Wednesday, March 31, 2004

BBC NEWS | Wales | Cash machine scam spreads
Unfortunately, the kind of scam that Russell mentions below involving compromised card readers has already happened - fraudsters have attached scanning devices to the slots of cash machines that read the card as it goes in. The PIN for the card is also obtained by simply watching or having a concealed camera in place. A cloned card can then be used to obtain cash.

So, no we can't always trust the machines. The only comfort in scenarios such as this is that the customer would not usually be liable for any losses.

Chip and PIN - technology and trust
Following on from Peter's comments, the chip and PIN is a great idea - if we can trust machines. With signatures, someone has to sign the card, and the merchant is at risk of being defrauded by the customer, and the legitimate cardholder by the person who's pinched their card.

The PIN will solve all this, the card companies cry. But now we have to trust the mobile card reader - after all, it gets both our card information from the magnetic strip and the PIN number we key in. So now there's the risk of fraud on a massive scale, aided by that little reader. Are you sure it's not storing your details?

(Unintentional) phishing - the problem is that most users are all too eager to divulge their details
Banks in the UK are currently rolling out a system intended to reduce credit/debit card by requiring customers to enter a PIN into a card reader instead of signing a receipt - the idea is that PINs are more private and secure because they cannot be forged and never get written down or made otherwise visible to fraudsters.

But there's a human tendency to think about when rolling out this kind of system, and it's the same tendency that means many people will respond to emails asking for their log in details (see below). The problem is, when we are asked a direct question, we will tend to respond, especially if it is asked in the right context. So when I made a payment at a store that had a card reader the other day, the salesperson asked "Do you know your PIN?" to which I said no, and signed a receipt instead. But apparently a typical response to that question is "yes, it's 9492" or whatever... so much for PINs being secure and private! And this isn't the only area with this problem - I know because I've done it myself. My last call to my telephone banking service had the operator ask "Do you know your telephone PIN?" to which I replied "yes, it's XXXX", and then realised they were only going to ask me 2 specific digits from it.

Of course the real lesson here is for the retailers and operators - don't ask leading questions that might lead to people divulging their PIN or other security details. The proper cue should be something like "If you know your PIN...".

Phishing for phoneys
Phishers target the unwary. There's nothing too sophisticated in their
scams - they simply pretend to be your bank or building society or similar
institution, and ask for your details. A typical scam is to send you an
email with a forged From: address (and many web-based email clients allow
you to type your own From address into them, so it's not hard to do) so that
it looks like it comes from the bank. The message often says something like
"There is a current fraud happening - and to stop it please go to this
address (some URL given) and enter all your details". By noting that there
is a scam around it tries to fool you into trusting it. The cleverer ones
make it appear that the URL you are going to is real by using a flaw (for
which a patch is available) in Internet Explorer - a url of the form

http://www.bestbankintheworld.com%01*AT*fakersRus.com
will display as
http://www.bestbankintheworld.com in unpatched browsers, but will actually
take you to the fakersRus.com site. This fake site copies the graphics and
layout of the true site, but your details are captured and stored before you
are forwarded to the genuine one.

(interesting aside - *AT* should be @, but if I put that in the page then my virus scanner picks up that a URL spoof is occuring and gives me a warning message about the HTML file! So there's another lesson - keep your virus scanner up to date as well because it protects you more than you (or I!) know)


How to spot this? Basic awareness, really: no genuine bank or other
organisation will ever, ever ask you for key information by sending you an
email and telling you to go to a site. Moreover, they'll never ask you for
account names, numbers, passwords, pin numbers and key words all to be
confirmed on one page. And in general, the phishing emails are badly spelt
and quite obvious to spot. If you look at the source of the
message, you can often tell it to b a fraud: one doing the rounds at the moment has a link of the form
<a href="http://218.44.251.101/h/formslogin.html">
https://www.halifax-online.co.uk/_mem_bin/formslogin.asp</a>

so whilst the link appears okay, the page actually goes to 218.44... etc. - this even comes up in the address bar!! I
keep getting emails from organisations I'm not even a member of!!

