Brothers in Arms demo
Despite getting to my “daily reads” more or less daily, there hasn’t been a lot to post about recently. However, the Brothers in Arms demo should be worth a peek for those of you who don’t have the full version.
The Japanese retail bank Sumitomo Mitsui has disclosed that it has successfully thwarted an attempt to steal US$424m through an unidentified “hacking” method that somehow involved the use of keystroke loggers on computers at its European sites. (No specific information has been disclosed due to the ongoing investigation.)
There are some fascinating implications to this news story. The concept of the “for profit” hacker (which has long been a reality, albeit much less glamorously than Hollywood and speculative fiction would have you believe) getting mainstream press is actually quite novel. If keystroke loggers were indeed used, then it’s somewhat inconceivable that they could have been of the software variety. This presents us with the upside-down reality that it was easier to install rogue hardware on the bank’s premises than to penetrate their network remotely. Even 5 years ago, to think that a bank’s physical security was a “softer” target than its information security would have been absurd - but in an age of contractors, outsourcing, and wide-reaching partnerships, faces come and go. In such an environment, it’s completely plausible that “social engineering” - the hacker’s euphemism for con-artistry augmented by technology - almost walked away with hundreds of millions of dollars.
What’s really interesting to me, though, is Sumitomo’s choice to disclose the attempted crime. Sure, there were no financial losses whatsoever - the attempted theft was a complete failure - but why talk about a vulnerability even if it wasn’t exploited?
Some “experts” have suggested that the bank’s choice to go public is an attempt to draw out other conspirators, but that seems nonsensical to me. I am not a criminal, but I do know something of investigative technique and I would think that every news channel in the free world broadcasting news of my partner-in-crime’s arrest (yet no details about me personally) would probably drive me further underground, not out into the light of day.
I would also disagree that the move is intended to intimidate the thieves at large from trying to collect their shares. Risk management in the financial sector - especially for retail banks, where individual consumers are likely to be more emotional than logical about the safety and privacy of their life savings - is generally not discussed in public, for fear of spooking the consumers. The dirty little secret here is that huge - staggeringly huge - sums of money are planned to be lost each year. From offering customers credit card fraud indemnity to the good old-fashioned knocking off of armored cars in eastern Europe by criminal organizations, money loss is an expectation, not a fear. Some money is protected (when the cost to secure that money compares favorably to the chance the money will be lost, or when such protection is required to obtain reasonable insurance) and some is written off as a cost of doing business. That doesn’t mean anyone wants to lose money, of course - the more of the “planned loss” that’s safely in the coffers at the end of the fiscal period, the better the bottom line looks.
In other words, losing this kind of money for a bank of Sumitomo’s size would be vigorously pursued, but ultimately it’d be a matter of course - and who wants to have consumers associate their banking brand with “the guys who almost got hacked”? US$424m in extortion money seems like a small price to pay to avoid that stigma.
Sumitomo’s duty is to provide value to its stakeholders, so I also doubt their disclosure was out of some sense of social responsibility. In fact, better security/risk management can be a competitive advantage in the industry if you’re significantly better at keeping your money safe than your peers. Of course the security community is ecstatic that the disclosure was made, for reasons ranging from altruistic (i.e. people/institutions need to know that these kinds of threats exist and are almost omnipresent) to devious (i.e. childish glee from the paranoia and infamy). Either way, anyone peddling information security products or services stands to benefit.
So, after a great deal of pondering, I can’t figure out why this made it to the news… there must be more to the story than is being discussed publicly. An interesting item to watch, then…
If you use Firefox as your web browser - and you should - or you’d like to, then head on over to the official site and download Firefox v1.0.1, which adds some additional anti-phishing security. If you’re a current Firefox user, then you can install v1.0.1 right on top of your current version and it will keep all of your history, cookies, preferences, etc.
What should have been the biggest tech story of yesterday - that a Chinese research team has “broken” the SHA-1 hash algorithm repeatedly and in far fewer attempts than brute force would require - was overshadowed by an announcement of another kind: that Microsoft will release Internet Explorer 7 for WinXP before the next version of Windows ships.
The IE7 announcement link above leads to the official Internet Explorer weblog, on which comments are enabled. As you might expect, the comments for the IE7 announcement are both numerous and, in most cases, inane.
