Short comment in IT Week:
http://www.itweek.co.uk/itweek/comment/2222045/cloud-suspicion-hangs-online-4124287
The article was prompted by this incident. Of course I asked Apple to comment but it has declined to do so.
According to this post, someone at Apple committed a huge security blunder, giving the password to someone’s Apple ID to a third party. How was this accomplished? Someone emailed from an email account not associated with the Apple ID, and asked for the password. Apple apparently just reset the password and emailed it to the enquirer.
I haven’t verified the claim; but even if it is false, it highlights the risks of living the cloud life. Here’s what victim Marko Karppinen emailed to Apple:
Apparently based on a single-line email inquiry, you have allowed a third party access to:
- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I’ve synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program’s Program Portal, including details of our development team
Frankly, this makes me so angry that I can’t see straight.
Simon Willison, whose blog alerted me to the incident, mentioned a few weeks ago the security problem inherent in any site which will email you a password:
I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a “forgotten password” feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider.
Let’s bear in mind too that email mostly travels through the internet as plain text, vulnerable to interception.
Thought for the day: how much of your data is protected only by a simple username/password combination, and presuming there is some, how well protected is that password itself?
I imagine Apple will be tightening up its procedures, if the incident above is confirmed, since it was easily avoidable.
AVG found a virus on my Vista system this morning:
I was puzzled at first: what is Scratch? Then I remembered: it’s an innovative visual programming language aimed at education. Virus, or false positive? I checked the file, which seemed unchanged since 2007, but of course these things can be deceptive. Still, why this file, and how had this virus arrived? I looked here; other Scratch users have had the same problem, and other anti-virus software does not detect any virus, so it seems that this is indeed a false positive.
Most anti-virus software is based on a broken concept, the idea that you can detect malware by comparing files against a “known-bad” list of signatures, and occasional false positives are inevitable. I’d like to see that possibility properly recognised in the UI that the a-v software presents.
Not good for AVG, following its ill-judged LinkScanner problems.
An interesting facet of the recent problems with UK non-supplier Zavvi Direct is that all the purchasers I spoke to found the fake web site via a Google ad. Put another way, without the ease of advertising through Google and eBay, it is likely that far fewer people would have found the site and potentially lost their money.
That raises the question: does Google do anything to verify that its advertisers are genuine? Here’s the answer, from a Google spokesperson:
Google, along with other online and offline advertising platforms are not able to proactively check the legitimacy of each and every advertiser. Consumers should always check the validity of what is being sold to them and how they are asked to pay for items. If Google is alerted to a potential fraud then we will work with the relevant legal authorities to help them resolve such matters.
This was clarified to me as follows. Google will assume ads are OK unless it receives complaints. If it receives a few complaints it might pass them on to the merchant. If it receives numerous complaints it might warn the advertiser and eventually disable the account.
I guess it is unreasonable to expect Google to conduct checks on every advertiser. Still, there is a related point: does Google do enough to highlight the difference between advertisements, and links identified by its famous search ranking algorithms? Here is a snapshot of a search I just made:
I’ve sized the browser small to get everything in; there are more search results than I’ve shown. However, it shows three panels of results. The top left is tinted and marked in unobtrusive gray type “Sponsored links”. The top right is narrow, not tinted, and also marked in gray type “Sponsored links”. The bottom left is what most tech-savvy folk think of as the main results area.
Judging by my interviews, some people are not really aware of the distinction between a “sponsored link” and a search result. In some cases, the buyer could not tell me what kind of link they clicked. To them it was just “Google”.
It would be easy to make the ads more distinct. Google could use the plain English “Advertisements” rather than the “sponsored links” circumlocution. It could use something bolder than gray text to identify them. It could use a different font and colour for the links in the right-hand column. It is good that the top left links are in a tinted panel; yet some may perceive this simply as best-match links, rather than links in an entirely different category than those that follow.
Overall, it seems to me that Google deliberately makes its ads look the same as search results. Which is good for advertisers, but can be bad news for buyers.
I spoke this morning to Paul Mackinnon and Steve Plank at Microsoft, about Information Cards and CardSpace. CardSpace is part of .NET Framework 3.0 and higher. It enables users to authenticate on web sites by presenting a virtual card, instead of typing in a username and password.
The CardSpace concepts strike me as sound, but as far as I can tell adoption has been minimal. I expressed my frustration; why is it that 18 months after the 1.0 release even Microsoft is not using it to any noticeable extent? I still see username/password dialogs whenever I need to sign into a Microsoft property like MSDN subscriptions or Live Mesh. Actually there is a beta service which lets you sign in with CardSpace – but I believe my point is still valid – how many people even know about this?
I was told that it is still early days and that we will hear more about the Live ID service when it comes out of beta. Mackinnon also mentioned that Microsoft is working on a native code client for CardSpace. Currently users need at least .NET Framework 3.0 which is a huge download and can be problematic. A native code client will be a small download with few dependencies. There is no firm date for release, though it is at least a year away (maybe previews before then).
The official Ruby blog reports:
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.
More discussion here and here. The community is fixing the problems energetically; but they do appear serious, and some are struggling with compatibility issues.
Since these seem to be bugs in the interpreter, it strikes me that this makes a good case for JRuby or in due course IronRuby, on the grounds that the Java and .NET runtimes are more mature. When I spoke to ThoughtWorks about its extensive Ruby work, I was told that JRuby is almost always used for deployment, partly because enterprises are more comfortable with it.
Susan Bradley is blogging about a break-in on the server that runs numerous blogs for Microsoft MVPs (Most Valuable Professionals).
She describes spotting a service that turned out to be the W32/Rbot-GOS worm, with IRC backdoor functionality.
Currently she doesn’t know how it happened, but promises to let us know; it’s also being investigated by Microsoft support.
Kudos to Bradley for being open about this. It’s embarrassing for someone with deep expertise who blogs about security; on the other hand it demonstrates what a tough problem this is. I’ll be watching with interest for the further analysis.
AVG is a reasonable anti-virus product as these things go; it is also available in a free version for personal use. The recent version 8.0 release however has some problems, as The Reg points out. The trouble with the anti-virus vendors is that they cannot resist adding bloat to their products, even when customers prefer them to be as lightweight and efficient as possible.
In AVG’s case the team dreamed up a feature called LinkScanner. The idea is that AVG verifies the safety of an Internet link before you visit the site. Sounds good; but how does it work? Well, it seems that when you have a page full of links, such as those from a Google search, AVG visits all of them, just in case you click, and gives them a pass or fail based on some combination of malware reports and perhaps direct detection. It’s desperately inefficient; and overlaps with functionality built into Firefox and Internet Explorer. Firefox 3 has a phishing and malware protection feature, while Internet Explorer has a phishing filter which is evolving into a Safety Filter in IE8. There are also privacy issues with any system that depends on sending your browsing history to a third party for review.
I tried this new feature in AVG 8.0, didn’t like it, and disabled it. Unfortunately, although AVG allows you to disable it, it then treats it as an error condition:
Although in reality everything is fine, the little icon in the system tray sports an exclamation mark, disguising more serious problems such as a failure to download updated virus signatures.
Fortunately you can avoid the LinkScanner by removing and reinstalling AVG. It is no longer necessary to use the /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch arguments; with the latest version, just choose a custom install and uncheck the Safe Search feature (Safe Surf is a feature of the paid-for version).
If you don’t see the Safe Search option, re-download AVG and try again.
I also disable the daily scan, which slows down the computer excessively while it is running and which strikes me as unnecessary. How are viruses going to get on the computer, if the on-access scanner is working? Then again, almost nothing about anti-virus software works reliably (the task is too difficult) so I suppose there is a case for it.
Microsoft has revised its document describing Five Misunderstood features in Windows Vista.
I’m not going to analyse the revisions, as others have done that, though I will mention in passing that Adobe Acrobat’s Compare Documents feature does a nice job of showing the revisions:
However, I would like to highlight this comment to Steven Poole’s post, from Microsoft’s Brandon Paddock:
Those changes were made because the original article was written without the involvement of the engineering teams and so it contained a great deal of inaccuracy.
Quite a confession.
The trouble is, even fixing inaccuracies doesn’t rescue the document from its faulty presumption that Vista’s poor public image is all down to misunderstandings. That ain’t straight talking. That’s spin.
The irony is that some features of Vista are misunderstood - UAC especially. Here’s some real straight talking on the subject, from Mark Russinovich:
The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer.
Perfect.
Interesting to see Gears support in WordPress 2.6:
The patch adds all static files used in the admin interface to a single offline storage. That speeds up page loading a lot, as it serves virtually all requests for static files from the computer’s HD instead of the network. So instead of 50-60 requests to the server on some pages, there are only 2-3.
Very simple, very effective. A user blogs the experience here.
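The mechanism behind that patch is a Gears “managed resource store”: a manifest lists every static file, Gears fetches them all once, and later page loads are served locally until the manifest’s version string changes. The block below is an added example, not WordPress’s code; the store name, file list and the content-hash versioning are assumptions, and the Gears factory is passed in as a parameter so the capture function can be exercised without the plug-in installed.

```javascript
// Build the manifest Gears expects: betaManifestVersion 1, a version string,
// and one entry per URL. Changing `version` is what makes Gears re-fetch files.
function buildGearsManifest(version, urls) {
  return {
    betaManifestVersion: 1,
    version: version,
    entries: urls.map(function (url) { return { url: url }; })
  };
}

// Derive the version from the files' contents so the manifest changes exactly
// when an asset changes (an assumption; WordPress may tie it to its release).
// FNV-1a 32-bit is used purely as a stable, dependency-free digest.
function manifestVersionFor(fileContents) {
  let h = 0x811c9dc5;
  const text = fileContents.join('\n');
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16);
}

// Browser side: ask Gears to capture everything in the manifest.
// `gearsFactory` is google.gears.factory in a real page.
function captureAdminAssets(gearsFactory, manifestUrl) {
  const localServer = gearsFactory.create('beta.localserver');
  const store = localServer.createManagedStore('wp-admin-static'); // constructed name
  store.manifestUrl = manifestUrl;
  store.checkForUpdate(); // later admin page loads come from local storage, not the network
  return store;
}

// Constructed sample: two admin assets and their (fake) contents.
const adminFiles = ['/wp-admin/css/admin.css', '/wp-admin/js/common.js'];
const adminManifest = buildGearsManifest(manifestVersionFor(['body{}', 'var x=1;']), adminFiles);
```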
So is Gears taking off? Maybe. There’s Zoho; there’s Google itself, there’s MySpace, which uses Gears for searching and sorting messages. Note that Gears is still in beta; it’s curious that major sites are willing to use it in that state, but that’s the Internet for you.
I have reservations about Gears. There’s the security angle. More seriously, there’s the question about whether this is the right way to extend the browser. Google is doing its own thing; so is Yahoo with BrowserPlus; so is Adobe with Flash, and Microsoft with Silverlight. All of them swear that they love browser standards, and in some cases (like local storage) there may be consolidation towards a standard API - see here for a good discussion - but there is real danger of plug-in hell.
Security is bound to be an issue as well, since the more browsers and their plug-ins interact with the client (which is the purpose of these extensions), the more potential there is for compromising the client.