slef-reflections on Bad Technology


Stupidity

This is a section for all the 'surely no-one ever thought it was a feature' pieces of bad technology.

MSN Santa Sex Scandal

Posted by mjr 2008-01-03 (permalink)

I missed this one when it happened earlier last month, but I'm still putting it on my 2007 page of Bad Technology. Thanks to a colleague for pointing it out.

Apparently MSN's Santa-bot made inappropriate comments to children and was exposed in Microsoft's sex-obsessed RoboSanta spouts filth at children | The Register

After that, it was almost inevitable that it would be taken off-line, even if just for a short while, so I think the next headline could have been predicted:- Microsoft kills Santa Claus | The Register

What surprised me was the ham-fisted PR attempt described in Microsoft accuses kids of bullying Santa into sex chat | The Register

If it was a mistake, then admit it. How did it happen? Unruly programmers wanting easter eggs at Christmas, or did someone make the Santa-bot by modifying a porno-bot, or was it a learning bot finally corrupted by all the abuse it was sent - like Arnold on UEA/tsw's #pubfood IRC?? Truly bizarre.

PHP's Standard Sub-standard Approach to SQL

Posted by mjr 2007-11-30 (permalink)

I'm just fixing another customer web site where the reported bug was something like

"when I put a customer password that includes an apostrophe into the web form, the site returns an error message"

and in the PHP source code I found something roughly similar to

"insert into customers values ($id,'$username','$password')"

(no, I didn't write the site - I'm doing ad-hoc support on it).

Now, I realise that there are times when you want to send particular SQL instructions to the database and I know there are 1001 modules for tieing databases to variables, but it is still a problem that PHP's basic standard approach to SQL is to shove strings around and even today, with the dangers well-known, many PHP coders will interpolate unsafe user-submitted variables into them. It's enough to make a meltdown imminent. Surely no-one ever thought it was a feature?

Pierre wrote:

"Every language did it like that and many still do. However, if you use pgsql (or some other), you can take a look at the prepare methods. Or if you use php5, pdo supports prepared statement or the notions of query arguments.

The short version is, that's not really a PHP way of doing things. Every language in the world has a way to pass raw queries to DB layer (raw queries == string) and we can't fix brains =)"

So why does it happen so often in PHP? Partly because PHP doesn't have easy mysql prepare()s before version 5, MySQL is most PHPer's first database and when they change database, they take their old bad habits with them.

Yes, it's ultimately a programmer brain problem, but it's a problem that PHP helped to encourage.

By the way, the original developer was given access again and tried to fix it by liberal sprinkling of addslashes() without telling anyone, which would have caused double-escaping of some characters if we hadn't spotted it when merging his change. Thank $DEITY for revision control.

Email Newsletter Links

2007-08-09 (Permalink): Automatically-generated links in email newsletters are usually ugly because they contain tracking data, to measure response to each individual copy of the newsletter.

If your links are ugly, I think it is stupid not to override them when you launch a link-shortening service.

The FON MOVIMIENTO Newsletter: August 2007 contained:

"With FON GET SIMPLE you can convert all of those long, impossible-to-remember URLs into short, easy-to-remember URLs that make your Internet travels simple. https://fon-en.custhelp.com/rd?1=AvcE~wolDv8SWivzGhIe~yL~Jvkq~_3~&2=118 "

Oops.

Online Banking Authentication

I'm registered with three online banking systems. (Actually, I'm probably on more, but I only use three.) Two of them use similar authentication systems. The third one uses some similar details but adds a random alphanumeric user ID and a load of restrictions on passwords and so, I just locked myself out again which has annoyed me somewhat, as well as blocking my access to some of my money.

First of all, adding restrictions to passwords is stupid. It makes them easier to guess by eliminating whole regions of the solution space. If I can send the damn thing to the webserver, that should be all that matters. It also makes me more likely to either store the crippled password or details of the crippling somewhere. And it makes me more likely to lose access, like I just did yet again.

How many more of the Security Myths and Passwords do they need to follow? Just put the login in a GUI transmitted unencrypted and they'd have a full house, I think.

