A place to put the overflow from my head.

2002-09-06T08:28:00.000Z

I can't help feeling smug and yet sorry all at once. This ZDNet UK article talks about "drive-by spamming"... spammers using unsecured wireless links to send spam. Ok, I'm definitely not the only person to have predicted this but I did blog it, back on 7/1/2002. I'm smug about that, but sorry that it's happening.

I was wandering through PC World again this week, picking up some bits and pieces and got talking to an assistant (a knowledgeable one for a change) about networking. I was looking for a switch and all they had were hubs... he understood the difference and fetched me one from stock. He asked me why I was sticking with 100B-T and wasn't putting in 802.11 and when I mentioned the security aspects he smiled. He said "I know, and you obvioulsy know, but we sell more Wi-Fi kit these days than ever before - it flies off the shelf."

Maybe one day there'll be a lawsuit against one of the Wi-Fi manufacturers for failing to warn, clearly and unambiguously, on the box: "This product will leave your network open to unauthorised access". Rather like the health warnings on cigarettes. We can hope....

2002-08-08T07:20:00.000Z

Myths Of The Modern World, No. 201: Broadband connections are fast.

Here at work (where I am now), we have a broadband connection. In fact, we're shortly to have two when we put in ADSL to backup the existing Tele2 fixed wireless link. So on the days when I'm in the office, I take the opportunity to download anything I need that's large rather than strain the 24/7 56k dialup connection at home. And hey... despite all the adverts, despite the hype and especially despite the analysts who tell us that broadband connections are the key to video-on-demand... broadband can be deadly slow.

Of course, it's not the fault of the local link - a quick test to a friend who also has a fast connection via the same backbone provider as Tele2 use shows that we can both saturate our local links to the full, advertised capacity. It's just that the nature of the Net means that there will be multiple "hops" between you and any source of data you wish to access. Murphy's Law (Internet Routing Clause) states that at least one of these hops will be a bottleneck.

So, last night, in the interests of research, I tried some downloads. I tried some ISO images (of Linux distros) from a number of servers and I tried some streaming video from three different sites in the states (no, not that sort of streaming video!). In oen download I got great throughput - 30k to 40k bytes per second. On all the others and on all the streaming video links I got average throughput of well under 56k bits per second... usually the best I got was around 40k bits per second. Modem speeds. And whilst in the case of the ISO downlaods this may have been because the ftp servers throttled the connection, the video streams were advertised as being broadband - usually 200-odd k bits per second.

So, next time you see one of those annoying BT ads for broadband internet (especially annoying to those of us who can't get ADSL where we live), bear in mind that all it gives you is a wider on or off-ramp to the clogged-up motorway that is the Internet....

2002-07-25T09:53:00.000Z

Well, work piles up and reduces blogging time, but that's ok... here's an article on C|Net about security in WiFi networks, raising again the same concerns I've logged here previously. It's nice to see a bit of a backlash against the uncritical acceptance of wireless.

Mesh networks... flavour of the month. Not such an original idea, that nodes in an ad-hoc wireless network all act as routers, relaying packets around for each other. Certainly it's a nice concept which could create very-wide-area ad-hoc networks in any place where a sufficient number of people have wireless devices. However, as is my wont, I started thinking about the downsides:

Billing: At some point, much of the traffic from wireless nodes is going to need to get to an Internet or other wired-network access point. Who is going to pay for that bandwidth? How might the users of wireless devices get billed for that access?

Availability: By it's nature, availability of a mesh network depends on ad-hoc groupings of devices that are under no central planning or control, so it's inevitable that "cold spots" will exist at the edges or in sparser areas. Consider the business area of a major city - what happens to a mesh network after 5pm when all the people leave? Or the restaurant-and-theatre zone in the early morning when nobody's around. One big fact about broadband that's emerged is that the always-available nature of the connection is at least as important as the speed. Mesh networks can't guarantee availability.

Security: Suppose I am Jo Malicious-Hacker and I walk into the middle of a mesh network with my wireless device. Perhaps I can tweak the routing parameters of my device so that other traffic favours using it as a relay. All that traffic that passes through my device can be logged by me. Yes, I'm sure lots of it will be encrypted (though the track record of vendors on implementing encryption is pretty lousy) but I can save it for later cracking. Some of it won't be, though, and I'll have full access to read and maybe even change that traffic.

