Au Péché Mignon

[Editor’s note: The author was afflicted at the time of writing with a pinched radial nerve, which has led to chronic pain in his right hand. As a result, he has left off his normal florid prose to write in the concise ‘telegraphic prose’ of the young Earnest Hemingway. We apologise for the inconvenience.]

[Editor’s other note: Originally posted in October, 2005. Copied to the Scriptorum because the author [sic] thinks it’s worth keeping.]

The café is a clean, well shaded place. The kind of place a man appreciates once he’s lived long enough to appreciate good, honest coffee. The kind of coffee picked by hand by the good, honest people of Tanna.

The café is named Au Péché Mignon. The man likes to call it the little sin. The kind of sin worth living for. The kind of sin people forget about when they are searching for something to die for. It is a good sin, the little sin. An honest sin.

The waitresses are both named Marie. They stand together at the end of their shift, waiting for the man to leave. Their dark faces take on a copper hue as the sun sets over the bay.

Marie, the younger one, says, ‘There he is. Just like yesterday.’

‘And every day,’ says Marie, the older one.

Uncommon Sense

Throughout history, the distance between technology and society has been a defining characteristic of nations, empires and peoples. While it’s tempting to say that the most technologically sophisticated societies represent the pinnacle of human achievement, that’s not necessarily true. Some would argue that keeping social values paramount and learning how to adapt technology to human needs is a more effective means to ensure the health of a society.

Unfortunately, health, happiness and social justice can’t always be judged using objective economic measures. How does one measure crimes that don’t happen, meals that don’t get missed, sick days not taken?

Economic indicators do serve a number of useful purposes, of course. The Pacific Economic Survey – I wrote about it here – includes some extremely useful and instructive data concerning the effects of market liberalisation on communications. It also points out some inherent weaknesses in Vanuatu and elsewhere in the region, particularly with regard to technical know-how.

People in Vanuatu could teach many an economist a thing or two about what makes for a meaningful and contented life. But isolation is part of what has made life in Vanuatu simpler and more relaxed, and as that isolation erodes, we find ourselves facing significant technical challenges, some of which have a steep learning curve.

The small group of individuals who have taken leadership in opening the telecommunications market in Vanuatu have been remarkably successful thus far. People close to the process agree that the settlement agreement and the new licenses are extremely well framed. They have learned from the example of the countries that went before, and have created a comprehensive and detailed framework with very little ambiguity. This allows Digicel, Telecom Vanuatu and future entrants to focus on doing business rather than bogging themselves down in legalese, negotiation and other distractions.

But there remains much to be decided, and much to be done:

The Pacific Economic Survey

Earlier this week, Australia unveiled the Pacific Economic Survey here in Port Vila. Present for the event was a delegation from all around the Pacific Region, including Melanesia and Polynesia as well as senior politicians from Australia. AusAID’s chief economist was also there to present the findings.

The report is the first of a series of annual surveys that will provide an overview and update of economic developments in the Pacific island region and Timor-Leste. It collates and summarises public data on various aspects of the region’s national economies, performs some comparative and collective analysis with the results, then provides a few basic recommendations.

The theme for this year’s report was Connectivity. The survey focuses on aviation, shipping and telecommunications. It argues that liberalisation, more input from the private sector, and a cooperative regional approach to the problems inherent in improving connectivity are keys to improving Pacific economies.

The findings in the area of telecommunications do much to validate the Government of Vanuatu’s market liberalisation strategy and provide every encouragement to expand upon it. The report addresses some potential pitfalls that might be encountered, primarily where access to technical expertise is concerned. And that is where it risks missing the boat.

Power and Politics – a Sketch

Chief Vincent Boulekone with Duncan Kerr

I had the privilege this week of being asked to take some photographs at the Vanuatu unveiling of the Pacific Economic Survey. The event was attended by two Australian Parliamentary Secretaries and by a number of fairly senior individuals in Vanuatu. The photos I took will be collected here.

I was proudest of the photo above. It’s of two veteran politicians whose approach and presentation could hardly be further apart.