Secondly, why the devil aren't our banks using things like certificates or multi-site identity services yet? Our national government moves with the efficiency of treacle in snow when it comes to web services, yet it has been using both in its government gateway for years. It's not perfect, but they're working. Meanwhile, we're still waiting for everyone to get on the list of banks that work with GNU/Linux and I've yet to find a PGP- or S/MIME-ready bank. (Update 2007-09-27: I had a PGP-signed email from Nationwide )

Online banking authentication - stupid bad technology.

Stephen Touset commented:

"The worst offender in my experience is the "Verified by VISA" program.

They restrict you to a subset of characters (alphanumeric, if I recall correctly) and even restrict the maximum length!

You know what the worst part of it is, though? If they were using a widely-published, widely-analyzed, and widely-reviewed secure hash standard like SHA-1, Whirlpool, or any number of alternatives, these restrictions wouldn't be in place.

This tells me that they're likely not using a well-reviewed standard, and instead have probably come up with their own bastardized password "encryption"."

I'm a bit worried by this, but I'm moving my customers to Verfied by VISA and Mastercard 3DSecure because of the carrot-and-stick used by the payment gateways. Am I sleepwalking off the cliff here?

Wouter's Eclectic Blog writes "My bank [Fortis] actually thought about this stuff before implementing it."

CGI Scripts and Line Endings

Bad Tech: DOS using different line end character sequences.

Problem: CGI scripts uploaded with the MS Windows version of FileZilla over SFTP don't work until converted. Either there's some FileZilla settings wrong by default, or it just doesn't work.

Solution: Evilly, I made a perl^M symlink to stop having to convert users' files. Surely there's a better way I'm not seeing?

Brett Parker suggested educating all users about line-endings - sadly, I think there are more users than I have time to educate (even with a web page that makes the basic point, I think there will still be lots of questions) and also, I think stuff on the Windows side should handle their bad decision - they came along last, didn't they?

Jon Atkinson commented:

"WinSCP deals with line endings properly, and is free software. It also has a NC-style interface, which I prefer to the Filezilla interface. http://www.winscp.net/"

Thanks. I'll suggest that some users try WinSCP instead of Filezilla.

Ben Hutchings commented:

"Version 4 of SFTP introduced the SSH_FXF_TEXT open flag, but OpenSSH is still stuck at version 3."

Why no version 4 in OpenSSH yet, then?

HD-DVD

David Berry wrote:

"Spread this number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. [...]

It's the HD-DVD Processing Key for most movies released so far. I was not aware that a string of numbers and letters was copyrightable."

Source post, more explanation [etbe] and Original.

Government and Free Sofwtare

Apparently, yet another NHS IT project has tanked. Steve Purkiss wrote in:

"I've just written an article on the latest debacle in our Government's long line of software failures, and how a switch to Open Source would provide a far better solution all round.

I would be extremely grateful if you could help by digging it: http://digg.com/linux_unix/The_MTAS_debacle_Even_more_reasons_to_switch_to_Free_Open_Source_Software

Thanks!"


Spam Bloggers (Sploggers)

What are you doing with pingback splogs?

Posted by mjr 2007-11-15

Is anyone else getting pingbacks from sites consisting entirely of formulaic posts like

"/foo/ /posted-phrase/ today on /title/ - here's a /summary-phrase/ : /quote/"

? I've been rejecting that style of comments because I think sooner or later those sites will be identified as sploggers (spam bloggers) and get penalised in site ranking systems. Another alternative is that once they build enough links, they'll start linking to their paymasters or replace the site with less mundane content.

It's a tough call - I've only been seeing such sites for about a month and I usually like the idea of turning spammers to our own ends and these do increase a site's comment count and relevant link network - but I'm a bit worried how these will turn out.

Have you seen this style of comments? What are you doing with them?

Josef Assad commented:

"When I had trackbacks, I was moderating them. For comments, a simple math captcha is doing the trick.

This is drupal."

Yeah, but what trick is it doing? I just tried leaving a comment on the qmail PD story:

"The original thread is on the web with replies at http://comments.gmane.org/gmane.mail.qmail.general/53000

Maybe the much-satirised default error/warning replies will get replaced at last!"

but it replied

"* Invalid CAPTCHA token. * The answer you entered for the CAPTCHA was not correct."

I have a degree in maths. I'm pretty sure I added 4+1 correctly.

