Month: January 2010

Belgian State Security report 2008

When I first opened the Belgian State Security Report 2008 (PDF in French or in Dutch), I had a feeling of déjà vu: the cover picture is in fact part of the Great Court of the British Museum in London, UK. Strange for a report on Belgian security and surveillance …

The British Museum as illustration for a Security report
Comparison between an actual photo of the British Museum Great Court (left, by Guillermo Viciano, under CC-by-sa) and the cover of the Belgian State Security Report 2008 (right)

Then I saw that it's only a light version for the web, not the full version. I had a look at the Justice website and the State Security web page but I couldn't find the original version (if you have the full version, I'm interested).

The report summarizes all the activities of the State Security in 2008, including the groups, countries and activities it watched, a report on the cases in which it was involved (the Belliraj, Benali and Trabelsi cases, among others) and an overview of what it did to check people's backgrounds, protect others and verify various accreditations.

The most interesting part for me, however, was a short description of a bill on the data collection methods of the State Security. This bill was submitted to the Belgian Senate in December 2008 and was recently adopted (the full text is here, in French). It has now been submitted to the Belgian King for signature.

Briefly, this bill amends an existing law from 1998 and, among other things, distinguishes ordinary data collection methods from specific ones (articles 18/7 and 18/8) and exceptional ones (articles 18/9 onwards). As expected, the bill allows the use of techniques to intercept and read private communications between persons. It also allows entering computer systems, removing protections, installing spyware, decrypting and collecting data (but it does not allow destroying it).

All these methods are controlled after the fact by two different bodies: an ad hoc administrative commission composed of magistrates (renewed each year by the King on a proposal from the government) and the permanent "R" committee. Specific and exceptional methods need to be approved beforehand by the administrative commission, but the State Security hierarchy can always bypass this and send a written notice to the commission afterwards. How many times will this last step be forgotten?

Although it's nice to have the reference to the bill and to be able to look it up on the internet, I would have liked to see some statistics: how many times these specific and exceptional measures were applied, how many times they were refused by the administrative commission, how many times the hierarchy authorised a mission and informed the commission afterwards, etc., in the same way they proudly show graphs of the number of hours spent protecting VIPs. I know the details are covered by secrecy, but it would still have been nice to have an idea of how often these methods are used.

iPrison

Frankly, I don't really understand the passion for the new Apple iPad (an "iPhone on steroids"?). It's a beautiful-looking machine, but it also jails its user in the "Apple ecosystem". It's just consumerism.

Apple has a record of launching beautiful-looking devices and shiny products. In the early 1980s, they popularized the computer mouse and the graphical user interface as we know them today. In the beginning, one would love the simplicity of use of Apple computers and software, especially compared to the MS-Windows or GNU/Linux equivalents of the time (I'm speaking of the 1990s). The end-user was then at the center of the "computer experience". But now, it seems the end-user has become a (paying) consumer, nothing else.

Over the past few years, Apple has developed its own closed ecosystem and is now cleverly taking advantage of the miniaturization of electronic devices to sell content through it. Apple first developed the iTunes Store, initially only a music store, which later offered other multimedia content and applications (most of them for a fee). Legally selling music over the internet was disruptive at a time when most music available on the internet was only personal copies shared by individuals. With the miniaturization of electronic devices, phones became "personal digital assistants" able to play music, play games, run office applications, take photos and videos, surf the web, exchange e-mails and instant messages, etc. Computers also shrank, giving birth to netbooks.

The good thing about these small devices is that they are usually forced to save data in common formats so that their customers can use their photos (JPEG), videos (3GP) and music (MP3) on devices other than their phone or netbook. However, nearly all manufacturers have also created their own "Store", a website selling multimedia content and applications (not only music anymore) specifically created for a platform but also specifically locked to that platform. One may argue that the Apple iTunes Store is easier to use and offers more content than any other (which is probably true), but Apple is nevertheless locking its customers into its platform.

The advent of the iPhone and now the iPad further locks users into the Apple store and thus into Apple-approved content: Apple-approved music, Apple-approved applications, Apple-approved books, etc. Of course, there is a way to open some of your own documents previously saved in a more usual format. But there is no way to share the content you bought from the store with your child, spouse, parents or friends. Apple owns the content you bought; you are just leasing it from Apple for your own personal use.

So, technically, the iPad may be a nice-looking device, but it's also an iPrison for your data and for what you can and can't do. I agree that computers and electronic devices need to be user-friendly and shouldn't annoy users with technical details. But I would also like these same computers and electronic devices to give users the freedom to modify and share content, and to look at the details if that's what they want.

Finally, I like this quotation posted by Laurian Gridinoc before the Apple announcement:

HAL-9000: What is going to happen?
Dave: Something wonderful.
HAL-9000: I’m afraid.
Dave: Don't be. We'll be together.

Don't be afraid, indeed: Apple will know what you want and dictate what you'll like, but it won't disable any life support systems, as it needs your money!

3DSecure not secure

You may have seen in various places that "3-D Secure" (aka "Verified by Visa" or "MasterCard SecureCode") is not as secure as it claims. The original paper is here (PDF).

Unfortunately, having implemented the 3-D Secure system through a third party somewhere in Europe, I have to agree with the authors. I will focus here on one aspect, the inline frame, but the authors cover more aspects and some solutions worth considering in their paper.

The first issue is that most merchants or banks embed the 3-D Secure page in an inline frame (iframe): the 3-D Secure page appears as if it were served by the merchant website although it comes from another website (the card issuer's). This is similar to a hypothetical newspaper in which one picture actually comes from another newspaper: you wouldn't notice the difference unless (or until) the picture clashed with the rest of the content. Back to our topic: if a fake 3-D Secure page is served inside the inline frame, it is hard to notice, because the most common way of noticing it, a different URL in the address bar, is precisely what the inline frame hides; the address bar keeps showing the merchant's URL whatever the frame contains. During development and testing, I put in place an internal, fake but similar-looking payment page, and we sometimes had to think twice to know whether we were on the fake page or in the test environment. Web pages on a merchant or bank website are of course supposed to be kept far from crackers and villains 😉 But a man-in-the-middle attack (replacing the real payment page on the fly with a fake one that collects card details), or simply a compromised merchant page or a phishing copy of it, is rather easy to implement given the know-how of actual villains, and it wouldn't be noticed until a certain number of card details had been collected …

To illustrate the above, please insert your card details below.

Card number: [          ]
Expiry date: [          ]
Secure code: [          ]

Fake 3D Secure

Apart from the fact that this form was done in 30 seconds, doesn't really look like a real payment form (and does nothing), how can you tell the difference? So be careful when using 3-D Secure: with Firefox you can always right-click inside the frame and choose "This Frame > View Frame Info" to see the address and security information of the page you are about to fill in. And always check the URL when you can, keeping in mind that the one in the address bar is the merchant's, not the frame's.
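As an added example (not code from the original post, nor from any merchant or bank), here is the programmatic form of the "check where the frame really comes from" advice above: a small JavaScript audit that pulls every inline frame out of a checkout page and reports its actual origin against what the address bar shows. The sample HTML and the host names under .test are constructed for the example. It makes the author's point concrete: the legitimately embedded issuer frame and an attacker's frame both come out as "cross-origin over HTTPS", so origin alone does not tell a user which is which unless they already know the issuer's host; what such a check does catch are the cheaper fakes (a frame served over plain HTTP, or a srcdoc, about:blank or data: frame that has no URL at all and whose content is written by the parent page), and it helps a merchant's own developers confirm what their page embeds, the situation described with the internal fake page.

```javascript
// Added example (not code from the original post, nor from any merchant or
// bank): audit the inline frames on a checkout page and report where each
// frame's content really comes from. Runs under Node on a constructed HTML
// string, or pasted into a browser console on a live page (see the end).

// Match one <iframe ...> start tag, quote-aware so that a '>' inside an
// attribute value does not end the tag early.
const FRAME_TAG = /<iframe\b((?:[^>"']|"[^"]*"|'[^']*')*)>/gi;

// Read a single attribute value (double-quoted, single-quoted or bare) from
// the attribute list of a tag; null when the attribute is absent.
function attrValue(attrs, name) {
  const re = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Pull every iframe's src and srcdoc out of raw HTML. Deliberately simple:
// an audit aid, not an HTML parser.
function extractFrames(html) {
  const frames = [];
  const re = new RegExp(FRAME_TAG.source, 'gi'); // fresh copy: no shared lastIndex
  let m;
  while ((m = re.exec(html)) !== null) {
    frames.push({ src: attrValue(m[1], 'src'), srcdoc: attrValue(m[1], 'srcdoc') });
  }
  return frames;
}

// Schemes that never fetch anything over the network: the parent page (or a
// script in it) writes the frame's content itself, so there is no URL a user
// could check.
const LOCAL_SCHEMES = ['about:', 'javascript:', 'data:', 'blob:'];

// Classify one frame relative to the page that embeds it. pageUrl is what the
// address bar shows; the findings say how the frame's real origin differs.
function auditFrame(frame, pageUrl) {
  const page = new URL(pageUrl);
  if (frame.srcdoc !== null) {
    return { origin: null, findings: ['inline srcdoc content: no URL to verify'] };
  }
  if (frame.src === null) {
    return { origin: null, findings: ['no src: content is written by the parent page'] };
  }
  let target;
  try {
    target = new URL(frame.src, page.href);
  } catch {
    return { origin: null, findings: ['unparseable src: ' + frame.src] };
  }
  if (LOCAL_SCHEMES.includes(target.protocol)) {
    return { origin: target.protocol, findings: ['no network origin (' + target.protocol + '): content comes from the parent page'] };
  }
  const findings = [];
  if (target.protocol !== 'https:') {
    findings.push('not served over HTTPS: content can be replaced on the wire');
  }
  if (target.origin !== page.origin) {
    findings.push('cross-origin: served by ' + target.host + ' while the address bar shows ' + page.host);
  }
  return { origin: target.origin, findings };
}

// Audit every frame on a page: the frame's attributes plus its verdict.
function auditPage(html, pageUrl) {
  return extractFrames(html).map((frame) => ({ ...frame, ...auditFrame(frame, pageUrl) }));
}

// One line per frame, for a quick look in a console.
function formatReport(results) {
  return results.map((r, i) => {
    const where = r.origin === null ? '(no origin)' : r.origin;
    const verdict = r.findings.length ? r.findings.join('; ') : 'same-origin HTTPS';
    return 'frame ' + i + ': ' + where + ' -> ' + verdict;
  });
}

// Constructed checkout page; host names under .test are made up for the example.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<h1>Order 1234: pay 49.90 EUR</h1>
<!-- the real thing: the issuer's 3-D Secure page, embedded as a frame -->
<iframe src="https://acs.example-bank.test/3ds/challenge?txid=abc" width="400" height="300"></iframe>
<!-- a helper frame loaded over plain HTTP -->
<iframe src="http://cdn.example-merchant.test/help.html"></iframe>
<!-- a fake "payment form" written inline by the page itself -->
<iframe srcdoc="&lt;form&gt;Card number: &lt;input&gt;&lt;/form&gt;"></iframe>
<!-- an empty frame that a script fills in later -->
<iframe src="about:blank" id="payframe"></iframe>
</body></html>`;

// Stand-alone run under Node. In a browser console on a live checkout page use:
//   formatReport(auditPage(document.documentElement.outerHTML, location.href))
if (typeof module !== 'undefined' && require.main === module) {
  console.log(formatReport(auditPage(SAMPLE_CHECKOUT_HTML, 'https://shop.example-merchant.test/checkout')).join('\n'));
}
```

Run from a browser console, the same functions take the live page (`document.documentElement.outerHTML` reflects frames added by scripts as well, as long as they carry a src or srcdoc attribute). Note what the first frame in the sample shows: a genuine issuer page embedded by the merchant is reported exactly the way a fake one on another HTTPS host would be, which is why the paper's authors object to the inline frame in the first place.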