Archive for September, 2008

On the collapse of Lehmans

Few folk on the eastern side of the pond will have heard of Lehman Brothers, but for me the news of its collapse is a shocker. Henry Paulson talks about “soundness and resilience of our financial system”, but it’s clear to anyone with half-a-brain that times really are hard – this is certainly not “business as usual”.

In my professional capacity, I’ve had occasion to brush shoulders with people employed by Lehmans and, as I type, I’ll raise my glass of Laphroaig to the 25,000 people who will shortly be out of work. All the best, folks. :-/

Filed under finance : Comments (0) : Sep 15th, 2008

Audio support in J2ME and J2SE

So I’d like to capture some audio using a Java program, and play it back using a different Java program. I don’t care what encoding I use. Easy, right?

No, unfortunately not. Because the recording is to be done using J2ME (and JSR-135) on a mobile phone… but played back with a J2SE application on my desktop PC.

And guess what? There isn’t a single common codec! My phone only supports AMR, but the Java Media Framework supports everything but.

FFS! :(

Filed under tech : Comments (0) : Sep 14th, 2008

Not Smile-ing about Verified By Visa

“Verified By Visa”. Internet shopping saviour, or a dangerous tool which lulls users into a false sense of security?

On the face of it, VbV looks like a great idea. Before completing an online order, you need to enter a security phrase which only you and your bank know – so you can be sure that no-one can shop using your debit card without permission.

So what could possibly go wrong?

Where does the HTTP POST go to?

In the case of ‘dabs.com’, the VbV web form will be submitted to “secure5.arcot.com”. Who? Exactly. Not my bank, not the merchant, but a previously-unknown third party. And the location bar helpfully says “https://www.dabs.com/”. So that’s not much bloody use.
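The mismatch described above can be checked mechanically. The following is an added example, not code from the original post: it parses a page's HTML and reports any form containing a password field whose submit target is a different origin from the page in the location bar. The page path, form paths and field names in the sample are constructed for illustration, and it assumes the form markup is available to inspect.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample markup; only the two host names come from the post.
SAMPLE = """
<form action="/basket/update"><input type="text" name="qty"></form>
<form method="post" action="https://secure5.arcot.com/verify">
  <input type="password" name="vbv_phrase">
</form>
<form method="post" action="/login"><input type="password" name="pw"></form>
"""

class FormAudit(HTMLParser):
    """Record each form's resolved action URL and whether it has a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms as (action_url, has_password)
        self._current = None   # form currently open, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def origin(url):
    """Scheme, host and port, with the scheme's default port filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def off_origin_password_posts(page_url, html):
    """Return action URLs of password forms that leave the page's origin."""
    audit = FormAudit(page_url)
    audit.feed(html)
    audit.close()
    return [action for action, has_pw in audit.forms
            if has_pw and origin(action) != origin(page_url)]

if __name__ == "__main__":
    print(off_origin_password_posts("https://www.dabs.com/checkout", SAMPLE))
```
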

And the password will be sent to my bank for verification?

OK, let’s assume we trust “secure5.arcot.com”. How do we know that they’ll send the details to our bank for verification, and not to a bunch of Russian mobsters?

In the case of “dabs.com”, the bank’s logo is shown – so we can be confident, right?

Wrong! The first four or six digits of a Visa card number comprise the “Issuer Identification Number”, and these are well known. So any Tom, Dick or Harry could stick the correct bank logo on a phishing webpage and ask for my VbV password.

And with Smile, it’s worse still

I guess they’re just trying to be helpful, but they failed miserably. The Verified By Visa password is set to be the same as one of my “Secure Personal Information” details… specifically, the “memorable name”. I have two problems with this:

  • First, many (most?) people would automatically use their mother’s maiden name, which is quite discoverable with a little social engineering
  • Second, this means that a piece of private login data – formerly used purely for online banking – is now going to be sent to other places, such as “arcot.com”.

On one hand, the bank encourages us not to write down passwords or share them with anyone, but now expects us to give the same password to a third party every time we do a transaction on the internet?

Finally, it appears that (with Smile bank, at least) I can neither opt out of VbV nor change the VbV passphrase independently of my online-banking login details.

I’m starting to wonder whether I want to stick with a bank with such a misguided approach to security.

Filed under tech : Comments (10) : Sep 9th, 2008