Saturday, May 31, 2008

Software Tools Used by Criminals

I am always thoroughly paranoid by the time I leave a meeting of the SDForum Security SIG, and the May meeting was no exception. After the meeting, I stopped at a gas station. Immediately I was suspicious as their price was several cents less than the gas station on the other side of the intersection. Next the pump did not ask me for my ZIP code, and finally the pump let me get more gas than my credit card limit. What kind of scam was this?

The source of my paranoia was the fascinating presentation on "Software Tools Used by Criminals" by Markus Jakobsson, a Principal Scientist at PARC. Markus led us through the history of software and internet scams, starting with the first computer virus and internet worm, to the present day where sophisticated criminals are making targeted attacks on individuals and businesses.

Markus also led us through the crime cycle, starting with 'data mining' of public data sources to get the information needed to make an attack, through ways in which the criminals can get money from a scam without identifying themselves. He also described the results of several experiments that he and others had done to measure how easy some of these data mining exercises were, and experiments to measure how gullible people are when they are set up in the right psychological way for a scam.

Finally Markus came to his recent work on a password reset system. This is usually done with a security question, the answer to which can often be guessed or found out. For example, data mining of public data from Texas had discovered the mother's maiden name of about half the population of Texas. Markus and his team propose a new technique based on preferences which is both easy to remember and is unlikely to be guessed by outsiders.

Monday, May 26, 2008

Pull Dressed as Push

We have been watching with some degree of schadenfreude the problems that Twitter, the incredibly popular microblogging service, has with scaling, or even providing a reliable service. Yesterday Steve Gillmor suggested in his TechCrunch post that the problem has been caused by FriendFeed. FriendFeed is a new social service aggregator that either enhances or engulfs Twitter depending on your point of view. Here is my take on what the problem is.

First some background. Publish and Subscribe (pub/sub) is the underlying goal of all these services. I, as a client, subscribe to something, and when the publisher has something that matches my subscription, they Push it to me. This is efficient because stuff is only sent to me when it exists. The problem is that the publisher may not know where I am when they want to do the Push. So many pub/sub systems work on the Pull by Polling model. That is, every so often I ask the publisher if they have anything new for me. The Polling part is that I repeatedly ask for new stuff and the Pull is that when new stuff exists, I Pull it from the publisher. This works reasonably well as long as I do not poll the publisher too often.

For example, RSS works this way (as I discussed some time ago). To prevent the original publisher from being overwhelmed by requests for new information, part of the RSS protocol describes how often someone may poll the publisher without overwhelming the publisher with too many requests.

Now back to Twitter and FriendFeed. Twitter provides an API so that other services can be built upon it. FriendFeed is an aggregator of social networking services that uses the Twitter API to aggregate information for its users. The Twitter API is based on XMPP, which is a high performance API for instant messaging that supports, for example, instant messaging between large service providers such as AIM and Yahoo Instant Messaging. However XMPP also has a low performance option based on HTTP for polling XMPP servers. This turns XMPP into Pull dressed as Push, which strains the servers when the poll rate is too high.

It turns out that the Twitter XMPP API is based on the low performance HTTP option. Thus FriendFeed is polling Twitter for each of its users, and polling frequently to give the appearance of instant response, which may be the reason that the Twitter servers are overloaded. Twitter has a feature in their API to throttle polling to no more than once a minute; however, this could also be a problem if it is badly implemented.
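The polling load described above, as an added example that is not from the original post or from Twitter or FriendFeed: a toy publisher that enforces the once-a-minute poll limit before doing any feed work, and a simulation showing that an aggregator polling every 5 seconds on a user's behalf is rejected 11 times out of 12 and receives no more items than one polling once a minute. The subscriber name and the 30-second posting rate are constructed.

```python
MIN_POLL_INTERVAL = 60.0   # seconds; matches the once-a-minute limit the post mentions


class Publisher:
    """Feed of (sequence, item) plus a per-subscriber poll-rate limit."""

    def __init__(self):
        self.feed = []          # list of (seq, item)
        self.seq = 0
        self.last_poll = {}     # subscriber -> time of last *accepted* poll

    def publish(self, item):
        self.seq += 1
        self.feed.append((self.seq, item))
        return self.seq

    def poll(self, subscriber, since, now):
        """Pull: items with seq > since, or a cheap rejection if polled too soon.
        The rate check runs before any feed work, so an over-eager aggregator
        costs the publisher almost nothing per rejected request."""
        last = self.last_poll.get(subscriber)
        if last is not None and now - last < MIN_POLL_INTERVAL:
            return {"ok": False, "retry_after": MIN_POLL_INTERVAL - (now - last)}
        self.last_poll[subscriber] = now
        return {"ok": True, "items": [(s, it) for s, it in self.feed if s > since]}


def simulate(poll_every, duration=300):
    """One aggregator polling for one user every `poll_every` seconds, with the
    publisher posting a new item every 30 s (constructed schedule).
    Returns (accepted polls, throttled polls, items delivered)."""
    pub = Publisher()
    cursor = accepted = throttled = delivered = 0
    for t in range(duration):
        if t % 30 == 0:
            pub.publish(f"post at t={t}")
        if t % poll_every != 0:
            continue
        r = pub.poll("aggregator:user1", cursor, float(t))   # constructed subscriber id
        if r["ok"]:
            accepted += 1
            delivered += len(r["items"])
            if r["items"]:
                cursor = r["items"][-1][0]   # resume from the newest item seen
        else:
            throttled += 1
    return accepted, throttled, delivered
```

Polling every 5 seconds and every 60 seconds both deliver the same 9 items over the 5-minute window; the only difference is 55 extra rejected requests.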

By way of disclosure, I do not use Twitter or many of these other toys. I get quite enough information overload from RSS.

Sunday, May 18, 2008

Blog Ennui

It is Sunday morning and I notice that TechCrunch has a couple of new posts. One is a stream of consciousness piece from Steve Gillmor called "Bill's Gold Watch". This one was better than the stream of consciousness piece Steve wrote last week called "The Blood Brain Barrier", mainly because it was shorter. Steve can write conventional blog posts, for example on Saturday morning he had an excellent piece called "Facebook's Glass Jaw" which comments on the Facebook - Friends Connect fracas.

So what is Steve trying to do with "Bill's Gold Watch"? Is he trying to create a new Journalism? To me, it reads more like poetry. Even if it does not make complete sense, it sparks off thoughts and associations, and that appears to be the intention. Another commenter suggested it reads like rap. If it were printed as blank verse we would see what was going on and Steve could concentrate on getting the rhythms right as well as avoiding some of the more tortuous and interconnected thoughts.

In other blog thoughts, I have completely given up on Valleywag. Shortly after I wrote about Valleywag a year and a half ago, the then editor Nick Douglas departed and it has been downhill ever since. Now it is just a load of social claptrap of the sort that fills the gossip column of a tabloid newspaper.