Thursday, April 26, 2007

Rage Against Phones

Those who know me will be aware that I seem to go through regular phases where technology fails me entirely. I'm in one of those now. In the last two weeks I've had to replace my xbox 360 (which thought that randomly freezing was more fun than actually playing games), reload nearly all of the drivers on my PC to cure a random problem where the screen would jump around (and the "start" menu button would expand and contract in time with its own persistent beat), run two wireless networks because my wifi printer doesn't speak WPA and my Apple 802.11n gadget doesn't speak WEP. I've been there before with wifi more than once or twice. I've even got a red flashing light on my fridge that apparently means I have to replace something that I'm completely unable to find. But the thing that's driven me most mad has been the phone formerly known as the Treo 750v and now known, simply, as useless. I've been upset with this phone before of course (back in an earlier tech trouble phase). The same problems continued to occur - it would randomly stop ringing or buzzing, battery life got ever shorter requiring intra-day charging, and had started to freeze or reboot at least once a day. Simple inertia had stopped me replacing it - I actually like what the Treo does and am absolutely wedded to threaded text, believing it to be a killer application (such a 90s term). But last week a new phone arrived. It's a Samsung SGH-i600, always with the catchy titles these phone-makers - design aside, you can see why everyone loved Moto's RAZR; who wouldn't want a phone name you can actually pronounce? It'll be interesting to see how Apple branch out with the iphone - will we see iphone Nano, iphone Video, iphone Giga on top of the inevitable multi-coloured offerings? I will lay good money that we certainly won't see the AAPL-S600iVn or anything even close. Although maybe they'll come up with a phone a year or so from now called the St-EvE. First call with a new phone is to backup the old one. I hadn't done this for at least a couple of months but wasn't expecting it to be hard. I was wrong. The Treo wouldn't connect to the PC via its charging cable (it would charge whilst connected, but ActiveSync couldn't find the phone), nor with a second cable that I tried. Endless wiggling and restarts of both phone and PC made no difference. Ah, bluetooth I thought! No, that didn't work either. I left it alone for a few hours until lightning struck with the idea of using infra-red - remember that old-fashioned technology? Remember when the idea was that you'd beam contact details from phone to phone with simple (free) infra-red? Before everyone just switched to sending business cards by text (although, that said, the 750v doesn't support sending cards by text). I dug around in a big box full of old tech looking for my PC infra-red plugin - I can't remember when laptops stopped coming with infra-red capability but it must be at least 3 or 4 years ago. The Treo, however, has an infra-red port (the new Samsung, by contrast, doesn't - but it has Wifi and bluetooth). Infra-red worked just fine - it took a couple of hours though (that's what 2000 contacts, 1000 tasks and 2000 diary entries does for you I guess). Just checking the settings on ActiveSync afterwards, I saw that the "contacts" box was greyed out. And, as you'd expect in that scenario, the phone hadn't transferred any recent contacts to the PC. More restarts, more wiggling, more clicking. No difference. So a couple of hours of sync without 2000 contacts. Uhoh. It turns out this is a common problem. Searching for "treo 750 contacts won't sync" gives nearly 70,000 instances. Various proposed solutions on the web didn't work; there were downloads to try and configuration changes and all sorts of other things. Another lightning strike (imagine that, two in a day) and I downloaded pocketmirror from Chapura. Fortunately it comes with a short trial period for nothing. And it worked perfectly although, again, it took a couple of hours (but at least I knew what to expect this time). So, 69,800 of you Treo users, if you haven't thrown it away by now, that's your answer. Just searching my blog, I've found that I've been here before though, with other phones (like the Nokia 7650. It's staggering really that after 18 years of mobile phone usage, the same problems with transferring from one to another still exist, as my letter to Nokia in February 2003 shows. It's 4 years this month since I stopped being a Nokia user. From about 1993 until 2003 I was a committed Nokia fan - I loved their interface (didn't everyone) and, frankly, there wasn't much competition. But in all those 4 years, the problems that I was having then are no nearer being fixed. It's harder to move from one phone to another with all of your settings intact than it is to move from one PC to another or, heavens above, a PC to a Mac. You could understand this a little if it was easy to move from a phone by the same manufacturer to another in their range, but that isn't easy either. So I left behind, on my Treo 750v, all of my texts, my email account settings, my speed dials, my pictures assigned to contacts (the few that I'd bothered with) and a pile of other things. Some of the things that I used to have I just can't set up on the new Samsung phone but at least it rings, its battery lasts more than a day, it syncs every time and I've only had to reboot on a couple of special occasions. More on the problems it does have another time.