Maybe that CAPTCHA is testing something but it's sure as hell not testing for spammers. See my previous message on this topic: http://mjr.towers.org.uk/blog/2007/blogtools#captchacomments

Russell Coker commented:

"Most of those summary splogs don't correctly attribute the author. When they mis-attribute my work to someone else I file a DMCA take-down request with their ISP."

Shane commented:

"I have been getting track backs from one particular site.

I was accepting them at first, but then after concluding that the site was automating the content, now I am just deleting them. Although it is kind of strange..."

Vid asks:

"What do you do with Incoming links like these:- loanbankcredit.org/category/credit-card-application/167/credit-card-fraud-in-the-making/ and http://www.technorati.com/blogs/www.svaksha.com/?reactions

I moderate the comments, but incoming links ...??!"

I think there's not much you can do about toxic links, other than refuse to reciprocate and hope that search engines and social bookmark sites will get clue about them.


Bad Solutions

Get Safe Online and security through obscurity

Posted by mjr 2007-11-12

This is mainly a comment on the BBC report of the Get Safe Online campaign - the campaign seems to have some good advice, such as securing wireless networks (WPA at least now!), and their website is more useful than other gov.uk ones I've seen, but some comments in the report just seem strange, like "a date of birth and address details were enough for someone to set up a credit card in another name" - if that false credit card would affect us, then we need to fix the credit card issuers, not stop posting details online!

Trying to hide details is well-known as security by obscurity and it's not much security at all. I'm disappointed if that's a major focus of Get Safe Online's message. What about trust and encryption advice?

Also, many people don't have a choice whether our details are posted online. They are already posted by government agencies like Companies House and then that information is bought and republished by private companies. So, we're not adding much to the risk by using social networking.

Finally, it's rather amazing that some Secured Web Browsers can't access much of the content on www.getsafeonline.org because of their careless use of Flash and client-side scripting on their site. Are they safe themselves?

Get Safe Online will be travelling around the country offering advice on how to stay safe and secure when using the internet. They're in Bristol tomorrow - if I don't feel nearly as bad as this any more, maybe I'll go visit them and see if the reports are accurate.

BBC iPlayer - thanks to the unique way it's funded, by selling landmark buildings

Posted by mjr 2007-10-24

I read Interview with Mark Taylor, Pres. of UK Open Source Consortium, by Sean Daly on Groklaw and lurking near the end are these points:-

"[The Times] said that there were £130 million pounds spent to develop the Windows-only iPlayer over the past four years.

[...] I was reading in the Financial Times a couple of days ago that they're selling one of their prime locations in central London, one of the sort of landmark BBC sites, and the estimation of its value is between £100 and £200 million. Now, the iPlayer has cost them one of their landmark head offices."

This sort of linking equivalent values puts the extortionate costs of DRM/TPM and hidden taxpayer-funding like the BBC, or our Police being used as Big Music's private army into stark context.

The BBC's use of DRM/TPM has cost the nation one of our national heritage buildings. What will DRM/TPM cost your country before you act against it?

Stuffing Standards Bodies and Network-unlocking iPhones

2007-09-04 (Permalink): Here are link-summaries of two interesting topics which have developed while I was away: the OOXML vote-buying scandal and the iPhone unlocking:-

Microsoft accused of rigging OOXML votes - ZDNet UK
A good summary of the start of this problem, in a complaint from FSFE. Fairly full description of the Swedish incident and suggestion that it's happening elsewhere. One Paid Partnership Programme One Vote, anyone?
SIS declared its own vote invalid
The Swedish standards body will not vote, due to a technical failure in the Microsoft-stuffed ballot.
New Zealand OOXML rejection 'not final' - ZDNet UK
It looks like opponents of OOXML are negiotiating surrender. Worrying.
NJ 17 year old Kid creates hack for the Apple iphone opens carrier network access beyond AT&T | open4.org - create. share. earn.
It cracks me up that the iPhone was cracked, even if it did take him over 500 hours. I read it first on open4, which does the right thing and links both of George Hotz's sites.
BBC NEWS | Technology | Teenage hacker unlocks the iPhone
Slightly more information, but fewer links, from the BBC. They don't even seem to link the blog which is cited as a source. Very strange approach to the web from the BBC.
VOIP IP Telephony: iPhone hacker saga continues! Hotz gets $30000 for the phone
Then the iPhone was traded for a car...
Code to unlock iPhone cracked
Finally, this morning, I saw CNN report that a software-only crack is available. Network-locked phones are so 1990s anyway.

