Shanghai taxis

My long haul travel habit began five years minus a week ago, with the ICANN meetings in Shanghai, and a visit to the Shanghai Museum. Particularly memorable from that trip, the taxis: Plexiglas barriers between drivers (in white gloves) and passengers, spotless white fabric covering the back seat, and recorded messages that would welcome you to Dazhong Taxis when entering the cab, and remind you to not forget your “receipt and belongings” when you left it. To tell the driver where you wanted to go, you’d keep a stack of little pieces of paper, with various destinations for the day written out in Chinese, prepared by the hotel front desk. Very reassuring, then, the English-language signs posted at the highway (right next to a crashed cab), reminding people to drive carefully. Overall, like many ICANN meetings, that week had a strong feeling of life in a bubble. (Lost in Translation only came out later, but, yes, that’s the theme movie for these kinds of conferences.) I haven’t had an opportunity to get back to China since.

In Ups and Downs, Tim Bray has a hilarious account of his first-time-in-Shanghai experience, and it’s good to see that not everything has changed over the last five years. In particular, the taxis seem to be still the same. Including the white cloth that covers these ugly seat belts on the back seat…

hack.lu: slides

I guess a conference counts as good fun when you go there to listen and end up giving two lightning talks and a not really lightning talk. So, for the record, here we go: The MITM diagnosis lightning talk was just xterms on a beamer, no slides the…

The slides should be linked from the conference program sooner or later.

hack.lu: MITMing a room full of security people

In Pwned @ hack.lu, Didier Stevens has a nice screenshot of what a lot of people saw at the conference yesterday. Not trusting the crowd in the room, I had configured my Web browser to go through an SSH tunnel elsewhere, so the software that was affected for me was fetchmail — which I had fortunately configured paranoid enough that it noticed the wacky certificate that was “shown” by my personal server on port 995, pop3-s, and simply died with a nice error message.

So, what happened? As I said in a spontaneous lightning talk after that session, my diagnosis was that somebody was running a man-in-the-middle attack on a room full of security people. The tool they were using rewrote the TLS certificates that were shown by servers, but tried to keep the human-readable information in the certificate intact. (As Benny K notes in a comment, “the certificate seemed fine”.) The tool used was most likely ettercap.

Incidentally, I don’t mind that this prank was played on all of us. Attending a hacking conference means you’re fair game to some extent — there will be packet sniffing, and there will be active attacks. As long as no lasting damage is caused, and as long as the attacks don’t interfere with the conference talks, that’s fine. What I found disappointing, though, is that the responsible party didn’t have the stomach to give a lightning talk about the results gathered. For instance, I’d love to know how many of the (security-minded!) people in the room actually clicked past the errors that their browsers and mail clients showed. That would be first-class input for the Web Security Context Working Group. (Anecdotal evidence suggests that a few people got rather nervous after they heard the lightning talk…)

Now, for the details…

Alex von Tunzelmann, Indian Summer

Alex von Tunzelmann’s “Indian Summer. The Secret History of the End of an Empire” is a captivating read — I didn’t do much else this Sunday but read it.

This is not a novel: It’s an extraordinarily well-written historic narrative of the tragedy, drama, and, yes, farce that surrounded the end of the British Raj and the creation of India and Pakistan as independent states.

Tunzelmann tells this piece of history by often focusing on some of its key players.

There’s Gandhi’s struggle between political judgment and his personal spirituality, there’s Jinnah’s career from being a champion of Hindu-Muslim unity to being the father and first governor-general of Pakistan (which Tunzelmann suggests might have been a bargaining chip that Jinnah didn’t actually aim to get). There’s Nehru, who starts out as a young English gentleman (and English native speaker), to become the country’s first Prime Minister — and who sometimes excels as the author of scathing political polemics against himself, published anonymously.

