Archive for October, 2007

Interesting Links October 09 to October 12

Saturday, October 13th, 2007

My latest Ma.gnolia bookmarks

The truth about traffic on the Internet « Scobleizer

ThinkGeek :: Wi-Fi Detector Shirt

Glowing animated shirt dynamically displays the current wi-fi signal strength

International disgrace at the WCG Grand Finals

Korean Starcraft players match-fixing. Russians cheating. Norwegian Counter-Strike players urinating on the stairs. Chinese guys threatening Taiwanese kids. It’s just another Grand Finals at the World Cyber Games.

Scary Storm figure

28 to 140 billion messages per day.

Johnny K – Dida Haha

View all my bookmarks on Ma.gnolia

Vienna > NetNewsWire Lite

Thursday, October 11th, 2007

With all the lovely apps you can get on a Mac, I still find it hard to believe that nobody has made a feedreader that is really nice to use. NetNewsWire Lite has failed me for the last time. I hope that Vienna does not let me down. What do the rest of ye Mac people use?

Vienna

Interesting Links October 06 to October 09

Wednesday, October 10th, 2007

My latest Ma.gnolia bookmarks

na Fianna vs +forward

Irish team “Na Fianna” easily beat +forward in the European Quake League.

Python Magazine - first issue free

October issue is free as a PDF

A very professional lottery 419

na Fianna vs Drastic Collision

na Fianna easily defeat the Czech team Drastic Collision

“News Alert: Irish Broadband Routers Totally Secure”

Tuesday, October 9th, 2007
Irish Broadband routers totally secure

After all the coverage that Eircom got over their security problems, Irish Broadband have attempted to capitalise on the situation with this press release: “Irish Broadband routers are totally secure”. I don’t know whether they are trying to lure any confused/misguided Eircom customers to switch providers, or whether this is an attempt to console their existing customers, but this is an irresponsible message to send at a time when the public has finally begun to take note of internet security.

This line in particular is rotten to the core:

“This password, being set by the customer, is not derived from the serial number of the modem or the network name and is therefore completely secure.”

Ignoring the 58,700 results that I get in Google for “crack wpa”, even if the encryption method is somehow 100% unbreakable, just ask PayPal what happens when you allow the user to pick his own password.

When Eircom responded to their security issue last week, their reply was responsible and honest (for the most part). They qualified their statements with the standard disclaimer known to every first-year computer science student and network technician: “it is widely recognised in the industry that no wireless access can be deemed 100% secure”, noting that through policy and advice to customers, they are making an effort to minimise the potential vulnerability. This is the textbook response.

Eircom gave their customers a false sense of security because some programmer made a genuine mistake (and he would have got away with it if it weren’t for those pesky kids). Irish Broadband are doing the same thing - unnecessarily allowing their customers to overestimate their security - but what is their excuse? Either they’re completely ignorant, or they’re blatantly lying.

Back from London & Future of Web Apps

Sunday, October 7th, 2007

Was over in London for the FOWA. I’ve been to London a few times in the past couple of years, but still can’t get over what an insanely expensive city that is. Breakfast in the hotel, for a basic fry: £21! That’s €30 or $43. Future of Web Apps conference was on in the Docklands, a long haul from Cork using just about every means of transportation bar skateboard.

At FOWA, the number of MacBooks around the place was astonishing - I’d guess that at least 9 out of 10 laptops at the event were made by Apple. The business track was a little bit basic - people giving too much of the same old common-sense advice and not enough real examples and numbers. The developer track was a bit better and people were happy to give the facts and figures. Matt Mullenweg spoke a bit about the architecture behind WordPress.com. It is good to hear first-hand about what is involved behind the scenes - if I heard correctly they’re running 300 servers! Kevin Rose spoke about his experiences in launching Digg and Pownce - interesting to note that they moved from PHP (Digg) to Python (Revision3) to Python & Django (Pownce). The lads from Dapper gave a nice overview of practical aspects of the semantic web, although not everyone was convinced by their reliance on the community. Matt Biddulph from Dopplr spoke about integration with external sites & services, highlighting the need for portability in social networks, and open standards such as OAuth.

I won’t go into any more detail about the talks, but if you are interested, then I’m sure you can find some reports on Technorati.

The expo was disappointing - one or two interesting companies but hardly any free stuff. Had to settle for a few stress balls off Sun and some pens from Zoho. There was one Irish group there, Just Routes - a few guys from DCU(?) who have developed a route planner for public transport. Dublin routes are currently mapped, so this should be a handy tool for getting around the city. Good luck to Dave & co with that.

Without a doubt, the highlight of the event was Diggnation. At first I assumed it was just another podcast. I’ve seen some sturdy servers buckle under the weight of attention from Digg, but I still had no idea that there was such a large and passionate community. Long before the show was due to start, hundreds of people were packing at the front of the hall. “Those are the fan boys”, I heard someone remark. Soon enough, the place was literally crawling with student nerds wearing Diggnation t-shirts rattling off top 10 ways of running Ubuntu on the iPhone. These guys knew the ins and outs of every story that had appeared on Digg recently. A girl with a “Marry Me, Alex” banner clambered on stage to get a hug from one of the presenters. They discussed the Halo 3 launch, YouTube ads, Amazon’s DRM-free music store, and other top stories from Digg this week (including the “fucked up” account of a boy who survived a two-hour flight on the wing of a plane).

Interesting Links October 03 to October 06

Sunday, October 7th, 2007

My latest Ma.gnolia bookmarks

UT3 System Requirements Released

Unreal Tournament 3 first person shooter game to be released in November 2007. The system requirements are not very demanding.

