This is a blog of mcr at sandelman.ca
Sun, 28 Mar 2010

My MPP, Yasir Naqvi, has been in the news complaining that someone "stole" his identity, and sent out an email misrepresenting his views. Never mind what his views are.

http://www.yasirnaqvimpp.ca/pressreleases.aspx?id=61
http://www.ontla.on.ca/web/members/members_detail.do?locale=en&ID=7097

Mr. Naqvi's identity was not stolen --- he is clearly still him. If it was stolen, then he would no longer have it. His email account was not "hacked" --- someone simply set up a new identity on gmail claiming to be him. But really, there are dozens of higher-tech ways to impersonate him. In fact, ANYONE CAN IMPERSONATE ANYONE on the Internet. The press have repeatedly written the story wrong.

http://www.vancouversun.com/news/politician+livid+after+fake+mail+sent+list/2732203/story.html

"On the Internet, nobody can tell you are a dog", was the comic from over a decade ago.

The real question is, why, in 2010, 12 years after S/MIME became a standard (1998) and 14 years after PGP was documented (1996), our governments and representatives are still completely in the dark about what it means to be online.

http://www.rfc-editor.org/info/rfc1991
http://www.rfc-editor.org/info/rfc2311

And there are lots and lots of further documents about PGP, OpenPGP, and S/MIME.

My email has been signed with PGP since about 1994. Think about this: I've been signing my email longer than the kid serving you at McDonald's has been alive.

"Poor planning on your part does not constitute an emergency on my part". You were warned. MANY MANY MANY TIMES.

Provincial governments and federal governments have very clear, centralized IT support and services, and they could trivially roll out email security. Have they done so? Why haven't they? It seems like NEGLIGENCE to me.

I documented above when the standards were written, but in fact that is 3-8 years after the technology became available --- so it's more like 20 years since you could have started using PGP.

It's not like S/MIME is not ubiquitous --- it's one of the major reasons that I've been told that government organizations HAVE to run Outlook: Nothing else has been evaluated by the CSE for use in government work. (Why that is, is another rant)

SO WHY ARE THEY NOT USING IT?

This is not a rhetorical question. I want to know. What part of "email is not secure" did they not get? Maybe they were not there that day in class.

Shame on you Mr. Naqvi. Go do some learning and start asking some real questions.

posted at: 12:36 | path: /standards | permanent link to this entry

Sun, 22 Feb 2009
Charles Stross on open standards

Charles Stross <http://www.antipope.org/charlie> writes in his book GlassHouse, page 47:

"We know why the dark age happened. Our ancestors allowed their storage and processing architecture to proliferate uncontrollably, and they tended to throw away old technologies instead of virtualizing them. For reasons of commercial advantage, some of their largest entities deliberately created incompatible information formats and locked up huge quantities of useful material in them, so that when new architectures replaced old, the data became inaccessible."

"This particularly affected our records of personal and household activities during the latter half of the dark age. Early on, for example, we have a lot of film data captured by amateurs and home enthusiasts. They used a thing called a cine camera, which captured images on a photochemical medium. You could actually decode it with your eyeball. But a third of the way into the dark age, they switched to using magnetic storage tape, which degrades rapidly, then to digital storage, which was EVEN WORSE because for no OBVIOUS reason they encrypted everything. The same sort of thing happened to their audio recordings, and to text.
Ironically, we know a lot more about their culture around the beginning of the dark age, around old-style year 1950, than about the end of the dark age, around 2040"

posted at: 19:45 | path: /standards | permanent link to this entry

Mon, 02 Apr 2007
Quirks and Quarks gets it wrong

This is what my play list says about the Quirks and Quarks downloads.

Quirks & Quarks - CBC Radio - QQ-170207-01-Obesity
Quirks & Quarks - CBC Radio - QQ-170207-02-Bird Butts
Quirks & Quarks - CBC Radio - QQ-170207-03-Peregrine Recovery
Quirks & Quarks - CBC Radio - QQ-170207-04-Moth Antennae
Quirks & Quarks - CBC Radio - QQ-170207-05-Question-Frozen Carbonation
Quirks & Quarks - CBC Radio - QQ-140207-01-Censorship in Science
Quirks & Quarks - CBC Radio - QQ-140207-02-Giant Clams
Quirks & Quarks - CBC Radio - QQ-140207-03-Ancient Agriculture
Quirks & Quarks - CBC Radio - QQ-140207-04-Dusty Planet
Quirks & Quarks - CBC Radio - QQ-140207-05-Columbus Silver
Quirks & Quarks - CBC Radio - QQ-030307-01-Walking on The Moon again
Quirks & Quarks - CBC Radio - QQ-100307-01-Peruvian Sun Towers
Quirks & Quarks - CBC Radio - QQ-100307-02-Smart Scrub Jays
Quirks & Quarks - CBC Radio - QQ-100307-03-Origin of Lice
Quirks & Quarks - CBC Radio - QQ-100307-04-AEGIS
Quirks & Quarks - CBC Radio - QQ-100307-05-Cowbird Mafia
Quirks & Quarks - CBC Radio - QQ-100307-06-Question, Lightbulb Lifespan
Quirks & Quarks - CBC Radio - QQ-170307-01-Mars Ice
Quirks & Quarks - CBC Radio - QQ-170307-02-Chimp Tools
Quirks & Quarks - CBC Radio - QQ-170307-03-Bone Printer
Quirks & Quarks - CBC Radio - QQ-170307-04-Hearing Mammals
Quirks & Quarks - CBC Radio - QQ-170307-05-The Elephant's Secret Sense
Quirks & Quarks - CBC Radio - QQ-240307-01-BC Algae
Quirks & Quarks - CBC Radio - QQ-240307-02-Dinosaur Burrows
Quirks & Quarks - CBC Radio - QQ-240307-03-Modified Malarial Mosquitoes
Quirks & Quarks - CBC Radio - QQ-240307-04-Friendly Monkeys
Quirks & Quarks - CBC Radio - QQ-240307-05-Herzberg Winner - Bond
Quirks & Quarks - CBC Radio - QQ-310307-01-Sugar Fuel
Quirks & Quarks - CBC Radio - QQ-310307-02-Kuiper Collision
Quirks & Quarks - CBC Radio - QQ-310307-03-Marmoset Chimera
Quirks & Quarks - CBC Radio - QQ-310307-04-Wind Hunter
Quirks & Quarks - CBC Radio - QQ-310307-05-E. coli and Chimps
Quirks & Quarks - CBC Radio - QQ-310307-Questions- Body Temperature

What's wrong with this? This is because the "album label" says:

[Quirks & Quarks - Dec. 16, 2006]
[Quirks & Quarks - Dec. 2, 2006]
[Quirks & Quarks - Dec. 23, 2006]
[Quirks & Quarks - Dec. 30, 2006]
[Quirks & Quarks - Dec. 9, 2006]
[Quirks & Quarks - Feb. 10, 2007]
[Quirks & Quarks - Feb. 17, 2006]
[Quirks & Quarks - Feb. 24, 2007]
[Quirks & Quarks - Feb. 3, 2007]
[Quirks & Quarks - Jan 6, 2007]
[Quirks & Quarks - Jan. 13, 2007]
[Quirks & Quarks - Jan. 20, 2007]
[Quirks & Quarks - Jan. 27, 2007]
[Quirks & Quarks - Mar. 10, 2007]
[Quirks & Quarks - Mar. 24, 2007]
[Quirks & Quarks - Mar. 31, 2007]
[Quirks & Quarks - March 17, 2007]
[Quirks & Quarks - March 3, 2007]

This is a plea for sanity. YYYY-MM-DD. Please.

posted at: 21:46 | path: /standards | permanent link to this entry

Wed, 18 Oct 2006
Ontario's Privacy commissioner endorses non-standards

CBC.ca writes:
Since when does Bill Gates write laws in Ontario? Since when does the government of Ontario endorse proprietary solutions from single vendors? Did the IPC pay for consulting from MS? Was there an RFP?

BTW: the ipc.on.ca is full of non-compliant web pages, and character encodings which are proprietary, and the pages do not validate with http://validator.w3.org/

http://validator.w3.org/check?uri=http%3A%2F%2Fipc.on.ca

The FIRST and MOST IMPORTANT thing you can do to protect people's privacy is to make sure that you never require people to run a single vendor's computer system.

Choice "Doctor Heal Thyself"

posted at: 20:48 | path: /standards | permanent link to this entry

Wed, 04 Oct 2006
Mobile phone physical standards

I responded to Ontario Today's piece on mobile phone use in automobiles.

Subject: mobile phone usage in cars

I think it's great if employers do not require, and even actively discourage mobile phone usage while driving. But, I suggest that maybe people are thinking about this in the wrong way. Maybe it's not the mobile phone that is inappropriate, maybe it is the DRIVING that is inappropriate.

I wish however to respond to the belief that we need to outlaw mobile phone usage while driving. I question if this is in fact enforceable, or if we really want to make it possible to enforce. Perhaps we really already have enough laws to deal with the problem --- surely it's illegal for a person to eat cereal while parked on the 401. (I think you had a call-in about this kind of thing).

Further, the number of mobile/connected devices is going to massively increase, not decrease. At some point, it may be that your driver's license might in fact be a mobile device you use to authenticate to the highway. (Think 407ETR)

Instead, I think that the Ontario government can make some improvements that will have widespread effects on mobile phone usage and safety. What we need is to be able to take any mobile phone into any vehicle and have it operate in the most safe fashion. This means a hands free mode with a headset and/or speakerphone. To do this properly requires cooperation of the phone and vehicle.

The nice thing is that it would also significantly reduce the amount of waste in the form of "obsolete" mobile phones, batteries and accessories: I would make it required that all mobile phones sold in Ontario:
b,c,d would permit vehicles to be equipped with a standard way to mount your mobile phone on the dashboard so that it can get power from the car, and put the audio through the car speaker system. That would make mobile phone use in a vehicle very much safer.

e - would eliminate a lot of waste in batteries. I have two mobile
a - would create an actual market for used phones (they all have serial
This would not require that current mobile phones be changed, just that they come (at no charge) with some kind of adapter to adapt their current mechanism to the "standard". New ones might come with the standard mechanism.

I think that this would be a massive boon to Ontario users, and other jurisdictions would rapidly adopt our regulations. Yes, there will be costs, but as I have a different headset and a different charger (and replacement charge, and computer cable, and spare battery...) for EACH phone I've owned, I know that I'll win in the end.

The industry can not be depended upon to do this on their own --- it's not in their interest.

posted at: 18:12 | path: /standards | permanent link to this entry

Wed, 19 Jul 2006
application/octet-stream considered unsafe

I get various emails, often bills from organizations that I have accounts with in PDF. Some of them send them to me as application/octet-stream, with a .PDF extension. When I double click on this attachment, it saves-to-disk. When they send me text/pdf format, then I start acroread and/or gpdf, and I can see their PDF.

This is what I reply to them with:

In the past a number of popular mail programs have resorted to looking at the file extensions to determine the file type. These same systems are very vulnerable to trojans and viruses, and the reliance on file extensions causes confusion to users --- they wind up authorizing dangerous operations.

It's kind of like letting your toddler play with a loaded gun. Something bad is going to happen. In this case, something bad happens to the tune of nearly $6B/year. This is despite massive spending on mostly ineffective virus scanners --- always keeping us safe from last year's attack, but never defending against what might come tomorrow.

Internet standard email, as defined by RFC2822 and a great number of other documents on MIME, does not use extensions. This means that it is not possible to misrepresent file content to users --- if the file appears to be a safe picture, it will always be displayed as a picture, not a trojan.

You have sent me files of type application/octet-stream. I may be able to guess that they are safe, but I have no real assurance of what they really contain.

posted at: 16:13 | path: /standards | permanent link to this entry

Wed, 24 May 2006

http://www.theregister.co.uk/2006/05/24/skype_vuln/ describes a vulnerability in Skype's clients.

Okay, no big deal, bugs happen in programs. Just switch to another program for a while until it gets fixed.

What? You mean, the program and the protocol are one? You can't switch without switching networks? Isn't that bad?

Yes, it is. The reason why we should strive to use standards in our network protocols is so that one can have a competitive marketplace where one can use the best software that there is. And one should be able to trivially switch from one to another: we do this all the time everywhere.

Let's take an example from motoring: we get upset if the vendors of gasoline (petrol) do not compete! We expect all of the gasoline to be essentially interchangeable.

Honestly, anything else is communism.

posted at: 19:55 | path: /standards | permanent link to this entry
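
A receiving-side check for the situation in the "application/octet-stream considered unsafe" entry above, as an added example that is not from the original blog: it parses a message with Python's standard email package and compares each attachment's declared MIME type with its leading bytes, never consulting the file extension. The sample message, addresses, filenames and the small signature table are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading "magic" bytes for a few formats (a deliberately small, constructed table).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
]

def sniff(payload: bytes) -> str:
    """Guess a type from the first bytes only; the filename is never used."""
    for prefix, mime in MAGIC:
        if payload.startswith(prefix):
            return mime
    return "unknown"

def audit_attachments(raw: bytes):
    """Return (filename, declared, sniffed, verdict) for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        sniffed = sniff(part.get_payload(decode=True) or b"")
        if declared == "application/octet-stream":
            verdict = "untyped"    # sender gave no type; receiver is left guessing
        elif sniffed not in ("unknown", declared):
            verdict = "mismatch"   # declared label and content disagree
        else:
            verdict = "ok"
        findings.append((part.get_filename(), declared, sniffed, verdict))
    return findings

def build_sample() -> bytes:
    """Constructed message: a typed PDF, an untyped PDF, a mislabelled part."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your statement"
    msg.set_content("Statement attached.")
    pdf = b"%PDF-1.4\n% constructed sample\n"
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="march.pdf")
    msg.add_attachment(pdf, maintype="application", subtype="octet-stream",
                       filename="april.PDF")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="image",
                       subtype="png", filename="photo.png")
    return msg.as_bytes()

if __name__ == "__main__":
    for row in audit_attachments(build_sample()):
        print(row)
```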