Jonathan's blog

A friend of mine spotted that his bank claims to use “the highest security available” when actually they use ARC4 and 1024 bit RSA. He sent them this:

Dear HBOS security

I have recently received the below message in regard to your paper-free service. While the message was genuinely sent by yourselves, I do take issue (and most strongly so) with the statement that “You can access our paper-free service safe in the knowledge that it uses the highest level of security available.” In fact, your SSL security is bordering on outmoded; if you took security seriously then you would certainly use 128- or 256-bit AES (rather than ARC4) and 2048- or 4096-bit (rather than 1024-bit) RSA. I very much hope you already know that NIST will consider 1024-bit RSA (equivalent to an 80-bit symmetric key in terms of the effort required to break it) officially obsolete as of 2010, so I would certainly have expected that you would transition to 2048-bit or longer RSA keys by now, although I still hold out hope that you will finally do this before the new year is upon us. Until then, I would suggest that you do not allow misleading statements such as the below to be issued as regards your security provisions.

Yours faithfully
B S T

Having received no response after several weeks, he then sent them this:

Dear HBOS security

Since I sent the below message over a month ago, I have received no response but for an automated acknowledgement which has not been followed up. However, I have received another message seeking once again to inform me that you supposedly use the highest level of security available. With 2010 almost upon us, and with Christmas cheer in my heart, I decided to give you the benefit of the doubt and check to see if, in fact, you have at last dragged yourselves into the 21st Century as far as encryption algorithms are concerned. It was with disappointment, then, albeit little surprise, that I found no change since I had sent the previous e-mail. It is pertinent, although perhaps somewhat ironic, that even the Web-based interface through which I write this message is served along with DHE-RSA-AES256-SHA encryption.

Perhaps it was not clear enough to you lackwits the last time, but a viable security policy consists in practice of more than simply claiming that something is highly secure and hoping that nobody will notice otherwise. On the other hand, perhaps I should not have such high expectations of the competence of a bank that invested heavily in US mortgage-backed securities, which anyone with an ounce of common sense could see had been vastly overvalued due to a financial mania, and failed to make a sufficiently early exit from this market, with clearly disastrous consequences suffered as a result. If you insist on continuing to pursue these games of brinkmanship not only in your financial dealings (alas, supposedly your primary competency) but also in respect of basic consumer protection such as website security, then perhaps I shall be better off to take advantage of the recent market corrections to withdraw all but a nominal sum from my current account and make sounder investments by acquiring additional gold, silver, and foreign currency instead.

Yours, with much disdain
B S T

He has yet to receive a response, but we shall see what they say in the end.

As someone who frequently makes online purchases, I am a frequent user of courier services. But on this occasion, the seller that I bought from used a courier that I haven’t experienced before – Interlink Express. And I have to say, they’ve done everything right. I am impressed by their level of service, and I think other couriers should follow suit. It’s not exactly rocket science – it’s taking care of the little things.

Firstly, they sent me an email the day before my parcel was due to arrive. This is really handy, as it gives me time to make arrangements to be at home – rather than the usual scenario where it turns up without warning and oh – I’m at work. Commence long drive at inconvenient time to wherever their depot is.

They also sent me an email on the day to let me know the parcel was on the van.

I was also impressed by their online order tracking. It seems to me that most couriers who offer this service have very vague entries such as “Dispatched” and nobody is quite sure what this means. They also never seem to update their status. City Link are pretty bad at this – once I received a parcel from them and for days afterwards it still claimed it was on the van.

Interlink Express provide detailed information on their tracking page and seems to be updated promptly. Of course there’s no excuse for it not to be, in the age of barcodes, databases and PDAs. But it makes a nice change nonetheless.

Here’s what their tracking page says about my order:

When it arrived, I was asked to sign on a touchscreen PDA, and was delighted to find that within a couple of minutes the tracking information had been updated. This is how it’s supposed to work

I was musing today about the lifetime of my data, and what might happen to it after I die. I’m a jolly character, aren’t I?

But there are two questions here. First there’s the question of my private data – e.g. online banking stuff and other personal documents that I want to keep to myself for now, but may well have to be released to the executor of my will or whatever.