Yahoo! Confirms MS Merger, Name Change

April 1, 2008

Sunnyvale, California

Yahoo! CEO Jerry Yang told reporters today that the board of directors of Yahoo! Inc. had met earlier that morning and agreed to the sale of the company at a price of USD 66.6 Billion. Yang took the opportunity to defuse speculation about what this move means for the company.

Said Yang, “Honestly, it’s not that big a deal. The truth is that we used to show up at the company HQ every day, see that Yahoo! sign up there and get excited. But recently that just hasn’t been the case. I must be getting old or something. Anyway, I figured, ‘they want it? They can have it. I’m stinking rich anyway, why should I have to work?’”

One of the conditions of sale was that the Yahoo! name be changed.

“Let’s just admit it,” explained Yang. “It’s a stupid name. It was fun for, like, 20 minutes. Then we all sobered up and realised we felt like dorks whenever we told someone where we worked.”

Yang then took the opportunity to unveil Yahoo!’s new name: Meh… Its logo, Yang said, will be a giant emoticon consisting of the ‘8’, ‘-’ and ‘/’ characters. When pressed by reporters, he admitted that it would not be easier to spell, and would still cause problems with grammar checkers.

“On the bright side,” he added, “we might finally be able to fix this, now that we’re part of… Meh… Microsoft.”

Microsoft’s CEO, Steve Ballmer, was not present at the press conference, due to a ‘minor’ chair-related injury. He instead released a taped message stating his satisfaction with the negotiations, which ended with a cryptic reminder to Yahoo! employees that their families would be safe, now that they’d shown some sense. Yang would not speculate about the comment’s meaning.

Letter to a Young Turk

I’ve been arguing for the last few weeks that what’s needed most for Vanuatu is to invest significant time and effort into the creation of a new crop of technically savvy individuals who can help Vanuatu bridge the growing gap between life in the information age and life as we’ve always known it in the islands.

There’s a pressing need for people to assist with this transition. The barriers have begun to fall that once allowed life in the village to remain consistent, with change seeping in slowly and in tiny doses. Very soon, most everyone in Vanuatu will have access to mobile telephony. We’re already hearing stories about Tannese in Middle Bush bringing their mobile to the garden with them, just in case someone wants to reach them.

Only weeks ago, nobody really got fussed about waiting days or even weeks to hear a bit of news. But now that we can actually get it, we want information immediately. It’s a universal human trait to want to keep caught up on the latest. In the past people here have been content to let information and gossip arrive at its own pace, confident at least that nobody was getting the jump on anyone else. But now, someone who owns a mobile phone holds a distinct advantage over those without. In this culture – and most others – knowledge is power, and in Vanuatu, a new arms race has begun.

Walk Like a Dinosaur

Michael Krigsman’s most recent entry in the IT Project Failures blog is an interesting, colourfully-illustrated and upside-down look at the relationship between IT and traditional business.

His question, based on numerous similar postulations, is whether IT is becoming extinct. His answer (you knew it was a rhetorical question, right?) goes like this:

Since the days of punch cards, IT has believed itself to be guardian of precious computing resources against attacks from non-technical barbarians known as “users.” This arrogant attitude, born of once-practical necessity in the era of early data centers, reflects inability to adapt to present-day realities. Such attitudes, combined with recent technological and social changes, are pushing IT to share the fate of long-extinct dinosaurs.

The arguments he offers in support of this thesis are all valid to some degree, and all supportive of what he’s positing, but he somehow manages to miss the point that means most to business:

Monolithic, top-down, IT-as-bureaucracy approaches are being subverted by recent changes in technology and services, but so too is business in general.

No Borders

I made a mistake this week, or rather a misjudgement. I wrote about a new threat called Goolag, in which a malicious person could use Google to find servers on the Internet that are vulnerable to attack. Those servers are then infected with malicious code that exposes anyone who visits them to compromise. This is how many an innocent person’s computer becomes a spam-bot, remotely controlled by hackers and used to send spam, and sometimes to infect its neighbours as well.

