Friday, January 23, 2009

World Economy Crash

These days you might be willing to be anything but a bank, or at least stay as far away as possible from anything that even remotely looks like money. The world is in bad shape as it is, with the credit crunch and the recession taking their toll, but I am noticing a rise in bad tidings as well.

Security Plan leak

Today's latest news is that the security plans for the renovated Dutch Ministry of Finance were accidentally thrown out with the garbage in December. The plans contain checklists of camera positions and many more details. (source)

Credit Leak

Earlier this week, on Tuesday, Ars Technica reported that millions of US credit card details may have fallen into the wrong hands.

...payment processor Heartland Payment Systems has potentially leaked up to 100 million credit and debit accounts into the black market. That number, if verified, would make this the largest data breach on record. It also means the United States has managed to set two national records in the same day. Guess which one folks are paying attention to? Awful convenient, that.

The giant leak may have been the result of a malware infestation, but according to the Ars Technica report, Heartland doesn't really know what happened. That's hopeful (not!)

Russians launching attack on Dutch Internet Banking System

Another troublesome news item, last Monday, reported that the Russians are planning an attack on the Dutch Internet banking system.

According to the article, Russian gangs are increasing their activity in the Netherlands and other European countries, says Ultrascan, a financial research institute.

Ultrascan says the criminals are looking for ways to hack the banks' systems, are already probing the ABN Amro Wincor Nixdorf cash registers, are installing skimming software all over Europe, and have developed software to launch an all-out attack on Internet banking. According to the research institute the current operations appear to be unprecedented, and it urges banks to take precautionary measures.

Amidst a credit crunch and a recession in which we see thousands of jobs disappear and billions of dollars evaporate due to bad banking, it is extremely sad to see leaks and security breaches on top of that. Our money is melting fast, too fast for some to handle. Maybe it's time to reconsider the gold standard?


Friday, January 09, 2009

Crazy little thing called Privacy (1)

Privacy is such a crazy little thing. We love it, we ache for it at times, yet we throw it away like garbage every day on the internet.

To most people it has become clear that the internet isn't a sunny, worry-free day at the beach. In the past year we've all read the stories about identity theft, complete identities with credit cards to go with them for sale for a few bucks in Russia, and what have you.

Most of these stories we quickly forget, and the ones that cling to us are the tales about children getting framed and abused through chatrooms. Mostly the discussion afterwards centers on how we need to teach our kids to be careful on the internet, which is fine, but not good enough.

I posed the following thought on LinkedIn a few months back to ponder this idea:

"The failure of maintaining a shred of privacy is not the carelessness of the internet-generation. Primarily it is the ignorance of pre-internet generations failing to guide teenagers growing up with the net and secondly a flaw in the design of the internet"

It led to a number of interesting reactions:

Interesting concept. The internet, like any consumable product, should come with a warning label "caveat emptor", but it doesn't. The pre-internet generation (the bulk of my end user community) don't generally comprehend the basics of internet use, much less the imminent security concerns with using this public domain. They can't teach their children what they don't know, but I do have to believe that any generation would choose to protect their offspring to the best of their ability. Going forward from here, the watchful eye of a parent certainly should be on minors using the internet, and there are enough support and information tools out there to guide the less internet savvy.

Secondly, to comment on a flawed design of the internet - I have to revert back to the original intent of the internet being to provide a highly secure network for Government and use only. In designing that infrastructure it would be unreasonable to have thought that the internet would become so readily available. Clearly, the internet was never planned to grow as it has (as noted with the consumption of IP addresses leading to the IPv6 addressing plans). Perhaps flawed may not be the right word - outgrown may be better.

Liz Dowie Manager - Information Management Systems

In summary, the majority of organisations have been aware of the privacy issue for years but have taken the hard-nosed decision that it is not a priority. Even in states where there is a formal system of laws and regulations requiring adequate security, such regulations are routinely ignored and data security is compromised. I fear there is no likely change in this reality in the foreseeable future.

David Marshal Legal Consultant

The reduction in privacy in today's world (and not just on the internet) is happening because...

  • most people have no realistic idea of the degree to which it is happening and only the faintest grasp (if any!) of the technologies that make this possible.
  • in the past privacy of information was often the "default" state simply because it was too hard to do otherwise (compare and contrast the problem of opening, reading, re-sealing and forwarding millions of letters with the ease of storing and data mining hundreds of millions of e-mails)
  • too many people believe in the fallacious "if you have nothing to hide, you have nothing to fear" argument

It's not a design flaw in the internet. Technologies exist to protect much about you when surfing (Tor Project, cookie management software, etc.) and strong encryption for e-mail has been around forever - just that hardly anyone bothers to use it.

Teaching children to act prudently on the internet is simply an extension of decent parenting into the modern world. And, as another has observed, the "risks" they face because of the internet are often as nothing compared with other risks they face and, I believe, often grossly exaggerated.

David Dingley IT Consultant

If communication passes from one place to another, and some part of that communication is neither protected (e.g. via encryption) nor destroyed (e.g. stored in a log), the privacy of the communicators is dependent only on the ethical integrity of both ends. When one end is a company, privacy depends on the integrity of every current and former employee at that company who has/had access to the data.

Since the Internet was not designed to hide the source or recipient of a network packet (i.e. via TCP/IP), this information is very difficult to obscure without a long series of trusted network proxies.

Sadly, most products - Internet or otherwise - that involve some level of communication are not designed with the privacy of the communicators in mind. This is true of everything from messages sent between national leaders in the ancient world to the original telegraph to the modern Internet. After all, communication is pointless if you don't know who you're communicating with.

As for teenagers on the web, most modern "social" websites encourage listing of personal information. After all, I can't "friend" you on MySpace or Facebook unless I know your real name, or at least your email address. Teenagers are usually aware that there will be some loss of privacy upon signing up for these services, but either accept the risk or do not recognize it exists. To their credit, these services do a decent job protecting those who do not want to be found. Hiding somebody who wants to be found, while still allowing them to be found by those who legitimately should find them is a difficult problem.

The use of aliases, which ensures some level of privacy via Instant Messenger, represents a severe hindrance to any real social networking. This would be analogous to you and all of your adult friends going to a bar, wearing black hooded robes and voice manipulators, and then referring to yourself only by ever-changing code names.

Devin Rosenbauer Software Engineer

There is privacy on the Internet depending on the choices you make. In most cases an online transaction, be it purchasing something online, joining a social network or sending emails, has privacy as an element of that transaction. In order to buy those goods you surrender your privacy surrounding your personal details to receive those goods; you also probably use a credit card, which means that your transactions are noted by your credit card issuer; and finally sites may keep track of your activity to suggest recommended goods on your next visit.

This is no different from the physical world where you purchase items by credit card and perhaps use a loyalty card in the store. Joining a social network, e.g. Linkedin, also has its privacy transaction costs. You want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs, meet friends in public places where you also trade part of your privacy to take part in the group.

Some will argue that governments' monitoring of Internet usage etc. is a breach of privacy, e.g. the EU Data Retention Directive, and that your ISP knows all your activity from their system logs, e.g. the recent Phorm controversy in the UK.

This is true, but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums. You can control your privacy on the web; the question needs to be asked, at what cost?

Brian Honan CERT Team head

(All respondents agreed to be named in this article)

As I realize this piece is getting longer than anyone wants to read on the internet, I'll go into these responses in follow-up posts. I also would like to dig into the phenomenon of lifebloggers like iJustine, who have a near 24/7 internet presence, and what impact that has on privacy.

Meanwhile, I'd like to invite you to comment and add your thoughts on Privacy on the internet.


Friday, January 02, 2009

How to crack online banking

It's time to check your bank if you are banking online. With a bit of bad luck, it isn't safe anymore. Last week I ran into an article in the Dutch tech magazine Emerce on a security breach in SSL.

SSL Certificate Security Breach

To most people, SSL sounds like a privacy guarantee on the web. Sites like webshops and banks have a secure connection to the internet and have an SSL certificate issued by a CA (Certification Authority) like Verisign or DigiNotar. However, a team of researchers from the Dutch University of Eindhoven, the CWI (Center of Mathematics and Computer Science), EPFL in Switzerland and independent researchers from California have discovered how to crack the code. They discovered

...that one of the standard cryptographic algorithms, which is used to check digital certificates, is subject to abuse. The algorithm in question is the MD5 algorithm. Malicious persons may create a file with a digital signature which is trusted by all major web browsers. The researchers achieved this using advanced mathematics and a cluster of more than two hundred game computers.


The researchers discovered the security breach which, in combination with the known Kaminsky vulnerability in the Domain Name System (DNS), can make it difficult to detect phishing attacks.

Crunching Fortis all the way.

In short, if your bank uses an MD5-based SSL certificate, your privacy may be compromised. A quick survey of the methods used by Dutch banks shows that most of them already use the SHA family of hash algorithms. One of the few exceptions is the troubled Fortis Bank. Fortis has been going through a lot of bad weather ever since it acquired (part of) the ABN Amro bank. They were the first Dutch bank to get in trouble due to the credit crunch, and the Dutch and Belgian parts have been separated, the Dutch part being taken over by the Dutch Government. They also had to settle for nearly a billion dollars in the Dutch mortgage scandal and also lost about a billion in the Madoff fraud.

MD5 and SHA algorithms

To most of the digitally educated it has been clear for some time that MD5 hashing of passwords, for instance, is no longer best practice on the web, and they have moved over to the more secure SHA-2 and the upcoming SHA-3 hash algorithms.
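To check which algorithm signed a certificate, here is a small stdlib-only Python reader, added here as an example and not part of the original post or of the researchers' work. It parses the outer signatureAlgorithm field of a DER-encoded X.509 certificate (RFC 5280) and flags md5WithRSAEncryption; the sample certificates it builds are constructed stand-ins rather than real ones, and because the 2008 attack forged a CA-signed certificate, the check matters for every certificate in a chain, not only the server's own.

```python
"""Added example (not from the original post): read the signatureAlgorithm
OID out of a DER-encoded X.509 certificate and flag MD5-based signatures.
Stdlib only; it reports the algorithm, it does not verify the signature."""

# Dotted OIDs of the common RSA signature algorithms (RFC 3279 / RFC 4055).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
MD5_OIDS = {"1.2.840.113549.1.1.4"}

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OID content bytes to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm (RFC 5280 section 4.1):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def uses_md5(cert_der):
    """True when the certificate was signed with an MD5-based algorithm."""
    return signature_algorithm(cert_der) in MD5_OIDS

# --- constructed test material below: certificate-shaped DER, not real certs ---

def _der(tag, content):
    """Minimal DER TLV encoder (lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def _encode_oid(dotted):
    """Encode a dotted OID into DER content bytes (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return out

def make_sample_cert(sig_oid):
    """Constructed sample: the three-part Certificate layout with a dummy body."""
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + _der(0x13, b"constructed sample"))
    sig = _der(0x03, b"\x00" + b"\xAA" * 200)  # BIT STRING; forces a long-form length
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        cert = make_sample_cert(oid)
        name = SIGNATURE_OIDS.get(signature_algorithm(cert), "unknown")
        print(f"{name:24s} md5-based={uses_md5(cert)}")
```

To run it against a real certificate, pass the raw DER bytes of the file to `signature_algorithm`; for a PEM file, base64-decode the body between the BEGIN and END lines first.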

  • Read the original Emerce article in Dutch here.
  • Read the Google translation here.


Thursday, December 11, 2008

Personal Data Expiry

Today the Dutch technology magazine Emerce published an interesting article on privacy and the expiration date of personal data:

It's time for marketers, banks and other institutions to consider the disposal of personal data, says Tom Kok of the DDMA. According to Tom, not all collected data is always needed to serve customers.

"There must be a principal discussion about the clearance and clean up of databases. Actually I prefer talking about a clean up duty. That discussion is not limited to one single sector, such as Direct Marketing but across multiple sectors."

This was said by Tom Kok, former CEO of the Dutch insurance company FBTO and former D66 party chairman, in an interview with Emerce. Currently he is the chairman of the DM-DDMA organisation.

Read the Google translation of the full article here, or the original Dutch version here.

The DDMA is a Dutch direct-marketing industry organisation, which also launched a new privacy code recently, effective January 2009. I think this is a very important issue. We leave tons of personal data all over the web, often without thinking, or without remembering. These bits and pieces can be pieced together quite easily and lead to identity theft.

Just recently I was confronted with this issue when I received an update from Fortune City, where I registered an account in the early 90's. I haven't used that account since 2001, but they still have my data and just recently sent me an email to keep their records up to date.

The same goes for domain registration. I received an email earlier this month from a US-based registration company with an offer to renew a domain registration. The specific domain name was registered by me in 1997, when I was thinking of setting up a business directory on the internet, and I ended the registration in 2000. I registered with a completely different company, here in the Netherlands, but the email I received this month contained my full address and all sorts of personal details. Okay, they didn't know I had moved, and I sure as hell didn't tell them, but it's been over 8 years, and still my personal data lurks in dark database corners across the ocean.

It doesn't take an expert in computer forensics or information security to piece things together and sell your identity for a couple of bucks on a Russian site. So first and foremost, think about where you leave your private data when signing up. Secondly, the industry needs to take a first step and clean up obsolete data a lot sooner than after 8 years. Eventually, though, a whole new concept of identity management needs to be applied to the internet and online identities.


Saturday, October 04, 2008

Enterprise mode? Why Bother?

After I heard 3Di is releasing an Enterprise version of OpenSim, I read up on a couple of blog posts about getting the virtual workspace ready for business to prep my blog post on 3Di (previous post). Most of these blog posts (including my own ramblings about making things fit for business) are very serious about this, with all sorts of tea-circles and self-help-group-like things like the Interoperability Forum and groups like Professional Second Lifers, Virtual World Roadmap and Association of Virtual Worlds on LinkedIn, and so on.

Don't get me wrong here. Virtual Worlds need serious pondering to make them fit for business. Companies do need privacy in certain areas. Think of what would happen if you could walk in on, or eavesdrop on, a session between a bank and a wealthy customer on how to invest his money. But every once in a while it would be good to take a step back, look at what you're doing and have a good laugh. Raph Koster did a very nice blog post in which he wonders why we would have Enterprise VW's. Here are some quotes:

Enterprise VW's - do they suck ?

Second Life technology continues its slow move towards being an enterprise solution with the announcement that the SL-derived OpenSim project is getting commercialized by 3Di. Enterprise was a big buzzword this year at the Virtual Worlds conf in Hollywood. (Of course, in the midst of it, someone had to ask “what is enterprise anyway?” It means “selling VWs to businesses”). The penny has also dropped for some users that SL itself seems to be trending in this direction — as Tateru Nino writes on Massively,

When you look at the hiring of Tom Hale, the ongoing hiring of enterprise sales and marketing staff, and the licensing of the Immersive Workspaces product from Rivers Run Red, this all seems to signal a clear direction for where Linden Lab is taking Second Life. Clearer than anything else we’ve seen in a year, certainly.

Of course, we have also seen Forterra and their OLIVE platform (derived originally from the codebase) continue to focus on this area over several years, with particular success in work for the military.


"So, no, the dream isn’t dead. Consumer virtual worlds are still coming on strong, despite the focus on enterprise lately. It may be that part of the reason why these slightly older worlds and platforms are having to shift is that they are simply the wrong design for the consumer space, and the future belongs to stuff that looks more like Lively, Whirled, SmallWorlds, Vivaty, and yes, Metaplace. I sure hope so, because the very different architecture choices made there can grow back to the big immersive experiences, but I am unsure that the big architectures can shrink down to the smaller needs of the ordinary person."

read the full article


3Di moves OpenSIM into Enterprise mode

Last year many of us thought that Second Life would be the virtual Valhalla for companies to conduct business. Yet over the past year, we've seen that in many cases a public, open world does not work out for businesses. ABN Amro was among the first to acknowledge that they needed more privacy with their customers and went to Active Worlds. Meanwhile IBM has been working on getting Second Life fit for business and made successful attempts to get Second Life running behind a firewall. A parallel track has been the development of OpenSim, a reverse-engineered open source version of Second Life.

Regarding the OpenSim project, 3Di, a Japanese subsidiary of the NGI Group, announced yesterday that they will be releasing an Enterprise version of OpenSim. Based upon 3Di technology, it is a reworked and extended version of OpenSim, prepped with additional tools and support under the name 3Di Opensim Standard.

Virtual World News has the following thoughts on this special Enterprise version:

"There's already been significant development on OpenSim, on both a consumer level and, as in IBM's integration with Lotus Sametime, for business. OpenSim itself is available as server software, so I'm interested to see what 3Di's model is to set its own software apart. Either way, I look at the commercialization of OpenSim as a pretty big step towards adoption.

It seems like 3Di's target audience is "corporations and academic institutions" looking to create their own virtual worlds. Possible use cases cited include real estate showrooms, education, and offices for collaboration. All of that would be much simpler with the browser-based interface 3Di is developing, but, as a feature, that's shared with all OpenSim worlds and, eventually, other platforms as well. It's not unique, but the upside of that is that it should help build an install base." (read more)

Massively provides a few tech specs for 3Di Opensim Standard:

3Di Opensim Standard version 1.0 runs on Windows Server 2003 or Red Hat Enterprise Linux 5 (with Mono support). Requirements include a dual-core 2Ghz processor or better, 4GB of RAM and 10GB of hard-drive space. Standard Second Life (or compatible) viewer software is required to connect to and use the virtual environment.

3Di Opensim Standard appears to go for a little under $5,000USD.

More info is hard to find as 3Di operates a fully Japanese website, illegible to us US and European bloggers.


Tuesday, March 25, 2008

Wipro Innovation = Redundancy?

Today's last expedition led me to the Wipro Innovation Isle (I guess they'd love to abbreviate it to Wii - but that one's already taken in SL). For people working in IT services it is a well-known name, as it is one of India's giants when it comes to IT services.

"Wipro Tech is an information technology service company established in India in 1980. It is the global IT services arm of Wipro Limited (in operation since 1945, incorporated 1946). It is headquartered in Bangalore and is the third largest IT services company in India. It has more than 79,832 employees as of December 2007, including its business process outsourcing (BPO) arm which it acquired in 2002. Wipro Technologies has over 300 customers across U.S., Europe and Japan including 50 of the Fortune 500 companies." (Wikipedia)

Near the end of 2007 there was speculation that Wipro Technologies was considering taking over Capgemini, and thus Sogeti as well, but in the end it was a no-show. The corporate website puts the focus on 'applied innovation':

"At Wipro we have fine-tuned the science of viewing innovation through the lens of practicality to design unique solutions for end customers. Applied Innovation is the ability to infuse newer ideas and newer ways of doing things into all parts of the organization, and improve business outcomes, often without major disruptive change. It is a 360-degree business approach covering process, delivery, business and technology Innovations that help Wipro to work collaboratively with clients for cost take-outs, speed to market and new business opportunities."

It is this theme that is the starting point for the Wipro presence in Second Life, which looks to be in the first stage of the experiment. It is a 3-sim cluster, of which only one is fully built, one holds only an expo stand, and one is empty.

Applied Innovation is the ability to infuse newer ideas and newer ways of doing things into all parts of the organization, and I can well imagine this applies to their Second Life expedition as well. I do believe we have to bring Virtual Worlds (newer ways) beyond the average marketing department (i.e. into all parts of the organization). The question remains how to do this.

Let's see if Wipro can bring the answer. The sim is filled with an assorted array of buildings, with two larger builds standing out. The first of these is the 'Learning Center' and is shaped a little like the Sydney Opera House (not really, but you can see which building I'm referring to).

Please reread the lines on the triple sim: "One built, one half built, one empty." This is pretty much the case with the Learning Center as well. It holds two auditoria, and right outside there's an amphitheater. Also, on the second level it has several empty office rooms.

Further on the campus we see various buildings, like a 'Client Engagement' building, a library and a datacenter, each filled with several workstations / cubicles.

Finally I arrived at the second large building, a four-storey square concrete office block which looked a little cramped when I walked into the hall and up the staircase. It made me wonder how much of the build is actually shaped like their real-life offices... This building is labelled 'Offshore Development Center', and that is what interests me: what would bring innovation to the virtual workspace.

I was a little disappointed, though, when there were just more rooms with workstations, and more and more. But no show. One of the great benefits I see for Virtual Worlds is what they potentially can do for the offshoring industry, as offshoring projects often require a lot of attention: extra management, extra communication, extra code checking, etcetera. A virtual workspace where you can collaborate while in both the offshore and the rightshore location would greatly aid this process.

Yet I'm fully aware of the limitations Second Life has in this regard. There's no real integration with development suites or management tools. Then there's always the issue of security. I can't really blame Wipro for not finding the solution for Second Life, but I had hoped for more info, more ideas.

The last redundancy in the sim was when I moved from the canteen inside the ODC to 'the Glacier', a cafe on the campus.

As for the build itself, I find it of average quality. It is a melee of textures (a lot of default SL texturing) and styles. As I said, I'm under the impression that part of it is based upon real-life buildings, so maybe they had to work with what they had. Otherwise, I'd say the triple auditorium, the cramped staircases, etcetera don't really utilise the 3D-ness of a virtual environment.



Monday, March 10, 2008

New HOAP for Second Life

I had lost a little faith in Second Life, but there's new hope coming about when it comes to Second Life being a serious tool for business: HTML-On-A-Prim.

Gwyneth Llewelyn wrote an excellent article on this new feature and its implications; here's a short extract:

"A few months ago - not many in terms of “real life” hours, but an eternity in Second Life® - a brief discussion with Linden Lab exposed the rumour that they were planning to integrate an HTML browser inside the Second Life application client. This is not a revolutionary breakthrough - things like ActiveWorlds or OpenCroquet have done it ages ago, and the world did not shatter and end at that time.

Some eager residents of SL were happy about the idea. At the very least, you would be able to exchange notecards with “rich text”. Perhaps even have a way to browse a bit while in-world - no more need to open up your browser to check the Help pages, do some forum posting, or even insert events directly from in-world.

On a second stage (according to Linden Lab®), HTML may be directly drawn on top of a prim face. This would mean, for starters, a way to get outside information on top of a 3D world. Older platforms already allow for this usage of HTML. Things like proper text management on top of a prim are finally possible - books, slide-show presenters, coreboards, even clothes vendors, will be able to get away with textures for writing text, and use HTML-rendered text instead.

The third stage is full integration. Prims with HTML pages (and LL is still thinking on how this will happen) will be point-and-click browseable. Neither we nor Linden Lab have yet figured out how exactly this will be implemented..."

HTML on a Prim boosts options for virtual workspace

Although the features at this time are pretty basic, this has brought Second Life back into focus for me as a possible platform for serious collaboration. My frustration with SL was mainly caused by the lack of real collaboration possibilities.

What it all boils down to is that you rez a prim and put a webpage on it. Now you can look at a webpage with others. Nothing spectacular, but it gets more serious when you can look at secure webpages. I've done some tests with a colleague displaying secure content. Through the built-in media browser you can access and log into secure sites, then use the option to 'send current URL to parcel', and it will set itself as the parcel media URL and display on the screen. Your fellow observer won't see the webpage unless he's logged in as well. Today we started working through some of our project tools (like JIRA) in which we can monitor our projects.

It works. We could both look at 'classified content' and discuss the status of a project, manage service calls and have a look at the time budgets for the project at hand. At the end there was one question nagging me: Security? Anyone?

The thing is, Second Life doesn't have the reputation of being a safe and sound business environment (remember ABN is partly moving to Active Worlds because they need a secure environment). What happens to my username and password when I enter this info in the built-in browser?

A Quick HOWTO:

Maybe it's me, but it took me some time to figure out how it worked. And because there's a little bug (it can crash your sim) I thought I'd do you the favour of a quick 'howto'.

The feature only works with the new Release Candidate 1.19.1 client (March 6th). There are a few new features that are obvious - such as the extra media tab next to the talk settings - and some little settings to tweak in the 'Preferences' section.

The basic element for displaying web content is in the estate management settings, the 'About Land' configuration, where you have the option to set the media URL for the parcel. The downside is that you can only set one URL per parcel. Remember to select the texture that will be used on the prims to display the content as well. If you're working behind a firewall or proxy, you now have the option to set proxy settings as well in the preferences section (pic right).

Then build the prim and select the desired texture (in this case the new *default media texture) corresponding to the texture set in the media options in the previous step. Then go to the general tab and select prim properties. Where you used to have buy, open and sit options, there are now two extras: Open Media Content and Play Media Content.
