Security Usability Workshop


I’m in New York, co-chairing the W3C Workshop on Transparency and Usability of Web Authentication. Quite a lot of interesting discussion so far; we’ll have minutes and a report shortly after the workshop. Phill Hallam-Baker is sitting across the aisle, and blogging in more detail than I can.

Incidentally, the view from the workshop location is marvellous.

Two-factor authentication gone wrong


My bank has gotten two-factor authentication badly wrong: In a move to have “what you know” and “what you get”, they’ve introduced “TAN cards”. These cards have a login and a 12 letter code printed on them. For each login, you need to type in three randomly chosen letters. In addition to that, you have to enter a password; this is also used to confirm every single transaction.

Leaving aside the fact that nothing in these “TAN” cards is transaction-specific, the “system” is topped by demanding that the password is at least 10 characters long, and high-entropy — and that is even enforced.

The result? Pretty much nobody can memorize a high-entropy password with 10 letters reliably. Hence, the system degenerates into two times “what you have.”

Remember: If you want to do “what you know” style authentication, make the shared secret something that people *can* know.

4500 words? you ought to be kidding.


The GPLv3 draft analysis at newsforge kind of proudly proclaims that the GPLv3 draft has 4500 words, when GPLv2 was less than 3,000. That means there’s 50% more legalese to understand for the non-lawyers who deal with open source software.

I’m not a lawyer. I’m a fan of concise and understandable legal text. I have seen the confusions that GPLv2 creates: For instance, Debian felt they were unable to distribute a version of mutt that was dynamically (!) linked against an OpenSSL library that was licensed under an advertising-encumbered BSD style license. (The success of dynamic linking depends on two libraries having precisely the same ABI. Theoretically, it’s possible to build an unencumbered library with the same interface. Hence, the SSL library was part of the system context that mutt expected, nothing more, nothing less.)

But a new GPL with 4500 words and a hard to understand DRM clause makes me extremely nervous. It makes it ever more tempting to go for a concise BSD style license instead – but then again, the “virality” of the GPL is a good thing.

Open Standards


The FLOSSpols project deals with policy aspects of free / open source software.

The project has recently published a new deliverable, An Economic Basis for Open Standards, in which they define the openness of a standard relative to the market in which implementors of that standard compete:

Open standards: a natural monopoly arises (de facto) or a monopoly is defined and agreed upon (de jure) in a technology, but the monopoly in the technology is accompanied by full competition in the market for products and services based on the technology, with no a priori advantage based on the ownership of the rights for the rights holder.

This notion is then applied to the GSM market (with high costs of market entry) and the word processing market (where a proprietary product is dominant, and the most relevant competitor is open source). These differences between the two markets then lead to different notions of what “openness” means for a standard in either of these markets.

In another part of the document, some immensely useful and reasonable requirements for public procurement are derived from this economic analysis.

Overall, this deliverable is a good example of the power of economic thinking, and well worth reading.

“Promoting Public Confidence”


Some call it security theater. Others talk about “promoting public confidence.”

From a Scientific American article about an eventual flu pandemic:

Screening incoming travelers for flu symptoms, for instance, “lacks proven health benefit,” the group concluded, although they acknowledged that countries might do it anyway to promote public confidence. Similarly, they were skeptical that public fever screening, fever hotlines or fever clinics would do much to slow the spread of the disease.

When do they compete on value?


This quote from the IHT hits the point:

One angry “customer reviewer” of Van Zant’s album put it another way on Amazon.com: “Boycott Sony!” he wrote. “It looks like it’s now safer to download pirated copies than to buy CDs!!”

The music labels are on an expensive quest to reduce the value that they offer for the money they are paid. Music that you can’t copy on (or off) your iPod. CDs that don’t work in your car. Costly mobile content that expires together with this year’s mobile device. CDs that hack or damage your computer.

The competition between labels and black market downloads is no longer just about price: It’s about the value offered. When downloads are universally useful (by just being MP3s), safer than CDs bought in the shop, and less of a hassle than walking to a shop or using a legal download service — where’s the value proposition that should drive customers to get music through legal channels?

Phishing by Phax


The most fascinating phishing message in a long time is aimed at Barclays’ customers. It’s remarkable for moving away from fake web pages: Instead, it squats on the UK 870 area code phone numbers used by Barclays by trying to convince recipients to fax a ton of personal information to a country code 870 phone number — an Inmarsat fax number, it seems. The difference that you can spot is a single extra digit 0 in front of the fax number.

The fax form itself includes bullet points with good advice on how to avoid web-based phishing attacks.
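One defensive check that follows from the post, as an added example that is not part of the original: normalise the phone and fax numbers found in a message and tell apart a UK national 0870 number from the one-digit-longer 00 870 international form that reaches the Inmarsat satellite network. The message text and all numbers are constructed, and the helper names are mine; the only real facts used are that 00 is the UK international dialling prefix and 870 is the Inmarsat country code.

```python
import re

# Added example, not from the original post. Numbers below are constructed.
INMARSAT_CC = "870"      # Inmarsat satellite country code
UK_INTL_PREFIX = "00"    # international dialling prefix from a UK line

# A run of digits (optionally starting with '+'), with spaces or dashes
# between groups, as numbers are usually typeset in letters and faxes.
NUMBER_RE = re.compile(r"\+?\d(?:[\d \-]*\d)")

def normalise(number: str) -> str:
    """Keep a leading '+', drop every other non-digit character."""
    plus = number.lstrip().startswith("+")
    return ("+" if plus else "") + re.sub(r"\D", "", number)

def is_uk_0870(number: str) -> bool:
    """UK national non-geographic 0870 number, as dialled within the UK."""
    n = normalise(number)
    return n.startswith("0870") and not n.startswith(UK_INTL_PREFIX)

def terminates_at_inmarsat(number: str) -> bool:
    """True when dialling this number from the UK reaches country code 870,
    i.e. the '+870 ...' or '00 870 ...' form, one leading 0 longer than 0870."""
    n = normalise(number)
    if n.startswith("+"):
        return n[1:].startswith(INMARSAT_CC)
    if n.startswith(UK_INTL_PREFIX):
        return n[len(UK_INTL_PREFIX):].startswith(INMARSAT_CC)
    return False

def flag_fax_numbers(message: str) -> list:
    """Classify every number-like token in a message, so a mail filter can
    flag 'UK bank' mail that asks for faxes to a satellite number."""
    findings = []
    for m in NUMBER_RE.finditer(message):
        raw = m.group(0)
        if len(normalise(raw).lstrip("+")) < 10:
            continue  # too short for a full UK or international number
        findings.append({"number": raw,
                         "uk_0870": is_uk_0870(raw),
                         "inmarsat": terminates_at_inmarsat(raw)})
    return findings

# Constructed sample: the lookalike pair differs only in the leading zero.
SAMPLE = ("Dear customer, please complete the attached form and fax it to our "
          "verification department on 00870 776 123 456. Our genuine customer "
          "line remains 0870 776 123 456 (both numbers are constructed).")
```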

navigator.platform.override


klm.sucks (despite being half of my preferred airline these days) has launched a new web site which is so heavy on JavaScript that it doesn’t even accept known browsers (Firefox) on unknown platforms (Linux). The solution: Set the configuration variable general.platform.override to the string Windows, and things will work. Of course, all this is, actually, entirely unnecessary.

ObW3CLink: Device Independence

Memo to self: The best backups are public web pages.


So my T43 lost its partition table upon reboot, again. It took me too long to find the note where I had jotted it down; next time, it’ll be easier to just search here.

sda1   1 ... 13
sda2  14 ... 4864

The recipe is to re-boot the machine from the rescue DVD and use fdisk to write a new partition table. Reboot in rescue mode, let the rescue system mount the “old” system, chroot into it, run grub-install /dev/sda. Reboot again.

(Yes, that can be done more elegantly, but I don’t want to remember all the lvm commands.)

Installing Windows on a Thinkpad


… required a FreeDOS boot in between: I had that Thinkpad R40 sitting in a corner, with Windows XP installation media hidden in that protected IBM recovery partition, and with no particular reason to preserve the Linux installation that sits on that machine. So I decided to push the blue “Access IBM” button and tell the machine to re-install itself to factory settings.

Interestingly, that left me with a system that still had remains of GRUB sitting in its MBR, and wouldn’t boot. Amazingly, the IBM startup menu seems to offer no way to do a simple FDISK /MBR. (It also doesn’t seem to offer the option to erase any existing data partitions — such as my Linux installation.) I ended up typing that command into a FreeDOS command line interpreter; after that, Windows would boot like a charm.

Yes, the recovery mechanism is nice. But it wouldn’t have been very useful in, say, a hotel room without Internet connectivity and another machine to burn that boot CD.