Archive for October 2006

PrivacyGuard, example of privacy hell

Just the other day I found a letter from my bank regarding a new company they’ve partnered with, PrivacyGuard.

As I see it, PrivacyGuard is a prime example of the misplacement of liability when it comes to information gathered by companies that I somehow interact with. They are, for a monthly fee of £6.99 (I get the first month for free), selling access to my Credit Report. This Credit Report is what financial institutions base their decisions on, e.g. when you apply for a new credit card.

Once you know what’s on your Credit Report, PrivacyGuard(TM) keeps you in control of verifying the accuracy of your records. You could correct any discrepancies, before they prevent you from getting credit.

They are using the general fear of “identity theft” to try to sell this “service”:

Every year thousands of individuals fall prey to credit fraud, and a growing number to identity fraud.

So, to sum it up: some company is collecting this information about me and selling it to financial institutions, and then I have to pay to get access to the information in order to verify and update it.

Should I really have to pay to increase the value of their product?

In a sane world I’d be paid to offer this service to them!

The only reason PrivacyGuard exists is because I’m the only one suffering if the data in the Credit Report is incorrect or if someone defrauds me. The company collecting the information doesn’t suffer at all, and the company that allows the fraud to occur suffers only marginally. Clearly a case of misplaced liability!

How to make sure corporate users choose bad passwords

Here’s a sure-fire way to make sure users choose bad passwords:

  • Force passwords to have a minimum length.
  • Come up with some arbitrary rules regarding “complexity” of the password. E.g. that it contains at least one upper-case character and one digit.
  • Keep a history of passwords. Make it huge, say at least 20.
  • Force users to change passwords every 3 months.
  • Prevent users from changing passwords for a number of days after a change. 5 days is good; it translates to a full week in most cases, plenty of time for the user to forget the password.
  • Make sure that you hire only lazy people for the corporate helpdesk. “Lazy” in this case means that they invariably choose passwords like Acme123i[1] when your users call in saying that they’ve forgotten the password they chose yesterday.
  • Layer this on top of a centralised user database like Active Directory to make it really difficult for your lazy helpdesk personnel to temporarily change the no-change-in-5-days rule for a specific user.

[1] Change Acme to whatever company you work for.
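To make the point concrete, here is the policy from the list above written out as a shell function, together with the helpdesk's "bump the number" habit. This is an added example, not code from the original post: the company name "Acme", the 20-entry history and the 5-day and 3-month windows are the post's own numbers; the 8-character minimum and the sample history are assumptions made here. The policy accepts every increment of Acme123i while rejecting a long all-lower-case passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: the rules in the list above as a
# shell function, plus the helpdesk's "bump the number" habit, to show that
# the policy accepts the predictable result every time.  The company name,
# the 20-entry history and the 5-day and 3-month windows are the post's
# numbers; the 8-character minimum and the sample history are assumptions.

MIN_LENGTH=8       # assumed; the post only says "a minimum length"
MIN_AGE_DAYS=5     # no change allowed for 5 days after a change
MAX_AGE_DAYS=90    # forced change every 3 months
# Constructed history of the user's last 20 passwords, oldest first.
HISTORY="Acme103i Acme104i Acme105i Acme106i Acme107i Acme108i Acme109i Acme110i
Acme111i Acme112i Acme113i Acme114i Acme115i Acme116i Acme117i Acme118i
Acme119i Acme120i Acme121i Acme122i"

# policy_check CANDIDATE DAYS_SINCE_LAST_CHANGE
# Prints "ok" or the name of the first rule that rejects the candidate.
policy_check() {
    pw=$1
    age=$2
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then echo too-short; return 1; fi
    printf '%s\n' "$pw" | grep -q '[[:upper:]]' || { echo no-uppercase; return 1; }
    printf '%s\n' "$pw" | grep -q '[[:digit:]]' || { echo no-digit; return 1; }
    if [ "$age" -lt "$MIN_AGE_DAYS" ]; then echo changed-too-recently; return 1; fi
    for old in $HISTORY; do
        if [ "$old" = "$pw" ]; then echo in-history; return 1; fi
    done
    echo ok
}

# must_change DAYS_SINCE_LAST_CHANGE -> true when the forced rotation is due.
must_change() { [ "$1" -ge "$MAX_AGE_DAYS" ]; }

# What the lazy helpdesk does: keep the prefix and suffix, add one to the
# number.  "Acme122i" becomes "Acme123i", which is not in the history, has an
# upper-case letter and a digit, and is long enough, so policy_check says ok.
next_helpdesk_password() {
    prefix=${1%%[0-9]*}        # "Acme"
    rest=${1#"$prefix"}        # "122i"
    num=${rest%%[!0-9]*}       # "122"
    suffix=${rest#"$num"}      # "i"
    echo "${prefix}$((num + 1))${suffix}"
}

# Ninety days in: the user must change, the helpdesk bumps the number,
# the policy waves it through.
policy_check "$(next_helpdesk_password Acme122i)" 90     # prints ok
```

Every rule in the list is satisfied by the one password an attacker would guess first; the rules measure shape, not guessability.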

Replacing Google with Scroogle

I’m not entirely convinced about Google’s evilness but I spent some time checking out Scroogle anyway. It is a bit difficult to use Scroogle as the default search engine in a browser since it uses POST requests in the web form. However, I found AutoPOST (yes, I used Scroogle to find it) and now I have the following bookmark in Epiphany:

http://www.io.com/~jsm/nph-ap.cgi/http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=%s&n=2

Now, some things to ponder for the paranoid out there:

  • Is Scroogle not evil? Does it log your IP?
  • What logging does AutoPOST do?

[Edited 06-10-2006 17:46 BST] It turns out Scroogle already offers this.

One-track thinking (unlocking root)

It seems I never quite learn. I like a clean system, so when I get a chance I remove unused packages. This practice has gotten me in trouble before. It got me in trouble again just the other day.

My now second machine used to be my primary. When it was demoted I left GNOME installed on it since you never know when it might come in handy. Over the last few months I’ve had no use for a GUI on it at all, so last Friday I decided to remove GNOME. That got me in trouble because sudo is installed as a dependency of GNOME, and it’s marked “automatic” in aptitude. Couple that with my habit of locking the root account and I ended up with a system that I don’t have full access to anymore. Not good!

My immediate thought was to boot a live CD, chroot to the root filesystem of the installed system and unlock the root password. Except the damn box refused to boot from CD. I tried all my live and install CDs, Ubuntu (Breezy and Dapper), Knoppix, STD, Debian install (Woody and Sarge). Nothing worked.

A short search later I found muLinux, a one-floppy live system that on paper seemed capable of doing what I needed. Now I had another problem: where do I get a floppy nowadays? The system admins downstairs had one they could spare. Good! Next problem—where to find a machine with a floppy drive that I can use to create the floppy?

That’s when it hit me. This plan wasn’t the best one, it just happened to be the first one that popped into my mind. I had been too focused on my first idea to take the time to stop and think of other ways of getting my root account back.

In the end I didn’t need a live CD or floppy; I could just use the system already present on the box:

  1. Boot straight into bash by appending init=/bin/bash to the kernel line in GRUB
  2. Remount the root filesystem read-write: mount -o remount,rw /
  3. Unlock the account: passwd -u root
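One check worth doing before step 3, as an added example that is not part of the original post: passwd -u only removes the “!” that passwd -l put in front of an existing hash. If root’s password field in /etc/shadow is just “!” or “*”, there is no hash to restore and you need passwd root to set a new one instead. The shadow entries below are constructed samples with placeholder hashes; the recovery function wraps the three steps above and remounts the root filesystem read-only again afterwards.

```shell
#!/bin/sh
# Added example, not from the original post.  Before running "passwd -u root"
# from an init=/bin/bash shell, look at root's shadow(5) entry: "passwd -u"
# only removes the "!" that "passwd -l" put in front of an existing hash.
# If the field is just "!" or "*" there is no hash to restore and you have to
# set a new password instead.

# Constructed sample entries; the hashes are placeholders, not real ones.
ROOT_LOCKED='root:!$1$saltsalt$placeholderhashxxxxxxx:13400:0:99999:7:::'
ROOT_OPEN='root:$1$saltsalt$placeholderhashxxxxxxx:13400:0:99999:7:::'
ROOT_STAR='root:*:13400:0:99999:7:::'
ROOT_BANG='root:!:13400:0:99999:7:::'

# shadow_state SHADOW_LINE -> prints one of:
#   locked-with-hash  "passwd -u root" will restore the previous password
#   open              nothing is locked
#   no-password       only "!" or "*": "passwd -u" cannot help, run "passwd root"
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'!'|'*'|'!*'|'!!') echo no-password ;;
        '!'*)                 echo locked-with-hash ;;
        *)                    echo open ;;
    esac
}

# The post's three steps with the state check in front and the root
# filesystem put back to read-only afterwards.  Run this only from the
# rescue shell; it is not exercised by the sample data above.
unlock_root() {
    state=$(shadow_state "$(grep '^root:' /etc/shadow)")
    mount -o remount,rw / || return 1
    case "$state" in
        locked-with-hash) passwd -u root ;;
        no-password)      passwd root ;;            # prompts for a new password
        open)             echo "root is not locked" ;;
    esac
    sync
    mount -o remount,ro /
}
```

To stop aptitude from taking sudo away again the next time a big package goes, mark it as manually installed: aptitude unmarkauto sudo. And the same trick read from the other side is the reason GRUB has a password option: anyone who can edit the kernel line at the console has root on the box.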

On being tech support…

Martin forgets one important thing, my being a computer professional doesn’t mean I can fix every computer in the world.

On ATM hack…

Everyone was talking about tricking an ATM into believing $20 bills were $5 bills. There’s even a clip from CNN on YouTube. But why isn’t anyone pointing out what a bad idea it is to make maintenance functionality fully available via the same UI that customers use?

Why is it so difficult to stick to iso-8859-1?

I guess I’m being pedantic but this is starting to irritate me. For all you people who create web content out there: iso-8859-1 is not equal to windows-1252!

I’m increasingly coming across pages where this is an issue. It seems most browsers (IE, Firefox, possibly Opera too) treat iso-8859-1 as windows-1252, which means most users don’t have to deal with pages like this. I can’t understand why FLOSS people can’t get it right, and it’s downright embarrassing when Debian-related sites get it wrong ;-)
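The two encodings agree on every byte except 0x80–0x9F: iso-8859-1 maps that range to the C1 control characters, windows-1252 maps it to curly quotes, the euro sign and so on. So a page that declares iso-8859-1 yet contains any byte in that range was almost certainly written in windows-1252. The following is an added example, not from the original post, that counts such bytes in a file and flags the mismatch; the sample file is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post.  ISO-8859-1 and windows-1252
# differ only in bytes 0x80-0x9F (C1 controls in the former, printable
# characters such as curly quotes and the euro sign in the latter), so the
# presence of such bytes in a page labelled iso-8859-1 is the tell.

# c1_count FILE -> number of bytes in 0x80-0x9F.  Never fails, because
# "grep -c" returns 1 when the count is zero.
c1_count() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n\n' | grep -c -E '^[89][0-9a-f]$' || true
}

# check_charset DECLARED FILE -> "ok", "mislabelled" or "unknown".
# The declared name is normalised so iso-8859-1, ISO8859-1 and latin1 match.
check_charset() {
    declared=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '_-')
    case "$declared" in
        iso88591|latin1)
            if [ "$(c1_count "$2")" -gt 0 ]; then echo mislabelled; else echo ok; fi ;;
        windows1252|cp1252)
            echo ok ;;
        *)
            echo unknown ;;
    esac
}

# Constructed sample: "Hello" in windows-1252 curly quotes (0x93, 0x94) and a
# euro sign (0x80).  Under iso-8859-1 those three bytes are control codes.
write_sample() { printf '\223Hello\224 and a euro sign: \200\n' > "$1"; }
```

Usage: write_sample page.html; check_charset "$(declared charset from the meta tag)" page.html. Browsers hide the mistake by decoding iso-8859-1 as windows-1252; anything that honours the label, a validator, a converter, a non-browser client, shows control characters where the quotes should be.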