Hacking, downloading and bad Web design

Letters Last Friday, we reported that two Oxford University students at face suspension over a little hacking project they undertook to expose, they said, security flaws in the University's IT system. The pair could be rusticated (a great word, no? It means 'banned from college grounds') and fined £500.

Hi John,

These two oxford 'hackers' were able to access sensitive systems - yeah right. They were able to read all traffic on a Hub - not even a switch - by setting their cards in promiscuous mode, which is hardly rocket science. No proper hacking is involved, but this simple fact has evaded The Grauniad, Auntie Beeb, and just about anyone else who

All the passwords they managed to grab were sent in /plain text/ by network users not using security with their browsers - contrary to standing IT Advice that is received upon joining. The University email system now forces you to use https (no plaintext) and has done so since it's introduction in March. However, unencrypted IMAP is still permitted.

Other systems that were 'hacked' (Not really - just snooped on) were unencrypted CCTV footage using the data network.

The two students involved should also have been aware that they were breaching University IT rules, as they get a copy with their induction packs and they're on the web here for all to see.

Otherwise a chat with their IT person would have been enlightening - they'd have realised that networks are horribly insecure, unless you take precautions.

Cheers,

Name supplied

Your story says to me that Oxford's administration is very much of the same mindset as the Bush/Cheney/Ashcroft Administration here in the US; that is, if someone discovers that you have "screwed the pooch," ratehr than coming clean and attempting to fix problems with your own system, it is important to punish the whistleblowers whilst allowing the abuses and failures committed by your own staff to continue unhindered.

Apparently an "education" from Oxford these days is no better than an MCSE; if you can pass the tests and don't "make waves," actual *working* knowledge and experience are irrelevant.

Rich

Last week, Odeon decided to shut a long-running, and it now appears, popular accessible version of its website. The company said the site infringed its trademark, and asked for all copyrighted material to be removed.

Since them, two new accessible versions of the site have sprung up, thanks to a couple of Iains:

Hello, I thought that some Odeon-challenged readers might be interested in this perl-based browser I just wrote especially for viewing the Odeon listings.

It simply acts as a client for reading remote information and as such is, I'm pretty sure fairly unlikely a target for an Odeon law suit. Unless I've read the site small print wrong and it really *is* against the law to try and browse the Odeon site without IE5+!

Cheers, Iain

Hello Reg.Hacks

Seeing as the only cinema near me is an Odeon, but I refuse to allow virus-injecting software such as Internet Explorer to run on my machine, I was kind of shafted when the Accessible Odeon website shut down. So in a fit of exuberance, I went away and wrote my own. It's very rough and ready, and a bit ragged round the edges, but it does work, and I've made very sure to point out to anyone looking that it's not the real odeon website.

If you think any of your readers might be interested in such a site please point them here

Thanks etc

Iain

We've had a variety of responses to the news that an Excel auto-formatting function can introduce bad data into public DNA research databases. The following selection pretty much covers the full range:

Hello there,

I can almost see horrible monster creatures crawling through green (glowing) fields of GMO, wanting to eat me, because some boffin forgot to turn-off date conversions in the dammn Excel. I can almost see me in the electric chair as a result of crappy victim under-nail DNA analysis. But then again, maybe some Word will save my life turning "CHAIR(EL)" into ... "carrel" ....

Sincerely,

Abraham Zhane

That wouldn't be the first time Excel has induced moments of anxiety in scientists. One upon a time, we were compiling tabular profiles of various woody species, including the genus "Callitris" (an evergreen shrub). We very quickly learned that Excel's automatic spelling correction insisted on changing the word to "Clitoris" (fortunately before we published anything embarrassingly confusing). A check with Excel 2000 shows that "Colitis" is now the suggested replacement. While an inflammation of the colon could not be regarded as an improvement, at least Excel 2000 asks by default.

Antti

i think that excel is the bane of the internet revolution, and when i run my own IT department i will mandate that beancounters learn access instead of wasting time formatting stuff in Excel.

I just think that there are MILLIONS of people spinning their wheels out there, doing stuff in Excel that would fit better into Access

Access is soooooooo much more powerful, it is really ridiculous

Aaron

Excel also mangles credit card numbers. I'm currently a sub contractor working on software for fraud detection and we sometimes wanted to use a spreadsheet for sharing sample runs of transactions. The sixteen digit strings were converted to floating point losing the last digit of precision so all numbers ended in zero. (Try entering 16 digits and then changing the cell format to "text".

A major problem is the curious lack of any way of importing data from another file. You can only "open" files and then all manner of formatting and conversion decisions are silently made on your behalf in the "MS knows best" tradition.

Mitch

Why the hell are these people using Excel as their primary data collector?? Given that bioinformatics is now a recognised discipline (well, O'Reilly are writing books about it) and MIcrosoft is officially Evil, surely someone has written a better processing interface than bloody Excel. That's what postdoctoral employees are for.

Tanya (postgrad computational chemist)

Anybody retarded enough to use Excel for critical data deserves whatever happens to them. I can understand people using it who are not educated. This takes the cake.

If this is happening, can you imagine what other typical Excel boo-boos are being perpetrated? They need not be the fault of Excel of course. 1.) non-printing characters interfering with calculations 2.) improper selection of a range of data 3.) duplicate data <-- this is the really big one for Excel users

So one day El Reg. announces "Scientist who said we are related to squirrels retracts announcement. Says it was an Excel error."

