January 2003

Real World
Web-wide World
Wired World
Wireless World
Hard World
Soft World

Real World

  • The papers have been full of 'Operation Ore' this month, the operation against UK subscribers to one child pornography site. According to reports, a list containing over seven thousand names has been given to the UK police by the US authorities. As we are now all aware, the list contained a fair number of famous names, as well as those less famous but in positions of authority or responsibility.

    It looks likely that the operation is going to drag on for some time, with the police struggling on limited resources to get through all the names. In addition, it has been suggested that there are even longer lists, relating to other websites, soon to be delivered.

    Meanwhile, the Home Office is continuing its campaign to protect children using the Internet. Advice for adults, as well as new 'best practice' guidelines for Internet content providers are available at http://www.wiseuptothenet.co.uk/. There is also a site whose aim is to educate children directly; this can be found at http://www.thinkuknow.co.uk/.
  • Before the end of the consultation period for the proposed UK 'entitlement card' scheme, the government posted a rather self-congratulatory piece describing how most of the responses to it had been favourable. Naturally this riled those organisations critical of the idea, who then encouraged sceptics to post their own responses. This in turn motivated us to make some sense of the debate for ourselves, and the following is the result.

    To start off from basics: a large number of activities within society are subject to restriction, whereby some people have a licence to act, and other people don't. In some cases this licence is concrete and specific: driving licences, passports, raffle tickets, etc, all directly authorise certain rights. In other cases the licence is not physical, but tacit. When I sell a book to a second-hand shop, for instance, I don't standardly have anything official to show that the book is mine to sell.

    In a common use of the term, an 'identity card' is a *general licence*, on the basis of which a whole range of different activities are allowed or restricted. Paradigmatically, this is a physical item like a smart card, but it could also be something less concrete, such as a social security number. The UK scheme's consultation document expresses the general nature of an identity card thus:

    "A universal entitlement card scheme would: ... (iii) help people gain entitlement to products and services provided by both the public and private sectors, particularly those who might find it difficult to so do at present; (iv) help public and private sector organisations to validate a person's identity, entitlement to products and services and eligibility to work in the UK."

    For governments, the attractions of identity cards are threefold. Firstly, having a single, centralised method of authorisation for lots of different systems would likely be more efficient than each of these systems having its own authorisation method. The consultation paper suggests, for instance, that the centralised authentication system could be used by the social services, by customs and excise, by retailers as a proof of age, and by the NHS as a medical card.

    Secondly, by having individual data all hooked onto a single identifier, this should make it easier to 'data mine' complex information about people. The security services, for example, would probably benefit from being able to correlate and cross-reference various different data about suspects. It may also allow the Government to offer more complex and personalised electronic services to citizens.

    Thirdly, there is the idea that identity cards can improve the general security of the systems they are used by. The thought is that because the identity card provides a single, general licence, this can be checked much more thoroughly than each of the specific licences that it replaces. One of the motivating factors behind the proposed entitlement scheme, for example, is to address benefit fraud by hooking the benefits system to a highly regulated identity card.

    Critics of identity cards, however, take issue with some of these points, and worry about other negative consequences. Some of the major issues are these.

    Firstly, it is not clear (somewhat paradoxically) that replacing a number of low-security systems with a single high-security system would improve security generally. For this would also increase the rewards to forgers of defeating the high-security system, and thus focus their attentions on it. The proposal would only make sense if the security on the single card could be made extraordinarily good, so that the costs of forging the card would be higher than the value of a forged card. But history suggests that this is unlikely to be the case, at least with current technologies.

    Secondly, any benefits of being able to 'data-mine' complex data on individuals should be balanced with the dangers of this being used to infringe people's privacy. There are of course laws covering access and release of data, such as the Data Protection Act. But reports (such as the recent Home Office report on Police Integrity) also suggest that there is a fairly widespread abuse of access to private data.

    Thirdly, there is the background worry that identity cards just make it easier and more tempting for the government and its agents to exercise social control. This is problematic if you take the view - as certain cynical types might - that on the whole all governments tend to be drawn down the slippery slope of increasing control. For example, if there was a de facto universal identity card system, then the police would probably be keen for people to be required to carry the card at all times, to streamline their procedures. And in order to track murderers and paedophiles, it might then be a good idea to use each identity card to keep a record of its carrier's location...

    The consultation period for the UK Entitlement card is, at the time of writing, over, although there is a campaign underway to extend it. It looks likely that the responses from those people sceptical of the project now outweigh the 'overwhelmingly positive' responses hailed by the Home Office.

Web-wide World

  • Something we've only just come across: Wikipedia (http://www.wikipedia.org/) is the Web's 'open content' encyclopaedia, containing 102662 articles at the time of writing. It is entirely open to users to change and add articles, and their quality seems pretty high. An invaluable free resource.
  • A research team in New Zealand have been testing a redesign of the behaviour of the browser 'back' button. As things currently stand, use of back and forward navigation can lead to a situation where a page is 'lost' to the navigation functionality.

    Suppose, for instance, that you surf to the main page of a Beatles information site, which contains links to pages about each of the fab four. First you decide to check Paul McCartney's birthdate, so you click on the 'Paul' link. Then you decide to check Ringo Starr's hair colour, so you click first on 'back', and then on the 'Ringo' link. Unfortunately, at this stage you can no longer get back to the page about Paul using 'back' (although if you're brave enough to use Internet Explorer you can use the 'history' functionality).

    The research project investigated changing the default 'back' functionality to a scheme whereby 'back' just backtracks the user through the pages previously seen, in the order in which they were viewed. So in the given example, you could get back to the 'Paul' page from the 'Ringo' page with two clicks of the back button. The project found that the new functionality made some navigational tasks easier, but some more difficult, and that users were therefore about as happy with each. This suggests, perhaps, that we could see forthcoming browsers supporting both kinds of navigation.
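    The two 'back' behaviours described above, modelled on the Beatles example. This is an added illustration, not code from the research project; the class names and the exact bookkeeping of the temporal scheme are assumptions made here to match the description.

```javascript
// Stack model (today's browsers): following a link after going back
// discards every page that was "ahead" of the current one.
class StackHistory {
  constructor(start) { this.pages = [start]; this.pos = 0; }
  current() { return this.pages[this.pos]; }
  visit(page) {
    this.pages = this.pages.slice(0, this.pos + 1); // prune the forward branch
    this.pages.push(page);
    this.pos = this.pages.length - 1;
  }
  back() {
    if (this.pos > 0) this.pos -= 1;
    return this.current();
  }
}

// Temporal model (assumed bookkeeping): nothing is pruned. Pages that were
// re-displayed by pressing 'back' are recorded again, so the list is the
// full viewing order and 'back' simply walks it in reverse.
class TemporalHistory {
  constructor(start) { this.pages = [start]; this.pos = 0; }
  current() { return this.pages[this.pos]; }
  visit(page) {
    // Re-append the pages shown while backing up, in the order they were shown.
    for (let i = this.pages.length - 2; i >= this.pos; i -= 1) {
      this.pages.push(this.pages[i]);
    }
    this.pages.push(page);
    this.pos = this.pages.length - 1;
  }
  back() {
    if (this.pos > 0) this.pos -= 1;
    return this.current();
  }
}

// The scenario from the text: Home -> Paul -> back -> Ringo, then press
// 'back' three times and report which page each press lands on.
function beatlesWalk(HistoryModel) {
  const h = new HistoryModel('Home');
  h.visit('Paul');
  h.back();
  h.visit('Ringo');
  return [h.back(), h.back(), h.back()];
}

console.log('stack:   ', beatlesWalk(StackHistory).join(' -> '));
console.log('temporal:', beatlesWalk(TemporalHistory).join(' -> '));
```

    Under the stack model 'Paul' never reappears; under the temporal model it is reached on the second press, at the cost of a longer trail back to the start page.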

Wired World

  • Online IT News site The Register has just run three interesting articles describing and comparing the working of domain name registrars ICANN and Nominet (from a non-technical perspective). Anyone interested in how the domain name system is (mis)managed should find them informative. The final article also gives practical advice on buying domains, so that you can avoid the myriad problems that can arise in this area.

    The first article is available at http://www.theregister.co.uk/content/6/29065.html, and it contains links to the second and third.
  • The much-coveted Virus of the Month award for January goes to the 'Slammer' worm, which infected a large number of business networks with pretty impressive results. For instance, the cash machines of the Bank of America were reportedly unusable for a day, and 300,000 Internet users in Portugal suddenly weren't, when their ISP fell victim to the worm. Thankfully the long-term consequences of the infection will be small, since the worm doesn't harm its host, but instead overloads network traffic.

    It is pleasant to be able to report that one of the victims of Slammer was the Microsoft network, since the worm works by exploiting a vulnerability in Microsoft SQL Server. And it did this despite the fact that a patch has been available from, um, the Microsoft network, for about six months.
  • The friends of humanity who brought you email spam have found another way of irritating Windows users. This involves hijacking the Windows Messenger service, which is designed to be used by network admins to send alerts to client computers on the network. In the hands of the spammers, however, this messaging channel has been subverted to carry the usual advertising garbage.

    In fact, this exploit has been around for some months now, but with advertising resellers now taking on the spamming application we can expect the volume of this kind of spam to increase. For details on how to protect your network against it, see http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b330904.
  • The Open Web Application Security Project (http://www.owasp.org/) is an Open Source project which exists to provide tools and documentation for developers trying to make secure web applications. It recently released an interesting overview of the 'top ten security vulnerabilities' in web applications, but the whole site is worth a look for those needing to secure their online apps.
  • The case of 'DVD Jon', in which Norwegian Jon Lech Johansen was prosecuted for producing and distributing the DVD-decryption utility 'DeCSS', has now been settled in the teenager's favour. In acquitting the teenager of all charges, the court has ruled that the use of DeCSS in Norway is fine.
  • And now for a Newsletter first, in which we name and shame an Internet Services Provider (ISP). So please stand up 1&1 (http://oneandone.co.uk/) and take your five minutes of infamy.

    The reason for this critical spotlight, we hurry to point out, is not because of any technical problems with the ISP. Instead, it stems from its decision to advertise hosting on .NET servers before it actually had any available. Now, this in itself wouldn't have been too bad, except that on the basis of its own advertising the company allowed the .NET Users Group (North) to pay for space on a supposed .NET server. So this organisation duly transferred its domain name and website. Which didn't work, of course, because the server wasn't what was advertised. It then took several increasingly irate phonecalls, and a good deal of time, for 1&1 to realise their cock-up. Bad show!

Wireless World

  • This is slightly old news now - months, even - but those interested in setting up community wireless access points should take a look at http://www.linuxdevices.com/articles/AT5073214560.html. The 'MeshBox', available at 250 UKP, acts as a wireless router, as a wireless mesh repeater, and as a thin client workstation. So, to cut several long stories short, you can use it to create a wireless network, to interact with other wireless networks, and to run various applications that you don't have installed on your computer.

Hard World

  • We have commented previously on Microsoft's 'Palladium' project, which was introduced to shrieks of alarm last year. Basically, the project was to provide a way for computers to retain and use encrypted data so that it cannot be copied by unauthorised processes. This would involve wiring cryptographic functions into the CPU itself, and providing 'secured' pathways from and to peripherals like keyboards and monitors. (The alarmed shrieks were caused by the fact that the main use of this technology would be to support ever-more-intrusive Digital Rights Management of data.)

    Well, Palladium is no more. Hooray! Except that Microsoft has just decided to change the name from the slightly publicity-soiled Palladium to the deliberately anodyne "Next-Generation Secure Computing Base". So if you come across a discussion of the NGSCB, think Palladium.

Soft World

  • Opera - the 'third' web browser after Internet Explorer and Mozilla-based browsers - has just been released at version 7. The main improvement from the point of view of developers is better support for DHTML, and in particular the ability to make dynamic changes to the DOM. Looking at it from the user side of things, the main improvements are these: support for multiple user accounts; an integrated mail client; skinning of the user interface; custom stylesheets. On a personal note, we didn't much like the way the user interface was set up initially, but it was pretty easy to set things up as we wanted them.

    The Opera homepage is at http://www.opera.com/. The free version comes with adverts, but these can be removed for 39 USD.
  • Apple's new product range caught the eye of most commentators this month. According to technology guru Bob Cringely, the new software, which includes both an entirely new browser and a Powerpoint-alternative, reveals Apple's desire to provide a desktop alternative to the Microsoft office suite. If his thesis is correct, then we can expect Apple shortly to bring out a word processor and a spreadsheet to complete the set.