Sunday, April 22, 2007

Watching Not Running

I sat out this year's London Marathon. Or, at least, didn't run it but did spend several hours on my feet watching it. I missed out mostly because I tore the meniscus in my left knee a couple of months ago and I'm still unable to run. Watching right at the finish line, for the first time ever, I wanted very much to be running it. I watched the mini-marathon finishers, the wheelchair racers (1:30:49 - I couldn't cycle the course that quickly), the first ladies (impressive time, boding very well for Beijing, of 2:20:38) and then the men. What stunned me was the huge gaps between runners. Once the first 3 or 4 were past, the gaps before the next were far longer than I'd expected. I always knew it was a big deal to do sub 2:30, even sub 3:00, but when you see the finishers come home, you really see how rare an achievement it is. The gap from first place to 20th place is 18 minutes; from first place to 100th, it's 30 minutes. I hadn't realised just how rare sub 2 1/2 hours is - when you run from the back of the pack with everyone ahead of you, you don't get to see anybody that fast after all. By 2:45, there were barely 250 runners home and 34,000 still to come. By 3 hours, there were still only 847 home. The hot weather probably had something to do with it, slowing some folks down and causing more than a few to drop out - last year, a rainy, cold day, 1234 made it home in under 3 hours. I watched as several runners, even those finishing well under 3 hours, collapsed with just yards to go - many were carried over by the race marshalls, many more by their fellow runners. One, completely overcome and looking very, very ill, was stretchered off with 25 yards to go - no medal despite being so close. The crowd at the finish line went wild every time someone arrived who looked like they wouldn't make it. You see the faces of the runners as they get near the finish line. Most are showing the signs of pain and suffering - rictus grins, awkward running motions, heads bouncing around. Some are rock steady and look like they're waiting for the bell telling them to go round again. But, most suffer. In some ways that's reassuring; even the folks running 2h 30m feel the pain of a marathon run. By the time the clock's on 4 hours, the fancy dress runners are coming home, their are bigger smiles, waves to the crowd and then huge signs of relief as they cross the line. Awesome day. Well done to everyone who made it home; special well dones to all those who hit their target time on a day when I saw many people I know miss their best by 45 minutes or more. And congratulations to all those who raised money for charity. Something like £50 million was raised this year.

Wednesday, April 11, 2007

Second, Third and Fourth Lives

Visit my blog. Link to me in LinkedIn. Find me in ASmallWorld. Check my MySpace page. Take a look at my FaceBook entry. Check my gamerscore on Xbox Live. See my Mii. Research me in Wikipedia. Look me up on FriendsReunited. View my photos on Flickr. Play on my team in World of Warcraft. Have sex with me in Second Life (no, on second, third and fourth thoughts, don't). So many points of presence. So little time. How does anyone keep even a few of these up to date. How does anyone manage to create all of those online identities? Easy. People invite you; you go where your friends are. You show up late, stay for a drink or three, your friends leave before you and then you're alone; realising that, you leave too, leaving a few of your footprints on the carpet. Usually leaving the presence behind forever. They say that the churn rate on Second Life is over 60%. That's probably less than the one post wonder blogs that are out there. For corporations, having a virtual presence appears to be the new mission statement. Gotta have one. The one-upmanship game has already come into full force with some corporates going out of their way to create their own virtual worlds. Sony is next up to the plate with its "Home" plan. The problem is that as we wander from world to world, we can't take anything with us. It's like taking a 'plane on a bad day for travelling. All of a sudden, you're stripped of everything you have and told that you can pick it up when you leave. Like going into an old Western saloon and having the big guy on the door take your guns away. Worse, you have to figure out the protocols, principles, manners and, of course, controls. No wonder people try it and either hate it (can't figure it all out) or love it (stay forever - the cost of figuring out a new one is just too high). I'm looking forward to the day when there'll be teleporters in all of these worlds that will let me move from one to the other with everything that I have translated into whatever is needed in the new world. My Level 61 orc-bashing knight from WoW enters Second Life with a nice big house by the beach with a cool car parked on the drive. My big house on the beach translates to a big gamer score on Xbox which, in turn, gives me a nice pad in Sony Home with some pretty pictures on the wall, maybe a Rembrandt. My blog uploads to MySpace, keeping its theme but fitting right into MySpace. If anyone wants to find me, they can find me right where they are, or call me and I'll come to them, right away. If this doesn't happen then people will chase the new new thing, leaving the old new thing behind until it's just the old old thing. The wasted effort will be enormous - gazillions of hours in building houses, killing dragons, posting profiles - wasted. Pipedream.