Bob Calder

What a bunch of horse's asses. This problem could have been easily avoided if they had simply tested the data using a small data set comprised of all of the values that would appear in the full data set. Most people don't comprehend that a spreadsheet is a computer program in and of itself. They probably assigned creation of the spredsheet to an assistant instead of hiring a computer programmer with exertise in database design. If they had done that they would probably ended up using an enterprise class solution such as Oracle or Sybase. Instead they spend untold amounts of money acquiring the data and then use a relatively cheap tool to store the data.

Kevin McDonald

We here at El Reg occasionally have to go back and correct, or update a story. Sometimes it is because we made a mistake, sometimes it is because a story has moved on, and sometimes it is because people (not all people) take us altogether too seriously. This was the case with our JOKE poll about the amount of illegal downloading going on out there.

Very amusing. Your poll is (deliberately?) making the same mistake that the MPAA (deliberately!) made in the results of their "study". You should instead be asking:

Q) Have you or have you not downloaded ILLEGAL (unlicensed, etc.) video material from the Internet? A1) Yes. A2) No. A3) No, I prefer my pornography in stills format.

Too many so called studies trap the unwary into answering the way the poll taker wants.

Jair

Hmm... As usual, you non stats majors forgot. The world is not just yes, no and maybe. What about those of us who run our own news servers, and have pr0n sent directly to our own news servers? I certainly don't have to download anything, it's all sent to my server. This is the push versus pull technology at work, guys.

-Tai

Regarding "illegal movie downloads", atleast here in Finland it's complitely legal to download music and video from the internet, copyrighted or not. However downloading software (and in some cases, making backups) is illegal. Only sharing/uploading copyrighted material is illegal.

Qwerty

[Perhaps not his real name? - Ed]

this vote is absolutely wild! you guys are grade AAA cynics. I had to read the article 2-3 times before I fully understood how subtle your disbelief is.

But you do bring up a valid point. From the voting it is clear you are correct, however I suspect if we changed the question to determine how many have downloaded non-erotic material... Much more difficult to find movies which aren't sticky...

Elmars

You should add the option of, Yes, I did download a motion picture from the internet, but after waiting 3 days for the thing to come down, with 7 restarts, I played it, realised the quality was crap and just spent the money to either get the video out or watch it in the widescreen, digital dolby of the cinema.

Really, movies aren't MP3's. The quality is crap so you may as well watch it properly in comfort either on you TV or at the cinema. I used to get a 10 quid monthly pass at Staples Corner in Cricklewood. Cheaper than a broadband connection...

Jason

I have downloaded about 250 Movies from the web, HORRORS, but that's all over now. The saviour of Movie Industry (Ta Da) is Netflix as far as I am concerned. Why download what is often a lousy copy when you can rent the real thing so easily.

Why download or rent at all? Because I won't buy it until I try it. I'm to old to negotiate a noisy kid-filled theatre. I am building a magnificent movie collection of the ones I want. Emphasis should be on I....something the record and the motion picture industry have as yet failed to grasp.

If the record industry would sell their complete catalogs as singles for a reasonable price with their infernal digital rights schemes to boot, they would make money. How much are they making on their out of print music?

I buy movies for the quality, the bonus features, the cover art and, if you wait sometimes till the bloom of a movie has faded, a good price. Heck if I want it now, I pay the higher price. CDR copies don't come close. Send this to the RIAA and the MPAA and see how a consumer really feels.

Tjalda

Dear Mr+Ms+Mrs Register. Any online family should know that people who are savvy enough to download movies would not submit to an online poll with the potential to record IP addresses. Then again, one could anonymise that stuff. The arguments either way are too tiresome.

In fact, I'm submitting this little blurb knowing full well you'll have me by the short and curlys, even though I haven't admitted to downloading. Clearly, I fit into that self-proclaimed savvy underbelly of the e-commerce-net.

I'm all confused.

Gummi

:x

No cookie/ip based poll? NTL use proxys that you can't bypass so I can't vote! (Well, you can - but I've reformatted, and have lost the other cache addresses to put into IE)

On a side note (Sort of), check out www.suprnova.org - Especially check this site out when big games/movies come out. Scary numbers - For big releases, it's not unsual to see upwards of 10,000 people downloading new items within the first 24 hours. When Far Cry came out, I did a quick MPAA style calculation and took the total downloaders of 3 or 4 games, and came up with over a million pounds worth! (£30/copy)

Even though I am a frequent downloader, I know it can't go on this way. I'm not sure how much a game is worth in profits, but it's fairly obvious that 10,000 less copys per game is a fairly heavy loss. I know a game-mag editor who tells me doom 3 will hit US shelves in 3 weeks. Keep your eyes peeled on suprnova.org for the downloading stats.

The ONLY way to stop piracy, and I do mean the ONLY way - Is to do what Quake 3 did and use a master server browser and cd-key to play online. No-cd cracks and patches will always defeat safecast and the other useless protections they use - A lot of people are not willing to pay for a single-player game, but they will gladly fork out good cash for a worthwhile multiplayer game that needs a cdkey.

Suprnova's intuitive mirror system ensures they can't be taken down from a single source, and they are very persistant. This problem won't be going away any time soon.

Name Supplied

That's all folks. Letters will be back with another batch on Friday. Until then, enjoy the week. ®