Michael N. Dundas

A colleague of mine recently pointed me to a new show on CBC called Spark that started in the fall. All their shows are available via the web which is great.

I just finished the show Unseen connections: New ways that objects and poeple are linked.
Great show. They discuss RFID tags, how they work and examples of their uses today. Casinos use them in chips to stop forgery, how they can be used in consumer products and save information such as product lot number, when, where it was manufactured and other information that can be extracted.

Smart homes were discussed. In the interview they discussed up till recently the hold back to the adoption of smart homes has been compatibility. This has now been overcome by the Amigo Project, an open source project that is supported by most vendors. One of the issues currently being researched by this project is privacy. With your home all connected privacy is naturally a big concern. Lots of information can be generated by a smart homes and the devices in your home; what you purchase, how often you cook, what you watch, what items you take with you, prescription information. This type of personal information is valuable and wanted by marketing and research firms. Privacy is becoming one of the hottest issues on the internet and it only makes sense that this issue is of even more concern in your home as it becomes more and more connected to the outside world. I look forward to the results of their research. Although a smart home is something that really intrigues me, I worry about both security and privacy. If my thermostat was connected to my smart home for example, would it be possible for an external entity to keep tabs on what I set my thermostat temperature at? This doesn’t seem like a big deal, but it is one step towards government stepping in and legislating that we are forcing everyone to keep their dwellings at x degrees for the sake of the nation, betterment of the greater population, or something to that effect. You might think I am paranoid and spreading fear but this was tried recently (although unsuccessful).

Personally, I think any smart home should have an override for the home owner. A switch or detailed configuration screens where under no circumstances can data be extracted or removed without prior authorization — a default ‘deny’ on ingress and/or egress connections. No individual device should be able to override the master control of the house. Even the government should not be able to do it in any circumstance. On the positive side, the project is open-source so even if this is discovered to be possible, someone will patch it quickly.

This weekend I was visiting my sister and brother in law. They are the proud owners of a new laptop that came with Microsoft Windows Vista. They have two children as well and they all use the computer. They were unable to figure out why one of the websites that the children visit was no longer working and had not been for some time. As well, the kids had several programs popping up when they logged in and were unable to remove them.

The website problem turned out to be the “Internet Protection feature” of Internet explorer. I spent about an hour trying to ‘fix’ it so that this children’s site was allowed to function. No luck. I dove deeper and deeper into the system settings, registry, internet add-ons, and account permissions. No use. There was was no easy way to override it, except to turn off the Internet Protection feature. Adding the website didn’t work, adding the IP addresses and other sites it contacted didn’t work. According to the error logs, Microsoft has decided that the flash software is doing some system call ‘incorrectly’ or in a non-secure way and therefore is blocked. No way to override it. Where does Microsoft get off telling people what they can and can’t do with their computers? More to the point, turning off the Internet Protection feature was the only way to permit the site to run. All these new cool security features and in order to get to a single site I know is safe, I need to turn off all the security for all sites — stupid design.

Stopping all the other software starting when the user logs in was another large task. None of the programs started in the startup folder. My sister-in-law didn’t even know a startup folder existed. Not that it would have helped even if she did know how to get to it. All the programs started via the registry. I had to enter the registry to disable the software from starting up.

This whole process took me over an hour and most would say I know what I am doing. How is a general home user that is not technical suppose to work with this? Even if you are technical, why would you put someone through this just to get to a website? Did anyone at Microsoft even stop to consider this? Microsoft needs to re-think both system design and security. I would not hire the people that designed this. They obviously need much more education and training.

There have been and continue to be ongoing debates as to whether disclosure of security vulnerabilities and software bugs are required. Proponents of free speech, open software, and a majority of consumers say absolutely. Companies that create software of course disagree. These companies often state they are reputable and fix their security vulnerabilities and software bugs as a top priority… after all they have their customers best interest at heart (or a set of PR statements to that effect).

Here is a perfect example of why disclosure is necessary. How would you feel if you paid extra for an unlisted phone number service yet anyone on the internet could find your address that knew your phone number? It is reasonable to assume that if your phone number is unlisted you would not want your address available, even to those that may know your unlisted phone number. Lauren Weinstein found this exact vulnerability. In the guise of responsible disclosure, he contacted the company and informed them of the vulnerability. He posted about the vulnerability on his blog, not mentioning any information that would reveal the vulnerability. The company responded with a nice letter basically saying, they were doing nothing wrong. So after a little debate, Lauren posts the vulnerability. Guess what happens next? Yeah, the company is going to fix the vulnerability.

Unfortunately, this will always be the case. At the end of the day, companies are there to make money first. It doesn’t make financial sense to spend money on resources to fix a vulnerability or software bug when that same money can be spent on resources to add new features that customers want and have stated they will pay money for. Disclosing the problem changes this balance and forces the companies to do the right thing.

One of my favourite groups is The Corrs. They are from Dubland, Ireland. Currently the band members (all brothers and sisters) have gone on a hiatus, while they raise families. One of the members Andrea Corr has gone out on a solo career. I was interested in her website, and started looking around. She had a section of her latest songs and videos and I attempted to select it. The website came up with a message saying:

“Thanks for trying to access the digitalInsert for Ten Feet High – Andrea Corr. Unfortunately due to contractual restrictions, access to this promotion is not available to residents of Canada.”.

So they have a GeoIP database of some kind and my IP being registered in Canada is blocked. I’ve been seeing more and more of this lately. Not difficult to get around. Select a proxy in a permissible country and download the site, use one of the VPNs I have access to and exit out in the UK, a little annoying but easy to bypass. What about people that are not technical however? Well fortunately that is easy, a quick search on YouTube and poof all the videos available for viewing there that were on the website, no restrictions. So I ask why bother?

Do the people that do this not remember the Commodore Vic-20 and 64 days? They would put copy protection on the software, someone would create a program to allow you to bypass the copy protection and get a copy of the software. Then they tried the dongles. You put a electronic device that came with the software in the joystick port. If that was not present, the software would cease to work. These were bypassed as well. Eventually they gave up.

DOS based systems for the longest time didn’t bother with copy protection, it was just considered a dis-honest and illegal thing to do. Windows software tried the special serial numbers you have to enter and they still do this to this day. Of course, it is easy to get hold of them, and there are key generators for all the different software. Microsoft latest trick is to use windows update to verify the authenticity of your software. Of course you can get around this as well.

DVD’s now use ACSS encryption to attempt to stop copying. It has not been broken, but there are workarounds. The latest DVDs are freely available on the Internet as soon as they are released. It has stopped nothing. There are countless other examples.

Does anyone see a pattern here? Does anyone pay attention to history? This doesn’t work. It has never worked. Why do they keep trying and trying to do this? It’s a waste of money. The business models they have don’t work on the Internet or with digital media. Give it up. Change your business models.