Showing posts with label trojans.

10 February 2010

Is Microsoft Exploiting the Innocent?

I'd never heard of the UK government's Child Exploitation and Online Protection Centre (CEOP), but that's not surprising, since I'm allergic to organisations whose approach is "truly holistic" as CEOP brightly claims. But as well as being susceptible to embarrassing cliches, it seems that the outfit is naive, too.

For, as part of the "Safer Internet Day", CEOP is promoting Internet Explorer 8 on its front page. And what exactly does this famous panacea for all human ills offer in this context? Well:

Download the 'Click CEOP' button into your browser toolbar to provide instant access to internet safety information for children and parents.

Of course, it's rather a pity that to access the information you have to use Internet Explorer 8, scion of a family of browsers that has probably done more than any other software to expose young people to harm on the Internet through woeful security that allows viruses and trojans to be downloaded so easily - one still riddled with flaws.

Strange, then, that CEOP didn't offer a much better way of protecting vulnerable users by suggesting that they switch to a safer browser; it doesn't even offer that same instant access to safety information for Firefox users, thus encouraging people to use IE8 if they want to see it. Moreover, it does this by providing - oh irony of ironies - a link to a .exe file to download and run, the very thing you should be teaching young people *not* to do.

It couldn't be that the young and innocent Child Exploitation and Online Protection Centre has allowed itself to be, er, exploited by that wily old Microsoft here, could it?

Follow me @glynmoody on Twitter or identi.ca.

05 December 2008

Misinformed about Malware

I was moaning recently about the appalling sloppiness when it comes to viruses et al.: they are practically all for Windows, and yet nobody mentions this fact. Here are two more egregious examples.

First:

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A" sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Bad, wicked Firefox, bad wicked open source...except that this trojan *only* works on Windows...which means it's bad wicked Windows, yet again. But the article never mentions this, of course.

Or take this:

BATTLEFIELD bandwidth is low at best, making networks sticky and e-mails tricky. American soldiers often rely on memory sticks to cart vital data between computers. Off-duty, they use the same devices to move around music and photos. The dangers of that have just become apparent with the news that the Pentagon has banned the use of all portable memory devices because of the spread of a bit of malicious software called agent.btz.

...


The most remarkable feature of the episode may not be the breach of security, but the cost of dealing with it. In the civilian world, at least one bank has dealt with agent.btz by blocking all its computers’ USB ports with glue. Every bit of portable memory in the sprawling American military establishment now needs to be scrubbed clean before it can be used again. In the meantime, soldiers will find it hard or outright impossible to share, say, vital digital maps, let alone synch their iPods or exchange pictures with their families.

And yes, you guessed it, it only works on Windows. So that bit about "[t]he most remarkable feature of the episode may not be the breach of security, but the cost of dealing with it" is really about the cost of using Windows - well, it's The Economist, what do you expect, accuracy? When will they ever learn?

28 May 2008

Give Me a Platform...

...and I will infect the world:


Symantec has warned of a security hole in Adobe's Flash Player that is already being exploited by web sites to install trojans onto users' computers. Adobe is still analysing the bug and has not yet been able to release an update.

...

The malicious code only appears to be attacking Windows at present. ISC reports that it downloads the files ax.exe and setip.exe. However, the vulnerability probably affects Flash Player for other operating systems as well. It is therefore likely to be just a question of time before malware coders are distributing malicious code for Linux and Mac OS X.

Another reason to flee Flash.

08 August 2007

On the Necessity of Open Access and Open Data

One of the great things about open source is its transparency: you can't easily hide viruses or trojans, nor can you simply filch code from other people, as you can with closed source. Indeed, the accusations made from time to time that open source contains "stolen" code from other programs are deeply ironic, since it's almost certainly proprietary, closed software that has bits of thievery hidden deep within its digital bowels.

The same is true of open access and open data: when everything is out in the open, it is much easier to detect plagiarism or outright fraud. Equally, making it hard for people to access online, searchable text, or the underlying data by placing restrictions on its distribution reduces the number of people checking it and hence the likelihood that anyone will notice if something is amiss.

A nicely-researched piece on Ars Technica provides a clear demonstration of this:

Despite the danger represented by research fraud, instances of manufactured data and other unethical behavior have produced a steady stream of scandal and retractions within the scientific community. This point has been driven home by the recent retraction of a paper published in the journal Science and the recognition of a few individuals engaged in dozens of acts of plagiarism in physics journals.

By contrast, in the case of arXiv's preprint holdings, catching this stuff is relatively easy thanks to its open, online nature:

Computer algorithms to detect duplications of text have already proven successful at detecting plagiarism in papers in the physical sciences. The arXiv now uses similar software to scan all submissions for signs of plagiarized text. As this report was being prepared, the publishing service Crossref announced that it would begin a pilot program to index the contents of the journals produced by a number of academic publishers in order to expose them for the verification of originality. Thus, catching plagiarism early should be getting increasingly easy for the academic world.

Note, though, that open access allows *anyone* to check for plagiarism, not just the "authorised" keepers of the copyrighted academic flame.

Similarly, open data means anyone can take a peek, poke around and pick out problems:

How did Dr. Deb manage to create the impression that he had generated a solid data set? Roberts suggests that a number of factors were at play. Several aspects of the experiments allowed Deb to work largely alone. The mouse facility was in a separate building, and "catching a mouse embryo at the three-cell stage had him in from midnight until dawn," Dr. Roberts noted. Deb was also on his second post-doc position, a time where it was essential for him to develop the ability to work independently. The nature of the data itself lent it to manipulation. The raw data for these experiments consisted of a number of independent grayscale images that are normally assigned colors and merged (typically in Photoshop) prior to analysis.

Again, if the "raw data" were available to all, as good open notebook science dictates that they should be, any manipulation could be detected more readily.

Interestingly, this is not something that traditional "closed source" publishing can ever match using half-hearted fudges or temporary fixes, just as closed source programs can never match open ones for transparency. There is simply no substitute for openness.