Over the last few days the 'net has been buzzing about Swedish student Erik Nordenankar's claim to have created the biggest drawing in the world using a GPS. Skeptics immediately pointed out serious issues: How would he convince DHL to fly rather large loops over the ocean given the current cost of fuel, issues related to taking a case full of batteries and a GPS on board an aircraft, and the fact that a GPS receiver won't work well inside a metal cargo container within a metal aircraft.
As a security guy I gravitated toward agreement with the skeptics. One would hope that couriers wouldn't load a case full of connected batteries and electronics into their aircraft, and to my knowledge the use of "personal electronic devices" (which includes handheld GPS) is generally prohibited during critical phases of flight (taxi, takeoff, landing, etc.). However, having personally been invited onto a flight deck along with my handheld GPS years ago, it is certainly possible that some pilots may be willing to take such a package aboard after it has been checked out by qualified experts. In short, pulling this off would require a non-trivial level of cooperation from the air carrier.
Erik's web site is well done and the video on his web site appears to show Erik airside, inside an aircraft cargo hold, and in other locations in support of his story. It also contains an image of him holding a stack of DHL waybills. Thousands of bloggers and outlets like CNET picked up on it, hook, line, and sinker. (At least the CNET author wrote that he had emailed DHL and would update his post later.)
So is it a hoax? DHL responded promptly and diplomatically to my inquiry: "To our knowledge this map or picture has been made by a student as an examination project. However, DHL is not a sponsor of this activity."
So while the "biggest drawing in the world" appears to be a hoax, Erik may have a bright future in Internet marketing.
Some people have such different values and beliefs that it's hard to believe we share the same planet -- this article is a good example.
Thanks to Squid for passing it along.
"Business Name: Dogstar Radios
BBB has made several attempts to contact the business regarding the above referenced complaint. We regret to inform you that we have not received a response from the company. "
DogStar has a nice web site, and their list of logos includes "Authorized Sirius Satellite Radio Online Dealer". Sirius didn't respond to my inquiry, which included a simple request to confirm whether they were an authorized dealer.
If you're running Debian Etch (i.e. Debian version 4), take note:
A significant security vulnerability has been found in Debian's OpenSSL package that renders its random number generator predictable. I'm in the process of upgrading my boxes and generating new SSH keys, and I haven't yet had the opportunity to digest the full implications, but it's bad news for those of us who use SSH for access to our machines. Note that upgrading the library is only half the job: any key material generated on an affected system (SSH host and user keys, SSL/TLS keys and certificates) has to be regenerated, since the upgrade does not repair keys that have already been produced.
You can find the security advisory here.
This vulnerability appears to impact only Debian Linux (and distributions built from Debian's packages, such as Ubuntu); upstream OpenSSL is not affected.
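To make "predictable random number generator" concrete, here is an added toy model (my illustration, not OpenSSL's code or the Debian patch) of a generator whose only varying input is the process ID. That is essentially what happened in the Debian package: a patch removed most of the entropy mixing, leaving the PID, which on a default Linux kernel takes at most 32768 values, as the only thing that differed between runs. The seed format, hash, and sample PID below are my own assumptions for the demo; in the real bug the key type, key size, and architecture multiplied the candidate set by a small constant, which is why Debian was able to ship precomputed blacklists of the weak keys.

```python
"""Toy model of a PRNG whose only entropy is the process ID.

Added illustration, not OpenSSL code.  'weak_keygen' stands in for a
generator that was fed nothing but the PID; 'recover_pid' is the attacker,
who simply tries every possible seed.
"""
import hashlib
import os
from typing import Optional

PID_MAX = 32768  # default Linux pid_max at the time; PIDs are 1..PID_MAX-1


def weak_keygen(pid: int, nbytes: int = 16) -> bytes:
    """Hypothetical broken generator: output depends on nothing but the PID.

    Two processes that happen to get the same PID produce the same "key".
    The seed prefix and hash are arbitrary choices for the demo.
    """
    return hashlib.sha256(b"toy-seed:" + pid.to_bytes(4, "big")).digest()[:nbytes]


def strong_keygen(nbytes: int = 16) -> bytes:
    """What a generator should do: draw from the operating system's entropy source."""
    return os.urandom(nbytes)


def recover_pid(key: bytes) -> Optional[int]:
    """Attacker's view: enumerate every seed and look for a matching key.

    Returns the PID that produced 'key', or None if the key is not one the
    weak generator can emit (e.g. it came from strong_keygen).
    """
    for pid in range(1, PID_MAX):
        if weak_keygen(pid, len(key)) == key:
            return pid
    return None


def weak_keyspace_size(nbytes: int = 16) -> int:
    """Count the distinct keys the broken generator can ever produce."""
    return len({weak_keygen(pid, nbytes) for pid in range(1, PID_MAX)})


if __name__ == "__main__":
    victim_key = weak_keygen(4242)          # a key made on an affected box
    print("weak key space:", weak_keyspace_size())   # 32767 keys in total
    print("recovered PID:", recover_pid(victim_key))  # 4242, after <32768 tries
    print("os.urandom key recoverable?", recover_pid(strong_keygen()) is not None)
```

The point of the model is the size of the search: 32767 candidates is a few seconds of work, so "predictable RNG" here means every key ever generated on an affected system can be matched against a precomputed list, which is exactly why key regeneration rather than a library upgrade alone is the fix.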
Fido has announced the launch of UNO, a new service that connects calls from a specially-enabled handset to a high-speed Internet connection when users are at home, as well as through the Fido wireless network when they are on the go. Customers use the same handset inside and outside the home, which offers the convenience of having one phone number, one voicemail, one address book and one bill. Customers can also talk as much as they want on their Fido phone while at home without using up their wireless plan minutes. A Fido voice-optimizing wireless router, which can be connected to an existing Internet connection, enhances wireless call clarity and reception inside the home network. Fido UNO is available on the Nokia 6301 handset, which retails for $50 on a three-year plan. Service plans are priced at $15/month (unlimited local calling) or $20/month (unlimited local and Canadian long distance) for wireless calling at home, in addition to the regular wireless voice plan. Existing customers can add the service to a current voice plan with the purchase of a UNO-enabled handset and receive the voice-optimizing wireless router free of charge.
Source: CWTA
The Ottawa Citizen and Ottawa Sun both ran articles today on the Crime Stoppers SMS launch.
Monitor Today also ran a more detailed article on how the system works.
I received email from a single buddy of mine earlier today, and it reminded me how glad I am to be married and out of the dating game. He was kind enough to give me permission to post it here:
I had another "date" yesterday evening. Holy Crap!!
I'm totally shocked at how many angry and maladjusted people there are in fact out there...
That could have been one of the longest 25 mins I'd experienced in a long time had I not decided mid way to just have total fun with it and see just how bad I could make this for my own pleasure...
Freak show in the most extreme sense of the word...
We agreed to meet at chapters in the travel section. It was a total interrogation. How many of these, how many of those, what about this, what about that, how much do you earn.... like WTF? How about we just have a regular conversation for 2 mins about the pleasures of tooth extraction and actually do a live show and tell right here right now, it'll be waaay more enjoyable than this... "Perhaps had I known ahead of time you were going to go through your questionnaire I would have brought my favorite pencil..." (I actually said that to her). She didn't like that, it was downhill from there and I figured I was going for the ski jump record at the end.
All I was after was to talk about travel or some other pleasant topic and maybe even enjoy a sip of tea... ?
10 mins in, I was actually accused of hiding something... 10mins in!!!!...
(ME!!!!?? seriously???) after probing to figure out what she was referring to (with no answer) and being told that I was putting up a smoke screen (for what I still have no idea...) I figured WTF open season, so I turned it on and only gave one or two word totally aloof answers each time she asked something serious and just smiled and stared at her. My coup de force was when I finally went into a French accented voice and looked at the nails on my fingers and said " Yes, I admit it, I have a 7 year old son, named Twang. His prostitute Filipino mother and I enjoyed 3 nights of passionate love making in the dingiest of alleys. She was the least expensive 12 year old they had but she was definitely not unwilling or unseasoned... "
That's when she actually got angry!!!
Then I went on to do my Dr Evil monologue... "Very well, ok, you win, I'll be serious, where shall I begin...
my father was a relentlessly self-improving boulangerie owner from Belgium, my mother was a French prostitute named Cloe with webbed feet... childhood was typical, summers in Rangoon, luge lessons.... " At this point she was totally fuming. I figured I'd done enough. So I just smiled and I gave her a hug around her arms and body (somehow I managed to keep a straight face, I don't know how I did that) and whispered in her ear "wow, you like totally made my evening. I haven't had this much fun in years, thank you for being just the way you are." and just turned around and left... I could barely contain my straight face and laughter.
I saw this woman on the way out who apparently had witnessed this whole scene culled from the Twilight Zone highlight reel and I just gave her a wink and smiled as I shook my head.. she lifted her eyes and just smiled and covered her mouth in an OMG that was so freakin' funny what you just did.
And I walked out without even looking back.
Unfortunately the answer is very simple: The people who develop many applications obviously don't get it.
Case in point.
It's 7pm on Thursday night and my daughter has a really good question: Is tomorrow's Ottawa Senators game on TV?
We pay way too much for Bell ExpressVU, but we get our fix of news, kids programs, etc. So I pull out my notebook, surf over to the Bell site, and find the "Advanced" search. I search for hockey, and it exceeds the 50 item search limit, showing me games that were on two days ago, along with countless replays. It suggests I refine my search, so I add Ottawa. Nothing. So I change Ottawa to Senators. Nothing. I change Senators to Sens, and bingo, a full list of fifty Sens games -- starting two days ago, and ending today, again with countless replays, and the suggestion that I refine my search.
Unfortunately, I can't. There's no search field for date. The bottom line? I can see stuff that was on satellite TWO DAYS AGO, but I can't tell my kid if the game is on tomorrow night.
I work in the field, and I'm frustrated. I can only imagine how ordinary users feel when they run into such poorly implemented systems.
According to an AP story yesterday carried by MSNBC, Arkansas has corrected a legislative error that would have allowed toddlers to marry, as long as they weren't pregnant.
So did all those people miss the extra "not" in the legislation, or did they vote on it without reading?
According to a Business Week article last month,
"About 57% of small companies don't think they need a formal plan to secure their data, and 61% say they never sought information on properly protecting their files, according to a March, 2007, survey by the National Federation of Independent Business and Visa USA."
If you're in Ottawa, I'm speaking to small business owners on managing information security risks next week, and I'm told there is still some space. Event information is here.
There's a lot in the news about the accidental discharge of a pilot's gun in the cockpit. Crimefilenews has an interesting insight. If their information is correct, and procedure really requires the pilot to place a padlock through the trigger guard of a loaded pistol, the real news story is that it took this long to happen.
A loaded pistol belongs in the user's hand or a proper holster designed to prevent anything from entering the area around the trigger. Otherwise it should be unloaded. Period.
Back before the Internet, I remember hearing about political candidates from friends and the media. If the media didn't run it, and friends didn't know it, neither did I.
Times have changed, and we've watched politicians slowly come to grips with the Internet. For example, the folks behind Obama's web site clearly understand the power of the Internet. Just scroll down to "Obama Everywhere" on the bottom right. Hillary's campaign is also using some of the same communication tools: MySpace, Facebook, Flickr, YouTube, Eons, and Twitter.
But perhaps the more interesting aspect of politics on the Internet is that anyone who can make a catchy video for YouTube has direct access to an audience the size of which makes many TV stations drool. They can distribute their video for free and use it to make a point, promote their cause, launch a career, or even just have fun.
For example, you've probably heard of Amber Lee Ettinger, aka "obama girl". She became infamous following the release of a political parody on YouTube in which she lip-synced a song sung by Leah Kauffman. The video went on to become the number one viral video on the Internet according to E! Television. (Wikipedia has some interesting history on the video here.)
The video also spawned a number of other satirical videos, including this one:
Use MySpace, Facebook, or LinkedIn?
The Privacy Commissioner of Canada has a brief yet thought provoking presentation on social networking that's worth a few minutes of your time.
I'm not sure what to make of this one...
For those of you who missed the print edition, here's a .pdf of my March articles in Monitor Magazine.
Bell has removed the map from their web site.
I received email from the Bell privacy folks late this afternoon indicating that the matter is under investigation and that the Bell Privacy Ombudsman will write to me after having reviewed the findings.
My concern is that two days after being notified of the issue, Bell Canada's web site continues to provide information on the physical location of unpublished residential customers.
It's important to understand that ensuring the privacy of customer information requires much more than correct technical implementations. I don't know what process Bell did or didn't follow, but here is a summary of what should have happened:
1) Prior to implementation, a privacy review should have been triggered by the fact that the application connects to a data source holding customer information. The review should have identified the fact that unpublished numbers were in the data set, and that information such as geographic location that could potentially compromise the privacy of those with unpublished numbers was also present. This isn't rocket science -- it's a simple matter of looking at what data is there and how it could impact privacy. (Those readers familiar with privacy in Government will know this as a Privacy Impact Assessment).
2) Based upon the privacy review, the issue should have been identified as a risk, a plan developed to mitigate the risk, and the overall decision to implement the map reviewed. The decision should have taken the risk, availability of safeguards, and business benefit into account.
3) If a decision was made to proceed, specific safeguards should have been identified (such as filtering unpublished numbers) and test cases developed to ensure a correct implementation.
4) Those who implemented the system should have considered the consequences. Assuming they had basic security and privacy training (which is often unfortunately not a safe assumption), the database administrator involved in setting up the connection for the application to access the database should have been thinking, "What are the consequences of doing this?" The developer writing the database query should also have been asking him or herself a similar question.
5) Upon receipt of my complaint, the issue should have immediately been escalated to a security response team, who should have visited the web site, confirmed my findings, contacted the application owner, and had the mapping functionality shut down pending a full investigation.
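Steps 3 and 4 above, the safeguard and the test cases for it, are small enough to show in code. The following is an added example of my own (it is not Bell's application, and the schema, phone numbers and addresses are constructed for the demo, as is the SQLite setup): the lookup as described in this post, which returns a location for any number in the customer table, beside a version that can only ever see published entries because the filtering is done in a database view that the map application queries instead of the raw table. The last function is the kind of test case step 3 calls for, and the view is the kind of question a database administrator in step 4 should be asking: does the application's connection need to see unpublished numbers at all?

```python
"""Directory lookup that leaks unpublished customers, beside one that cannot.

Added example with a constructed in-memory SQLite directory; not Bell's code.
"""
import sqlite3
from typing import Optional, Tuple

# Constructed sample data: phone, address, latitude, longitude, listed flag
# (1 = published in the directory, 0 = the customer pays for an unpublished number).
SAMPLE_CUSTOMERS = [
    ("613-555-0100", "1 Example St, Ottawa", 45.4215, -75.6972, 1),
    ("613-555-0150", "5 Sample Ave, Ottawa", 45.4300, -75.6900, 1),
    ("613-555-0199", "9 Private Pl, Ottawa", 45.4000, -75.7000, 0),
]

Location = Tuple[str, float, float]


def build_demo_db() -> sqlite3.Connection:
    """Create the customer table plus a view restricted to published numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (phone TEXT PRIMARY KEY, address TEXT, "
        "lat REAL, lon REAL, listed INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    # Safeguard at the data layer: the map application is pointed at this view
    # (and, in a real deployment, its database account would be granted access
    # to the view only), so a query that forgets the filter cannot leak.
    conn.execute(
        "CREATE VIEW published_directory AS "
        "SELECT phone, address, lat, lon FROM customers WHERE listed = 1"
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, phone: str) -> Optional[Location]:
    """The bug described in the post: any number, published or not, yields a map location."""
    return conn.execute(
        "SELECT address, lat, lon FROM customers WHERE phone = ?", (phone,)
    ).fetchone()


def lookup_safe(conn: sqlite3.Connection, phone: str) -> Optional[Location]:
    """Queries the filtered view; an unpublished number simply has no result."""
    return conn.execute(
        "SELECT address, lat, lon FROM published_directory WHERE phone = ?", (phone,)
    ).fetchone()


def privacy_test_cases(conn: sqlite3.Connection) -> bool:
    """Step 3's test case: every unpublished number must map to nothing,
    and every published number must still work."""
    unpublished = [row[0] for row in SAMPLE_CUSTOMERS if row[4] == 0]
    published = [row[0] for row in SAMPLE_CUSTOMERS if row[4] == 1]
    return all(lookup_safe(conn, p) is None for p in unpublished) and all(
        lookup_safe(conn, p) is not None for p in published
    )


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable lookup of unpublished number:", lookup_vulnerable(db, "613-555-0199"))
    print("safe lookup of unpublished number:", lookup_safe(db, "613-555-0199"))
    print("privacy test cases pass:", privacy_test_cases(db))
```

The important design choice is that the filter lives in the view rather than in each query: with the raw table reachable, every developer who ever writes a lookup has to remember the `listed = 1` clause, and the first one who forgets reproduces this exact incident.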
While errors and mistakes can happen, privacy breaches like this are usually the result of ineffective policy, process, and training. Technical errors and mistakes are the result, not the cause.
Today the Citizen quoted Jacqueline Michelis, associate director of Public Affairs for Bell Canada as saying, "Certainly protecting the privacy of such customer information is of prime importance to Bell and our strict privacy practices and policies consistently rank among the top corporations in Canada." I think it's time that Bell begins to review those practices.
Hi Colin,
Thanks for your reply.
The issue is that anyone can go to Bell Canada's web site, type in my unpublished residential number, and Bell provides them with a map that displays the location of my home.
As someone who pays for an unpublished number, it is my understanding that it is up to me to decide who I give my number to. However, the fact that I give someone my number doesn't mean that Bell Canada is authorized to provide them with a map showing the location of my home.
Just to be clear, I am reporting to Bell Canada that its web site is giving out confidential personal information on Bell Canada residential customers with unpublished numbers and that I expect Bell to take immediate action to cease this privacy violation and to notify customers that have potentially been impacted.
Also please note that I have filed a complaint with both the CRTC and the Office of the Privacy Commissioner of Canada.
Regards,
Eric