One-eyed iPlayer

2007-07-06: So iPlayer, the BBC's on-demand 7-days TV download service, launched as Microsoft-only, despite the feedback to the trial service. They come along to events like hackday pretending to be our friends, but they're really not. It's more BBC Backdoor than BBC Backstage.

My IMDB-listed friend Martyn Drake estimates the cost of using iPlayer as at least £215 for GNU/Linux users and you can't do it with free software. It seems to be even more expensive for a Mac.

"The BBC should remain impartial, but they're currently having hot patootie with Bill Gate and his chums in Redmond. They continue to use OUR license fee regardless of our objections to their dimwitted decision to use DRM, and now say they'll review the situation is six months.

Thanks, BBC. Thanks a lot. Can I get some of my license fee back to afford these additional costs, please?"

No wonder the Open Source Consortium says they'll complain to the European Commission - it's blatent bundled sales. TV has got away with worse in the past (for example, Channel4-satellite requires you to buy Sky), but the BBC's TV-tax-funded services had been getting progressively freer. This latest reversal of that makes me wonder whether Freesat will be fully-viewable with free software.

Also, they're up against another big problem: given a choice between the expensive and inconvenient legal iPlayer and the free and easy illegal torrents (which I'm told have US imported shows earlier), which will users choose? Surely not even the BBC's advertising power will overcome iPlayer's 200 quid bundled sale and auto-delete?

Let them know it won't: petition the Prime Minister to open iPlayer. The BBC is a Royal Charter Corporation and should act in the public interest.

Ban the Net

It's the Fourth Safer Internet Day which is fine in itself, but it also seems to be an excuse for politicians and journalists to say stupid things about the internet.

Example 1: Interior Minister John Reid suggests making sex offenders register all email addresses and internet nicknames - seems fine at first reading, but then you realise that anyone can have an infinite number of email addresses and nicknames and wonder how the hell the police will cope with a denial-of-service attack that enumerates each address and nickname in turn. a@mydomain, b@mydomain, ... z@mydomain, aa@mydomain, ab@... you get the idea?

Example 2: BBC Five Live asks 'Should websites that promote anorexia be shut down?' which was also subject of an ITV news programme called 'thinternet' yesterday evening - There are practical problems shutting down any web site (the internet views censorship as damage and routes around it) and if it's not on the web, it will be passed from person to person. It's shameful that Eating Disorders Awareness Week is getting hijacked by this futility.

Can someone get these people to realise that banning and controlling things on the internet is about as easy as controlling radio waves? The radio laws are mostly unenforced against small offenders because they are mostly unenforceable without a huge police force. The solutions will come from addressing the problems (sex offences, eating disorders) not the symptoms (email addresses, web sites).


Scammers

Data Protection Racketeers Jailed

PDF press release saying

"The Information Commissioner's Office is again reminding businesses across the UK not to be misled by bogus agencies that send notices demanding money to register under the Data Protection Act 1998 (DPA). The warning comes after Leeds Crown Court sentenced three men to prison on Friday 8 June for their involvement in fake data protection agencies."

They earned £62,575 before they were closed (that's a lot of £135-a-time victims) and got up to two and a half years in jail (tip to PL&B for emailing me).

I feel this type of scam only works so well because most of the official advice is vague and unhelpful, while the most useful notification page is three-clicks deep in a section that few businessmen would choose unless they already knew about it.


Billing

edf energy and npower

There's a stupid system in England for utilities billing. In theory, you have the freedom to choose who supplies your electricity and gas. There are supply networks, maintained here by Wales and West Utilities and Western Power Distribution which are the same for all suppliers, but your supplier has to put the amount that you use into their network. More info at Energy Watch

In practice, when you move home, you have no freedom to choose. You can't even keep your existing supplier. The supplier of the previous occupier writes to you and tells you that you are on a "deemed contract" which is a funny sort of contract which they reckon is valid even though you have no choice in the matter.

Even if you tell the suppliers of your choice on the day you move (as if you didn't have enough to do), you're screwed. There are long notice periods, even for deemed contracts. With gas, you're doubly screwed, as they can make daily standing charges even if you use no gas. Nasty deemed contract supplier npower refused to negotiate and then billed for nearly 50 quid, thanks to their standing charge.

