Wednesday 18 July 2007

Wild life!

I just watched the coolest amateur wildlife video I've ever seen. A pride of lionesses attack a buffalo baby, only to have a crocodile attempt to steal it from them. Then along comes the rest of the buffalo herd and starts attacking the lionesses! You have to see it to believe it. Even the guide can be heard saying "I've never seen anything like this" over and over.

Watch it here

Also, here's another version with a voice-over from the lions' point of view. Funny!

Wednesday 11 July 2007

Flexible working hours

I just received an email from "management" (to all staff), the first paragraph reads:

All leave is to be approved by your department manager and/or myself. This includes taking the morning off, ducking out for the afternoon, taking an extended lunch break or adjusting your working hours.


This is a divergence from our previous "agreement" where we could be flexible, within reason, so long as we completed our 40 hour week. (Which is quite easy, given everyone generally works - and is even expected to work - a few hours more per week).

Of course, I don't agree, and in my usual fashion, I am composing a reply stating as much. However, I'm giving this one a "count to 10" before I reply.

The point of this post is to see if our "flexible agreement" is one of the last, or if there are still many workplaces operating successfully this way. I understand this gets harder to manage as a company grows, but we have an efficient time sheet system, so I don't see the reason (nor was one given) for this email.

I personally think it's an affront to the effort we've shown in the last few months - given lay-offs and cutbacks, everyone has been working hard to try and keep the company profitable, and yet random emails like this come through from time to time.

I leave you with an excerpt from "The Tao of Programming":

A manager went to his programmers and told them: "As regards to your work hours: you are going to have to come in at nine in the morning and leave at five in the afternoon." At this, all of them became angry and several resigned on the spot.

So the manager said: "All right, in that case you may set your own working hours, as long as you finish your projects on schedule." The programmers, now satisfied, began to come in at noon and work to the wee hours of the morning.

-- Geoffrey James, "The Tao of Programming"

Tuesday 10 July 2007

Internet Banking Security - feel-good fuzz or the real deal?

One of my banks recently upgraded their website. Apart from some issues with plug-ins, session timeouts, and secret questions, they also now use an on-screen keyboard to enter passwords.

I would like to say first that On-Screen keyboards are simply a waste of time and frustration for the user, and they are an unnecessary and costly implementation for the organisation. I will tell you why soon.

"Graham Cluley, senior technology consultant for antivirus company Sophos ... argued keylogging software can beat on-screen keyboards. Any keylogger is likely to be part of a more complex piece of spyware. That allows the hacker access to everything on your PC, such as monitoring the screen and mouse clicks. Similarly, drop-down boxes are not immune to hackers grabbing information from them." Original story here.


These are the steps that I have to take to get a new username and password, or if I've forgotten it:
  1. Enter credit card number and pin
  2. Select a username
  3. Select a password with an On-Screen keyboard that has minimum 8 characters; not more than 2 of the same character in a row; at least one number; etc.
  4. Re-enter the password in a second input box, with the On-Screen keyboard with the numbers jumbled in a different order
  5. Select three secret questions from a drop-down list, and enter three unique answers
Then to log in, I have to enter the username and password, again with the On-Screen keyboard with the numbers jumbled; and I have to answer one of my secret questions.

A small price to pay, you might be thinking, to provide an extra level of security and make my password invulnerable to attack! Wrong. Firstly, forget the idea that just because someone can make a good argument sound convincing, it is actually a good idea. Secondly, forget the idea that just because every bank in the world is taking steps to implement such devices, "thousands of banks can't be wrong". I believe on-screen keyboards (and similar devices) are simply ways that web hosts make money. "Criminals are getting more sophisticated, therefore you have to pay us to upgrade your web site with an on-screen keyboard. Besides, Bank of Universe did it. Do you want to be held legally and financially responsible when someone breaks into your bank, and we show that it could have been prevented?" [Answer to rhetorical questions: "What? Banks financially responsible? Horror..."] Thirdly, let me tell you why they will fail in any real attempt:

I would like to separate criminals interested in getting your account details into two groups:
  1. Those who are doing a dedicated attack on an individual
  2. Random script-kiddies exploiting worms / trojans / security holes who install a keystroke logger.
Now let me say that you have no hope of avoiding the first type of criminal. He could steal your wallet and credit card; he could install a hidden camera over your computer; he could tap your phone conversations; he could simply beat you up at night time for your money. No on-screen keyboard will stop this. (OK, to allay your concern, you do have a hope: that your criminal is not smart enough, dedicated enough, or willing to do any of these things. And in most cases, he is not.)

It follows therefore that the only criminal you can protect yourself from, is the opportunistic criminal, who downloaded some 1337 Warez, and who thinks he is a hxr.

Let me convince you that this type of criminal, for maximum yield, will most likely target the largest number of people he can. He would tire very quickly if he only targeted one person at a time, only to find Grandma's secret chocolate cake recipe, or a letter from Joe Taxidriver to the President on why children need more discipline. This means that his data will be thousands of pages long. "Cool", he says, eyes glowing at all the random text, and then he realises how much time this is taking away from Second Life, and very quickly your logged keys get forgotten.

Let's assume that his internet connection is down, and he has nothing else to do. He would still have to:
  1. Randomly target your computer, exploit a vulnerability, and have the logger installed and running while you log into your bank.
  2. Get the data back from the logger on your computer. Usually this is not sent straight to the criminal in question (unless he is dumber than usual) as the police would then be able to find where his computer is. So he sends it to another (perhaps compromised) machine that has no relation to him, but that he can log into and download the data from. This machine also has to be up and running, and the owner must not close the security hole before the criminal returns.
  3. Randomly pick one out of the thousands of results that might be yours.
  4. Find your username and password in a lot of text. This is not as easy as you think. The more data, the harder it is to find. Remember that you may type a few words in an email, enter a web address in your browser, make some notes on your toenail clippings, then enter your username and password, then go back to your email, etc.
  5. Know where you used this username and password. If you use your mouse to click on a shortcut, then he can't get it from the keylogger data. He either turns to the next person, or tries to find out what your shortcuts are. Remember he is probably not logged into your computer, he is most likely analysing results, so he would have to get back into your computer and look through all your shortcuts, desktop icons, etc, until he found the right one. And just because he downloaded a program to automatically install keyloggers, doesn't mean he can a) get back to your computer and b) see your shortcuts.
It is highly unlikely that such a long chain of events would lead our criminal to this point. And if you want to make sure, there are some simple measures you could use to thwart him at the start:
  1. Make sure your computer is up to date with the latest operating system updates. Whether you're using Windows, Linux, BSD, or anything else, they are all vulnerable to the programmer's mistakes. Update regularly.
  2. Make sure you have installed a good firewall. Unfortunately, at the time of writing, Microsoft has never had a good firewall. If you can't afford one, at least use AVG Free [http://free.grisoft.com/] oh, and KEEP IT UPDATED!
  3. Install Spybot Search and Destroy [http://www.safer-networking.org/] This will take care of worms, trojans, etc., that don't technically fall into the "virus" category. (and guess what? update it!)
  4. For an extra level of security, make sure your computer isn't even directly accessible from the "big wide world web". Use NAT (Network Address Translation; look it up on Google or Wikipedia). If you have an aDSL router that attaches to your computer with ethernet, then you're probably here already. If you have a dialup modem, or an internal aDSL / ISDN card, then be careful.
  5. Change your passwords regularly. And make them secure. This one gets bolded and italicised, because it is one of the easiest and most straightforward measures to take, and yet only the technically savvy seem to do it. How many of you use some combination of part of your name, birthday, city, or pet in your password? Even if your bank enforces on-screen keyboards, use some random words, or phrases, and characters (like !@#$%^&*;.,<>? etc.)

    If this is too much for you to remember, then write it down and put it in your purse / wallet. Remember, the dedicated criminal will be able to steal your purse with your money in it anyway, so he won't care about some random words on a piece of paper. Make it look like a shopping list if you must.
Well here ends my rant about unnecessary security measures. I hope that you will petition your bank to remove farcical security, and let you get on with your life, instead of spending most of your time logging in.

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

-- Benjamin Franklin, 1759

Friday 6 July 2007

controlling ATI LCD output when laptop lid is closed

A little while ago, I overwrote my custom acpi scripts by mistake, (I don't keep backups just to keep myself on my toes...) so I spent some time today redoing them.

These are fairly hardware specific, for my Dell Inspiron 9100, so take what you like. If you break it, you get to keep the pieces. Also, I've taken from examples on the web that should be in the public domain.

Firstly, I keep /etc/acpi/events rather empty, with only one file /etc/acpi/events/default:
event=.*
action=/etc/acpi/default.sh %e


Secondly, default.sh (on a lid button event) calls lidaction.sh. Yes I know I could call lidaction.sh directly from /etc/acpi/events/default, but I like to have all my event decisions in one file.
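The post does not show default.sh itself, so here is an added example of such a single dispatcher (not the author's script). It assumes acpid expands %e to the event text, which /bin/sh splits into arguments (so $1 is the event group such as button/lid), and the helper script paths are placeholders.

```sh
#!/bin/sh
# default.sh: the single acpid dispatcher behind "event=.*" in
# /etc/acpi/events/default. acpid appends the event text (%e) as
# arguments, e.g.:  button/lid LID close
#                   ac_adapter AC 00000080 00000001
# Every routing decision lives here; hardware-specific work is delegated.
#
# Helper script paths are assumptions for this example, not from the post.
LID_SCRIPT=/etc/acpi/lidaction.sh
AC_SCRIPT=/etc/acpi/acadapter.sh

# Map an event line to a handler name. Only the event group ($1, e.g.
# "button/lid") is used for routing; the open/close word is ignored because
# lidaction.sh re-reads the real state from /proc/acpi/button/lid/*/state.
route_event() {
    case "$1" in
        button/lid)  echo lid ;;
        ac_adapter)  echo ac ;;
        button/*)    echo button ;;   # power/sleep buttons: log only
        *)           echo ignore ;;
    esac
}

# Run the handler for one event line, logging what was decided so that
# unexpected events show up in syslog instead of vanishing silently.
dispatch() {
    handler=$(route_event "$@")
    logger -t acpi-default "event='$*' handler=$handler"
    case "$handler" in
        lid) [ -x "$LID_SCRIPT" ] && exec "$LID_SCRIPT" ;;
        ac)  [ -x "$AC_SCRIPT" ]  && exec "$AC_SCRIPT" ;;
        *)   : ;;
    esac
}

# acpid always passes the event text; with no arguments there is nothing to do.
[ $# -gt 0 ] && dispatch "$@"
```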

lidaction.sh looks like this:

#!/bin/sh
#
# lidaction.sh: blanks / unblanks every running X display and switches the
# Radeon power state when the lid is closed / opened. Run by acpid as root.
#

# Find the user logged into X display :$displaynum (via finger) and point
# XAUTHORITY at that user's cookie file so xset/aticonfig can talk to the
# X server from this root-owned script.
getXuser() {
    user=`finger | grep -m1 ":$displaynum " | awk '{print $1}'`
    if [ x"$user" = x"" ]; then
        user=`finger | grep -m1 ":$displaynum" | awk '{print $1}'`
    fi
    if [ x"$user" != x"" ]; then
        userhome=`getent passwd "$user" | cut -d: -f6`
        export XAUTHORITY="$userhome/.Xauthority"
    else
        export XAUTHORITY=""
    fi
}

# $1 = dpms/backlight state ("on" / "off"), $2 = aticonfig power state number.
setStates () {
    for display in /tmp/.X11-unix/*; do
        # No X server running: the glob stays literal, so skip it.
        [ -S "$display" ] || continue
        displaynum=`echo "$display" | sed 's#/tmp/.X11-unix/X##'`

        # Look the user up first so xset also has a cookie for this display.
        getXuser
        # logger "/usr/bin/xset -display :$displaynum dpms force $1"
        /usr/bin/xset -display ":$displaynum" dpms force "$1"
        /usr/sbin/radeontool light "$1"

        # aticonfig needs a working X connection, so run it as the display's
        # owner, and only when we actually found one.
        if [ x"$XAUTHORITY" != x"" ]; then
            export DISPLAY=":$displaynum"
            su "$user" -c "/opt/bin/aticonfig --set-powerstate=$2 --effective=now"
        fi
    done
}

# Highest power state reported by "aticonfig --lsp", falling back to 3.
# Reading it instead of hard-coding it makes us more hardware independent.
# Thanks to http://bugs.archlinux.org/task/7243.
highlevel=$(aticonfig --lsp | grep ":" | tail -1 | cut -d':' -f 1 | sed -e "s/\*//g" -e "s/ *//g")
[ -z "$highlevel" ] && highlevel=3

# The ACPI event alone does not tell us which way the lid went; read the
# current state back from the kernel.
if grep -q closed /proc/acpi/button/lid/*/state; then
    lid_closed=1
    # echo "Lid Closed"
else
    lid_closed=0
    # echo "Lid Open"
fi

if [ "$lid_closed" -eq 1 ]; then
    logger "$0: lid just closed"
    setStates "off" 1
else
    logger "$0: lid just opened"
    setStates "on" "$highlevel"
fi

That's it! I hope you see something useful. The three important bits are radeontool, xset, and aticonfig.

This has an advantage over gnome-power-manager: it works regardless of who is logged in, and even on the console.

Tuesday 3 July 2007

Gnome 2.18: "Prepare to be underwhelmed"

So gnome 2.18 is released with the slogan "prepare to be underwhelmed" [1]. OK, perhaps this is a bit harsh, but not for invalid reasons...

I'm not going to bore you with a full review, for that you can just google your heart out! Instead, I'll list a few things that I like (or not) after my first few days of usage:

  1. There is a nice disk usage analyser, with a great pie-chart-on-steroids view of where your data is. This will definitely beat hands-down my old du analyses.
  2. When you unmount a drive, you're asked if you want to empty the trash first (trash from removable media is stored on said media in a .Trash folder)
  3. A la Windows, you get a "drive ready to be removed" message after you've unmounted a drive.
  4. The annoying power messages telling you your power has been unplugged no longer stay up when power is returned. (Instead they use the notification popup).
And the bad:
  1. There is still no gnome-screensaver customiser like the good ol' xscreensaver-demo. Instead, gnome-screensaver-preferences has added a "power management" button. Great...
Executive summary: Don't go to the big screen, wait for the TV release!

I know there are valid excuses for these and other criticisms, but the point is Gnome is aimed at a simplified user interface, and a simplified user isn't going to understand complicated reasons about why they can't customise their screensaver, for example.

In My Humble Opinion, this looks like 2.16.4. But I'd rather some release than no release at all.

[1] http://www.linux.com/articles/61210
 
Copyright 2009 Another Blog.