Then there’s the question of the data I’d love to share. For example my photographs and musical recordings – I’d like to think that they will persist long after I’ve gone. Maybe even wind up in a futuristic museum so people can marvel at how we used to live. Perhaps.

Private data

If I died tomorrow, would my family be able to get at my private files? It’s a bit more involved than looking in a box-file on top of my wardrobe. Nobody has an account on my home server and PC except me, and nobody else knows my root password (I hope).

But I don’t want to give anyone access to my data today. I don’t want to create accounts for other people that can access my stuff, and I don’t want to tell anyone my password. Can you imagine telling somebody all your passwords and saying they weren’t allowed to use them until your death?

That’s not to say that my data is totally inaccessible. My disks are not encrypted so booting from a live CD would be an easy way to read the data without having to log on as me. This would be an easy job for most of my geeky friends, but I don’t think my parents, brothers or girlfriend would be able to do it. Would my next-of-kin have the initiative to ask one of my colleagues or friends to “hack” my systems in the event of my untimely death?

I expect if the circumstances of my death were suspicious, police would confiscate my computers anyway and examine them. A police computer expert would have no problem in extracting the data, but whether or not they would hand it over to my family is a different question.

Of course for accounts I hold with third parties, such as online banking, email companies and of course my employers, it is usually possible to present a death certificate and the account will be opened for the executor.^{[1, 2]} But this doesn’t apply to my systems.

The flip-side of allowing access to my data is that the executor or next-of-kin gets access to all of my data. After I die, I may well be happy for the executor of the will to browse my financial and legal documents, but what if I don’t want him or her to know about my plans to take over the world, or my illegal downloads? What if I have some embarrassing secrets that I don’t want my family to find out about?

The only two approaches here are to specify in my will which files should be deleted and which should be kept^[3], or to encrypt everything that I do not wish to be read. Bear in mind that if you wish to make the encryption effective, you will also need to encrypt the backups.

Maybe the best idea would be to write down my password and some brief instructions for accessing my data if necessary, and then seal this in an envelope to be kept in a safe place with my will. Anything I don’t want seen, ever, can be encrypted. Then it should be straightforward for the relevant people to get access to my private documents, with minimal risk of abuse.

Public data

As I touched upon in the introduction, the second section is to do with the longevity of my created data. A large part of this is to do with choosing an appropriate format, and ensuring that the format stays current.

For example, my photos are currently stored on a hard disk, formatted with the ext4 filesystem, and saved as TIFF images. They are backed up, but that’s mainly irrelevant here. The point is that I don’t expect my hard disks to still be working in ten years’ time, and there’s a fair chance that today’s popular filesystems won’t be in widespread use after a decade either.

While I’m alive, it’s easy for me to move my things around. Let’s suppose next year hard disks start to become obsolete and a new type of memory card becomes commonplace. It will be easy for me to copy my photos from my hard disk onto this new memory card. I can also convert my images from their TIFF format to tomorrow’s shiny new format if necessary.

But who will do this after I’m dead?

It was easy for me. After my grandad died, I inherited a box of 35mm slides, as well as some 35mm negatives and some 6″×4″ prints. Things you can see with your eyes don’t tend to go obsolete in a decade. Provided I look after these physical photos and protect them from heat, light and moisture, they are likely to last for decades or centuries.

I’ve also scanned them in and archived them on disk – where they are safe from paper-curling humidity, but still prone to obsolescence as I mentioned above.

So long as I have backups and I keep with the times and convert my photos to whatever format is appropriate and save them on whatever media is current, I can’t see a problem. I could even make prints of all my photos and store them securely.

The snag comes when I die, and I will have to entrust my photos to a descendant. Hopefully they will treasure the photos and look after them, as I am doing with my late grandfather’s work – but there’s no guarantee. If I didn’t have an interest in photography myself, it’s entirely plausible that I might have declined my grandad’s slides.

It seems here that the best approach is to preserve my data while I’m still alive and kicking, and make it known to my family that I wish my photos to be looked after when I’m gone. Hopefully they will take heed!