Since no new specific features/capabilities have been announced other than a desire to make web browsing more secure, you’ll find the comment thread littered with begging, pleading, and cajoling to get IE to finally support the things that all other browsers support - the full CSS standard. Alpha PNG support. Support for the application/xhtml+xml MIME type. You know, the usual suspects.
There’s also a great deal of Firefox/Apache/Apple/Open Source vs. Microsoft bickering. There’s plenty of stupidity on both sides of the fence and I’ve been around the block enough to know not to get sucked in by trolls. However, one argument is made by the pro-MS camp with such sincerity that I believe it to be the genuine thinking of Redmond’s loyalists. Unfortunately, it’s so utterly backward, it’s motivated me to write this inordinately long post.
The thinking, to the best of my understanding, goes like this - “standards are for the weak - Microsoft is out front innovating and pioneering the web experience with IE and .Net and if a few standards get mangled or ignored along the way, so be it. I’d rather see ‘gee whiz’ technology coming from MS than every standard from slow, irrelevant standards bodies catered to.”
The problem with this line of thinking (other than the fact that anyone who thinks .Net is a compelling technology compared to Java is mentally ill) is that it has to be motivated by a very, very narrow worldview - I’m thinking the “technology experts” who hold these beliefs do not have any practical experience with large companies and the way that global commerce takes place on a meaningful level. In a small-to-medium sized company, you’re more than likely focused on doing your thing and doing it well - trying to establish yourself as a player. You’ve got to be very focused, because if you don’t develop your differentiators then you can’t get your foot in the door, and if you don’t build relationships based on high-quality interactions with customers and partners, you can’t stay there. In this mode, buying into low-cost, proprietary software that can be supported by an abundant, cheap labor supply could not only work, it might even make sense - temporarily.
Once you’re in the game, though, there’s only two ways to increase profits - by growing revenue and by decreasing cost. Growing revenue can mean diversifying your product/service line and selling to your existing customer base, doing more of what you’re already doing, getting more customers, or some combination. Revenue growth isn’t easy, but reducing cost can be even harder - it requires innovation. It means finding ways to do the same thing faster and cheaper while maintaining a level of quality that doesn’t sink your relationships. This could be anything from automating tasks with technology to finding more efficient ways to interact with the people you buy from and sell to.
When you’re using technology to reduce cost and implement newer, better, faster business processes, you don’t want one hand tied behind your back. Maybe there’s an open-source piece of software that would be perfect for a new process you want to implement, or there’s a great piece of communications software that’s only available on a commercial Unix. Gosh, it’d be great if you could use the best tool for the job on a process-by-process basis and have all of those tools interoperate. If you’re using standards-based software, then you could… but no, you locked into a proprietary system way back when - and now you either have to engineer your business processes around your software’s capability (the tail wagging the dog, to be sure, but you’d be stunned to learn how much time/money Microsoft spends on trying to convince companies to do just this), spend a lot of money creating custom interfaces between your tools, or re-engineer everything to phase out your proprietary systems and bring in open standards. None of those options sounds particularly nice when the whole point was to think of newer, less expensive ways to do business.
Standards allow business leaders to use the best, most cost-effective tools available to support their business processes while minimizing the cost of integration. Standards are therefore essential within an enterprise for maximum cost efficiency.
Now let’s go one step further. Let’s say that there’s a very large company who wants to become your new biggest customer, and would like you to log in to their supplier extranet that’s powered by an xhtml+xml application. Oh wait, you’re using IE… never mind. Let me re-iterate: Buyers. Sellers. Relationships. There’s a whole commerce ecosystem out there, and the realities of 21st century business require you to acknowledge it. If you run your business in a vacuum, then it will begin to take on vacuum-like qualities - specifically, it will suck.
There is a whole web of partnerships and complex business arrangements among companies today, even more subtle than the Japanese keiretsu (think of it as a corporate street gang - imagine if General Electric, General Motors, IBM, Disney, and Coca-Cola got together and agreed not to compete with each other, cut each other sweetheart deals, and actively undermine each other’s competition - and you’ll get the idea). As loath as I am to use stupid buzzwords, today’s climate is more like “co-opetition”, where two companies may be close partners (or have a supplier/client relationship) in some areas yet be fierce competitors in others. These seemingly nonsensical relationships are all a part of the constant refinement which fuels global economic growth - the never-ending quest for lower cost and higher benefit. With all of these companies going through the IT and business process optimization mentioned above, global business is itself a system of heterogeneous systems that need to communicate with each other. Throw in governments (which outside the US are increasingly distrustful of proprietary systems) and industries like retail where direct customer interactions are important too, and you have a mind-boggling set of different technologies all trying to talk to each other, and the number of technologies that could benefit from interoperability is growing exponentially.