Battery life: The battery life of wireless devices is a big deal. People (especially here in Europe) are used to the longevity of mobile phones which use a wide variety of tricks to conserve power and, more importantly, are not always sending and receiving data. Why would I want my wireless device, sitting in my bag or pocket, to spend my battery power on relaying traffic for people I don't even know?

References for mesh networks: Technical article from MobileMesh,
another from Comms Design and New Scientist on fixed-node mesh networks.

2002-07-11T08:09:00.000Z

Cnet has this story about ISPs invoking their terms and conditions to prevent broadband users sharing their connections via wireless to anybody who happens to wander by. Another point where idealism and generosity meets the harsh world of big business. Well, since I've rambled on incessantly about the negative points of sharing access to your LAN via WiFi I guess one more Reason Not To doesn't hurt.

2002-07-10T13:21:00.000Z

Bruce Ediger once wrote The only "intuitive" interface is the nipple. After that, it's all learned. And he's wrong

Now, afore everyone starts flaming me for defaming the greatness of a UI expert, let me clarify. I only want to take issue with the semantics of that much-misused term "intuitive". As with so many of these comments, this was started by a conversation with a friend who quoted Ediger to me and got me thinking. The quote is wrong because "intuitive" for interfaces means that one can work out an interface using the knowledge one already has. Replace "intuitive" with "instinctive" and Ediger would be right on the money. An instinctive interface is one that you know how to operate without being told. An intuitive one you learn, but the basic operations, visual cues and assumptions are the same as the other interfaces you encounter on the same platform.

What this leads on to is an observation on a problem that many people know about but which doesn't seem to ever get solved. This should be written in letters of fire (and probably on a Ring of Power, but hey, all we have is HTML): Engineers, including programmers, cannot design interfaces. In fact, most can't even design icons worth a damn, let along think through task oriented flows or click-routes. I should point out that I speak as a programmer for many years and I'm proud to call myself an engineer.

I see this failing mostly in the open-source world. Here there are many projects for which the code flows artistically, an elegant construction of objects interacting gracefully to perform their apportioned tasks but with user interfaces that would fail a first-year college UI design course. On occasion larger-scale projects such as KDE will involved designers and people who think about UI and achieve greatness but on the whole it's not a pretty sight. And it's this as much as anything that's making it difficult for Linux to get onto the desktop. Microsoft invest a lot of money in interface design. Maybe they don't always get it right but their tools are pretty damn intuitive; if you know how to work one, you have a damn good idea of how to work any of them. In contrast, there are open-source tools around which appear to have been written by programmers who were convinced that it was a good idea to write the entire interface from scratch according to their understanding of how it should operate. This is almost without fail a retrograde step.

Take Blender for example, which was at http://www.blender.nl/ a while back btu may have moved. An open-source 3d package with tremendous capability but with an interface that broke every rule in the book. The learning curve for it was so steep that there must be many people who never discovered just what it could do because the functions were hidden away behind obscure mouse movements and modes.

2002-07-01T14:18:00.000Z

Wow... it's nice to spot a story. Here is a nice article on C|Net about the risks of opening up your wireless LAN to anybody who wanders past. Some lovely war stories of badly secured networks leaking data. Of course, I'm feeling smug because of the blog entry I wrote on June the 19th (following on from bending the ear of many people about the subject).

Once more with feeling: you leave your LAN open, whether it's a home network or a business setup and someone somewhere will find a way to take advantage of it. If that happens to involve lawbreaking, the trail ends with you. It's rather like setting up a callbox outside your home connected to your domestic phone line. Feel free to do it. And when someone makes an abusive call from that callbox, the buck stops with you.

I think the biggest opportunity for mayhem with WiFi is spamming. Consider - you have an open WiFi access point to your LAN. No doubt your ISP has a mail relay. Like a good, security-aware ISP, they have it set up so that they'll only send email from their subscribers, like you. This will almost certainly be done using source IP filtering. But anyone who hops onto your LAN using that nice open relay will appear to your ISP to be you and will therefore be able to send email at whatever rate your Net connection will support. Cheap and easy for the spammer, no need to keep looking for insecure mail relays in China when there's probably a nice open broadband connection within a few blocks. You saw it here first...

2002-06-26T15:55:00.000Z

How really, terribly, thoroughly depressing.