Thursday, April 05, 2007

Word of the Week - No. 2 in an occasional series

I've always hated the word "issuette." Let's face it, it's not even a real word yet it seems to crop up increasingly in conversation with technical and non-technical people alike - even with people that I'd normally like and pay attention to (no names please): people who want to fess up to a problem, one that could be quite serious, but want to downplay it and convince you that they have it under control and that you shouldn't actually worry about it (so why bring it up). But this week, I was proffered the sentence (if that's what you can call a string of words where at least two of the words within don't exist) "We have a little issuette brewing so what I'll do is write a short paperette." That was followed by "and, of course, the RFC is dependent on the TCP" ... I'll fetch the disinfectant.

Sunday, April 01, 2007

Phorget Phishing?

When you see news stories breaking claiming that over 45 million people have had their credit card details stolen, a reasonable first reaction would be to ask why you bother protecting your data on your home PC if some faceless corporate is going to make it available to anyone who checks in. We might as well all change our banking passwords to "slartibartfast" and be done with it. When that many people find their finances suddenly put at risk, in one go, there's bound to be news coverage. Google is carrying over 1,000 reports on the problem. Mainstream newspapers all over the world are reporting. It's not helped when the company spokesperson says “These figures only relate to what we do know. There is a lot more we do not know and may never know. We have identified two [computer] files that were removed from our UK system but we still do not know precisely what was in them" - otherwise known as "we haven't a clue." The BBC was told "that 100 files were moved from its UK computer system in 2003, and two files were later stolen." Even when the information, whatever it was, was stolen is less than clear: The company confirmed that information had been stolen from 45.6 million cards used in Britain and North America between December 31, 2002, and November 23, 2003. It did not know how many had been stolen for transactions made between November 24, 2003 and June 28, 2004. (both quotes sourced from the Times Online. According to the comapany's own SEC filing, they're unable to say "whether there was one continuing intrusion or multiple, separate intrusions." Maybe the login details were put on warez.ebuy.com and made available to everyone? Yet, happily, they are able to say, with a degree of certainty that is out of line with their earlier uncertainty, "Of the details stolen in both Britain and America, 30.6m came from cards which had expired at the time of the breach, while 15m were unexpired. Of those still valid, 3.8m had "masked" or encrypted information but 11.2m had clearly accessible data." The banking industry will reassure us, of course, by saying that the new Chip and Pin technology prevents this information being useful any more - but that's why increasing amounts of cardholder not present fraud and overseas use of stolen credit cards are being seen. Such news is certainly enough to make you wonder whether the fuss over home PC security is worth it. The Anti-Phishing Working Group reports 280,179 known phishing attacks in the 12 months to January 2007 with average monthly growth of about 6%. This is, of course, "reported" attacks. Who knows how many go unreported? Perhaps a better piece of data is the number of actual phishing sites (i.e. illegitmate, say, banking sites masquerading as the real thing) which ran to over 27,000 in January, down from a peak of 37,000 in October, but still up three fold from the total a year ago. December saw the first government branded phishing attack with an email, supposedly from HM Revenue and Customs, suggesting that you were due a tax refund (of either £70 or £170, reports vary). Indeed, there may be another circulating today (although given the date I'm wary of anything published today) that offers a refund of "J140", however much that may be. When I was first shown a phishing demo by SimonF, sometime around mid-2001, I was stunned by both the brazenness and simplicity of the process. A spoof Government Gateway website, cloned from the HTML of our very own, type in your userid and password, see a failure message (your details have been captured somewhere in the background) and you're bounced back to the main Gateway site - where you enter your details again, this time on the real site. With government userid and password details being necessarily complicated (long story), mis-typing them is incredibly common - it probably happens 1 time in 3 even now (the stats are tracked but I can't remember the exact ratio). At the time it wasn't that important - government didn't pay money out via the web and we figured you were unlikely to want to file my tax return (there was some concern