As a result, standards are the only sustainable way to facilitate the most cost-effective technology interactions between the greatest number of enterprises/individuals.
So to all you posters on the IE blog saying, “Just make neat stuff! Screw standards!”, be careful what you wish for. The further Microsoft arrogantly pursues a one-size-fits-all “lock-in” strategy (which not only denies the current or future possibility of business processes that aren’t well-supported by MS software but also turns a blind eye to potential business partners/customers that don’t use MS products), the more their customers will find themselves locked out… and then what would your MCSE be good for?
Extrasonic is now running Wordpress 1.5, with only a few minor problems/irritations…
• For some reason, the names of the link categories on the sidebar are enclosed in h2 tags, and they weren’t in WP1.2. This was undocumented, and therefore a dumb thing to do (although a brief hack of the css fixed it in short order).
• Word/line wrapping is broken, making long lines of text without whitespace bleed out of the columns they should be in. Maybe this was a problem in 1.2 also, but I am just noticing it now. Does anyone (CF?) have a solution to this? I saw some suggestions on the WP support forum but haven’t had time to go through them yet.
• Extrasonic has been in a half-finished state for quite some time (for example - category icons have been missing for 3 months), but what little effort I had made in customizing the comments pages has been lost. Note that I had not customized the wp-comments.php itself, just the stylesheet. I suspect this was due to more undocumented diddling with the tags used on the default comments page, so it’ll take me some time to reverse-engineer the new source and get the right tags in place.
I’m hoping that some of the problems I was experiencing with WP1.2 will be fixed - mostly around sending notification that my weblog has been updated and receiving notifications that other weblogs have been updated - and fortunately, when I get some time, the new theme system seems really nice. Now I just have to search ColdForged’s archives to figure out which plugins he’s using that I want to steal…
From the “if something sounds too good to be true…” department, something Jeff over at Gravity Lens would get a kick out of - respected scientist Ray Kurzweil predicts that not only will medical technology advance to the point where humans will be immortal, but that you should take care of yourself now because immortality will be achieved within 20 years.
It does make for an interesting sci-fi plot concept though - what if all your friends and family were going to live forever, but you weren’t going to join them because of your (inevitably lifestyle-induced) health problems that the state-of-the-art couldn’t repair before they were fatal?
An interesting* article about Google’s server infrastructure architecture; talks at a high-level (i.e. no “secret sauce” is revealed) about how their servers are organized, why they took this approach, and at an even higher level about the problems they have to deal with as a result (although, of course, no solutions to those problems are suggested). I would have loved to see more detail, of course, and had more networking and storage - particularly their custom filesystem, which is reportedly very innovative - discussed, but still a good read.
*To me: interesting. To most: dull.
I’m not a Luddite by any means (and I certainly don’t think of myself as the cranky old man who doesn’t “get it”). Still, I’m amazed by not only the rate of technology adoption, but also - and somewhat more impressively - how deeply embedded technology has become in younger markets’ lifestyles.
Case in point: this morning I found myself watching MTV for some reason. (I haven’t really been a fan of MTV since the early ’90s, but just go with me on this.) Confirming my “unhip” status, I’d never heard of the show that was on called Video Clash. While the videos were annoying - except for “Mr. Brightside” by The Killers, which I rather enjoyed - I was intrigued by the concept of a video show where viewers could vote on which of two videos gets played next, either via a web browser or by texting their vote in via mobile phone. I amused myself by imagining what kind of server and network infrastructure I’d design to support an application that tabulates and reports on votes from multiple protocol gateways, how “real-time” the vote percentages on screen were and what the tolerance for error was, and as one vote was narrowly decided after a come-from-behind win and another bounced from 51%-49% to 49%-51% and back again, what MTV might do to the numbers (including complete fabrication) to make each contest seem like a close race. After all, reality TV is “edited for heightened drama” or whatever the standard disclaimer is these days, so why not a video voting contest? TV shows where producers claim text messaging can determine the outcome are already old hat in Europe, so is this a small piece of what interactive TV is going to be like? Is interactivity what will get people to stop TiVoing and start sitting through the commercials again?