Perhaps undermining the tone of this whole article, I might add that I’ll be dead so why should I care!

References

1. https://windowslivehelp.com/community/t/150085.aspx
2. http://www.news.com.au/technology/story/0,28348,26303927-5014239,00.html
3. Maybe this could be automated, and my will could specify the path to a script that deletes some things and preserves others.

I was flicking through the user manual for my 1981 Canon AE-1 Program. Some of the pages are illustrated with sketches of two characters–a man and a woman–having discussions. In every case, the “stupid” woman is confused, has made a mistake, or doesn’t know what to do.

Her hero, a dashing young man, always comes up with the answer.

What's a woman to do?

I don’t know about you, but I’m glad that today’s user manuals have simple labelled diagrams and bulleted lists of instructions.

I have a secondary current account with Halifax, which I use for paying bills and rent.Today I received a letter from them. Here’s an extract:

From 6th December 2009 we’ll no longer be paying the 0.1% AER/gross interest we pay you on the balance in your account, or charging you debit interest on any overdraft you use. Instead, we’re introducing new, simple and easy-to-manage overdraft fees.

• If you use an arranged overdraft up to £2,500, we’ll charge you £1 a day
• If you use an arranged overdraft over £2,500, we’ll charge you £2 a day
• If you use an unarranged overdraft, we’ll charge you £5 a day
• We won’t charge you any interest on an overdraft, whether it’s arranged or unarranged.

I’m no financial expert and I’m sure Halifax have their reasons for implementing this policy. But to your man off the street, the expected way that banking works is quite simple.

• You are rewarded for saving with a bank
• You are penalised for borrowing from a bank

By these rules, it seems that Halifax have increased their penalties and totally stopped their reward. So there is now no incentive to have a current account with Halifax. My account is almost never in overdraft but I don’t wish to be charged £5 every time my broadband company sends a larger-than-expected bill. I also don’t wish to go without my 0.1% interest, as a matter of principle.

Surely they realise that people will flock away from such a proposal? I for one plan to close my account immediately and move it to a different bank. No doubt a run on the bank will cause them to collapse, and demand a bail-out from the government, but oh well.

They are always talking about information overload when working in IT.

So imagine the explosion that nearly occurred in my head when I took a break from writing perl, stepped out of my office, and saw this…

Too many signs

The Post Office really is an inconvenient organisation.

Last night I sold two items on eBay and consequently had two (fairly large) parcels to post. This was around 9pm so I put the parcels to one side, and decided to post them on my way to work in the morning – pushing my bike and carrying the parcels to the post office on Lodge Causeway – around half a mile away from my home.

When I got there, the post office was shut and there was no visible sign with the opening hours, because the shutters were opaque. Useless.

I didn’t know the whereabouts of any other post offices in the area, so I decided to proceed onwards on my bike, and post the parcels in Broadmead – which is on my route to work, although around 5 miles away.

So I cycled cautiously and slowly, and eventually arrived at Broadmead, thankfully not having dropped either of the parcels. I got to the post office around 9am, but according to the sign, it doesn’t open until 9:30am. Useless!

Of course these post offices both shut at the end of the working day too, so I have no way of posting anything unless I take time out of my working day – and since the Queens Road post office was closed last year, that involves a decent walk from my office. It also means taking all my parcels to work in the first place.

And while I’m on the topic, how about the opening hours of the Royal Mail parcel collection depots? Usually something like 8am until 12 noon. How come these open so early? Why can’t they open normal post offices at this time?

Why can’t they have any services open in the evening, when people actually want to use them? Because they’re useless.

</rant>

One thing that often annoys me, particularly in my line of work in IT is the frequent muddling-up of the words deprecated and depreciated.

According to Wiktionary…

Depreciate

Verb

1. (intransitive) To reduce in value over time.
2. (transitive) To belittle

Deprecate

Verb

1. (formal) to express disapproval of.
2. (computing) to recommend against use of.
3. (archaic) to pray against.

So when a module or feature of a computer program is outdated and has been replaced by a new one, it is deprecated.