Schneier on Security: The Storm Worm

Nigerian ‘419’ e-mail scammers targeted in 80 arrests around the world - Times Online

Kartrider Open Beta

A colourful, free, kart racing game that is big in South Korea, apparently.

Free Tickets to Web2Expo

Saturday, October 6th, 2007

Conor O’Neill has these tickets up for grabs for the Web2Expo in Berlin.

“This is the deal; the Irish (or Ireland-based) blogger who makes the best suggestion for an original Web Application with an Irish focus will win the tickets.”

Well Conor, as much as I’d love to go to Germany for that conference, if I thought up a truly great idea for an Irish web app then I would probably keep it reasonably quiet until I’ve got something started. I would worry that if I publicly announced my great Irish web app idea: “Christy Moore Song Generator”, someone would come along and steal it.

Interesting Links September 30 to October 03

Thursday, October 4th, 2007

My latest Ma.gnolia bookmarks

Golden MacBook Pro - The Unofficial Apple Weblog (TUAW)

ARP attack to CISRT.org - C.I.S.R.T. - Chinese Internet Security Response Team (GMT +0800)

Chinese Internet Security Response Team (GMT +0800)

Artist gets probation for building secret mall apartment - Boing Boing

Dvorak Uncensored » Why It’s Time To Buy Apple Stock?

Perfect Parking in Blarney at Holy Shmoly!

Eircom Respond to Netopia Security Issue

Tuesday, October 2nd, 2007

In the two days since I posted about the security flaw in Eircom broadband routers’ default configuration, coverage has spiraled to the front page of the Irish Times and elsewhere. In the words of a former roadie for Metallica: “new shit has come to light, man”. Bart got a reply from Eircom. I am surprised to say that it looks like everyone’s favourite Irish telecoms operator (excluding BT Ireland… and Smart Telecom) are taking this seriously and responsibly. I am obliged to nitpick, however, at a particular section:

“This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to access an eircom customer’s Internet connection”

Eircom, you are missing the very crucial point here. We are not worried about the person with an advanced working knowledge of encryption and coding techniques - WEP is no protection against these guys to begin with. We are worried about the guy with NO knowledge of encryption and NO coding techniques, who can simply wander over to s4dd’s Eircom WEP Key Generator website and type in his neighbour’s SSID.

A lot of people missed the issue here, focusing instead on the demerits of WEP encryption. Here’s the analogy: someone sells you a new car with those old-fashioned locks on the side of the window that you push down / pop up. Anyone who knows what they’re doing can break through this security mechanism simply by using a coathanger, but at least your car is locked, right? What if everyone in Ireland had the key to the car? The fact that there are better ways to secure your car than using those push down / pop up buttons suddenly becomes irrelevant.

This is not about the strength of WEP - it is about being sold short. It’s about thinking you have a Cornetto when it’s really just a Wibbly Wobbly Wonder. It is also a funny story about an over-enthusiastic programmer who spent weeks thinking up an elaborate key-gen algorithm but was so distracted by the Hendrix solo in his head that he overlooked a pretty significant weakness in his magnum opus. But more importantly, it is about a false sense of security (albeit partial security) given to Eircom broadband customers.

So how will Eircom respond? According to the letter sent to Bart, they’ll contact everyone affected outlining the issue, with advice on how to handle it. They’ll be upgrading the security on their routers and will also try to improve the general security awareness of their customers. Could we ask for anything more? This does not sound like the incompetent Eircom I’m used to dealing with. Business development managers at Monster.ie could take note!

Monster.com: Spam Capital of the Internet

Monday, October 1st, 2007

Today, Monster.com have taken one step closer to their goal: becoming responsible for all the spam on the internet. They spammed just about every internet user in Cork (except me, hehehe). Tom Raftery has the details: Monster steals email addresses and spams it@cork membership.

It was not too long ago - 2 months? - that these guys were fighting the most miserable PR battle, as they tried to convince the world that they do care about the integrity of your confidential information (your personal details, your email address). 1.6 million+ people got their names tacked on to some Ukrainian guy’s spamlist thanks to Monster’s inadequate security policy. These 1.6 million people are now being contacted by Nigerians peddling phony job opportunities (remember those 419 scams in the Examiner jobs section?). Millions of people trusted Monster.com with their information - not only their home phone number and email address, but practically their entire life story. Their work experience, their strengths, their education history, even their hobbies. Monster make huge profits from selling this information, and in return you get an inbox full of V|agR4 spam.

I’m trying to put myself in Monster.com’s shoes - how would I react to something like this in the media? I can really only see one route: I would change my attitude towards data protection - I would make it my top priority. I would audit my operations, make policy changes wherever necessary and I would launch a campaign to tell the world that we will do our best to protect your privacy. I really cannot understand how Monster’s business development manager in Ireland cannot see this. Not only does he blatantly spam a lot of very vocal people - he thinks he is justified in doing so!

Tom makes an interesting point:

“The Irish Data Protection Commissioner takes a very dim view of this and has the power to levy fines of up to €3,000 per address spammed (so potentially €570,000 in this case).”

It is so rare that anyone is held accountable for breaches of the Data Protection Act. This is such a perfect example with no excuse. Michele reckons this kind of thing can destroy a company’s reputation. Well, a company like Monster doesn’t have much left to destroy. I’d just like to see how the Irish Data Protection Commissioner responds.

Update: Michele has more information here. Digg it.

I am from Cork, Ireland. A fan of the Big Lebowski, Mac OS X, Linux, Cork hurling, Munster rugby, Irish football. Interests include QuakeWorld, Python (lately Django), network security, web applications and technology in general.

Leave a comment if you come across something that interests you. My contact details are here. Alternatively, you can connect on LinkedIn or Twitter.