I was in the midst of contemplating these questions when it happened - a commercial came on that told you where to send a text message if you wanted to get the Hamster Dance as a ringtone for your mobile. Yes, that Hamster Dance.
I’m tied to a computer all day, so I haven’t really had a need to learn how to send text messages from my mobile. So the first thing that struck me about this were the instructions “text ABCXYZ to get this ringtone!” I’m sure it would only take me a few minutes and a couple of tries to figure it out, but the fact that a 30-second TV commercial is giving me technology instructions I don’t immediately know how to follow is a bit disconcerting to me. This was quickly superseded by the abject horror I felt when I realized that there were a sufficient number of kids of MTV-watching age who knew what the Hamster Dance was (and wanted it as their ringtone enough to pay for it) to justify airing a commercial on MTV.
Taking a step back, I put this commercial in the context of the show I was watching, and I thought about what it meant that people were online or using their mobile phones to vote for the next video. This show airs at 7am Eastern time - that’s 6am where I’m at. Yet there were people already watching TV and enhancing their experience with Internet connectivity. What does it say about the younger market that they can laugh at me for just flipping on the TV but not having the wireless laptop or phone nearby to play along with the show… at 6am!
In a world where overly-cutesy 5+-year-old Internet memes become ringtones for mobile phones which are used to select content on major cable channels before most people want to be awake, technology and technology/Internet culture are becoming even more a part of our 24x7x365 lives. While I have a hard time getting my head around the idea that my mobile phone might one day be my Internet access appliance of choice, it’s hard to reconcile my bizarre early-morning MTV experience with anything but optimism about the long-term market prospects for technology - especially Internet-capable consumer electronics. Ubiquitous computing - it’s come out of the MIT media lab and into the MTV multimedia lifestyle.
Well, it’s not often I get to disprove a statement made at Tom’s Hardware, so allow me to refer you to page 2 of the Linksys WRE54G review, where they say:
One other “feature” is that the Expander does not have an Ethernet port. This means that it can’t be used as a wireless bridge to a wired LAN and you must set it up from a wireless client.
Well, I just did it… and I can say without reservation that the preceding statement about needing a wireless client to set it up is not at all true.
As a result of moving to a new house (which, as you may recall, Desiree and I did in October) our wireless network had to cover a lot more territory through a lot more interference. The repeater seemed like a sensible way to improve coverage, so we purchased a Linksys WRE54G to add some more ‘oomph’ to our Linksys WRT54G’s range.
Our home network topology is tailored to our needs; our primary gaming computers are wired directly into the LAN, as are our 3 infrastructure servers (a topic for another time). This allows us to eliminate the latency inherent in wireless networks and go beyond the 54mbit/sec bandwidth limit of over-the-air 802.11G. [Believe me, when you’re poking your head around a corner in a tense LAN game of Raven Shield you’ll want the lower ping time, and if you’re streaming movies to multiple clients off of a fileserver, you’ll be happy for the bandwidth.] The upshot of this is that our only wireless clients are our Xbox, our TiVo, and Desiree’s Apple G4 PowerBook. None of those are going to be able to run the Windows-only setup disk, so what are we to do?
How to configure a WRE54G with a wired client
(Note: this explanation will assume you know how to make IP address and subnet mask configuration changes to both your AP/router and your wired client. If you don’t, then ask a friend who does for help, or seek to learn more.)
At this point, everything should be working fine - your repeater should be amplifying your wireless network’s signal. However, WEP is still disabled, so you’ll want to turn it on, starting with the repeater first.
It worked for me, so hopefully it will work for others in this somewhat unusual situation.
Here’s an interesting tidbit - some hosting companies (including Pair, Total Choice, and TextDrive) are turning off their users’ Movable Type weblogs because the combination of Movable Type + MT-Blacklist + comment spam is effectively causing a denial of service issue on shared hosts, consuming massive amounts of memory and jacking the IO wait up to the point where these shared resources are unusable by any customers.
Looks like we made the switch to WordPress just in time, especially with ColdForged’s anti-comment spam plugin recommendation.
Now if only I could get the new index.php and stylesheet done…
Powered by WordPress :: All content copyright 2002-2005 extrasonic.com. All rights reserved.