Original URL: http://www.theregister.co.uk/2005/03/22/letters_2203/
French firms rampage through Reg letters bag
All very Gallic
Letters Wanadoo got in lots of hot water last week for their advert showing teenagers snogging in a scrap yard. The advertising standards people said it was too risque and that scrap yards are dangerous places to play; so they slapped a ban on the ad:
You can see it now:
Kid one: "did you see the Wanadoo ad?"
Kid two: "Yeah it was so cool!"
Kid Three: "Let's go play in the scrap yard to mimic that really cool ad"
Kid Four: "Yeah I'd never thought about it before, 'cor ain't marketing wonderful"
All Kids: "Yeah!"
... hmmm don't see it myself but at least it keeps them from hanging around outside shops beating up anybody who looks like they may have a brain. Sounds like a good idea actually....
Oh good, another way for us to "protect" our children from everything under the sun. Of course a scrap yard is a dangerous place to play, but is banning the advert going to change anything? Too safe, too safe this society of ours.
When I was growing up I had farms and farm machinery all over the place to play on, and trees to climb, and yes, scrap yards to bugger about in. I had all manner of places to play in, and also to get hurt in. A good thing, too. The sooner someone learns that falling out of trees leads to a sprained ankle, or that scrapped fire engines have all manner of sharp bits to graze knees on or whatever, the better as far as I'm concerned.
Learning how to manage risk and danger is an essential skill that we all need. Take that away and before we know it, we've got adults that genuinely don't know that sticking your hands into the engine of a car is going to get messy.
We're getting to grips with the fact now that an ultra-clean lifestyle actually depletes our ability to combat illness. The old immune system needs a run round the block occasionally (witness my excuse for living like a slob). Same goes for physical danger.
I'm not suggesting we all give our kids live grenades to play with or anything, but let them graze their knees and sprain their ankles, let them earn the trademark tiny-scar-under-chin that surely anyone who ever had a BMX must have, before we end up living in 'Demolition Man'.
Right, rant over, I'm off for a bit of a climb of that tree over there.
Speaking of stupid children, as we almost were, it was revealed this week that technology doesn't make for cleverer kids, in fact quite the reverse, according to the UK's Royal Economic Society:
So, computers aren't a magical fix for the education system, and kids lose the ability to reason, eh? That's no surprise to me. Neither is the idea that our world is so awash with "facts", much of them contradictory, that "reasoning" becomes impossible and basic skills are lost. What I do find surprising is what appears to be a casual assumption that these two problems are linked.
As regards the kids: before I worked as a techie, I worked in a library, and it wasn't unusual to see parents drop their kids off at the library and go out to work for the day during the summer holidays. The kids would spend the day talking to strangers in chatrooms. Hardly the most "creative" social activity - or the most wholesome, because nobody knows who they were talking to. (Naturally the library staff could do nothing whatsoever about this because the kids had their parents' permission to do whatever they wanted.) If this is typical of how many parents treat their children - and unfortunately it seems to be more and more so nowadays - then I think the problem most likely goes a lot deeper than too much computing and too little creative activity at school.
As for "facts", various people have famously claimed as "facts" at various times: That the world is flat and is circled by the sun, that they have been abducted and experimented on by Martians, that their day-to-day fortune can be foretold by the movements of the planets, that O J Simpson killed his wife, that mobile phones are harmless, that GM crops are harmless, that asbestos is harmless, that thalidomide is harmless, that a human diet of cows fed on other cows is harmless, that cigarettes are good for your respiratory system, and that Saddam Hussein really did have weapons of mass destruction before we invaded Iraq. It's got to the point now where you have to be sceptical to the point of harmful cynicism about pretty much everything you hear, because there's no such thing as a "reliable source" anymore. Hardly an environment conducive to good reasoning skills.
Two huge problems, both of which could do with fixing as soon as possible. But related? Nope, don't think so.
We had a lot of mail from you lot about the wisdom of mixing phones and petrol stations. Firstly, our thanks to everyone (and you are many) who wrote in to tell us about the Brainiac episode where the loveable pranksters filled a caravan with petrol and mobile phones, then rang the phones in an unsuccessful attempt to ignite the fuel. For those who missed it, a man jumping around in a shell suit later succeeded in generating enough of a spark to send the cursed vehicle to oblivion.
Our thanks also to those who flagged up Discovery channel's Mythbusters programme, which has also demonstrated that mobile phones can't make petrol explode.
You try and tell the brain-dead button-pushers that work in the petrol stations that.
I've said for a long time that mobiles and petrol mix safely (obviously you can't dunk your phone in it and then use it, but you know what I mean) and even proven this to a forecourt attendant.
But, since the sign was on the wall, he told me that unless I put my phone away he'd call the police.
Treat 'em like zombies and they'll behave like zombies.
Can't we just take the warning labels off everything and let society's stupidity problem solve itself?
Surely you've seen the demonstrations - the spark from static in clothing *is* enough to trigger a petrol explosion.
Rather than banning the use of mobile phones in petrol stations, it would be far more safety conscious to insist users of petrol pumps are naked.
If the mobile phone rumors are groundless then we have a likely cause of the sparks :-)
Bit of a late contribution this one, but a valid point nonetheless. You might remember the arrest, back in January, of a 14-year-old who, it was alleged, made a hefty £20,000 flogging non-existent gear from his website:
Pesky Kids?? Certainly not much good at business?
"Scam" nets £20,000 - No plasma TVs were ever shipped, so I assume no Plasma TVs were ever purchased from suppliers. So he took around £20,000 in sales (I assume through Paypal ... Or maybe cheques in post .... Seriously, tell me no online "payment processor" gave him an account!!!?)
But - despite the fact that only (I assume) payments were processed, and nothing ever bought in or shipped out; WHY did he need an office and staff??!
You see, this is the state of today's youth; when a simple telephone line and net connection will do - Yes, Granny's will be fine - The youth of today just can't be bothered ... Even the small amount of work involved in scamming a couple of hundred punters, and answering a couple of "worried phone calls" requires the lazy little things "getting help in".
And I'll bet he wasn't employing UK located call staff was he!? The things they learn today - This outsourcing craze has gone far enough; offshore your Scam Operation with us, indeed!!
Shameful - I suggest he is sent on a course from his local Business Link as swiftly as possible; that'll teach him!
No-one wrote in to tell us how impressed they were with the idea of two-factor authorisation. Oh, wait, they did:
I read your article "Banks wasting millions on two-factor authentication" today and felt compelled to put ASCII to form field:
Schneier's analysis here is flawed and sensationalist:
1. Bruce is wrong; two-factor authentication WILL fundamentally drive down fraud by forcing attackers to use synchronous rather than asynchronous attacks.
The attack mechanism described by Schneier requires a synchronous, interactive connection from the attacker. This is a much less attractive proposition than the situation today where Trojans automatically harvest username/passwords for the attacker to use at their leisure. If I was a criminal I'd rather not wait up 24 hours a day on the off chance Joe Bloggs logs into his account at 3am so I can hijack his session.
2. 100% Security doesn't exist - Banks are in the business of risk management not risk avoidance. Introducing two factor authentication should stem the current tide. Even if criminals get significantly smarter and fraud levels recover, the introduction of 2-factor buys time. Time for other improvements to be realised that make Internet banking fraud relatively less attractive, e.g. increases in prosecution rates.
I would have hoped an "encryption guru" would realise that security isn't about making it impossible (you can't), it's about making it hard. Two-factor authentication may not be foolproof, but it does eliminate keylogger attacks and drastically limit the time window in which attacks can be carried out - from months to minutes. Of course attackers' tactics will change, they always have and they always will, but that doesn't make two-factor authentication useless. I presume Bruce Schneier uses no security whatsoever, if he did it would "force criminals to modify their tactics, that's all".
Others thought a bit more sun would solve everything. And why not?
If hardware token two-factor authentication is vulnerable to man-in-the-middle attacks, then maybe it is time to remember old-fashioned one-time-password authentication, and either use that, or use hardware tokens in a similar fashion.
My bank issues me a sheet of paper with a bunch of numbers on it: TANs, or Transaction Authorization Numbers. They're good for one and only one 'transaction' each - whether that be sending money somewhere, sending a message to my bank, or changing my login password. Every time I actually do anything with my account, I use up one of these TANs. That's in addition to login.
Yeah, all I have for login is a user number and PIN - different from account number and ATM PIN, of course. But an attacker could not 'pass along' her transactions along with mine. She could, of course, replace each of my transactions with hers, while fooling me into believing my transaction had been processed.
Tokens can be used in a similar fashion. The 60-second 'recycle' on most of them makes that aggravating if you're in a hurry - and if you cycle them every 20, old folks will complain. I'm fairly confident some 'boffin' can come up with a solution to that one, though.
In the end, however, it's not ever-more-clever user authentication that will save us. What's needed is a way for the bank site to authenticate itself to me. Which is fiendishly difficult to do in a way that cannot be easily faked, and makes it blatantly obvious to my mom whether this is the online equivalent of the 'real bank building', or a cardboard fake of it.
You know what? Forget all that online crap. Take a stroll down to the bank office and have a chat with the teller. It's nice and sunny out.
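The TAN scheme described in the letter above, modelled as an added example (not code from the letter or from any bank); the 6-digit TAN format, the class and function names and the payees are constructed for illustration. It shows both properties the letter claims: a spent TAN cannot authorize a second transaction, yet the server accepts whichever transaction arrives with a valid TAN, because the TAN is not tied to payee or amount.

```python
import hmac
import secrets


class TanAccount:
    """Server-side view of one customer's TAN sheet (constructed model)."""

    def __init__(self, sheet):
        self.unused = set(sheet)   # TANs that are still valid
        self.ledger = []           # (payee, amount) of accepted transactions

    def authorize(self, tan, payee, amount):
        """Accept the transaction only if the TAN is on the sheet and unspent."""
        match = next((t for t in self.unused if hmac.compare_digest(t, tan)), None)
        if match is None:
            return False
        self.unused.remove(match)  # each TAN is good for exactly one transaction
        self.ledger.append((payee, amount))
        return True


def issue_sheet(count=5):
    """Generate a sheet of distinct random 6-digit TANs (format is an assumption)."""
    sheet = set()
    while len(sheet) < count:
        sheet.add(f"{secrets.randbelow(10**6):06d}")
    return sorted(sheet)


def run_scenarios():
    sheet = issue_sheet()
    account = TanAccount(sheet)
    results = {}

    # 1. Normal use: the customer spends the first TAN on a payment.
    results["legitimate"] = account.authorize(sheet[0], "landlord", 500)

    # 2. A TAN captured after it was used (e.g. by a keylogger) is already spent,
    #    so a second transaction cannot ride along on it.
    results["replayed_tan"] = account.authorize(sheet[0], "unknown-payee", 500)

    # 3. The TAN carries no information about payee or amount. If the request
    #    reaching the bank differs from what the customer typed, the server
    #    cannot tell, and the customer's own request then fails as "spent".
    results["altered_in_transit"] = account.authorize(sheet[1], "unknown-payee", 500)
    results["customer_original"] = account.authorize(sheet[1], "landlord", 500)

    results["ledger"] = list(account.ledger)
    results["tans_left"] = len(account.unused)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```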
The threats mentioned are real, but I think Bruce is missing a couple of points. One of which is what kind of technology do we employ to prevent these kinds of attacks? Should Banks require all Online Banking customers to install and connect through a VPN client? That takes away the flexibility of connecting from multiple locations. It also only prevents the man-in-the-middle attack and does nothing against the Trojan. I do not know of any technology right now that would stop that attack from working. Should we require users to have updated anti-virus in order to connect? Even that doesn't guarantee they are Trojan free.
The second issue I have is that the most common attacks today collect passwords through phishing. They are easy to set up on someone else's server so that you are harder to trace. As long as these attacks still work I don't see why the criminals would change. I think that these attacks will remain common until enough Banks provide security measures that make them significantly less profitable. Why move away from a nearly automated process until you have to?
I also have to wonder at what point do we make the user responsible? Right now the courts are working on whether or not banks are responsible for keeping Trojans off customer workstations so I guess that may give us some answers.
Irish consumer group IrelandOffline was ranting this week that the emerald isle has some of the most expensive broadband in the world. There was no sympathy out there among Reg readers in the Seychelles, Gibraltar or South Africa:
Oh, how amusing!
40 Euros for 512k broadband - expensive?! You have no idea...
I work for a small international school in the Seychelles and we recently upgraded our Internet connection from dial-up to 'broadband'. Here's the deal (the best and only one available here!)...
256k link 4500 Seychelles Rupees per month
There are SR10 to 1GBP - yes! That's £450 per month for 256k access!!!
You lucky sods in Ireland don't know you're born!
I'm not sure the Irish realise just how lucky they are. Broadband prices in South Africa are in the region of £80 per month for a 512kb line capped at 3gb! Have a look at http://www.mybroadband.co.za and see just how unlucky and unhappy South Africans are!
Heh - Ireland thinks they have it bad - try here in Gibraltar! £59 a month for a 512/128k line that's up and down all the time...
Catherine (who's thankful her job pays for her home connection)
Attendees at an Industrial Cyber Security Conference in London this week were warned, by AV vendors, no less, that without proper anti-virus technology, the world could very well come to a sticky end. The Register's own anti-virus industry watchdog thought their arguments might just be a little self-serving:
I can see the OS Easter egg now. Hydro + Seattle + MS = Free
MS, bartering for a worse tomorrow, I wonder how much money they keep from the economy? I hate rich people that beat taxes and leave it for us regular people to float the government that screws us in the end for the Corporations.
The thing that has me concerned here, is why would anyone be stupid enough to connect critical computer systems in utility plants to the outside world, especially via something as unnecessary as the internet.
Let me guess, the plant operator needs the computer to email everyone to let them know a meltdown is in process, or perhaps he just wants to play online games. Who knows? But my guess is that if something as critical as a nuclear meltdown is in process, the people running the plant won't need an email to let them know it's happening.
Whatever the possible benefits of using Windows boxes with easy network access, surely the downside is so far worse, that by even considering such a course of action you would have to be a/insane or b/on the receiving end of a massive bribe.
There is no 100% effective way to secure a networked computer, especially one that has internet access. So what the f%&$ is going through these idiots' brains when they decided to do away with virtually impossible to hack proprietary systems, and replace them with computers that can be attacked by script kiddies?
French news gatherers, the Agence France Presse, announced that it will sue Google for unauthorised access to its copy. The agency says Google is linking to its stories, and that this amounts to a breach of its copyright:
I think Google should comply with AFP's demand. By blacking out the websites of all online publications that carry AFP content and referring anyone who tries to get to an AFP article page to a simple page saying "AFP doesn't want to be in our search engine. If this is a problem for you, the publisher's home phone number is xxx-xxxxx and his mobile number is XXx-xxxxxx) and the head of their law firm's home. . ."
Publications will think twice about carrying AFP content if the price is exclusion from most of their potential readers and advertising income.
While IMHO, AFP's case is completely without merit, the worst punishment that can be visited on a person or company is frequently giving them what they demand.
Just for giggles I went to AFP's website and was going to send them a nasty e-mail when I noticed the following on their contact page:
N.B.: Any use of AFP services is prohibited without a licence from AFP
Now it seems to me that I've just violated their TOS - if that's the proper wording here - by not having "a license to use their service" as no prior license was granted before I viewed their website.
Seems like a really cheesy ( no pun intended ) way to generate a bit of publicity about your site. Maybe when I start a business I'll sue Google to stop indexing my site too, just for the free advertising.
Wouldn't a robots.txt file have been easier?
Finally, we have the latest on the almost unstoppable Rise of the Machines. The good news is that there is a means of defending ourselves from enraged French automobiles: pull the plug. Now. Before it is too late:
Dear Mr. Haines,
It is not only the French who make interesting cars.
In the late 1960s I owned a 1962 Triumph Sports 6. It was designed so that it could be built either as a left hand or right hand drive vehicle without having to have too many left or right hand parts.
The gas pedal was attached to a "Bordon" tube which went through the firewall to the throttle. A "Bordon" tube is a wire inside of a narrow hollow tube. The tube is fixed at each end and the wire can be pulled to move a component such as the throttle. This allowed the car to be built without left/right hand specific mechanical linkages.
One evening while I was traveling, on an Interstate highway, the throttle stuck in the wide open position. I was doing 65 MPH, accelerating, and going down hill. I later realized that the wire was stuck or binding against the inside walls of the tube. At the time I had no idea what was going on. Pressing the gas pedal did nothing. The tube/pedal was at maximum extension and pressing the gas pedal did nothing.
Putting in the clutch just made the engine race. After about a minute of panic I finally realized that I could simply turn off the ignition key! I did that, steered the car over to the side of the road, and caught my breath before starting to tinker with the wire attached to the gas pedal.
I suspect that your Frenchman might have been able to fix his problem the same way - by turning off the ignition.
The terrifying Gallic plot to enslave us all is slowly coming to the surface. After the would-be killer Renaults, we have French PM Jean-Pierre Raffarin (a man with all the charisma and sex-appeal of wet putty) speaking English with an accent last detected chez the late M. Distel.
Does this mean I should immediately take steps to have my Agèd Mother locked up before she succumbs to this stealth-charm offensive?
Yours from the outside of a rather nice half-bottle of Monbazillac ;)
Am I missing something, or has the Lizard Alliance conspired - dare I suggest coerced, even - Renault into replacing the ignition mechanism in the Laguna with something more easily controlled from the mothership, preventing the poor sap from simply turning off the ignition and coasting to a stop in neutral?
The plot certainly thickens. More letters later, so keep 'em coming. ®