about the potential for de-stabilising e-government by harvesting lots of account details and then sending random tax returns, either to cause a denial of service attack or just to cause extra work behind the scenes, but it seemed unlikely). Since that early example, attacks have become far more sophisticated, notwithstanding that many still don't manage the basics of grammar. Digital certificates were one answer to this problem, although browser incompatibilities, issuance difficulties and stability problems prevented them being part of the solution then. Physical tokens - USB devices - were another but many of the problems that afflicted digital certificates were apparent: did the user have USB (at the time it wasn't as widespread as now), was the port accessible (the idea of ferreting behind a desktop PC in a library or internet cafe wasn't seen as part of the e-government experience), issuance and so on. Both are now viable but rarely used, at least at the consumer level, solutions. Instead many financial services companies have gone for simpler solutions - pull down menus with, say, letters 2 and 5 of your secret word, multiple challenge questions (what is your dog's name, what is your favourite film and so on) with any 2 of 6 picked to allow logon. Bigger banks with richer customers have opted for DES-gold style one time password (OTP) devices. The hackers will work through these and will find ways to get the information they need. It's easier to see how they work the latter than the former - if they can capture the OTP and then use it right away, perhaps they can make a transaction happen before the customer knows; challenge questions that only give part of the password would seem harder, perhaps requiring multiple passes (although doubtless some people if asked to enter the entire word will still do so). But can we Phorget Phishing? It seems unlikely. A google search for the single word "phishing" gives over 23,000,000 results. Wikipedia says that losses are large: It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $929 million USD. U.S. businesses lose an estimated $2 billion USD a year as their clients become victims.[38] In the United Kingdom losses from web banking fraud — mostly from phishing — almost doubled to £23.2m in 2005, from £12.2m in 2004,[39] while 1 in 20 users claimed to have lost out to phishing in 2005.[40] Getting accurate, current information is still challenging. But phorgetting phishing still seems out of the question - 6 years of questionable technology advance seems to have been matched by 6 years of better advance in the world of hackers, coupled with many, many more inexperienced users added to the internet mix. Technological, legal and educational responses will all have to work together to move this forward. At Simon Moores' e-Crime conference a year or so ago I challenged the security product industry to take a less technology and marketing centric view. I put up this slide (it's an ad from Wired magazine, probably December 2005 or January 2006) Firewall and security products always seem to be sold like this razor - 5 times more protection than you had before, 1 special new blade that chops out left-handed viruses with impunity, new breakthrough technology to do all sorts of things that you won't understand so we won't explain them to you. Product names have gone from version numbers (1.5, 2.0, 3.0) to annual updates (95,97,2000) to video game console lables (the new Norton 360 seems to have copied Microsoft's Xbox, though doubtless it means something clever like "all round protection", like some new kind of deodorant). What I want is to know that whatever product I have will "kill all known germs dead" - I don't care what they are, I just want to know that they're protected. And if I'm going to pay for daily, monthly or yearly updates, I'd like the vendor to take on some of the liability - if I get infected, whether for my own stupidity or because the product hasn't worked the way it's supposed to, then I'd like to be repaid for the damage. Insurance companies don't say, "sorry sir, you should have seen that the slope was steep and that the route was clearly marked as a black run and declined to descend; when you did and you broke your leg, you failed to comply with our policies". Why should I pay the fee but get no real coverage? Having seen, only a few weeks ago, a perfectly good (and accredited) up-to-date bit of virus protection software get tricked by a particularly malicious bit of trickery causing widespread damage, it does happen. Sadly, even Domestos has had to abandon its 50 year old slogan "kills all known germs dead" to say that it kills only "99 per cent of known germs". That will be advertising standards for you. At the rate of technology change, we need kills "all germs dead, known or unknown". But, in the meantime, with Vista vulnerabilities reportedlly being sold on the internet for $50,000 and up, we're going to have to pay more than a little bit of extra attention.