10 November 2011

News Limited and security of your passwords

News Limited has had a lot of problems this year, and I predict that there is plenty of potential for more.

One cause may well be the fact that it stores its subscribers passwords in the clear, rather than hashing them or using other techniques to ensure that a username and password database can’t be stolen.

How do I know? I recently signed up for a trial subscription with The Australian newspaper. After signing up, they very “helpfully” sent me an email with my password in it!

So:

  1. - my password is stored as plaintext on their system; and
  2. - it was emailed in plaintext across insecure systems (the internet).

These are clear security threats. To quote Hitachi ID Systems, Inc.:

Security threats

Passwords are simply secret words or phrases. They can be compromised in many ways:

  • Users may write them down or share them, so that they are no longer really secret.
  • Passwords can be guessed, either by a person or a program designed to try many possibilities in rapid succession.
  • Passwords may be transmitted over a network either in plaintext or encoded in a way which can be readily converted back to plaintext.
  • Passwords may be stored on a workstation, server or backup media in plaintext or encoded in a way which can be readily converted back to plaintext.

The moral of this story? Don’t give News Limited any personal information that you don’t have to, and don’t use your News Limited password on any other site or system.

© 2011 Andrew Calvin

03 November 2011

The decline of Usenet

Optus recently posted the following on its web site:
Message posted at:
2011-10-18 16:27
What:
Optus News Server removal

Impact:
Optus has previously provided usenet service (Optus Newsgroup) to customers. However, following evaluation of the services that we offer to our customers, and the declining usage of usenet by our customers over the past several years, it is no longer viable to continue to provide this service. As a result, the usenet service is in the process of being disabled and removed. This service will close as of 21/11/2011. If you still want to use usenet, there are a number of commercial usenet providers that will be able to provide this service to you.
You might know these as newsgroups. usenet was one of the earliest systems available on the internet - it is, more or less, an incredibly large bulletin board with many thousands of topics and many, many posts within each topic. It was decentralised, so an organisation could choose to run its own server, and then subscribe to all or just topics of its own choosing, and in turn, share its own posts with other usenet servers.

There is a sense of hierachy, so comp.networking.tokenring was part of networking, which was part of computers. There are roughly nine major top levels, such as comp, news, rec and alt.  Many years ago I used to frequent rec.sport.mountainbiking and aus.legal for example.

The system was clever, in that a server didn't need to be online all the time. It could dial up another server or ISP, exchange posts, then disconnect again, much the way email used to be transmitted using UUCP.

As you can see, Optus is decommissioning its usenet servers, but various sources how that the amount of data posted per day continues to rise. However, I suspect that much of that data is unlawful sharing of binary data, such as movies, software, TV and music.

Usenet also helped give birth to actions for defamation on the internet. The most famous cases revolve around Dr Laurence Godfrey, who sued a number of internet service providers and universities who hosted usenet servers. In each case he requested that a defamatory posting be removed from the usenet server. Of course, since usenet posts are propagated across the world very quickly it is almost impossible to control them. If a usenet server is subscribed to a particular newsgroup it will simply receive all the posts.

His first action against Demon Internet Limited (Godfrey v Demon Internet Limited [1999] 4 All ER 342) was relatively novel, dealing with the "secondary publisher defence" under the UK Defamation Act 1996. Demon failed to take down a posting after being notified of its existence, and the UK High Court upheld Godfrey's argument that it ceased to be a protected secondary publisher once it was on actual notice. An excellent analysis of the British law at the time and proposed reforms can be found here. The case has been followed many times since, and formed the foundation of changes to laws all over the world.

Various organisations have attempted to archive usenet postings, including Google Groups, where I can find things I wrote in usenet from 1994 onwards, such as those celebrating the birth of my daughter, and issues using HyperCard 2.2 with Oracle 7.

So, while not being a huge user of usenet any more, I'll be sad to see its demise.

02 November 2011

Cyberspace November 2011


Web sites
You’re a (or part of) a small firm, and you’re busy. Does your firm have a web site? Can you articulate the goal of having it? Who maintains it? Who is responsible for each piece of content on it? Has the content been carefully designed so that it achieves your goals?

Web sites can have many functions: an electronic white pages so your clients can look up your contact details; a yellow pages so potential clients can find you based on your location or expertise; a place to provide information on areas of law to current and potential clients; and a portal for communication between clients and lawyers. Understanding why you have a web site will help you ensure that you have the right information on it. Let’s say that you use it to provide contact details only (and that’s a perfectly acceptable use) - does it have all your details? How about a Google map?

Have you thought about how it looks on a mobile phone? Many web sites are simply unusable on smaller screens. It’s easy to have a web site that detects the type of device in use and formats the content appropriately. For mobile pages you might take care so that on appropriate devices a user can simply tap your phone number to call, or your address to switch to maps or a GPS. Avoid large images, background images, and technologies that don’t always work well on mobiles, such as Flash.

Design

Getting some marketing and design advice will assist in getting the best out of this important marketing tool. Don’t talk to a tech person - speak to someone with a proven track record in design. Make sure it’s clearly laid out, free of clutter and uses fonts and colours that make it readable to all types of human conditions.

Consider what your core messages are, and what images (no clichéd images, please) might be appropriate to provide an attractive and appropriate presence. Don’t have an annoying landing page that does nothing except require someone to click on it -  and they often cause problems on a mobile browser.

Information

If you want to give clients some basic grounding by linking to other sites, such as, say the NSW Fair Trading home page (http://www.fairtrading.nsw.gov.au), then make sure that link opens the page into a new browser window, rather than replacing your own.

What are your core competencies? Consider writing a primer for your clients to read before they come in to see you - it will help them be a better client and save you time on routine matters.

Content value

Don’t clutter the site - don’t add anything unless it has a purpose and enhances the core messages. Consider “search engine optimisation” which, although often spruiked by unsalubrious types, can be very important if you want to come up in a search “Newcastle small business lawyer.”

Diarise to review your site at least every month. Make sure all the content is owned by someone, and that they understand it is part of their job to care for it. Make it easy to add and alter content by using a quality content management system.  A CMS, whether commercial or open-source will assist in SEO, avoid technical errors and eliminate broken links.

Process

To get going: How much money and time do you want to spend? Do you need to get someone to do everything for you, or can you (recognising you’re a lawyer and not a marketer or technologist) contribute? Some people may be able to go to a reputable hosting company, register a domain name, and have a CMS running within an hour. There are many of these (eg www.dreamhost.com) who offer tools that require low-medium technical skills for a quality self-service site. You may find that a blog alone is all you need (eg: http://blog.calvin.it).