Spam Counter - 2009 Mar: 939

At least it's not going up.
"Update your manhood here and now" (upgrade?)

Authentication News Roundup

Two items tonight, on the Authentication Hotline

Rubbish Disguises
City financial types are being directed by firms and industry bodies to wear casual clothes on the riot days, so they don't stand out. It's a lovely idea -- take one middle aged bank operative, replace suit with M&S chinos and polo shirt and Shazam! indistinguishable from a climate change protester.

Or maybe you could try wearing a keffiyah. That should do it.

Effective Disguises
New spam trend: We're starting to get stiffy lolly spam pointing to .cn sites. The sender appears to be bright enough to realise that firms have filters which spot this a mile off, but also that there will be approved addresses bypassing the filters. So this mail is spoofed from plausible addresses. Yesterday I removed unisys.com from our approved list which should stop the immediate problem, but the attack is going to work until there's some way of authenticating envelope sender addresses.

The problem will really kick off when spammers realise that everyone has a bypass for FT.com because their news alerts are totally indistinguishable from spam.

I guess we need a checkbox. For any bypass, domain or just a single address, you need to be able to say "only bypass if the sender is spf authenticated".

"It's Wrong to Wish on Space Hard Ware"

I wish, I wish, I wish you'd care.

I saw the space station!

On Monday night, I did it properly, looked up the ephemeris on Heaven's Above, prepped up the less mad son, and saw it rise and brighten splendidly out of the ruins of the sunset, fly right overhead, flare sunset orange and drop suddenly into the shadow about ten degrees past the zenith. All highly satisfactory, and making me feel like a Proper Dad.

Then today, walking west on my way home from the station, a familiar-looking star caught my eye with its rapid rise and increasing brightness. I watched and sure enough it disappeared twenty degrees past the zenith. Pure fluke, but I caught the time and there's the transit on the site.

Minor Identity

The less mad son just had a significant birthday and Mrs U was fulminating about the difficulties the building society put in the way of his opening a teenager's account -- effectively the full-scale anti-money-laundering precautions for a pass-book account with no cheques and a cash-only card. As a minor can't be held to a contract, she couldn't even see the point of asking for a signature.

But I can. If I was laundering money, I think the prize of a full scale bank account attached to a false identity would be well worth waiting a few years for. And in the meantime, spending rich uncle Lenny's generous birthday and Christmas gifts on Premium bonds keeps the account warm, plausible, and busy with a spot of placement. So I don't blame them at all.

Existential Insecurity

The problem I have is that I don't believe in computer hardware.

This story puts it nicely. How can you fabricate and reliably operate a device with 16 billion capacitors, each holding 10 electrons? http://www.theregister.co.uk/2008/12/16/mlc_cpm_pcm/

It's not the physics. I believe in electrons. I did the Milliken experiment in school and I made a transistor in college.

And I've got over credulity gaps before:  As a young man, I couldn't believe in computer processors and language compilers. I thought it was magic. It took a degree in computer engineering to see that you could build a processor out of NOR gates and a clock, and that a compiler was a data structure task preceded by lexical and structural analyses. I understand that the right mental tools can turn incredible things into engineering.

But this gap is just too wide. Think about the difference between a nice throwing rock, and a modern assault rifle. Or the difference between a cave with a fire at the front and the Bell Labs building in Holmdel NJ. There's a difference -- a huge difference. But is the modern as much as a thousand times more difficult or involved than the primitive? Stretching a point, is it as much as a million? It's not more, and it's taken many lifetimes to go from one to the other.

The simplest computer memory cell in modern designs is a transistor and a capacitor, more or less. That's one bit. You need eight to make a byte, and another for parity -- call it ten. So the 2G flash card in your camera, or the 2G DRAM on your PC -- and these are low values today -- is 2 x 10E10 cells. Twenty billions. The vast majority of them have to work reliably, predictably, over a service life of years. A single bad cell won't make the device unusable, but it can't tolerate many failures -- and this stretches my credulity.

Shockley was making recognisable transistors in 1947 -- less than a single lifetime ago. And now we have twenty billions -- not total in the world, but mass produced on commodity component  for a dollar. It's not a bit more of a step than the modern building or weapon. It's order after order of magnitude in a vanishingly short time. I don't believe there's any mental tool (Moore's law, the square law of miniaturisation ...) that will cover that gap.

So if you ask me how the ALU works, or what microcode looks like, or why recursive descent parsers are a good thing, I can tell you. But if you ask me why you can trust the data in your camera card or your memory stick, all I can say is that it's magic.

I Have Been Advised....

Mr Infrastructure sent me an email. He was escalating an issue his team had with security policy.

One phrase stood out: "I have been advised..."

