Chris Blanc: Play and Projects: Blog
Archive for the ‘Computer Security’ Category
Thursday, July 21st, 2011
This is a slightly older interview (2008) that I was able to retrieve from the shattered remains of the mailbox I used during that year; the host got taken out by a configuration error, and it was some time before I was able to fix it and point the mail stream to the right location.
Matt Colebourne, CEO of CoComment, a leading company in outsourced discussion management for blogs and content management systems, gave a few answers on how anonymity on the web is obsolete — but how that’s not a bad thing. In fact, it could be the beginnings of something grand.
Take some time to check out his service at www.coComment.com and enjoy the interview.
Anonymity is necessary for certain types of communication, like whistleblowing, but it can also have its downside. In your view, what is that downside?
The downside is that it is hard to assess the credibility of an anonymous commenter. One way to remedy that is for the commenter to build a body of comments that allows others to determine how much weight to give their comments. However, the commenter who is prepared to back up their comment by coming forward and identifying themselves is still more likely to command attention.
Do you think that ISPs, webhosts and web sites will be held responsible for the comments of their users, and have they been already? How do we differentiate between users and casual commenters, as happen on many blogs?
In some jurisdictions, the UK for example, this has already occurred. This is actually one of our pitch points; by using a third party commenting solution like coComment we are then able to indemnify a site because we are a service rather than a publisher. The law in most countries differentiates between a service provider and a publisher with the former being held to removing comments only after the fact and only becoming liable in the event that libelous ones are not removed. Comments are not like ‘letters to the editor’ and should not be treated as such legally.
I don’t really see why one would want to differentiate between users and casual commenters from a legalistic perspective; it doesn’t really change the position in that respect.
What open source software does your business use, and what have the advantages been to using it? The disadvantages?
We are a big Linux, Java and Python user. The big advantages are that when problems are encountered there is a lot of readily available advice and support and people are prepared to share. We’ve also had keen users actually suggest improved coding to meet specific needs or to make the product work on particular sites. The disadvantages … well, very little that we’ve encountered so I’d have to consider those as more theoretical.
On open comment sites, a signal/noise problem emerges where for every informative bit of information published, a long series of flame wars and bickering comments follow. Does your service offer a deterrent to this behavior?
Yes and no. Sites can implement moderation and can also create bespoke banned word and phrase libraries that the comment system will block but we frequently advise sites against that because of the risks of then being held accountable for the comments themselves. We prefer to focus on giving the end user the tools to avoid having to read the flame wars which is why we’ve just launched ranking of comments. The idea is that, in future, end users will be able to choose to view only comments from commenters with a reasonable quality rating. If you like, it’s the equivalent to enabling the same behaviour as one would employ in the real world; the ability to ignore the idiot spouting off on a street corner and instead to focus on the quality conversations.
How will coComment make money? Not to ask too crassly “What is your business model?” but what’s the long-term plan, and what indicators do you see that the public is ready for this?
We have a two part business model. The first is from advertisements delivered on our site and on all the windows that are opened in other locations. We are going to, shortly, offer an ad-free service to end users for $5 per annum or $15 in perpetuity. The second business model is selling the research and management of conversations to brand owners. We will be launching that product, coComment Professional, to our beta partners in Q4 and to general release in Q1 09.
What other services involved with user participation do you think businesses will be willing to outsource?
I think that depends on which bit you mean about outsourcing … I think quite a lot of technology will be outsourced because it’s quite specialist, keeps changing and is non-core. However, the issue of interacting with your users is something that can only be outsourced to someone who really understands your brand values and how you want to present yourself to the world. Customers and users want to interact with someone who speaks for the company and can therefore commit to action and can speak with authority.
Do you feel competition from social networking sites, which seek to trap all the user participation they can, and enforce social rules through a lack of anonymity? How do you think the recent Lori Drew case will affect this?
Not at all. We are, in fact, in discussion with several with a view to working with them on the commenting side. I think that they are slowly realizing that whilst the “don’t let them out” mantra is effective in the short term it is far less so long term. Historically, walled gardens usually get demolished sooner or later and businesses which, instead, are open at both ends actually benefit more in the longer term.
In regard to the Lori Drew case, I think it would be unfortunate if this resulted in more legislation. The current law and practice provided enough data to locate the alleged perpetrator and we will see if it is also sufficient to secure a conviction. However, clearly, if it has provided that data and a prosecution is now ongoing it has worked effectively. It comes back to the personal responsibility issue again really; I think we are, and should be, moving to a situation where individuals are responsible for what they say and do online in just the same way as they are offline. Anonymity is important and should be protected but, as soon as you commit an offence, you forgo that right to anonymity. If we, for example, store data about one of our users’ comments we would never seek to associate that with their real-world identity and we have no mechanism to do so. However, most people are aware that it is possible for law enforcement to make such an association and thereby ‘break through’ the anonymity.
Posted in Computer Security | No Comments »
Monday, December 15th, 2008
Hackers have accessed Brazilian government computer systems and helped 107 companies obtain permits that enabled them to fell over £546 million ($833m) worth of timber illegally.
In what has come as a shocking revelation, it appears that hi-tech hackers have played an instrumental role in the illegal deforestation of 1.7 million cubic meters of the Amazon rain forest.
According to reports from environmental organization Greenpeace, the hackers were hired by at least 107 different companies to access and alter timber export records held by the Brazilian government. As a result, it’s estimated that an area of forest the size of 780 Olympic swimming pools has been cleared illegally.
Hacker used to mean someone who pushed technology to do unorthodox things, in the same way that explorer, adventurer, woodsman meant someone who went beyond. Now, it means anyone who uses a computer illegally. The war to define this word is over and the good guys lost.
What this means for all of us is that we have to be aware that computer knowledge, including knowledge of computer security, is commonplace. You can run a powerful UNIX on your desktop computer, as well as many security-related utilities and password smashers. You can even do much of it from a Windows machine, with relatively little knowledge.
In fact, once you’ve mastered the basics of networking, SQL and variable injections, and buffer overflows, you have quite a bit of power. Equipment, operating systems and software are very similar, thanks to the standardization of UNIX and Windows, and the Web causing us all to use similar interfaces and set up networks similarly.
Almost every business needs a web site to serve data, offer clients login privileges, and then check it back in to an internal library that should be kept offline. But as anyone thinking rationally knows, machines that can connect to one another can be used to dominate one another.
For businesses, this is a wake-up call to make computer security part of their daily focus. I would argue that we also need to pay more attention to interface and the cleanliness of our configurations. Busy interfaces distract employees and make them lazy, and sloppy setups from the server room to the locations of files and the logicality of data storage cause people to ignore or miss potential problems.
To computer professionals, I’d say that if you think you’re good, you should realize you’re good in the legal realm as well. I wouldn’t feel well if I had killed acres of rain forest, even if the check was fat. Would you? Especially if you knew it was another 10% of work to get paid legally.
Posted in Computer Security | No Comments »
Friday, March 28th, 2008
What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.
“Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,” Frei said. “Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.”
Apple’s vaunted security originates in two pillars: the UNIX kernel of its operating system, which others coded and tested for 30 years before Apple touched it, and the relative scarcity of Macs. As that second pillar changes, so will the perception of Apple security, especially as we the consumers find that Apple has been relying on this perception to avoid fixing many of the bugs in not only its operating system but its software fundamentals.
In many ways, being smaller and having less public scrutiny gave Apple an advantage when competing with Microsoft. Now that these shields are stripped away, the criticism is mounting. This is the same dilemma that faced open source software developers who steadfastly refused to update some parts of their popular software. They were OK until they hit a tipping point, then suddenly, they faced a howling dervish of complaint.
Miller, best known as one of the researchers who first hacked Apple’s iPhone last year, didn’t take much time. Within 2 minutes, he directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.
In a security contest, the Mac gets pwnt before the PC. However, this had to happen through a browser exploit. What this means is that the basics of both systems are fairly solid. It’s only since 1999 that most Americans have been using always-on connections, which caused the security crisis of botnets and trojan horses to become a serious game, and it’s only since 2004 or so that Microsoft has really faced that howling dervish. They’re starting to get it right.
As with many techno-memes, what people chatter about online is often wrong or gives a skewed view of the reality. People who attempt radical brand loyalty, especially to an underdog company, are damaging to the market because they deny basic facts and so allow them to go unfixed. Whether that company is Apple, Microsoft, or pizza-munching volunteer developers, remains irrelevant.
Posted in Computer Security | No Comments »
Wednesday, February 13th, 2008
The password pressure of modern life means that 61% of us use the same password wherever we can, according to a survey commissioned by digital communications agency @www. In fact, with more than one in 10 people having 50 or more separate online accounts to log into, many are not only using the same password for everything, but also writing all their passwords down in one handy place, such as the noticeboard in their office, a document on their desktop, or a Post-it note stuck to their computer.
The paradox of computer security is that we must consider the human element, which is that although security is a big concern, it’s something people expect to just work. We don’t expect our cars to blow up because we put a lot of effort into engineering them. Similarly, we expect security to “just work” with little investment by us.
However, it does require careful designing to make this happen. One part of careful design is accepting reality as it is. In the case of security, this is that users are forced to know at least a dozen passwords to do the minimum required for having an online presence. It’s no surprise that, after wasting a few hours finding lost passwords with the kind of barely functional features available on most websites, they start using the same password everywhere. I bet the number’s higher than 61%.
As we approach Web3.0 being christened, one idea that’s essential is some digital equivalent of Real ID. I think it should be based on an online identity, not a real-world one, so people can stay hidden if they prefer. It should be relatively centralized, and have an identity that other sites can then associate with internal records. But let’s stop ignoring the elephant, which is that when you require users to have dozens of passwords, they’ll use the same one in multiple places, and eventually this will lead to compromised systems.
“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.
In Hollywood schlockbusters like Live Free or Die Hard, Hackers and Mission Impossible, hackers decide to bust into a major site, so they go attack the mainframe by smashing through routers, firewalls and impossible looking security screens with holographic cryptograms. In real life, hackers work like reporters researching a story. They nibble around the edges, then ask the right questions, then finally stage the big confrontation.
First, you gain entry to a site. Often this is by calling someone up and claiming you’re security and you need their password, or by snooping wi-fi networks for someone who might be using the same password on Yahoo! mail as on his corporate network. Then you get into the network, often through a printer or some simplistic trojan you mail to a secretary. Finally, you compromise the machines around your actual target, so you can hide your traces and fake validation credentials. For the really big hack, the target should never know it was hacked if you’re good, because to it what happened was a normal transaction. Its infrastructure — the hacked network — can be all you need.
So much for the big screen. These common security annoyances are a bigger threat than the media fearmongering. Hacking is a task like any other, and it rewards research and diligence more than the ability to type cryptic commands quickly.
Posted in Computer Security | No Comments »
Monday, January 28th, 2008
Maybe you’ve had the following happen.
Your bank sends you a monthly statement with your full name, including middle initial, visible through the cellophane window.
At your local food club, they hand you a brochure about their internet site, and then say you’ll get your password in an email. If you’re like most people, you then expect them to send other information through email.
If you go to a pay phone, put a handkerchief over it, and phone your recruiter, you can tell them you’re 7-11 and you’re hiring programmers, can you get some background on your-name-here? and get actual information, including an address.
A friend once told me that the problem with humanity is a technological society in which we still have stone-age minds. I think he was being cynical, but the point is that we’re overwhelmed with data.
Businesses shouldn’t expect us to learn a new process for each business. Yes, it’s the bank but we have fifty or so businesses equally important to our daily existence. If each one has its own username, password, web site, and worse, procedure and separate security rules, we don’t have a chance of remembering it.
And if we do, we’ll be losing out on other more interesting things to do with our time.
Businesses need to wake up to the new reality. People are busy and overloaded. They need to make their web interfaces standard, secure, and moron-simple, because even if we’re not morons we’re probably on the phone, thinking about something happening at work, and consoling a bored child as we use that ATM.
If you want people not to get hacked, phished, and ID-thieved, you need to hide their data. You need to standardize your process. You need to test every script on your website for overflows, injections, and cross-context variables. You also need to test the browser technologies that can hijack people’s data.
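The "injections" item above is the one most easily shown in code. The following is an added example, not code from the original post: the same username lookup written once with string concatenation and once with a bound parameter, run against an in-memory SQLite table of constructed rows. The table name, columns and the test inputs are all assumptions made for the example.

```python
"""Added example (not from the original post): an injectable lookup beside
its parameterized form, exercised against constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data in an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # String concatenation: whatever the user typed becomes part of the SQL grammar.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Placeholder binding: the driver passes the input as a value, never as SQL text.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both lookups with a normal input and the textbook tautology input."""
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # constructed test input that closes the quote and adds a tautology
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "hardened_normal": lookup_hardened(conn, normal),
        "hardened_hostile": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the tautology input returns every row in the table; with the bound parameter it matches no username and returns nothing. The fix is the same in every driver and language: never build the statement text from data, bind it.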
But most of all, you need to communicate about security, because only when people are aware of the process and know all of its steps can they spot something that’s out of line.
Posted in Computer Security, Information Technology | No Comments »
Monday, January 7th, 2008
Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle’s database.
He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: “There are approximately 368,000 Microsoft SQL Servers… and about 124,000 Oracle database servers directly accessible on the Internet,” he wrote in his report, due to be made public next week.
In Hollywood, hackers are people motivated by profit to ensnare others through ninja kung-fu style computer trickery that involves lots of fast and furious typing, as if it were military hardware in use through a virtual space that resembles the organic symbolic chaos of a dream more than the related structures of a machine. The machine may appear as chaos to us, but what defines a hacker is being able to decipher that chaos and so manipulate mechanisms behind the scene where others cannot see. It is as if life is a giant stage-piece, and the rest of us are crawling around on the painted skin, but a hacker can get inside and twist the wicker skeleton to create “magic” the rest of us can barely understand.
The movie vision often differs from what you’ll find in your life. Real hacking will probably never sell books or movies, because it’s much more studious and also more boring than that view. Hacking is understanding the machine, and how it functions, entirely independent from what it looks like it is doing. Magicians are visual illusion hackers. Cooks are kitchen chemistry hackers. Psychologists are brain structure hackers. Martial artists are kinetic simian motion hackers. Artists are emotional symbolism hackers.
When the media says hackers, they mean black hat hackers with financial motivation, which usually means other roving digital criminals or no questions asked code warriors for hire.
Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.
“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them.”
After having seen computer crime up close, and investigated instances of it that came out of the blue as far as the users were concerned, I have a different view of this situation than most. I don’t believe black hat hackers are illegal. Like spammers, they are people who choose to live outside of normal life, and they are looking for easy opportunities in almost all cases.
The exceptions are the rare hacks where a specific target is the reason for hire, and the hacker isn’t a free agent as much as a black economy contractor, sort of a digital Blackwater.
Spammers make their money by mailing ten million people with penis enlargement scams so that ten guys in Los Angeles write back with stubby sweaty fingers and get their oblong placebos. Hackers make money by prowling for information people want, which is either monetary information or information that can be monetized like corporate and government secrets.
This means that as long as targets are plentiful, you can harden your business enough to make it a second-tier target, and escape the worst of the mess. This is one fundamental rule of security I have always tried to impart. There is a pyramid of opportunism, with the guys at top having the fewest hacks because they’ve made it the hardest, and the guys at bottom getting hacked frequently because they do what everyone else does, which is mediocre.
Seventy-five per cent of companies listed human error as the leading cause of security failures such as breakdowns and systems outages. Forty-eight per cent also cited operations and technology lapses as key causes of security failures. Problems resulting from third parties such as contractors and business partners, meanwhile, received 28 per cent of the votes as a root cause of security failures.
Misbehaving employees also figure prominently in IT fears: Ninety-one percent of respondents say the risk of employee misconduct related to information systems worries them.
While there are security experts who will tell you to always update your patches and run a firewall, I think security advice is like dieting: you can’t escape the basics. These are:
Reduce. Remove extra services, sequester networks into subnets, remove machines and dead accounts, give out few real privileges because the user doesn’t need them.
Obscure. You don’t want to publish any information that can help an attacker, so be purposefully vague about your facilities and procedures in public information.
Verify. Verify people, not roles. Make sure your employees know who is on the other end of the phone, and that it’s always OK to take a few minutes to figure out who it is and whether they really should have this information.
Harden. Make your systems overkill to prevent brute-forcing, ensure that your software can handle sudden loads, and put in steel doors of virtual and physical types.
Refresh. If passwords haven’t changed in a while, now is a good time. If you haven’t prowled the network looking for little changes that could have a big impact, start now. Consider regular fuzz testing of your software, unleashing nmap and other tools on your network, just to see how inviting you look to a hacker looking for the easy score.
Interface. Most hacks happen with the help of the “human layer.” Educate your employees. Design your security procedures so they don’t encourage manic writing of passwords on sticky notes in publicly viewable areas. Give your users a break, simplify their procedures, and they’ll follow them more, even if they’re not as secure as possible.
I know this list isn’t what you get from other sources. They will tell you technological ways to make your company 100% safe, but those ways rely on software and hardware to have no active exploits, which is never the case. Expect parts of your security to fail. If you have a generally healthy policy, and people who are aware of the importance of security, you’ll be better off than trying to build a bulletproof fortress.
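Two of the points above, Reduce and Refresh, amount to "know what is on your network and notice when it drifts". Here is an added example of that check, not code from the original post: it compares a constructed baseline inventory of listening ports against a constructed current snapshot, and walks a constructed account list for logins and password changes that are older than a policy threshold. The host names, port sets, account records, field names and the 90/180-day thresholds are all assumptions chosen for the example; a real run would feed it your own inventory or scan output.

```python
"""Added example (not the post's own code): a small drift and hygiene audit
over constructed inventory snapshots, applying the Reduce and Refresh points."""
from datetime import date

# Constructed snapshots; field names are assumptions for this example.
BASELINE = {
    "web01": {"services": {22, 443}},
    "db01": {"services": {22, 5432}},
}
CURRENT = {
    "web01": {"services": {22, 443, 8080}},     # a new listener appeared
    "db01": {"services": {22, 5432, 1433}},     # a second database engine appeared
    "print01": {"services": {9100, 80}},        # a host nobody baselined
}
ACCOUNTS = [
    {"user": "alice", "last_login": date(2008, 1, 20), "pw_changed": date(2007, 12, 1)},
    {"user": "bob", "last_login": date(2007, 3, 2), "pw_changed": date(2006, 11, 15)},
    {"user": "svc_backup", "last_login": None, "pw_changed": date(2005, 6, 1)},
]


def new_services(baseline: dict, current: dict) -> dict:
    """Ports listening now that were not in the baseline; an unbaselined host counts entirely."""
    findings = {}
    for host, info in current.items():
        known = baseline.get(host, {}).get("services", set())
        added = info["services"] - known
        if added:
            findings[host] = sorted(added)
    return findings


def dormant_accounts(accounts: list, today: date, max_idle_days: int = 90) -> list:
    """Accounts with no login inside max_idle_days; never-used accounts are included."""
    return [
        a["user"] for a in accounts
        if a["last_login"] is None or (today - a["last_login"]).days > max_idle_days
    ]


def stale_passwords(accounts: list, today: date, max_age_days: int = 180) -> list:
    """Accounts whose password is older than max_age_days."""
    return [a["user"] for a in accounts if (today - a["pw_changed"]).days > max_age_days]


def audit(baseline: dict, current: dict, accounts: list, today: date) -> dict:
    """Combine the three checks into one report the on-call person can act on."""
    return {
        "new_services": new_services(baseline, current),
        "dormant_accounts": dormant_accounts(accounts, today),
        "stale_passwords": stale_passwords(accounts, today),
    }


if __name__ == "__main__":
    report = audit(BASELINE, CURRENT, ACCOUNTS, date(2008, 1, 28))
    for section, items in report.items():
        print(section, items)
```

Every item in the report maps to an action from the list: a new listener is something to remove or justify (Reduce), a dormant account is one to disable (Reduce), and a stale password is one to rotate (Refresh). Running it on a schedule and diffing the report against last week's is the "prowl the network for little changes" habit in a form that does not depend on someone remembering to look.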
Posted in Computer Security | No Comments »
Wednesday, September 12th, 2007
Everybody knows hackers are the biggest threat to computer networks, except that it ain’t necessarily so.
Yes, hackers are still out there, and not just teenagers: malicious insiders, political activists, mobsters and even government agents all routinely test public and private computer networks and occasionally disrupt services. But experts say that some of the most serious, even potentially devastating, problems with networks arise from sources with no malevolent component.
Whether it’s the Los Angeles customs fiasco or the unpredictable network cascade that brought the global Skype telephone service down for two days in August, problems arising from flawed systems, increasingly complex networks and even technology headaches from corporate mergers can make computer systems less reliable. Meanwhile, society as a whole is growing ever more dependent on computers and computer networks, as automated controls become the norm for air traffic, pipelines, dams, the electrical grid and more.
Our computer systems mirror our minds in that they have a lot of power, but are disorganized and undisciplined, and as a result they fail frequently at the worst times. It’s easy to rant against Microsoft and assume Linux is better, or claim that you prefer Apple hardware to HP, but these are really degrees of the same great fat incompetent. There are a few people out there who will do things correctly, but they are rarely recognized because few people recognize how dysfunctional our technology is until it blows up and strands people for 17 hours in an airport.
Posted in Computer Security | No Comments »
© 2010 Chris Blanc