Thursday, July 31, 2008

What is U-Haul up to?

I moved - a pain, but not really blog-worthy. Except: I rented a U-Haul truck to carry our belongings across town. One of the big ones, fun to drive, gets 7mpg if going downhill with a tail wind.

There was this mystery box on the side of the cab, below the dash, just next to my left calf. It had a digital readout, two LED digits, that perhaps were tracking time; they went from 70 to 74 while I was using it. I'm remembering vague stories about rental car companies charging a fortune because their secret GPS tracked the guy going 80 mph (which is a little amazing itself; my GPS once tracked me doing 150 mph even though I was doing about 60), so I watched my speed.

I asked the guy when I returned it: "So... what's that little box there with the readout?" "Oh, it's for the brakes... you know... the brakes on these big trucks." I replied, "Yes, I know about air brakes, but what's that box *for*?" He's kind of blustery: "It's the brakes, you know... These big truck brakes..." I didn't question further.

I'm pretty sure it isn't for the brakes: it's an add-on box, and brakes are pretty integral. Plus, I don't think a gradually increasing pressure from 70 to 74 would be a good sign.

The question is: what is it? What sneaky data is U-Haul capturing?

And as long as we're on this subject, did you ever notice that Nickelback's song "Leader of Men", when played on the radio, leaves out the half verse that states "Turn your television off, and I will sing a song, and if you happen to have the urge, well you can sing along"? It's a conspiracy between the music industry and U-Haul, I tell ya....

I'm going to go make a tin foil hat now.

Wednesday, February 13, 2008

An honest mistake?

I was watching the City Council on television one night, and they were dealing with restaurant owners who had failed the City's sting operation and served alcohol to a minor. One owner's defense - "It was an honest mistake" - was ignored (and probably correctly so).

But something happened recently that made me realize there are errors and there are errors, and perhaps an honest mistake is different than intentional malice.

Suppose we are managing a database of CDs, just a listing of CDs, their artists, titles and track names. Input comes from the community at large. Someone puts a new CD in their computer, it looks it up in the online database (via the Internet), and if it isn't found, they type in the info and it is submitted.

Suppose that instead of typing "The White Stripes", they enter "The White Stirpes". Or suppose that instead of entering all the track info carefully, they enter the first one, then get bored and then enter "track 2", "track 3", ... or worse, "asdf", "lkjh", ...

If the database is smart, it will recognize that "The White Stripes" and "The White Stirpes" are the same artist. And by carefully culling data from the online community, it can recognize that "The White Stripes" is correct, and "The White Stirpes" is a misspelling. Anyone else asking for info about "The White Stirpes" will then receive information about "The White Stripes", which is almost certainly what they want. (Yes, it's possible that Weird Al Yankovic will form a new band called "The White Stirpes".) This kind of error provides valuable information to the database.

But "track 2", "track 3" or "asdf", "lkjh" are not as valuable. "Track 2" is recognizable as filler, but random characters aren't. Neither provides the same information that an "honest" misspelling does.
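A sketch of the distinction drawn above, as an added example that is not from the original post: submissions are clustered by string similarity and the most-submitted spelling wins, while filler such as "track 2" is caught by pattern and a lone random string never gathers support. The similarity threshold, the function names and the sample submissions are assumptions constructed for illustration.

```python
import re
from collections import Counter
from difflib import SequenceMatcher

FILLER = re.compile(r"^\s*track\s*\d+\s*$", re.IGNORECASE)  # "track 2", "Track 03"


def similar(a, b, threshold=0.85):
    """True when two spellings are close enough to be one name (assumed cutoff)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold


def canonicalize(submissions, threshold=0.85):
    """Map every submitted spelling to the most-submitted spelling in its cluster."""
    counts = Counter(s.strip() for s in submissions)
    heads, canon = [], {}
    for name, _ in counts.most_common():  # popular spellings become cluster heads
        head = next((h for h in heads if similar(name, h, threshold)), None)
        if head is None:
            heads.append(name)
            head = name
        canon[name] = head
    return canon, counts


def classify(entry, canon, counts):
    """Label one entry: filler, misspelling, canonical or unconfirmed."""
    entry = entry.strip()
    if FILLER.match(entry):
        return "filler"
    head = canon.get(entry, entry)
    if head != entry:
        return "misspelling"
    # Total number of submissions that ended up in this entry's cluster.
    support = sum(n for name, n in counts.items() if canon[name] == head)
    return "canonical" if support > 1 else "unconfirmed"


# Constructed sample: five correct submissions, one typo, one keyboard mash.
SAMPLE = ["The White Stripes"] * 5 + ["The White Stirpes", "asdf"]
CANON, COUNTS = canonicalize(SAMPLE)

if __name__ == "__main__":
    for entry in ["The White Stripes", "The White Stirpes", "asdf", "track 2"]:
        print(f"{entry!r:22} -> {classify(entry, CANON, COUNTS)}")
```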

In this case, honest mistakes are far better than intentional malice (well, intentional laziness).

Any other cases? Counterexamples?

Thursday, January 10, 2008

Spam from Coffee shops?

Bruce Schneier, one of my heroes, wrote that he runs an open WiFi at his home. One of his reasons was:
"I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house."

I run my own mail server at home, and originally configured it to accept the STARTTLS command. Running an open relay is a no-no, and so unless you have authentication credentials, connecting to my server from outside will only allow local delivery. With the credentials, you can send mail to anywhere.

One day soon after configuring this, I was sitting in a local coffee shop (I think it was Caribou, but I am not sure), sending an e-mail and got a strange error message: it didn't recognize the STARTTLS command. After a few minutes of head scratching trying to understand why my server wasn't recognizing it, I realized that I wasn't connecting to my home server. The coffee shop wireless (on top of their auto-sign-in process) was stealing all port 25 traffic and feeding it to their own server. I'm just guessing, but I'd bet a lot that this is to prevent someone from walking in, grabbing a delicious cup of coffee and a scone, and sending a few thousand e-mails saying "Dearest one, I am a 200 year old senile senior citizen who wants to give you a 25,123,999 (twenty five million, one hundred twenty three thousand, nine hundred ninety nine) U. S. Dollars".

I began running a second mail server on a different port, and now it works fine. Port 25 is still for anyone sending me mail (including, unfortunately, spammers) and the other port is for me when I'm away from home.

One of the reasons I set up my own mail server was security: checking e-mail is done via secure IMAP, sending is done via encrypted SMTP, and theoretically, I can send myself a message and later read it, from anywhere in the world, securely. I don't have anything that really requires that much security, but it's cool to have it.

And yet, it's not perfect. A coffee shop/hot spot could run a man-in-the-middle attack by carefully watching my outgoing traffic, and if I'm not careful about certificates, they've got me. I'm not sure why they'd want to, but it's possible.
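One way to make the mail client fail closed in both situations described above (a server that does not offer STARTTLS, and a man-in-the-middle whose certificate does not verify), as an added example that is not the author's own configuration. `open_submission`, `InterceptionSuspected` and `FakeProxy` are hypothetical names, and `FakeProxy` is a constructed stand-in for the coffee-shop server so the behaviour can be exercised offline.

```python
import smtplib
import ssl


class InterceptionSuspected(Exception):
    """The server we reached does not look like our own submission server."""


def strict_context():
    # The default context verifies the certificate chain and the hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_submission(host, port, user, password, smtp_factory=smtplib.SMTP):
    """Return an authenticated connection, or raise before credentials are sent."""
    conn = smtp_factory(host, port, timeout=10)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            # What the post describes: the answering server lacks STARTTLS.
            raise InterceptionSuspected(f"{host}:{port} does not offer STARTTLS")
        # Raises ssl.SSLCertVerificationError when the certificate does not
        # chain to a trusted CA or does not match `host`.
        conn.starttls(context=strict_context())
        conn.ehlo()  # capabilities must be re-read inside the TLS session
        conn.login(user, password)
        return conn
    except Exception:
        conn.close()
        raise


class FakeProxy:
    """Constructed stand-in for an intercepting server without STARTTLS."""
    def __init__(self, host, port, timeout=None):
        self.login_called = False
        self.closed = False
    def ehlo(self):
        return (250, b"proxy.example\nSIZE 10240000\n8BITMIME")
    def has_extn(self, name):
        return name.lower() in ("size", "8bitmime")
    def login(self, user, password):
        self.login_called = True
    def close(self):
        self.closed = True
```

Passing `smtp_factory=FakeProxy` raises `InterceptionSuspected` without `login` ever being called; with the default factory the same code talks to a real server on whatever alternate port it listens on.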