This is the greatest cop-out ever. It means: "Because I don't claim to understand this, you can't challenge me on it. I win."

I challenged him.

Financial Insecurity

When I drafted this this morning, I wondered if I was only one who interpreted this as a cabinet minister threatening Goodwin with a bill of attainder? A quick google shows I wasn't, and in fact there doesn't seem to be any alternative construction. The problem would arise at the ECHR and I suppose that's why mad Harry (or the rest of the government anyway) is backing away.

Mark my words. Sometime over the next few months, there will be a quiet announcement: The matter is settled, and the settlement is secret. Though the spokesman will be authorised to say that Sir Fred Goodwin has agreed to reduce his pension payments. And every year, £700,000 will be paid out -- under a variety of headings -- to Sir Bentnose.

Spam Counter - 2009 Feb: 972

Mostly drugs. Some Rolex. I particularly liked "Unlock her odorant gates" but it was just a graphic so I can't tell what it was about.

It's going up. I suppose the spamternet has interpreted the loss of McColo as damage, and routed around it.

Trusting Strangers -- Why Certificate Authorities are like Credit Rating Agencies

My list of causes of the banking crisis isn't quite the same as everyone else's. For me it generally boils down to moral courage. Because I have none myself, I can recognise that it was missing in plenty of differnt places.

• "Spineless non-Execs" rather than "Wicked Banker" and
• Fannie and Freddie for not making it plainer that they were lending on this stuff in response to government fiat rather than thinking it was any good, and
• Rating agencies for closing down credit discussion on the grounds that if it was good enough for Fannie and Freddie it must be A+ at least, and 
• Bankers (aha) for closing down credit discussion on the grounds that the securities were rated A+ by an independent rating agency, and .
• Bankers (yes!) for saying that as everyone else was making fortunes:
  
  
  • writing liar's mortgages at tempting rates, and securitising them on
  • lending to doomed ventures, and securitising them on
  • buying A+ securities that somehow pay three points over base, and securitising THEM on
  they had better do the same, or the shareholders would kick their arses, and
• Shareholders for kicking the arses of anyone who missed these amazing opportunities
• and you know who else? Lying or self deluding borrowers. That's us.

Oh. I'm ranting. Let me get this back on track. Check out the credit rating agencies. They're right in the crux of this. Their business is to turn more or less synthetic securities (anything from a strip or a mortgage bundle right down to a plain bond -- anything that's denominated in money rather than equity) into a capital "I" Investment. The fairy dust they sprinkle to do this is their rating. They form an opinion on the ability of the borrower to pay as advertised. That's not whether it's a good investment or the right investment for you, or whether the issuer will craftily exploit the early redemption terms or whatever. The rating is just Moody's or S&P's opinion on whether the coupons and face will be redeemed on the published dates. Ratings go from AAA which is supposed to be a dead cert  down to ccc -- and you'll never get an agency to agree a correlation between the rating and a percentage probability.

Because of a long history of grade inflation, pretty much anything that can't make at least an A is called junk and a lot of investors aren't allowed to touch it.

Sometimes the agencies rate because they want media attention or because their franchise demands that they have an opinion on some popular issue. More often, they rate because the issuer pays to get a rating needed to get the issue away. You can't buy a particular grade, but the agencies will advise on how to get it,  and if you're an investment bank there's such a thing as being a good customer of the rating agency..... I don't really need to spell this out. Suffice to say that the investor (the technical term is "victim", these days) has no contract with the agency. If Moody's were to rate a bundle of Motown mortgages as A -- and some agencies were doing that -- and it defaults, then the owner of the bond, who trusted the rating, has no come back to Moody's when the bond defaults. It was the agency's published opinion, no more and no less. You relied on it at your own risk.

Now I expect that at some point you could say it was negligence, and of course rating agencies are controlled by financial regulators, but my point is a little different. Because there's a very fine parallel to this in the world of Internet security. The whole technical paraphernalia of X.509 has one purpose: to tell you, reliably, that the certificate authority has certified that the far end is the correct user of a name. You are trusting the certificate authority to do the necessary diligence, to refrain from certifying incorrect users, to guard their private key. (You are also, in effect, trusting them to do things they definitely do not do, like ensuring that the sites they certify can keep track of their private keys -- that's why the system is mad.) For ordinary users, this trust is a matter of default -- it's installed with the browser. Sites pay CAs for certificates because CAs pay browser authors to install their keys. The free-rider is the user, and that's a bad thing. No payment == no contract == no rights. As the rating agencies have shown us.