And there are the Mountbattens: Louis, a gentleman of impeccable courtly manners, high intelligence, but sometimes questionable judgment, known as the “Master of Disaster” in Royal Navy circles during World War II, cousin of the King, last viceroy of the Raj and first governor-general of the Dominion of India, oscillating between political achievements (notably, the accession of the princely states to India), and petty distractions. Edwina, socialite, heiress of an immense fortune, turned into a skilled organizer of humanitarian aid during World War II and in the midst of the catastrophe that the India/Pakistan split was – and, in a politically explosive ménage à trois, Nehru’s close friend (and lover?) within weeks of the (often adulterous, never divorced) couple’s arrival in Delhi; a political force in her own right.

Despite this colorful cast of historic characters, and despite Tunzelmann’s interest in their motives, the personal stories and portraits remain a tool for telling the bigger story and painting the historical picture of Britain, India, and Pakistan. This book is not court reporting, but serious, yet eminently readable historical work.

Don’t start “Indian Summer” if you have other plans for the day. It’s near impossible to put down.

William Gibson, Spook Country

I got William Gibson’s Spook Country at 20% off, in Palo Alto, in the middle of a recent business trip. It provided good entertainment when, later on during that trip, seat pitch was too tight to even open a laptop.

The story that Gibson tells in this book is a fun tale of intricate, expensive, and illegal pranks, spiced with technology, pop culture, politics, and geotagging taken to the extreme (“locative art”). It’s an entertaining story well-told.

Gibson knows enough about today’s technology (and is a good enough writer) to get away with talking a lot about MacGuffins without making me wince. Unfortunately, however, his prose is ridden with trademark and technology babble: The security guard has one ear Bluetoothed. Hollis hauls around her PowerBook. Tito is told to escape through the restaurant of the W. Bobby doesn’t bother to WEP his wi-fi. The cool characters fly Virgin. While all that is preferable to Stephenson’s sometimes ridiculous name obfuscation in Cryptonomicon (“Finux”, anyone?), it’s still annoying this reader. As Joe Gregor puts it, it’s like a year of boing-boing, with a plot.

I’d have preferred the plot with a somewhat smaller dose of boing-boing, I guess.

Douglas Adams, Last Chance To See

Last Chance to See by Douglas Adams and Mark Carwardine is an extensive late-1980s trip report: Adams and Carwardine traveled around the world to find species that were about to be extinct, and the people trying to preserve them.

The book is a snapshot of the late 1980s, and interesting alone for the things that have changed (or not!) since then. Consider a Shanghai whose soundtrack consists of Richard Clayderman mixed with bicycle bells (as opposed to Volkswagen clones’ horns, and construction noise — but even that was 5 years ago), at a time when the Baiji is the subject of conservation efforts further up the river, and a favorite local brand for all things from beer to hotels (to fund the conservation effort). Today, the Baiji is functionally extinct, and the conservation efforts focus on the finless porpoise which is only mentioned in passing in “Last Chance to See.”

Consider New Zealand’s obsession with clean shoes at immigration (no change there as of last year), and the threatened Kakapo — a species whose entire population is indeed catalogued on Wikipedia, by name; yet, that population has actually doubled since the book was written.

Adams was a master story teller. The stories he tells here — many of them hilarious, despite the sad subject matter — are worth being read and remembered.

Hello ICANN, please meet John Doe from Antarctica

I was checking out the ICANN Meetings page and noticed that they’ve recently added an “ICANN meetings update” mailing list, with a pretty prominent form for subscription.

Of course, just an e-mail address isn’t enough for ICANN: Mandatory information for subscribing to the list includes name and company; they also ask for the country. The subscription form claims that “ICANN will not sell or make available any of your information to a third-party without your consent” — however, the list is actually hosted at Constant Contact, an e-mail marketing company. Of course, no indication is given for what purpose the name, company, and country information will be processed, and what Constant Contact (not ICANN!) will do with the information.

Somehow, it’s fitting that the organization that’s been dragging along WHOIS policy making for ages behaves that cluelessly when it comes to dealing with community members’ data protection.