Universal Access

On Wednesday of this week, Minister Edward Nipake Natapei and Australian High Commissioner John Pilbeam jointly announced the creation of a telecommunications Universal Access Fund. Designed to ensure that communications services reach all parts of Vanuatu, the fund was rolled out with an initial contribution from AusAID of 215 million vatu.

The idea is to allow market forces to work in the vast majority of the country, providing mobile telephone services on a for-profit basis. Digicel’s license terms state that it must make its service available to 85% of the population.

Mobile telephone service costs are tiny compared to traditional land lines. Infrastructure is minimal, and it’s not as susceptible to damage by the elements. Digicel is confident that it can profitably provide services over such a wide area. They’re so confident that they’ve ponied up a significant chunk of cash as a performance bond.

In time we’ll see TVL and smaller, ‘boutique’ operators entering these once marginal markets as well. But there will always be areas in Vanuatu that simply can’t be serviced profitably. This is where government enters the scene. They’ve designated a basket of money that will ensure that everyone from Aneityum to the Torres islands has access to mobile phone services.


Trust Works All Ways

Over the weekend, I’ve been thinking about last week’s disclosure concerning Debian’s OpenSSL package, which in effect stated that all keys and certificates generated by this compromised code have been trivially crackable since late 2006.

There’s a pretty good subjective analysis of the nature of the error on Ben Laurie’s blog (thanks, Rich), and of course the Debian crew itself has done a fairly good job of writing up the issue.

The scope of this vulnerability is pretty wide, and the ease with which a weak key can be compromised is significant. Ubuntu packaged up a weak key detector script containing an 8MB data block which, I’m told, included every single possible key value that the Debian OpenSSL package could conceivably create.
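How a detector of this kind can work, as an added sketch that is not part of the original post and not Ubuntu's script: when a generator's only varying input is small enough to enumerate, every possible key can be fingerprinted in advance and a suspect key checked by lookup. The toy key generator, the assumption that the process ID (1 to 32767) is the only seed input, the 10-byte fingerprints and the host names are all constructed for illustration.

```python
import hashlib
import os

PID_MAX = 32768   # assumption: process IDs fall in 1..32767
FP_LEN = 10       # bytes kept per fingerprint (constructed choice)


def toy_keygen(seed: bytes, nbytes: int = 32) -> bytes:
    """Stand-in for key generation: same seed in, same key out."""
    return hashlib.shake_256(b"toy-keygen:" + seed).digest(nbytes)


def weak_seed(pid: int) -> bytes:
    """Model of the flawed seeding: the process ID is the only input."""
    return pid.to_bytes(4, "big")


def fingerprint(key: bytes) -> bytes:
    """Truncated digest, so the shipped list stays small."""
    return hashlib.sha256(key).digest()[:FP_LEN]


def build_blocklist() -> frozenset:
    """Fingerprint every key the flawed generator is able to produce."""
    return frozenset(
        fingerprint(toy_keygen(weak_seed(pid))) for pid in range(1, PID_MAX)
    )


def is_weak(key: bytes, blocklist: frozenset) -> bool:
    """Constant-cost lookup: is this key one of the enumerable ones?"""
    return fingerprint(key) in blocklist


def audit(keys: dict, blocklist: frozenset) -> list:
    """Return the names of all keys that appear on the blocklist."""
    return sorted(name for name, key in keys.items() if is_weak(key, blocklist))


def sample_keys() -> dict:
    """Constructed inventory: two keys from the flawed path, one sound."""
    return {
        "web01": toy_keygen(weak_seed(4242)),
        "mail01": toy_keygen(weak_seed(31999)),
        "db01": toy_keygen(os.urandom(32)),   # seeded from the OS CSPRNG
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(len(blocklist), "entries,", len(blocklist) * FP_LEN, "bytes")
    print("weak keys:", audit(sample_keys(), blocklist))
```

A real list needs one such table per key type, key size and platform, which is how the data block grows to megabytes.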

The question that kept cropping up for me is: This one-line code change apparently went unnoticed for well over a year. Why is it that crackers and script kiddies never found it and/or exploited it? Numerous exploits on Microsoft Windows would have required far more scrutiny and creativity than this one. Given the rewards involved for 0-day exploits, especially in creating platforms for cross-site scripting attacks, why is it nobody bothered to exploit this?

My hypothesis – sorry, my speculation is this: People at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn’t notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

The change itself was small, but not really obscure.  It was located, after all, in the function that feeds random data into the encryption process. As Ben Laurie states in his blog, if any of the OpenSSL members had actually looked at the final patch, they would almost certainly have noticed immediately that it was non-optimal.

In all this time, apparently, nobody using Debian’s OpenSSL package has actually (or adequately) tested to see whether the Debian flavour of OpenSSL was as strong as it was supposed to be.  That level of trust is nothing short of astounding. If in fact malware authors were guilty of investing the same trust in the software, then I’d venture to state that there’s a fundamental lesson to be learned here about human nature, and learning that lesson benefits the attacker far more than the defender:

Probe the most trusted processes first, because if you find vulnerabilities, they will yield the greatest results for the least effort.

P.S. Offhand, there’s one circumstance that I think could undermine the credibility of this speculation, and that’s if there’s any link between this report of an attack that compromised not less than 10,000 servers and the recent discovery of the Debian OpenSSL vulnerability.

Kastom in the Virtual Nasara

In Vanuatu, Kastom takes a lifetime to learn. More complex than any set of laws, it’s a tightly woven fabric of behaviour that is in a constant state of redefinition. Defined by respect and mutual support, it is measured and arbitrated by our chiefs and enforced by the community as a whole. It is at once amorphous and innately understood.

Although it manifests itself differently from one island to another, the importance of one’s name is integral to finding one’s place in local kastom. Indeed, the highest honour an expat can earn in Vanuatu is to be given a name. A naming ceremony implies the attainment of (usually honorary) chiefly rank. One’s name, in short, is the ultimate expression of one’s place, standing and role in the community. It conveys the very essence of its bearer.

Practices vary from island to island, but choosing – and using – a person’s name is rife with overtones about one’s relation to others. Expats are often confused, and sometimes amused, by most ni-Vanuatu’s unwillingness to address others by name. People are instead referred to in terms of their familial relationship to the speaker. Where relationships are unknown or ambiguous – between strangers, for example – a local default usually exists. It’s common to be addressed as ‘tawi’ in Tanna, though strictly speaking that would make you the person’s brother or sister in law. In a delightful example of linguistic drift, young women in North Malekula are almost universally addressed as ‘uncle’.

So why, when names possess such a strong tabu here in Vanuatu, do we put no stock at all in how Vanuatu’s name is used on the Internet?

Steaming Piles

I give up. I can’t support OpenOffice Write any more, and it’s nobody’s fault but their own. For anything more than simple tasks, the application is terrible. Their only saving grace is that Microsoft Office has its own brand of polished turd, named Word. Collectively, they are racing to the bottom of a decade-long decline in useability.

No, that’s too generous. The thing is, they’re at the bottom. They are useless for any but the most trivial tasks, and the most trivial tasks are better accomplished elsewhere, anyway.

Yes, I’m ranting. Let’s put this into a proper context:

I hate word processors. For any but the simplest tasks, their interfaces are utterly ridiculous. I haven’t liked a word processing interface since WordPerfect circa version 5, and if I had my own way, I’d author all my documents in either emacs or vi, depending on the circumstances.

Why do word processors suck so badly? Mostly, it’s because of the WYSIWYG approach. What You See Is What You Get, besides being one of the most ghastly marketing acronyms to see the light of day in the digital era, is ultimately a lie. It was a lie back in the early 1990s when it first hit the mainstream, and it remains a lie today. The fact of the matter is that trying to do structuring, page layout and content creation all at the same time is a mug’s game. Even on a medium as well understood as paper, it’s just too hard to control all the variables and still have a comprehensible interface.

But the real sin that word processors are guilty of is not that they’re trying to do WYSIWYG – okay it is that they’re trying to do WYSIWYG, but the way they go about it makes it even worse. Rather than insisting that the user enter data, structure it and then lay it out, they cram everything into the same step, short-circuiting each of those tasks, and in some cases rendering them next to impossible to achieve.

Learning how to write, then structure, then format a document (or even just doing each through its own interface) is easier to accomplish than the all-in approach we use today. For whatever reason, though, we users are deemed incapable of creating a document without knowing what it’s going to look like right now, and for our sins, that’s what we’ve become. And so we are stuck with word processors that are terrible at structuring and page layout as well as being second-rate text authoring interfaces. They do nothing well, and many things poorly, in no small part because of the inherent complexity of trying to do three things at once.

It doesn’t help that their technical implementation is poor. The Word document format is little better than a binary dump of memory at a particular moment in time. For our sins, OpenOffice is forced to work with that as well, in spite of having the much more parse-worthy ODF at its disposal these days.

There’s no changing any of this, of course. The horse is miles away, and anyway the barn burned down in the previous millennium. The document format proxy war currently underway at the ISO is all the evidence I need to know that I’ll be dealing with stupid stupid stupid formatting issues for years to come. I will continue to be unable to properly structure a document past about the 80th percentile, which is worse than not at all. I will continue to deal with visual formatting as my only means to infer context and structure, leaving me with very little capacity to do anything useful with the bloody things except to print them out and leave them on someone’s desk.

Maybe I’ll just stop using them at all. Maybe I’ll just start doing everything on the web and never print again.

I’m half serious about this, actually. At least on the Web, the idea that content and presentation are separate things isn’t heresy. At least on the Web, I can archive, search, contextualise, comment, plan, structure and collaborate without having to wade through steaming piles of cruft all the time.

At least on the Web, I can choose which steaming piles I step into.

I’m going to start recommending people stop using Word as an authoring medium. There are far better, simpler tools for every task, and the word processor has been appropriate for exactly none of them for too long now. Sometimes you have to destroy the document in order to save it.

Clearing the Ground

The Vanuatu National Training Council (VNTC) recently presented their vision of an industry-driven training regime here in Vanuatu. The approach is based on what they call Competency Based Training. In simple terms, this approach is aimed to help people learn relevant and useful skills, and importantly, to be able to earn formal recognition for skills they already have. By measuring these skills using well-understood benchmarks, people would be assured that their skills are recognised by employers throughout the Pacific and even beyond.


Stop Bad Errors

I recently upgraded to Ubuntu 8.04, which comes with the most recent beta of Firefox 3.0. The new version of Firefox has a number of interesting features, not the least of which is a set of measures to reduce drive-by infection of PCs.

If they wander from the beaten path, people now see a big red sign warning them about so-called ‘Attack Sites’ – websites that are reported to have used various means to infect visiting systems with malicious software:

The graphic is fairly well done, but interestingly, there’s no obvious way to over-ride the warning and go to the site anyway. Not that one would want to, but it does raise the bar for circumventing this anti-rube device while raising questions about who gets to decide what’s bad and what’s good.

The ‘Get Me Out Of Here!’ button smacks of Flickr-style smarminess, sending (in my humble opinion) the wrong kind of message. Either be the police constable or be my buddy, but don’t try to be both. That’s just patronising.

I followed the second button to see how the situation would be explained to the curious. I was brought to a page providing a less-than-illuminating statement that the site in question had been reported to be infected by so-called ‘badware’.

The StopBadWare.org service tracks websites whose content has been compromised, deliberately or not, and provides data about these sites to the public in order to protect Internet users from drive-by infection. With sponsorship from Google, Lenovo, Sun, PayPal, VeriSign and others, the service is obviously viewed in the corporate community as a necessary and responsible answer to the issue of malware infection.

At the time of this writing, the Stop Badware databases listed over a quarter of a million websites as infected.

The report page itself was less than a stellar example of information presentation, especially about a security-related topic. In the top left corner is a colour-coded circle with three states:

Safe StopBadware testing has found badware behavior on this site.
Caution One or more StopBadware partners are reporting badware behavior on this site.
Badware No StopBadware partners are reporting badware behavior on this site.

So the difference between red and yellow here is not one of degree, it’s based on who reported it. Not only is this useless as a threat measurement, it sends the wrong message to people using the service, implying that there’s a distinction to be made between what Stop Badware finds out for themselves and what their partners find. By treating the sources differently, they’re inadvertently creating a distinction between gospel and rumour, implying that some sources are less reliable than others.

The report page for the domain in question is populated using the GET method, meaning that you can plug any domain name right into the address bar (if you know the URL components) and get a report on it. Unfortunately, it never occurred to the good people at Stop Badware that some might want to use this capability to check the status of an arbitrary domain. (Amusingly, this method also circumvents the captcha on the ‘official’ report page.)

When I checked the status of my own domain, I was informed that, in effect, I’d recently stopped beating my wife:

Google has removed the warning from this site.

It’s interesting when you’re faced with a sentence in which nearly every word is wrong. Google has removed the site? Where am I? Isn’t this Stop Badware? Removed the warning for this site? There never was one. And even if there was a warning at one point in time, people don’t need to be told that. This message is a bit like saying, ‘So-and-so is a great guy! He doesn’t drink at all any more.’

I applaud the Stop Badware service and the concept, and I look forward to the day when someone actually does a bit of usability research for them.

P.S. Could we please do something about the term ‘badware’? It’s almost sickeningly patronising. Some might argue that terms like ‘virus’, ‘trojan’ and ‘malware’ are too arcane, but I say we should just pick one and stick with it, regardless of how accurate it actually is.

People know and (ab)use the term ‘virus’, so why don’t we get the geek-stick out of our lexical butt and just use it? It’s a virus. You’ve got a virus. Who cares what it is or how you got it. You got a virus and now your computer needs to be treated before you can use it safely again. Now, how hard was that?

Cargo Culture

The phrase ‘cargo cult’ is well known here in Vanuatu, and probably better understood than anywhere else in the world. Pop anthropologists, TV crews and trivia hounds love to belittle the ‘silly’ idea that performing the proper rituals will result in good things happening. They snicker at the uniformed, marching figures in Tanna, wondering what kind of person could believe such a simple tale.

The fact is, we are all, to some degree or other, members of a cargo culture.

Magical Thinking is the term applied to the kind of behaviour that assigns more importance to a sequence of events than to actual causation. We indulge in this kind of behaviour when we put on a ‘lucky’ shirt on important days, or avoid stepping on spiders for fear of bringing the rain. It’s in our daily horoscope and a significant number of expressions that we use every day.

We use Magical Thinking when we touch wood, say ‘God bless’ to someone who sneezes, keep a rabbit’s foot on our key chain, or sing a certain song to ward off bad luck. We also use a certain degree of Magical Thinking when we smoke a cigarette, drink too much or practice unsafe sex. We assume that certain rituals can make good things happen or keep bad things at bay.

We also use a fair amount of magical thinking when we start our computers in the morning, when we make a phone call or send an email.


A National Plan

I have a confession to make. I’m a snob. At least, I am where technology is concerned. Okay, maybe I’m not the type to cross the street when I see someone with last year’s doohickey du jour. But I do notice when your smart phone looks (or acts) like a brick. I can tell at a glance whether your machine is a cutting edge screamer or the technological equivalent of East Germany’s Trabant automobile, legendary for its poor quality.

I like good engineering, good design and efficient performance. In short, I like things that do their job well, whatever that job may be. I like it so much that I hate to settle for less than the best. Not the biggest, necessarily, nor the most expensive. Just the best.

This focus on tools made me lose sight of a couple of important things: First, while doing things perfectly is a commendable ideal, it happens exactly 0% of the time in the real world. Second, Vanuatu is more, er, ‘real world’ than many other places on Earth.

In case you haven’t noticed, I’m a bit of a leftie when it comes to computing. I like to see as much power in the hands of the people as possible. While it’s nice – and often necessary – to rely on services provided by others, I’ve always believed that DIY is the most empowering way to go. So, when the news began to percolate out that Vanuatu would have truly national mobile phone services, I was interested mostly in how that might help the spread of computers into the islands.

What I didn’t consider is that the mobile might actually become the computer.

The Soft Computer

Let’s forget about technology for a moment. Let’s quit thinking about contraptions that rattle more than they hum, often alarmingly. Let’s not talk about technology at all.

Let’s talk about people instead.

‘What a piece of work is a man!’ says Hamlet. ‘How noble in reason! How infinite in faculty! In form and moving how express and admirable! In action how like an angel! In apprehension how like a god!’

This speech has always puzzled me, because many of the human beings I know may qualify as a ‘piece of work’, but lack somewhat in the expressive, admirable, angelic and god-like categories. It only follows, therefore, that if humans are less than angelic in their actions, the things they do with technology might likewise be flawed.

Uncommon Sense

Throughout history, the distance between technology and society has been a defining characteristic of nations, empires and peoples. While it’s tempting to say that the most technologically sophisticated societies represent the pinnacle of human achievement, that’s not necessarily true. Some would argue that keeping social values paramount and learning how to adapt technology to human needs is a more effective means to ensure the health of a society.

Unfortunately, health, happiness and social justice can’t always be judged using objective economic measures. How does one measure crimes that don’t happen, meals that don’t get missed, sick days not taken?

Economic indicators do serve a number of useful purposes, of course. The Pacific Economic Survey – I wrote about it here – includes some extremely useful and instructive data concerning the effects of market liberalisation on communications. It also pointed out some inherent weaknesses in Vanuatu and elsewhere in the region, particularly with regards to technical know-how.

People in Vanuatu could teach many an economist a thing or two about what makes for a meaningful and contented life. But isolation is part of what has made life in Vanuatu simpler and more relaxed, and as that isolation erodes, we find ourselves facing significant technical challenges, some of which have a steep learning curve.

The small group of individuals who have taken leadership in opening the telecommunications market in Vanuatu have been remarkably successful thus far. People close to the process agree that the settlement agreement and the new licenses are extremely well framed. They have learned by the example of those countries who went before, and have created a comprehensive and detailed framework with very little ambiguity. This allows Digicel, Telecom Vanuatu and future entrants to focus on doing business rather than bogging themselves down in legalese, negotiation and other distractions.

But there remains much to be decided, and much to be done:
