. So rare that the losses were acceptable. But even then, it took
years of suffering customers before banks even admitted the problem
existed. So what changed?&lt;/p&gt;
&lt;p&gt;
With the chip and pin system, the already dubious concept of “trusted
terminal” is outright foolish. Banks still claim “tamper proofness” and
other silly stuff, but the fact is that there are too many terminals
around to properly secure them. Every bar, gas station, diner, laundry
shop, tailor, etc. will eventually have a terminal. Put it another
way—there will be &lt;b&gt;many&lt;/b&gt; untrustworthy terminals.&lt;/p&gt;
&lt;p&gt;
During the transition period from magstripe to chip and pin, cards will
have to carry both systems. The US inability to convert rapidly to chip
and pin extends this transition period further. The problem is that the
pin code for the magstripe just &lt;b&gt;must not&lt;/b&gt; fall into the wrong hands.
Together with the magstripe, it’s just begging to be abused.&lt;/p&gt;
&lt;p&gt;
The banks were faced with a tough choice. Either have customers remember
two pins, or use the same pin for both magstripe and the chip. With
one pin, card cloning was inevitable. The banks weighed the pros and
cons and decided to go for a single pin.&lt;/p&gt;
&lt;p&gt;
The banks made a deliberate choice to temporarily risk the cloning of
magstripe cards, hoping that the losses could be silently covered. Their
gamble has backfired, and now they are facing a real PR nightmare.
Customers are losing confidence in the chip and pin system, even though
the real problem is with the magstripe system.&lt;/p&gt;
&lt;p&gt;
If magstripe fraud continues to rise, banks are faced with only two
alternatives. Either they have to issue cards with two separate pins, or
they have to remove the magstripe.&lt;/p&gt;
&lt;p&gt;
Some day, I may just dig into the bad implementation of wireless chip
and pin readers. But that’s another story.</description>
  </item>
  <item>
    <title>Getting Things Done</title>
    <link>http://www.ged.fi/blog/2006/05/08#GTD</link>
    <description>&lt;a target=&quot;_top&quot;
href=&quot;http://en.wikipedia.org/wiki/Procrastination&quot;&gt;Procrastination&lt;/a&gt;
vs. &lt;a target=&quot;_top&quot;
href=&quot;http://www.43folders.com/2004/09/08/getting-started-with-getting-things-done/&quot;&gt;“Getting
Things Done”&lt;/a&gt;.
I’m trying to hone my time management skills (again).  This time I ran
into a methodology known as “Getting Things Done”, which actually seems to
make sense. Of course, this means I extract the pieces of it that I
consider useful–it’s always too easy to go over the top. At least the guy
who developed &lt;a target=&quot;_top&quot;
href=&quot;http://www.davidco.com/what_is_gtd.php&quot;&gt;the approach&lt;/a&gt;, David
Allen, is making money off it.</description>
  </item>
  </channel>
</rss>