The Blog




The other story in the Times that caught my eye is a leaked report from the Pentagon that 53.9% of the US Armed forces who are over 20 years old are too fat to fight. Can I suggest the Atkins Diet? [from: JB Ecademy]

When you're out on the road and get Internet access, whether by GPRS, WiFi, a borrowed ethernet connection or maybe a borrowed PC, what's the first thing you do? Well apart from surfing the web, it's to check your email. To do that you need to login to your email mailbox, and then you need to send email. Now there's a whole series of road blocks waiting for you.

If you don't want to read all this, here's what you should do.
1) Demand that your ISP or company email supports SSL protected POP3/IMAP with SMTP AUTH
2) Moan at Microsoft for not supporting the open secure login protocols.
3) Moan at Microsoft for not supporting SSL in Outlook CE.
4) Route round them all by running your own mail server or clubbing together with friends to run a group server and configuring POP3 and SMTP AUTH with SSL.

And now some justification.

Let's ignore Hotmail and other web-based systems for a moment. First, you're almost certainly using POP3 or IMAP to get to your mailbox. And second, you're almost certainly using a Microsoft email reader. This is where the problems begin. There are numerous open schemes for authenticating a login on POP3 and IMAP, such as CRAM-MD5, DIGEST-MD5, KERBEROS_V4 and so on, but the Microsoft readers support only two. The first is plaintext. The second is a Microsoft proprietary format known as SPA (Secure Password Authentication), which is NTLM underneath. There's limited documentation available for it, so by no means all POP3 servers support it. If you're logging in to a corporate Exchange server there's no problem, but if you're using a public or private ISP it's very unlikely that they support SPA/NTLM.

So now that you're sending your ID and password in plain text, the connection really ought to be protected by SSL/TLS, just as if you were sending a credit card number to an e-commerce site. But again we have problems. SSL is supported by Outlook and Outlook Express but not by Outlook CE, so if you're using a Pocket PC PDA you're out of luck. And even though SSL is baked into virtually every other email reader, again very, very few ISPs provide it. (One caveat: SSL only protects the login if the reader actually checks the server's certificate; a client that silently accepts any certificate can be intercepted by anyone on the same hotspot who impersonates the server.)
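To make the exposure concrete, here is an added example (not code from the original post) in Python. It decodes the credential-bearing commands that anyone sniffing a shared hotspot would see in a plaintext POP3 or SMTP session (USER/PASS, AUTH PLAIN, AUTH LOGIN), and beside that computes the client response for CRAM-MD5, one of the open mechanisms named above, to show that a challenge-response login puts only an HMAC on the wire. The captured session is constructed for the example; the CRAM-MD5 challenge, user and password are the worked example from RFC 2195.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Constructed sample: the client half of a POP3 login followed by two SMTP
# AUTH exchanges, as they would appear to anyone sniffing the hotspot.
SAMPLE_SESSION = [
    "USER alice@example.invalid",
    "PASS hunter2",
    "STAT",
    "QUIT",
    "EHLO laptop",
    "AUTH PLAIN " + base64.b64encode(b"\0alice@example.invalid\0hunter2").decode("ascii"),
    "MAIL FROM:<alice@example.invalid>",
    "AUTH LOGIN",
    base64.b64encode(b"bob").decode("ascii"),
    base64.b64encode(b"s3cret").decode("ascii"),
]

# RFC 2195 worked example (challenge, user and password are the RFC's own).
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"


def decode_auth_plain(b64_blob: str) -> tuple[str, str, str]:
    """Split an AUTH PLAIN blob into (authzid, authcid, password); RFC 4616."""
    fields = base64.b64decode(b64_blob).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("malformed AUTH PLAIN message")
    return fields[0], fields[1], fields[2]


def extract_plaintext_credentials(client_lines: list[str]) -> list[dict]:
    """Pull every credential that crosses the wire unprotected out of the client
    side of a POP3/SMTP session: POP3 USER/PASS, SMTP AUTH PLAIN with an inline
    initial response, and SMTP AUTH LOGIN (base64 username, then password).
    CRAM-MD5 or DIGEST-MD5 exchanges are left alone: they carry only an HMAC."""
    found: list[dict] = []
    pending_user = None
    login_state = None  # None, then "user" and "password" while inside AUTH LOGIN
    for raw in client_lines:
        line = raw.strip()
        upper = line.upper()
        if login_state == "user":
            pending_user = base64.b64decode(line).decode("utf-8")
            login_state = "password"
        elif login_state == "password":
            found.append({"mech": "AUTH LOGIN", "user": pending_user,
                          "password": base64.b64decode(line).decode("utf-8")})
            login_state = None
        elif upper.startswith("USER "):
            pending_user = line[5:]
        elif upper.startswith("PASS "):
            found.append({"mech": "POP3 USER/PASS", "user": pending_user,
                          "password": line[5:]})
        elif upper.startswith("AUTH PLAIN "):
            _, user, password = decode_auth_plain(line.split(" ", 2)[2])
            found.append({"mech": "AUTH PLAIN", "user": user, "password": password})
        elif upper == "AUTH LOGIN":
            login_state = "user"
    return found


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of RFC 2195 CRAM-MD5: base64(user + ' ' + hex(HMAC-MD5(password, challenge))).
    The password is the HMAC key; it never leaves the client."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def decode_cram_md5_response(b64_response: str) -> tuple[str, str]:
    """What the server (or a sniffer) gets back: the username and a 32-hex-digit HMAC."""
    user, digest = base64.b64decode(b64_response).decode("utf-8").split(" ", 1)
    return user, digest


if __name__ == "__main__":
    for cred in extract_plaintext_credentials(SAMPLE_SESSION):
        print(cred)
    response = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    print(decode_cram_md5_response(response))
```

Note that AUTH LOGIN is no better than PASS: base64 is an encoding, not encryption, so the sniffer recovers the password with one decode. CRAM-MD5 keeps the password off the wire, but the HMAC can still be attacked offline by guessing, and nothing in it protects the message bodies, which is why wrapping the whole session in SSL is the recommendation rather than the challenge-response mechanism alone.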

Having received your email you now need to reply and send email. The spam problem means that every SMTP server that accepts email for onward delivery uses some check to make sure the email is coming from a known source (this is known as not being an open relay). There are four common techniques:
1) Known IP or wire, such as a dial-up or direct connection;
2) Restricting sending to messages whose From address is in the server's domain, e.g. @iomartdsl.com;
3) POP before SMTP, where if an authenticated POP session happened from the same IP within the last few minutes, SMTP is accepted;
4) SMTP AUTH, where an ID and password are used just as for POP3/IMAP.

That last option, authenticating SMTP, is obviously the most flexible, and the same set of authentication mechanisms is available. And again the Microsoft readers support only plaintext and SPA. And again SSL is available. And again Outlook CE can't support it. And again very, very few ISPs support SMTP AUTH and SSL. The other routes all cause problems of one sort or another. Known connection doesn't work when roaming, and if I hang a WiFi access point off the end of a known connection (like my DSL), then the source is no longer known. Forcing an email address domain is a pain in these days of multiple identities, such as a work email address and a home email address. And POP before SMTP is dangerous when I'm sharing an IP address with the other users of a WiFi hotspot: once I've authenticated, everyone behind the same address can relay through the server as me for the next few minutes.

What's really irritating about all this is that SMTP, POP3 and IMAP are some of the oldest protocols on the internet. SSL securing of internet communications is almost as old as the web. Securing SMTP, POP3 and IMAP logins, either with a secure authentication mechanism or by wrapping the whole session in SSL, is well understood and takes only a small amount of extra work when implementing a server.

So what do we do? well
1) Demand that your ISP or company email supports SSL protected POP3/IMAP with SMTP AUTH
2) Moan at Microsoft for not supporting the open secure login protocols.
3) Moan at Microsoft for not supporting SSL in Outlook CE.
4) Route round them all by running your own mail server or clubbing together with friends to run a group server and configuring POP3 and SMTP AUTH with SSL.
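Before demanding anything of an ISP it helps to know what their server actually offers, and the EHLO reply says so. The following is an added example, not from the original post: a Python check that parses an EHLO response and grades it against point 1 above (SMTP AUTH inside SSL/TLS, which appears as STARTTLS in the extension list, or an SMTPS port). The three EHLO replies are constructed for the example and the hostnames are placeholders; `probe_live` does the same against a real server with the standard library's smtplib and is not run here.

```python
from __future__ import annotations

import re

# Constructed EHLO replies in the shapes that matter.  The hostnames are
# placeholders, not real servers.
WEAK_EHLO = """250-mail.example.invalid Hello laptop
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 HELP"""

CHALLENGE_ONLY_EHLO = """250-mail.example.invalid Hello laptop
250-AUTH CRAM-MD5 PLAIN LOGIN
250 HELP"""

GOOD_EHLO = """250-mail.example.invalid Hello laptop
250-SIZE 10240000
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
250 HELP"""

# Mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
_EHLO_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(response: str) -> dict[str, list[str]]:
    """Turn a multi-line EHLO reply into {EXTENSION: [params]}.
    The first line is the greeting, not an extension, so it is skipped."""
    caps: dict[str, list[str]] = {}
    for line in response.splitlines()[1:]:
        m = _EHLO_LINE.match(line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def assess_smtp_auth(caps: dict[str, list[str]], tls_wrapped: bool = False) -> tuple[str, str]:
    """Grade what the server offers a roaming client.  tls_wrapped=True means the
    session is already inside SSL (an SMTPS port), so STARTTLS is not needed."""
    mechs = {m.upper() for m in caps.get("AUTH", [])}
    if not mechs:
        return "no-auth", "no AUTH extension: relaying depends on your IP or POP-before-SMTP"
    encrypted = tls_wrapped or "STARTTLS" in caps
    challenge_response = mechs - PLAINTEXT_MECHS
    if encrypted:
        return "ok", "SMTP AUTH inside SSL/TLS: " + ", ".join(sorted(mechs))
    if challenge_response:
        return "challenge-only", ("no SSL, but " + ", ".join(sorted(challenge_response))
                                  + " keeps the password off the wire; message bodies still go in the clear")
    return "unsafe", "only PLAIN/LOGIN and no STARTTLS: the password crosses the wire in the clear"


def probe_live(host: str, port: int = 587, timeout: float = 10.0) -> tuple[str, str]:
    """Same check against a real server with the standard library (not run here).
    For an SMTPS port use smtplib.SMTP_SSL and pass tls_wrapped=True instead."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        caps = {name.upper(): params.split() for name, params in smtp.esmtp_features.items()}
        return assess_smtp_auth(caps)


if __name__ == "__main__":
    for label, reply in (("weak", WEAK_EHLO), ("challenge-only", CHALLENGE_ONLY_EHLO), ("good", GOOD_EHLO)):
        print(label, assess_smtp_auth(parse_ehlo(reply)))
```

Two caveats for the "ok" grade. An EHLO reply is unauthenticated, so someone in the middle of the hotspot can simply delete the STARTTLS line; the reader must be configured to require SSL, not merely use it when offered. And STARTTLS being advertised says nothing about whether the certificate presented afterwards is valid for that host, which the client has to verify for itself.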

This rant came about because I discovered that Boingo now supports PDAs and provides an SMTP server so you can send email on the move. But they set it up to use plaintext authentication without SSL, using your Boingo ID and password. Whoops! Then I was pointed to a security vulnerability in SPA and a rant from a server developer about how hard it was to support SPA. [from: JB Wifi]

Syndic8 maintains a database of newsfeeds available in RSS XML which are checked and validated. This weekend they hit 10,000 validated feeds. Ecademy has a number of feeds available; just look for the orange XML GIFs on all the pages. Our DailEnews is built from reading 100 or so feeds from outside.

And if this means nothing to you, have a look at Amphetadesk and Aggie. These are desktop news readers that make it easy to read news from your favorite sources. [from: JB Ecademy]




Glenn Fleishman's new book on wireless networking for small networks at home and at work:
Wireless Networking starter kit is published Dec 9 in the US. [from: JB Wifi]

Some good advice from Esther Dyson on Email Etiquette. [from: JB Ecademy]

Jonathan Greensted reports from Seattle.

If Chicago is the Windy City then Seattle has to be the WiFi City...
 
This morning I woke at a friend's house, leant out of bed and checked my email and IM via WiFi at his home. We decided to take breakfast at Starbucks and again WiFi was available. I went to the Microsoft Conference Centre and WiFi was there too. Lunch was in a bar/diner called Chilli's. This is located at a mall which is WiFi enabled! Finally I'm heading out to Vegas for Comdex so I arrive at Seattle airport and, yes, you guessed it! Seattle airport is WiFi enabled!
 
(The Seattle airport solution is very neat. You instantly connect to the WiFi network; however, the firewall blocks you until you've paid $6.95 for 24 hours' access. The solution is implemented by http://www.wayport.net/)
 
I doubt I've been off air for more than about 45 mins so far all day, and that was when I was driving so I couldn't really do email or IM anyway.
 
It is totally amazing. The 3G boys ought to be very, very worried!
 
I'll let everyone know how Vegas compares for connectivity [from: JB Wifi]




Paul Boutin on music swapping. Burn, Baby, Burn : The real threat to the music biz isn't P2P it's CD-Rs swapped on the street. He goes on to note that "the iPod is a pirate suitcase nuke"... "With an iPod in my pocket, I don’t bother asking for CD recommendations anymore. I drag and drop my friends’ entire jukeboxes. Rip ’em now, decide what to play later. " [from: JB Ecademy]




Wired has an article about a possible vulnerability in WPA that allows a fairly trivial DoS (Denial of Service) attack.

Now, silly me, I would expect Wired to publish reasonably well researched and accurate articles, but most of it is the same old "Shock Horror - WiFi dangerous" twaddle.

Now maybe I'm missing something here, but what really puzzles me about all this is the belief that a wireless connection can ever be as secure as a wired connection. And even more than that, that a wired connection can be treated as implicitly secure. We all use SSL, SSH, VPNs and such like to access important systems on the internet. Why don't we just do the same when accessing the same systems over wireless? It seems as though the thinking got stuck somewhere that we don't need to use encryption inside the firewall, and when we started using WiFi we just assumed that we'd be able to do the same thing. Then when WiFi was exposed as inherently insecure we threw our hands up in horror at what we'd done and blamed WiFi.

There's a classic example in the article: "This past summer, electronics retail store Best Buy removed the wireless scanners in their stores because of the security risks associated with WEP. They were more concerned about outsiders getting their customers' credit card information." So Best Buy's systems were shipping credit card numbers over the wire unencrypted? And then they put in WiFi? Like, DOH!

On the basis that bad security is worse than no security, I'm tending towards an approach that turns off all security on WiFi. Don't use WEP, WPA, MAC authentication, IP authentication or whatever else they come up with. Do all your security at the application level. If you start by assuming that the transport layer is always insecure, maybe then you'll be more careful about what you send over it.

Am I completely off beam with this?

BTW. Are there any verified instances of WEP being attacked and broken in the wild? How about verified instances of more mainstream hacker attacks being launched over WiFi? [from: JB Wifi]

While he wasn't handing out AIDS donations or being menaced by a giant condom, Bill Gates also talked at length about Web Services to the Indian developer community: Web services to usher in digital decade; Gates describes 'digital decade' to Indian developers.
[from: JB Ecademy]

Wacky things to do with Google #23. Do a Google search on your post code. You might be surprised what turns up. [from: JB Ecademy]

Want Faster Data Transfer? Get WiFi Speed Spray ;) [from: JB Wifi]




A while ago I pointed to a US government site because it had the most amazing logo and strapline: a giant pyramid looking down on the earth, Scientia est Potentia (knowledge is power) and a brief to achieve "Total Information Awareness". Its head is one John Poindexter, who some may remember from the Iran-Contra affair as the guy who was indicted over selling arms to Iran to free hostages and then siphoning the profits to the Contras in Nicaragua. Now the fact that the organization's initials, IAO (for Information Awareness Office), are also part of a Crowleyan magickal formula is surely a coincidence. So far this sounds like the rabid mumblings of a conspiracy theorist. Great fun, but it couldn't be serious, could it?

But then William Safire at the NY Times has written an article about the Homeland Security act in the US, You Are a Suspect that points out how extreme the act is. "Every purchase you make with a credit card, every magazine subscription you buy and medical prescription you fill, every Web site you visit and e-mail you send or receive, every academic grade you receive, every bank deposit you make, every trip you book and every event you attend — all these transactions and communications will go into what the Defense Department describes as "a virtual, centralized grand database." To this computerized dossier on your private life from commercial sources, add every piece of information that government has about you — passport application, driver's license and bridge toll records, judicial and divorce records, complaints from nosy neighbors to the F.B.I., your lifetime paper trail plus the latest hidden camera surveillance — and you have the supersnoop's dream: a "Total Information Awareness" about every U.S. citizen."

Then this morning I read a piece in The Times from Tina Brown that had this to say. "IS AMERICA going to shoot even further to the right? A student of these matters at Princeton gave me his considered judgment: “You. Have. No. Idea. By the end of the year there will be a hyper conveyor belt in place to move every possible wingnut cause like greased lightning through the judiciary. Abortion? You better live on one of the coasts. Environment? I’d invest in gas mask futures — and it has nothing to do with al-Qaeda, let alone Saddam Hussein. Ever try to breathe in Houston?” The only consolation for liberal Dems is that the voters will now get what they asked for.".

But we all know that the US has these weird paradoxes: a bill of rights, a freedom of information act and a written constitution, while also being a police state with more citizens in prison as a percentage of population than any other country and a government that is in bed with big business and thinks nothing of spying on its citizens while trampling all over their rights (ahem!). And it could never happen here, right? Wrong! The only difference in the UK and the EU is that we don't make a fuss about it and don't hear about it.

I think what really upsets me about all this is the asymmetry and lack of transparency. Let's say the IAO collected all this information but, instead of hoarding it, put it all in a big searchable database on the web. Let's say that every CCTV camera was turned into a webcam. Now everyone could know everything about everyone. This is the central tenet of David Brin's The Transparent Society. I happen to believe that this would make for a saner society than the reverse. But it's a belief. And one that is unlikely to be tested.
[from: JB Ecademy]

I just came across (UK) CWNP Certification from KSYS. They've also got a good reference section on security issues, books, a WLAN Glossary and a WLAN FAQ. [from: JB Wifi]

There's a fascinating loop happening at the moment. There's an SMS spam going around that promises a free holiday in Paris if you phone a premium rate number (£12) from an outfit called MobileMore. This got mentioned in an Ecademy blog. Google picked it up and, amazingly, we're the definitive source, as there are NO other references to MobileMore on the web. People who've been getting the spam have been searching Google and coming to us, resulting in 30-40 hits in the referrer logs. [from: JB Ecademy]

Like something straight out of science fiction. News of Argentina's post-apocalypse economy.

Bruce Sterling's last two blog entries have done an amazing job of pointing to links about Argentina's post-economy order. Thousands of people "roadblocking" the thoroughfares with tent cities erected in the middle of the main highways, millions living off shadow barter economies that are circulating their own laser-printed, barcoded scrip, middle-class matrons destroying banks in rages over currency-withdrawal restrictions... [thanks, Boing Boing Blog]

Home laser-printed, bar-coded money for barter transactions sounds interesting. [from: JB Ecademy]

stevenberlinjohnson.com is the new blog from "Emergence" author Steven Johnson. [from: JB Ecademy]

Glenn has a great summary of WiFi security, Wi-Fi News: Weak Defense:

This next bit needs repeating. I've trimmed the text to just show the highlights. Click on the link above to see the full text.

What To Do in the Meantime
Encrypt links. Use secure protocols for all critical communication, e.g. SSH and SSL for everything, but especially email.

Use 802.1X/EAP in enterprises.

Wireless access points stay outside firewalls. Locate all access points outside firewalls and require VPN (virtual private networks) connections between clients and internal servers.

Be wary in public: You never want to send plain text passwords or other data over a public network. Especially email passwords.

Which all sums up to "everything on wireless is insecure". So secure it at the application level, run an additional layer of security on top, or arrange the network so that even if the wireless security breaks, there's still nowhere to go. [from: JB Wifi]

Unstrung - The world wide source for analysis of the global wireless economy : According to market analysis by Synergy Research Group (SRG), Worldwide Wireless LAN equipment sales were $465.1 million in the Third Quarter of 2002. What's more, Enterprise WLAN equipment sales were down almost three percent sequentially and down nearly 13 percent year-over-year, while SOHO/Home WLAN Equipment sales grew 21 percent for the quarter and were up 66 percent from the same period a year ago. Additionally, the SOHO/Home segment represented more than 58 percent of the total WLAN market, up from 56 percent in Q2.

3Q02 market share in SoHo and Home
Linksys 19.6%
Buffalo 15.8%
NETGEAR 15.5%
D-Link 15.5% [from: JB Wifi]




David Weinberger and David Isenberg write in USATODAY.com - Don't prop up phone firms; let them fail : Instead of spending billions of tax dollars propping up the telephone companies and delaying the inevitable, let them fail - and fast. By doing so, an astounding new era of telecommunications will be launched that is just as inevitable.

Joho also writes that they misquoted him: where he said the telephone network "was not designed" to handle anything other than voice data, USA Today edited it to say that it "can't handle" non-voice data.

EU Governments should take note, but you can be sure that several ex-national monopoly Telcos will get all sorts of handouts. [from: JB Ecademy]

For years, you've been able to use MySQL from inside PHP. Now someone's written a MySQL UDF that interprets PHP so you can use PHP inside MySQL. MySQL has already got a pretty complete set of the C runtime calls exposed as SQL commands, but this takes it a stage further. And it probably takes it completely over the top! [from: JB Ecademy]