Eric Raymond, author of The Cathedral And The Bazaar and Open Source luminary is someone who's work I've read with much interest over the years. I don't always agree with him but I've always repected his opinions as well thought out and a tribute to clear thinking. Now I find he has a blog at Armed And Dangerous. Reading down, I come across the entry called "The Elephant In The Bath-House". What a load of ill-informed, reactionary and fundamentally offensive homophobic nonsense he quotes. It's destroyed my faith in the ability of intelligent people to consider issues...

Probably not very appropriate for a blog that's about ideas... but anyone who swallows the "homosexuals=paedophiles" bigotry that he has... Ah, against stupidity the Gods themselves contend in vain.

Oh, and just before anyone goes making assumptions - I'm not gay.

2002-06-25T08:26:00.000Z

Microsoft working to put PVR functionality into XBox. This one's fun.

First of all, take a look at the amounts of money MS stands to lose (internal MS estimates, mind you, not analyst figures) on XBox; $750m in the remainder of 2002 and $1.1bn in 2003. That's THREE-QUARTERS OF A BILLION DOLLARS in the rest of this year. Now, Bill is not stupid, and doesn't give money away for nothing (despite what the chain letters say), so what is he buying with that?

A history in the console market, so that XBox 2 won't be tagged with "Microsoft enter market"? Won't be a very good history, then.

People being used to seeing Microsoft's name in consumer electronics stores next to Sony?

A saving of face because now XBox is out there, MS can't pull out? Doesn't seem to have stopped them in other areas.

Actually, I think that there's no Master Plan at Microsoft. Yes, there are a lot of very smart people there but also, by all accounts, vast amounts of politics and managerial manouvering. I suspect that some things just get chosen to be a Business Venture depending on many other circumstances than fitness-for-market. Once a project becomes the personal fiefdom of some ambitious manager, it's on its way. Perhaps the combining of UltimateTV (which hasn't exactly set the PVR world on fire) and XBox (which hasn't blown anyone's socks off in the console market yet) is more about making the best of what they have than the next move in some elaborate game of World Domination Chess.

Anyway, this also got me thinking about the PC as the "hub of your digital entertainment world", as suggested by Steve Jobs but endorsed by Bill & Gang in projects such as FreeStyle. Let's think about your PC or Mac for a moment. For a single user, seated in front of the machine, it may work well. But it still crashes (even running XP). It can be tied up fulltime when someone wants to play a game. It gets clogged up with all sorts of addons and extra bits of software that one downloads to try out. It's a single user device. Why on earth would one want to use it as the main route into the home for digital entertainment? Why would I want to have my PC as my PVR when my TV watching could be derailed by someone wanting just one more game of HomeWorld?

Odd logic.

2002-06-21T09:26:00.000Z

Games Consoles next hacker target. Moderately interesting, but it got me thinking about the whole Connected Home deal from a security point of view.

People want security but won't put up with any complexity to manage it. That is, people as individuals won't; many an IT manager spends a long time working out how to keep things secure and yet allow work to go on efficiently. Of course, a home doesn't usually have an IT manager (geek homes excepted).

Consider the track record of upgradeable devices - that is, computers. Windows Update does a pretty good job of making it easy to keep up with security and other patches and yet there are still widespread vulnerabilities that can affect your average PC user; it's still too difficult for most people. Most technical folks I know can tell you how they keep devices like Sky+ boxes up to date with the latest software. Most non-technical people have no clue; a good number of those I've talked to have no real understanding that there is software in these devices, let alone what upgrading might imply.

TiVos are an interesting exception; they update themselves automatically and don't leave it up to the user. This is probably by far the best approach for dedicated devices but it does of course shift the entire burden onto the vendor. Vendor's don't have a terribly good record for responding to security issues; it's often seen as a public relations issue as in Microsoft's trumpting of "military grade software" for the XBox.

So, what sort of issues might there be when all manner of home devices connect to the Wild And Scary Internet? I guess it's inevitable that given a wide enough market penetration of any device, black hats will start looking for exploits. When they're found, such exploits will be passed around and people's fridges or ovens or televisions will start crashing or misbehaving, which is not at all what people expect of domestic applicances. Kettles don't crash. Televisions just work - they don't need patches.

This all feeds one of my tentative predictions for Things To (Possibly) Come; the rise of closed networks. The Internet may just not be safe enough to be used as a general transport network for the general public's home devices. We may see more and more companies going the way of Sky with their walled-garden "Open..." service, or Microsoft with their closed network for XBox gaming. Think of it in the same way as FedEx relates to the general post system - you could put your important letter in the post box, but if you want to be absolutely sure, you pay the extra and use the proprietary delivery solution.