You might avoid paying the home's previous electricity supplier by giving them a zero reading. As long as they're not silly about it, they shouldn't send a bill. There doesn't seem to be a daily charge for electricity.

Silly edf energy sent a 16p bill. 16 pence. 0.16 pounds. The printing and posting probably cost them another 16p. I paid it at a post office counter, which I'm told pays the post office 12p. It just cost edf about 28p to receive 16p. Why the devil didn't their billing system write it off?

I suggest that customers of 'no-negotiation npower' or silly money-wasting edf energy should look for a new supplier. Probably not British Gas: Martyn Drake has some British Gas horror stories, but he recently reset his web site (google!). I'm sure another BG rant will be along shortly, though. One of my uncles has had trouble with them too, but I don't think he's on the web yet.

Chris Cunningham commented:

"Errr, standing charges on gas are pretty rare now. British Gas abolished them years ago, for instance. Standing charges for electricity are generally a good idea if you use any reasonable amount of electricity though.

The single best piece of advice I can hand out for saving money on utilities is to take meter readings every month. Not only does this make it much easier to negotiate re-estimation of poorly-calculated start/end reads, it also gives you an immediate idea of how much you're using.

I'm rather surprised that you didn't take the opportunity to rail against the evils of privatisation which led to this situation. Deregulated utilities are a bit of a nightmare in the UK, speaking from experience working for one."

Standing charges may be pretty rare, but they are still allowed and npower put them on so-called deemed contracts. I can see why that makes sense to a company like npower. It seems a good way to make sure you can bill a customer who hates you.

Reading your own meter is a good idea. Doesn't really help if you've only just moved in, though. npower still argue that the absurdly low meter reading they're using for your start value (which would mean a bigger bill) was the final reading given by the previous occupier.

I can't really comment on the evils of privatisation: I never interacted with the public utilities. Interestingly, the "deemed contract" problem seems to come from the regulations. Gas Act 1995 Schedule 2B section 8 creates the deemed contracts and doesn't explicitly handle the situation where someone moving in has an existing gas contract and doesn't want the deemed contract at all.

This seems a misregulation bug as much as a deregulation one.



Crackers

I'm installing Paul Martin's iptables ssh-rate-limiter on the public machines that I run, to reduce the amount of logfile rubbish that ssh-scanning crackers produce. I've also added an iptables-restore line to the pre-up of the relevant sections of /etc/network/interfaces

So far, there doesn't seem to be any disadvantage to doing this. Is there one? If not, why doesn't everyone do this?

Evil Mambots and a com_extcalendar exploit

A couple of hours of today (early May) went on dealing with the effects of a big spam attack on a managed server. One user had installed the Joomla ExtCal component on their web site, while another reported that email was running slowly.

The attacker was exploiting com_extcalendar/admin_events.php to send spam and trying to send 9000 emails meant they hit the maximum permitted sending rate quite quickly. As soon as I spotted it, I shut down outgoing mail, killed the sending process, disabled the exploited site and component, cleaned the spam from the queue and restarted mail.

I'm searching the rest of the server for any other com_extcalendar installations and then I should contact the other exploited servers I've seen during this attack. It looks like there's an entire class of evil "Mambots" out there, using exploitable Mambo and Joomla sites to crawl in search of others.

I don't think the exploited site's owner will be billed for the clean-up, because I can't find a security advisory for this. Neither the mambo site (whose site search doesn't work for me) nor the joomla site seems clear about security alerts. I didn't find a third-party advisory that was clearly about this (but there were a few maybe-relevant ones). The homepage at Mambo last released in 2005 and doesn't mention this in its release notes, while the homepage listed by Joomla 404s (and I don't enjoy using the Joomla site because, as it says,

"we are aware, and regret, that our website does not comply with many WCAG/508 requirements"

).

If you are using com_extcalendar on your site, check whether it's safe, or replace it with a better calendar.


Comments are moderated (damn spammers) but almost anything sensible gets approved (albeit eventually). If you give a web address, I'll link it. I won't publish your email address unless you ask me to, but I'll email you a link when the comment is posted, or the reason why it's not posted.


Spam

Items that used to be here, including:-

are now listed on their own page.

This is copyright 2007 MJ Ray. See fuller notice on front page.