If you tell enough stories, perhaps the moral will show up.


The Man in the Middle for All Purposes

I love simple ingenuity, and FormSpy is ingenious. From the McAfee writeup:

... a malware that is installed as a Mozilla/Firefox component extension.

Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. This information can include, but is not limited to, credit numbers, passwords, e-banking pin numbers etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

This malware was modified from the "NumberedLinks 0.9" which is an open source Mozilla component available off the Internet. To the victim, he or she would only notice the "NumberedLinks 0.9" extension being installed.

Minimum effort, maximum effect. Nice.


Saving the Appearances

News like this is a bit puzzling. The basic story is straightforward: nasty Chinese government wants to keep its people in ignorance to preserve the despotism, and nasty western (in this story, given the source, read American) firms are way too ready to help.

Except. Except.... I don't believe there's the slightest hope of it working. I can't see that anybody can believe it'll work. It's just bollocks. For certain, Skype can censor keywords like "Falun Gong" and "Dalai Lama" and those words won't get through. But unless they are using something a lot better than our spam filters (among the best that money can buy), "F4lun G0ng" and "Da1ai L4ma" will work just fine. Is this just quaint? And for sure google.cn can slant its results (but not that much). The great firewall (it must actually be a transparent proxy) can even put up polite panels explaining that such and such a site conflicts with government policy and is therefore blocked. But it doesn't matter.

The effect of the Internet is not to link poor confused foreigners to proper liberal western thought. I wish it was sometimes, but it's not. And I'm sure that there are plenty of people in the middle and upper levels of provincial and national PRC Party and government who imagine that a nice Middle Kingdom Internet without alien pollution and troublemaking would give all of the benefits and none of the trouble. They're wrong too. The Internet puts people in touch -- terrorists, racists, grey-haired security bores and the rest. It's such powerful communication that you can cut and hack away at it, and unless you shut it off entirely it'll pass ideas, rumour, gossip and news better than the world ever saw before.

The last twenty years of the Soviet Union were run in a state of hysterical denial. Everyone from factory foreman all the way up to the all-union politburo was aware of the choice between muffled giggles and bare-faced lies. The self-confidence of the national intelligentsia had been undone in the sixties by a few hundred dissidents writing and circulating hand-copied and roneoed samizdat publications. Pretty much everyone in that key group went to prison and all that did was keep the lid on for a while.

Agile Deng, the octogenarian contortionist, dodged the fate of the USSR. The focus on economic development, dropping socialism while retaining the central position for the party, has diverted, as it was intended to, the art and skill of the whole nation. And a cultural entity as big as Han+Mandarin doesn't need to look outside much. Nonetheless, the basic battle has been lost. There is a middle class with weak or absent Party affiliations. Those people know they're smart, they know they've done something amazing, and they know the Party needs them more than they need it. And their communications are slicker than rubber stencils and biros.

They hardly need outside thought -- their own is dangerous enough. The corrosive, indelible idea: people like them should choose their own rulers, is there already. The rest, as they VoIP, email and blog, will emerge from their side of the great firewall, not ours. They may act this year. It may have to wait for a big shock: the coming bank failures, a corruption & incompetence scandal like SARS, too big to hush up, or even a failed military adventure. It may be a polite handover, stage by stage. It'll be Chinese, but the end result will be a multi-party state and a bigger and more frightening democracy than India.

And the Chinese network perimeter? It's just saving appearances. I doubt if anyone who works on it really believes that they can freeze or channel political thought. Sure sells a lot of firewalls though.


The Scent of 1995

Since Websense is so mechanical about what constitutes Adult Content, I have to check out the sites that have triggered the blocker before phoning HR. So, anyway, I was on the quarantine box just now browsing a porn site off my list, and a dialogue came up inviting me to download and execute "www.google.com"!

Isn't that sweet? Ten years ago ".com" would have set anyone's alarms jangling. Now, that choice of name exudes high quality, safe, brand value. (Only windowsupdate.microsoft.com could be better.....) I nearly pressed the button myself!

I wonder what it would have installed? The download was hosted on http://xearl.com and it seems to have linked from the homepage of Matureskin.net. If you're interested, matureskin.net is not a technical site, nor is it concerned with skincare.


How Security Policies Fail (5)

Policy: No plain text password storage.

Failure: The real failure here is my failing to find words able to describe this. Maybe I should have written: "no encryption technology more than a thousand years old...."

' A Caesar-style shift: every character is moved 33 places along the
' byte range. The constant 33 is the entire "key".
Private Function Encrypt(strPlain As String) As String
    Dim i As Integer, j As Integer, n As Integer
    n = Len(strPlain)
    Encrypt = ""
    For i = 1 To n
        j = Asc(Mid$(strPlain, i, 1))
        j = (j + 33) Mod 256
        Encrypt = Encrypt & Chr$(j)
    Next i
End Function

' Note: VB's Mod keeps the sign of its left operand, so for any input
' character with a code of 223 or above (which wrapped round on the way
' in) j - 33 is negative here and Chr$() raises "Invalid procedure call"
' instead of returning the original character.
Public Function Decrypt(strCode As String) As String
    Dim i As Integer, j As Integer, n As Integer
    n = Len(strCode)
    Decrypt = ""
    For i = 1 To n
        j = Asc(Mid$(strCode, i, 1))
        j = (j - 33) Mod 256
        Decrypt = Decrypt & Chr$(j)
    Next i
End Function
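To make the point concrete, here is an added example (mine, not the page's code and not the original application's): the same shift redone in Python, the one-pair known-plaintext recovery that anyone holding a copy of the table would use to read every stored password, and the salted, deliberately slow hash that a "no plain text" policy is actually asking for. The user names, passwords and stored table are constructed for the example; the iteration count is an assumption, not a figure from the page.

```python
"""Added example: why a constant shift is not password storage, and what is."""
import hashlib
import hmac
import os

SHIFT = 33  # the constant the VB code adds to every character


def shift_encrypt(plain: bytes, shift: int = SHIFT) -> bytes:
    """Byte-wise Caesar shift: the same transform as the VB Encrypt()."""
    return bytes((b + shift) % 256 for b in plain)


def shift_decrypt(code: bytes, shift: int = SHIFT) -> bytes:
    """Inverse of shift_encrypt. Python's % is never negative, so unlike the
    VB Decrypt() this also survives bytes that wrapped past 255."""
    return bytes((b - shift) % 256 for b in code)


def recover_shift(known_plain: bytes, known_code: bytes) -> int:
    """Known-plaintext attack: a single (password, stored value) pair, for
    instance the attacker's own account, yields the shift for the whole table."""
    if not known_plain or len(known_plain) != len(known_code):
        raise ValueError("need a non-empty pair of equal length")
    shift = (known_code[0] - known_plain[0]) % 256
    # Check the guess against the rest of the pair before trusting it.
    if shift_encrypt(known_plain, shift) != known_code:
        raise ValueError("pair was not produced by a constant shift")
    return shift


def decrypt_table(table: dict, shift: int) -> dict:
    """Apply the recovered shift to every stored value."""
    return {user: shift_decrypt(code, shift) for user, code in table.items()}


# What the policy actually wants: a random salt and a slow one-way function,
# so a stolen table gives the attacker nothing but per-user guessing work.
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def hash_password(password: bytes, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password,
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak the digest.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed table of "encrypted" passwords as the VB code would store them.
    table = {
        "alice": shift_encrypt(b"Tr0ub4dor&3"),
        "bob": shift_encrypt(b"correct horse"),
        "mallory": shift_encrypt(b"letmein"),
    }
    # Mallory knows her own password; that is all it takes.
    shift = recover_shift(b"letmein", table["mallory"])
    for user, pw in decrypt_table(table, shift).items():
        print(f"{user}: {pw.decode()}")

    stored = hash_password(b"Tr0ub4dor&3")
    print(stored)
    print(verify_password(b"Tr0ub4dor&3", stored), verify_password(b"guess", stored))
```

Note that recover_shift() needs no cryptanalysis at all: one account the attacker controls is enough, and even without one, 256 candidate shifts is a loop, not an attack. The hashed form, by contrast, forces a per-password brute force whose cost you set with the iteration count.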


Why Perl?

It looks like line noise, and if it was ever in fashion it's dropped out now. But Perl suits me, and I think this is why:

  • Some people see the world as tables or XML -- I see it as text files with easy to parse lines
  • Security does a lot of work with "fairly regular" data. (It doesn't seem possible to get the admins to stick to strict group naming conventions.) Putting regular expressions at the heart of the language acknowledges that the data are a bit dodgy.
  • Security has many command line utilities that do roughly what you want. Perl runs external code, gathers output, skips the irrelevant bits and tidies up the good lines, all without too much pain.
  • I've never written a right-first-time program in any other language. (I don't think I've ever written a right-at-all program in any language where I have to do my own garbage collection.)
  • Languages that let me say what I want get my vote:
    $a++ unless ($its_time);
    foreach ( <STDIN> ) {reformat($_)};
Perhaps I'll grow out of it. Perhaps I'll just get frustrated with weak Windows integration. Perhaps I'll write that integration the way it should be done. Perhaps the ActiveState port will blow up once too often. We'll see.
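As an added example of the second and third points above (my code, not the author's), here is the shape such a script usually takes: lines that are only "fairly regular", a regex that tolerates the sloppiness, and a tidy summary at the end. The group listing is constructed to look like an admin tool's dump once naming discipline has slipped; it is not any real tool's output format, and the commented pipe open shows where a live command would go.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: the same group spelled three different ways.
my @lines = split /\n/, <<'END';
Group: SEC-Admins
  alice
  bob
Group: sec_admins (legacy)
  carol
Group: Sec Admins
  dave
  alice
Group: WebTeam
  erin
END

# With a real utility, replace the heredoc with a pipe open, for example:
#   open(my $fh, '-|', 'some-group-lister', '--all') or die "can't run: $!";
#   my @lines = <$fh>;

my %members;    # normalised group name -> { user => 1 }
my $current;    # group whose member lines we are currently inside

for (@lines) {
    chomp;
    if (/^Group:\s*(.+?)\s*(?:\(.*\))?\s*$/) {
        # Fold case, punctuation and whitespace so SEC-Admins, sec_admins
        # and "Sec Admins" all land in the same bucket; drop any trailing
        # "(legacy)"-style remark.
        ($current = lc $1) =~ s/[\s_-]+//g;
        next;
    }
    next unless defined $current;        # ignore anything before a header
    next unless /^\s*(\S+)\s*$/;         # skip blank or irrelevant lines
    $members{$current}{$1} = 1;          # a hash, so duplicates collapse
}

for my $g (sort keys %members) {
    printf "%-10s %s\n", $g, join(',', sort keys %{ $members{$g} });
}
# Expected output for the sample above:
#   secadmins  alice,bob,carol,dave
#   webteam    erin
```

The whole of the "parsing" is the one header regex and the one member regex; everything else is bookkeeping, which is rather the point of the bullet list.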