I Got Spywared

I ought to go into detail about this, but it's late so I think I'll go straight to the takeaways:

• Don't browse as an admin. Resolving this has taken about fifteen hours over three days. I would rather have spent that time asleep. You can resolve a lot of LUA issues in fifteen hours. The problem here is that Firefox needs to be used as an admin to update, and I wanted 3.06 ....
• It can happen to you. I was using Firefox, I didn't click on anything I was aware of, and the MS Antispyware 2009 installer ran. Arguably it's time to get into Noscript -- I've always put that off because I can't face setting up the exclusions.
• It took me a long time to figure out what was going on. I was able to dump the overt spyware without too much difficulty, but the blocking of anti-malware domain names and the re-writing of Google search results in Firefox and IE to go via windows click dot com had me puzzled. It wasn't the hosts file: they've moved on -- it's device drivers now. I needed to get clear understanding becuase I couldn't get any tools to run -- of course.
• I needed help to figure out what device drivers were the problem. I found it at www.myantispyware.com which appears to be a guy called Patrik publishing instructions. God bless him. His advice didn't quite fit the condition of my machine -- no surprise after all the work I'd done -- but it gave me the names of the files to remove, and that did the job.
• Everyone needs a boot disk. I could have used my Backtrack key, or anything else that could mount NTFS to write, but I had a copy of the Ultimate Boot CD for Windows so I tried that. It was slow to boot, but easy to use. If I wasn't really comfortable in Linux, UBCD would be my first choice. Without it, I would have had to follow Patrik's laborious instructions , and I might have chosen to re-install instead.
• Everyone needs a fabulous hosts file. I got the Winhelp2002 version -- it seems pretty comprehensive.
• Wow! A lot of competent sounding people discuss malware in terms of removal, detection utilities etc. This seems insane to me -- it's really a question of not being admin. This is my first in years, and I don't have any of those tools.

Extreme Hedging Porn

This is the butt end of a willow post. Now I do know that willow roots if you put it in the ground, but I needed a post and this one had a handy crook to hold down the benders. I figured it would be all right because it was going in upside down. There is no way at all that a cutting -- even willow -- could ever root successfully with its vascular arrangement the wrong way up. 

One year on, you can see the crook -- three foot from the ground -- is fresh and green and sprouting new shoots.

Pussy Wussy is a LOLCat

I Am My Own Regulator

We've all seen stories like this, and they're getting more common. I first noticed it when the NHS lost crown immunity back in, ooooh, 1986. One branch of government regulates another, finds a breach and issues compliance requirements. The more deranged cases actually have one office fining another. The only person punished is the taxpayer, as the overall costs of goverment rise. In theory, careers suffer, but in fact the civil service requires a consistent record of egregious failure to have any effect on an officer's final pension.

The absurdity does get media attention, sometimes, but the level of comment is muted compared with the gross mentalness of the situation. I think the problem is that the only reasonable conclusion to draw is rather unfashionable: there are things that are unsuitable, by nature, by structure, to be done by the government.

If Brent PCT had been a private insurer or HMO, the costs would be borne -- in a fair setup -- by the shareholders. Fair is the challenge here of course, but it's a question of reasonably hard-nosed negotiation when the contracts are let. "Fair", in this context pretty much means that regulatory consequences fall on the owners of the supplying firm. The dividend reduces, and the board decides whether the problem is severe enough to be worth fixing or insuring against or whether it was better just to take the hit. If the shareholders don't like that choice, they sell out, the price drops and the bag-holders sack the board.... And if the regulation is too hard to be borne, the supplier walks away and society gets a lesson in realism.

There's nothing available, structurally, to deliver the same result from a public sector supplier. Basically, all you can do is dock the pay of the managers, and watch your remaining sliver of talent in the civil service wither away. Except, you'll never succeed in touching their pay, and no-one who makes choices, no executive, will ever be motivated by any sharper spur than the desire to avoid a moderately difficult interview.

Burning the Evidence

Today, in pursuit of my ever-doomed goal of getting on top of my filing, I burnt a mountain of receipt slips and cheque books -- stuff that just won't shred -- from the nineties.

Burning documents isn't easy. You can't mound them up in a grate and set light to them -- I tried. Nor can you dump them on to a little fire -- they just put it out. Two approaches that have worked for me:

1. Dump them on to a huge blazing bonfire. You'll need to keep turning until all the paper is gone, and you'll need to add plenty of branches or whatever to keep up the supply of hot coals. Maske sure you don't end up the next day with a pile of ashes with sheaves of unburned documents in the middle.
   
2. Start small in a grate. Once you have a flame, pile on a few sticks of kindling. Let that blacjken and go for another layer of paper. Repeat until the flames are stable enough to add logs. Keep the fire mixed until the paper is all gone, then burn logs for a while to make sure.

The problem is that the pages stick together, and one way or another you have to counteract that.

Spam Counter - 2009 Jan: 850

850 -- Rolex and Canadian Phamacy