Original URL: http://www.theregister.co.uk/2005/02/11/letters_1102/

Browser holes, hackers and rampaging botnets

Wild, wild world

By Lucy Sherriff

Posted in Letters, 11th February 2005 16:33 GMT

Letters This week we found out, all over again, that clicking on links can be a dangerous business. As John Leyden wrote on Monday, "A security loophole in Mozilla and Firefox browser could be used to spoof the URL displayed in the address bar, SSL certificate and status bar. The vulnerability also affects Opera and Konqueror."

So what was behind the flaw, and is there anything to be done? According to one reader, we might be stuck with this problem:

What a horror story! I tested Opera 7.54 at work, and sure enough, it functions correctly. That is, it follows the spoofed test link Secunia provide.

Unfortunately, Secunia are absolutely wrong about there being a flaw in the browsers' International Domain Name implementations. There is no loophole in the browsers. They're doing precisely what they're supposed to do, and no-one has grounds for complaining to Opera A/S or any other of the browser writers.

When I went to Secunia's site using Opera under Japanese Windows and clicked on their test link, the "problem" was immediately visible.

Instead of an ASCII "a", the second "a" in the spoofed "paypal" is glaringly obviously a two-byte character ("full-width" in Japanese parlance, one-byte ASCII characters being "half width"). OK, so I've been wrestling with these horrors cropping up in supposedly standard English text for five years now, so I'm sensitised, but they really do look different, to me at least. Unfortunately, that's no guarantee that even I wouldn't be fooled too, unless I looked really closely. Two-byte letters can take some spotting at times, especially if you're not on the lookout for them.

Now, my ancient old Acorn here at home doesn't have any form of support for 2-byte character coding, so it fails to follow the link. That's not because it sees http://www.paypаl.com/ instead of http://www.paypal.com/ but because its version of the Fresco browser can't code it. It ignores the essential <ESC> codes, so it breaks the otherwise valid URL and goes nowhere. Of course, its failure also meant that the spoof couldn't work on me, either.

The BIG BIG problem is not that there is a flaw in the browsers' IDN implementation, but that the dumbos who specified the IDN system (correctly) didn't spot that in the process they were handing on a plate to the malicious social engineers the best possible of all nasty tools.

Someone didn't realise that you must look before you leap.

The only "cure" I can imagine would be to break the browsers' IDN implementations so that they didn't display the valid 2-byte Roman letters (and Greek ones and Russian ones, and numerals, and punctuation marks), and so that they didn't do it in any of the Japanese, Korean and Chinese codings, plus EUC and Unicode too (that's over half a dozen coding sets) - without of course destroying the codings for Chinese characters, Japanese kana and Korean Hangul in the process. This would not only be tricky to do, it would be technically invalid, and would no doubt bring howls of protest from the standards bodies of all three countries (oh, and I think there are several other countries whose codings would have to be broken, too).

Sadly, I don't think there's a cure, beyond a very loud litany of "USER BEWARE!"

The genie is out of the bottle. Oh help! Oh bother!

Regards

Michael Poole
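The Cyrillic-"a" spoof described in the letter above, worked through as an added example (not the letter writer's, The Register's or Secunia's code): it canonicalises a hostname through Python's IDNA codec in both directions and flags any label that mixes scripts, which is what a defender's mail or proxy filter would check. The hostnames are constructed samples; the example also goes slightly beyond the letter in showing that IDNA 2003 nameprep folds full-width Latin letters back to ASCII, so only the Cyrillic look-alike survives.

```python
"""Flag IDN homograph look-alikes such as the Cyrillic-"a" PayPal URL.
Added example; hostnames below are constructed, not taken from any report."""
import unicodedata

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")  # prefixes of Unicode character names


def scripts_in(label: str) -> set:
    """Return the set of scripts used by the letters of one DNS label."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue  # digits and hyphens belong to no script
        name = unicodedata.name(ch, "")
        found.add(next((s for s in SCRIPTS if name.startswith(s)), "OTHER"))
    return found


def to_unicode(host: str) -> str:
    """Accept either a Unicode hostname or its xn-- (Punycode) ASCII form."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def analyse(host: str) -> dict:
    """Canonicalise through IDNA both ways, then judge each label.

    Python's idna codec implements IDNA 2003 nameprep, which NFKC-folds
    full-width Latin letters to plain ASCII; a Cyrillic look-alike is not
    folded, so the label keeps two scripts, the classic homograph."""
    ascii_form = to_unicode(host).encode("idna").decode("ascii")
    canonical = ascii_form.encode("ascii").decode("idna")
    labels = {}
    for label in filter(None, canonical.split(".")):
        used = scripts_in(label)
        if len(used) > 1:
            labels[label] = "mixed-script"
        elif used and used != {"LATIN"}:
            labels[label] = "non-latin"   # e.g. an all-Cyrillic label: legitimate
        else:
            labels[label] = "latin"
    return {"unicode": canonical, "ascii": ascii_form,
            "suspicious": any(v == "mixed-script" for v in labels.values()),
            "labels": labels}


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.p\u0430ypal.com", "www.xn--pypal-4ve.com"):
        print(h, "->", analyse(h))
```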


A simple lesson in how to mess with adwords:

In your article 'Botnets strangle Google Adwords campaigns' you describe what sounds like the first beneficial application of Botnets ;-)

Raphael


Though the use of botnets is new, sabotaging online campaigns has been around for a number of years. Pay per click advertising has long been a target of those wishing to empty their competitors' marketing budget. Google's ad bid system just adds to the tricks that can be played. As you wrote, dropping the click rate to zero is one approach. Alternatively, the attacker can click ads. Since Google adword campaigns typically have a maximum spend per day, the attacker can quickly use up their target's budget. After the maximum per day limit is reached, Google will stop displaying the ad.

Daniel


"Beg pardon? You are going to sue people for what?" was the general tone of your responses to news that a games company is planning to seek legal redress from punters who messed about with stuff they'd bought. For no commercial gain, whatsoever.

Should I be worried that I use non-standard counters for playing monopoly in place of the manufacturer's choices (aka a peanut and a button)? What about the alternative chance cards that we use ("finish your drink" etc)?

Richard


Hang on. I go out and buy a nice new Ford. I then add furry dice, bung on a spoiler and paint the whole car a lovely shade of mint green. Being sociable, I take some photos and upload to the Ford Custom website so that others can see what I've done.

Do Ford sue me for changing the car they designed?

These developers should get a life (if that's not an oxymoron...)

Mat


Everybody has an opinion about NHS IT, but no one wants to have their name linked to that opinion. Interesting...

As a clinician (not a GP) working in the NHS and heavily involved in IT, I am always interested in articles about NHS IT and the particular slant being applied to it. What many people fail to mention (or understand) is that the NHS - and particularly Primary Care services - is more than GPs: what about opticians, pharmacists and dentists? GPs have been relatively pampered when it comes to IT: historically, drug companies were falling over themselves to give GPs computer systems so they could get information on prescribing patterns, while the rest of the NHS was still using rocks and chisels.

Other than GPs, Primary care has suffered from a lack of IT investment over the years and our nurses, health visitors, physiotherapists, podiatrists and all the other non-hospital-based and non-GP-based services badly need the tool of IT, while GPs are in the enviable position of having all the IT they could possibly want, so have no real need to support NPfIT. Articles like this reinforce the misguided opinion of many people (including some GPs) that the GP is the be-all and end-all of the NHS. They're not, and the GP opinion is one of many, the rest being regularly shouted down by the battle cry "I'm a GP".

Perhaps it might be better if you didn't publish my name - I work with GPs and even have one myself :)


I read with interest the GPs have no faith in £6bn NHS IT programme, and the survey results linked to the story.

I work with what is called the "LIS" Team (who support projects for five Primary Care Trusts - PCTs) as a member of the IM&T department (which is the department mainly involved with all of the NPfIT stuff).

As always, the results were a little skewed by Doctors not wanting to change the way things are and admit their own shortcomings. I have been in surgeries where paper based health records are stacked high and could easily be taken without anyone noticing. Surgeries are meant to keep paper records secure, but in the vast majority of ones that I personally have been in, if someone broke in, it would be easy to take records. One in particular had the reception door (which had a keypad) wedged open, with no one to be seen in there, I could have easily walked in and taken a few.

When it comes to the computer based systems, most if not all require a site password and then a staff member password. Levels of access are granted, which means only certain things can be done or seen. This will still be the case with the NCRS (the NHS Care Register). People will only be able to see what is relevant to their role.

As for people saying that they haven't been consulted with regard the whole of NPfIT, I know for a fact that all the PCT's I support have had "NPfIT awareness days", where presentations are made showing the direction it is taking. Hardly any Doctors attended, even though it was over multiple days at multiple locations throughout the PCT districts and their running was well known. Also there have been numerous leafleting runs and a few bulletins taken to surgeries about the changes.

So, maybe the Doctors should take up on the training and communication offered to them, instead of the old "I've done it this way for years, why should I change now" mentality that is rife with the majority of Doctors.

(don't publish email address if you use this on the site)


We're including this next letter for rarity value, but also in the interests of balance. Not everyone had a nightmare with tax returns:

After all the bad press the UK government receives regarding IT and their failed or over budget projects I thought I'd quickly share my current experience. I submitted my tax return less than 25 minutes before the deadline without any major problems (a little slow, but hey).

What surprised me was that they paid my tax rebate into my bank account less than 3 days after receiving my return. £6000 straight into the bank without even a question or query and ready to draw on less than 3 days after receiving my submission is a pretty damn good turn around. I don't know if this is an 'average' result but I can't see any reason why I would be particularly blessed in this instance.

I feel the budding of a slight tinge of trust that the eGov initiatives might not all be a gross failure after all.

Seri


Big phones for the hard of seeing. What a good idea. Presumably it will also make them easier to find when you drop 'em down the back of the sofa. What? You mean that wasn't the point?

My parents would have appreciated this phone, if they could have got over not having a dial. The main bonus is having pushbuttons and display separate from the handset. (Of course most cell phones can take a separate headset.)

But I'd like to see a domestic cordless version for landline users - there are still some of us left. How about wi-fi, did that go away or did people stop talking about it? And BT may deliver a cell/Bluetooth phone this year.


Gap in market time.

If it had a USB port, there would be a lot of money to be made by selling a plug-in rotary dial unit to operate the thing properly. I don't see why Dad should accept anything less for doing his SMS.

They'll start producing those bogglevision square panel "whole page" magnifying lenses as used for reading the Daily Express, but specially made to fit the midget-sized screen, with very cheap suction caps on each corner for fickleness of adhesion.

Otherwise, superb.

Julian


Please don't think I am just a grey haired old fogey but at the age of 49, my eyes are not what they used to be. That Czech phone is a great idea although I would just like the phone manufacturers to consider the design of regular "mobes" as you folks like to say.

I have great vision when I am looking at something 36" away or further. However, looking at "little tiny buttons" the size of a pencil eraser with 4 alphanumeric characters on them and trying to drive while I dial my customers; has become quite challenging.

For what it is worth, cell phone manufacturers have completely forgotten that most people lose near vision as they get older. Apparently these manufacturers also lost touch with the underlying reasons for "Ergonomic" design.

I am quite dismayed that Nokia has decided that will discontinue the "candy bar" style of cell phone as this is the only type that is still readable to me. I have had to memorize the dialpad by touch, but I can still see where the buttons are, if not read them.

Cell Phone Manufacturers will probably change their engineering practices after I launch a class action lawsuit under the "Americans with Disabilities Act". But since they are obviously "discriminating" against older people as well, perhaps we can go for the gold and get them for "Age Discrimination".

My point is simple. Make the freakin' buttons larger, use brighter backlighting and allow the customer to choose when and how long it takes for the display and keypad backlighting to automatically turn off.

Oh yeah, STOP MOVING THE DAMN BUTTONS AROUND AND PUT TACTILE REFERENCE BUMPS ON THEM!

Either that or make every phone (including the "free" ones) numerically voice dial capable.

The alternative is a new form of income for lawyers defending their clients against lawsuits for accidents when "dialling while driving". Everyone does it, manufacturers know and encourage the practice by selling mobile phones to begin with and they HAVE to design properly for it or they (and/or the service providers) are legally liable for their poor "ergonomic" design!

The architect I.M. Pei once took LSD to understand how to design mental hospitals (Fun Job, eh?) I suggest that ALL design engineers be required to wear glasses that simulate the visual disabilities of their customers while they design devices that require "human input". (Not to mention Auto manufacturing designers being required to repair the cars they design before releasing them to manufacture)

Cell Phone manufacturers seem to be "turning a blind eye" to the problem! Too bad, for old age, like death and taxes, is inescapable.

Dan


A small debate broke out this week about the importance of cell chip architecture. Our San Franciscan Vulture sent us a breakdown of events. Seems it all began when an interested party dropped him a line in response to the story.

I think what you find is the Cell architecture will be fast, understandable, and useful for many applications. The cell could do as many as 1TFLOP per chip. This sort of speed in the hands of motivated developers all racing away from what they perceive as the new starting gate (no not gates) will result in a technical and economic reset. I predict true human level intelligence from cell based systems by 2008. Who knows what companies will invent with modeling and simulation at 100 times better cost performance.

The Cell may turn out to be the biggest step change in technology ever, never to be repeated again. We may view history divided AC and BC :)

I am getting involved. I never liked X86 architecture but used it. I have read the cell patent and all the reviews and from what I see, it will work.

I also predict X86 will be out of production by 2008.

I have put up www.cellsupercomputer.com and plan to build Cell PCI cards at first, then stand-alone systems as an OS etc. develops.

Jim

Andrew, ever the diplomat, wrote back:

Jim,

> I predict true human level intelligence from cell based systems by 2008.

Don't be silly.

Jim retorts:

The entire economy of the world will change over next 10 maybe 15 years.  People will no longer "do" anything. The absolute best that can be hoped for is people will "manage" intelligent systems which actually do everything.

If you think I am crazy - then DARPA is insane

Says Orlowski: "You must check out his website, for it has the ascent of man - from reptile, to ape, to computer operator."

Um, right. Good. Moving on...


So let me get this right, you're saying that the cell chip architecture can use it's broadband connection to offload processing cycles onto other cells.

And in but a couple of years every other household will have one of these boxes quietly sitting in the corner of their homes.

With their wireless network capacity anything in the home will be open to communication with the playstation!

Don't these fools know what they're doing?

It's the rise of the machines all over again!

All it'll take is a slight mis-programming in the next bit of online games AI and the world will be at the mercy of "Cellnet" I tell you.

Ohh and withhold my name.. Wouldn't want the outside world to know I'm onto them...

Yes, it is the rise of the machines, again. And there is more...as we reported, the Machines are now resorting to camouflage to infiltrate our homes. But, wait! There is hope:

DO NOT PANIC!

It is clear from a rigorous scientific investigation that the ZOGG invasion force will find their endeavour hampered by stupidity or at least flaky intelligence. According to page 5 of their manual (http://www.bitfurnace.com/TheCuddlyMenace/target4.html) they're expecting to increase the nitrogen content of the atmosphere by 900%.

As any graduate of GCSE science will know, our atmosphere is approximately 78% nitrogen already, so a ninefold increase would involve the atmosphere being 702% Nitrogen, and therefore presumably around -600% Oxygen...

Yours Sincerely, Dr. Thaddeous Munsch, Cos, Gem, Iceberg.


And finally, you'd think we'd be safe with a reader survey, wouldn't you? But no. Our efforts to probe your views on Windows vs. Linux have got us into more hot water. First people wrote in complaining that we hadn't included Macs. (We had included a disclaimer to that effect, but maybe using a Mac makes you go blind...we're not sure. ) Anyway. It turns out even our disclaimer was a bad idea:

As a gay mac user, I am distraught that not only have you not given me an option to support my platform, you've also insinuated that I'm more attractive to the opposite sex!

Outraged of Wimbledon. :o)


Enjoy the weekend. ®