I wrote, “Making simple mistakes is the easiest way to expose yourself to attack…. You won’t be targeted so much as stumbled across.”

Within two days of writing about the issue, an online security blog reported a wave of attacks affecting approximately 200,000 web servers. The single most important part of comedy, as they say, is timing.

This latest wave of attacks is important to us for a couple of reasons: It demonstrates that the democratising effect of information on the Web respects no single set of ethics or morality. The very same information-sharing tools that have so empowered people everywhere are being used by vandals and criminals for their own selfish ends as well.

It also means that there are no safe havens online.

UPDATE: How wrong could I be about the severity of this threat? Very wrong, apparently. I haven't confirmed it yet, but it's hard to imagine how this week's mass server hack could have happened without tools like the one described below. I'll write more about this in this week's column….

Heh, cute:

Cult of the Dead Cow Announces Goolag Vulnerability Search Engine.

Once you get past the Chinese porn silliness, there’s a real story here:

Google’s effectiveness as a search engine also makes it an effective… well, search engine. Common website weaknesses are exposed by search engines such as Google, and anyone can access them by using specially crafted queries that take advantage of Google’s advanced searching capabilities. As the cDc press release indicates, there are approximately 1500 such searches published and readily accessible on the Internet. And now the cDc has built a(n a)cutely satirical web front end and is offering a downloadable desktop search application for Windows, giving script kiddies the world over something else to do with their time.

What effect has this had on website security? It’s difficult to tell. The principle of using Google as a scanning tool has been common knowledge since at least 2006, but according to Zone-H, who record large numbers of website defacements every year, the only significant increase in website attacks since then was the result of an online gang war between various Russian criminal factions, back in 2006. Ignoring that anomalous rise in activity, the rate of attack actually fell slightly in 2007 compared to recent years, relative to the number of active websites.

Zone-H’s latest report proves only that the percentage of insecurely configured websites scales on a roughly linear basis with the number of available websites, and that the choice of technology has almost no bearing on the likelihood of a successful attack. Indeed, most exploits are simple attacks on inherent weaknesses: guessing admin passwords or copying them when they’re sent in cleartext, misconfigured shares and unsafe, unpatched applications. Attacks requiring any amount of individual effort are not very common at all. Man-in-the-middle attacks rated only fifth place in the list of common exploits, representing only 12% of that total. But researchers have elsewhere noted that cross-site-scripting attacks are on the rise, and are being used mostly by spammers to increase the size of their bot nets.

The lesson here is fairly obvious: Making simple mistakes is the easiest way to expose yourself to attack. And search tools like Goolag make finding those mistakes remarkably easy. You won’t be targeted so much as stumbled across. Given the recent rise in the number of websites being used to inject malicious software into people’s computers, spammers and other online criminals appear to have a strong incentive to use even the less popular websites to ply their trade.

Your choice of technology won’t save you, either. Most popular web servers are fairly secure these days and though not all server operating systems are created equal, the big ones have improved markedly. But the same cannot be said of the applications and frameworks that run on them. The old adage that ease of use is universal still applies. When you make things easy for yourself and your users, you are liable to make things easy for other, less welcome guests as well.

The lesson for the average website owner: Do the simple things well. Don’t waste your time trying to imagine how some intrepid cyber-ninja is going to magically fly across your digital alligator moat. Just make sure your systems are well-chosen and properly patched, pay attention to access control and treat authentication seriously. Statistically, at least, this will drop your chances of being Pwned to nearly nil, or close enough as makes no never mind.

Splash and Ripple

Drop a stone in the middle of the pool. Watch its ripples spread wider and wider across the surface. Inevitably – sometimes sooner than later – the ripples mingle and apparently disappear among the others. Cause and effect: A simple action creates immeasurable, unpredictable and unforeseeable results.

Among development professionals, this provokes roughly equal amounts of fascination and frustration. Fascination, because anyone with a mote of interest and natural curiosity is quickly engrossed by the flow of events as human cultures mingle and change. Frustration, because at some point it will be necessary to say to a donor, ‘Your money will have exactly this effect.’

And that will be a lie, of sorts.