2002-06-19T13:13:00.000Z

I went to the Internet World show last Tuesday and Wednesday. Ah, how the mighty have fallen. A mere shadow of the glory that was Rome... er.. the same show two years ago, when the Web Was Waiting to Change The World.

Ah, but it's nicer in the post-dot-com era. There was a refreshing sense of practicality about much of the stuff being said; a sense of people having identified real problems that could be addressed by real solutions as opposed to the "boil the ocean" ideas of yore. Actually, I'm disturbingly fond of that phrase - a boil the ocean idea is anything that will work if only everyone changes the way they do things. For example, "if only everyone will upgrade their phone to one that supports our clever device, we'll be millionaires". I'm sure you can pick your own example.

Still, the show was, as ever, enlivened by the presence of many salespeople creatively disconnecting punters from reality by dazzling them with technology. I was shown a phone with video capability by a shiny-suited salesman who made it display a trailer for Men In Black II. Now, I'd seen the same trailer only a couple of weeks before on the big screen in Manchester and then my reaction was to turn to my wife (who was of course sitting beside me) and say to her "that's a must!". On this occasion, the blurry video and scratchy sound were completely underwhelming. The salesman was not betting on this reaction - I think he'd had a succession of techophiles all morning who had been entranced by the idea of video on a phone without thinking much about what the video showed.
I do think that the mobile phone world is currently at one of those turning points where the technologies are being built without any clear idea of what they will be used for. There are of course many precedents for this (and I'm sure I'll get around to a History Of Technology entry sometime) but it's always an interesting thing to see happen. The entire industry is painfully aware that SMS just happened and was never designed to take off like it did. They're all searching for the next SMS.

2002-06-19T12:37:00.000Z

Today I am looking at the Wonderful World of Wi-Fi. That's 802.11 wireless networking to you. Now, this is one of those phenomena that someone has already called the new black, so tremendously cool is it but I wonder; am I missing some basic points here? Let's get bullet-pointy about it:

Your LAN is that part of your network on which you usually assume that nodes are trusted. That any device on it is more-or-less okay by you. You put firewalls between your LAN and other, less trustworthy networks (like the Nasty Ole Internet). So why would you then connect wireless access points to your LAN and open it up to the world? Yes, it's terribly convenient to be able to wander around with a laptop, but you've just opened up your LAN and everything on it to anyone who fancies driving by your office or house.

Ok, you know what you're doing and you've opened up your Net access to anyone local who'd like to take advantage. That's very generous of you. Now, what happens if Jo Bad-Person comes along and uses your access to download stuff that you'd far rather not be party to. Or maybe to use a public-access Usenet server like Google to post something objectionable? The traceability of who did that stops at your ISP, with your network connection. And it's you that your friendly neighbourhood law-enforcement operative will want to have a chat with.

Of course, it's true that any network administrator worth her salt will ensure that wireless access points have some security set up and that access via them to a LAN is properly VPN'd. But how many home users will do this - and how many home wireless kits even support VPN? What about the cheap little access points that one can buy in PC World for a couple of hundred; how many of these are finding their way into offices, installed by some executive who contentedly bypasses the poor IT department's attempts at control.
Ah, I'm probably far cynical :-)

2002-06-19T12:23:00.000Z

So; time to start a new blog. I wonder what proportion of blogs start, falter and then peter out from general I-can't-think-of-what-to-write syndrome. Now there's a post-graduate study waiting to be done.
Let's start with some sort of mission statement. I say this not because I have any great faith in mission statements per se, but because I'm a firm believer in the adage "How do I know what I think until I hear what I say?". So, why am I doing this? Simple: I get paid (and quite well paid too) to think for a living; to make connections amongst the billions of bits of comment, content and conversation on the subjects that I work in. That means that I have to spend a good couple of hours (or more) per day just reading, thinking and generally following things up. That in turn results in far more information that any one person can possibly keep track of, thus overflowing my head. In a vain attempt to keep some sort of thread together, I shall see how putting it in here works out.
One complication is that my employer trades in ideas. This means that sometimes I'll be forced to keep obvious conclusions to myself in case they result in anything patentable. Should be interesting! Or possibly not.