Note that it's not enough to assume that because you are on a secure site
(https url, and padlock in the bottom right of the IE browser) you are safe,
since anyone can set up a secure server. But you should never enter
security information into a non-secure site.

How else to protect yourself? Patch your system and keep it up to date. If
users kept their systems current then many of the technical tricks that are
played would not work. But I know it's a pain to do it. Simple awareness
is required - be as suspicious of anything in your inbox as you would of a
stranger who knocks on your door. If you're in doubt, ignore it - if urgent
the bank will write you a letter - or phone the bank to check.

There's another one just landed in my inbox, slightly cleverer than many - it's an HTML email so it
shows automatically in my preview pane, and all the obvious links in it
refer to the actual e-bay site - clicking on them takes you to the official
site. It also has a forged email address header. But since ebay never send
out such emails, it must be a fake. Inspecting the code (right-click in IE)
shows that the submit button at the bottom takes you to

<FORM name=Simple action=http://209.197.232.11/~narghile/d.php method=post>

i.e. some person's page that will record your details and then forward you
almost immediately to the ebay official site, to the signin page (it's not
clever enough to actually sign you in). I know cos I tried it (with a fake
id).

And why? cos sellers with good ratings are valuable commodities on ebay -
they are trusted - so capturing one or two of them allows somebody to shift
a lot of stuff.....


Tuesday, March 30, 2004

BBC NEWS | Business | Spammer's Porsche up for grabs

Fantastic! AOL is giving away (in an online raffle) a Porsche that was seized from a spammer last year. They say it has 'symbolic value'... indeed it does. This can only be a good thing: the big ISPs putting up a united front against those who would fill our inboxes with endless promises of organ enlargement, free degrees, and the chance to become a Street Bishop (don't ask).

now where's that raffle page...

Monday, March 29, 2004

'Witty' worm infects, dies quickly - News - ZDNet
It's just a thought, but instead of posting news of vulnerabilities on a website, which is bound to lead to turnaround attacks like this, why not construct a worm yourself that seeks out such vulnerable machines and patches them automatically? After all, we're happy with LiveUpdate and other such systems offering us updated virus protection - why not take it a stage further for firewalls and so on? And then most of the traffic will be solving the problem, not simply chatting about it or being virrulent code.

Laszlo - Products
"Seek, and ye shall find". (should be attributed to Google, but actually Matthew 7:7, (according to Google)).

In checking out weblogs that are interesting (see the link on the right) I find this stuff - internet polling application that provides a toolbar experience. Much like the Sidebar, in fact.
LPS Developer Edition is available for free, serves up to five remote client connections per hour, and operates on the following software platforms: Windows, Unix, Linux, and OS X.

How great is that - I find something that meets a need, then it appears. I love serendipity. Will check it out in detail - and thanks, Sarah Allen!

Sunday, March 28, 2004

UK ADSL Guide
I'm actually looking at this because our exchange, against all the odds, has reached its trigger level. Registrations have shown an exponential growth in the last few months as the low-level campaign had its effect, and we're going to get broadband soon. I quite liked the campaign - sitting in the pub talking about broadband and getting others interested - my kind of work. Others did leaflets and the odd poster, and suddenly we'd shot up to the trigger. Now waiting for an RFS (ready for service) date from BT and then will have to see what service I can get. Anything will be better than 56k dialup.

It's not just speed that is the issue - it's the always on connection, permanent access to my home and work email accounts, availability of documents and information whether they are stored on home or work machines, leading to reduced cognitive load in trying to manage my work and life between different places. It makes using tools such as Wiki's much more sensible - if it becomes a major adjunct to your memory then you need to be able to access it everywhere - and this helps that.

It's new kit time too - to take advantage of this, I'm adding in full wireless access over the house and garden, and probably a media server and new desktop. I suspect that I'll actually create two wireless networks: one secured against unauthorised access, and one open - I'll see how many neighbours use it and if it causes problems will close it down, but I suspect it'll get only marginal use, possibly even only passing use as people pause to check their email - it also means that when friends come round I can give them internet access without opening all my files up to them, without hassle.
And the virus/worm/trojan problems so prevelant now mean that using a Mac becomes the best choice for first machine: funny how things change. Just got to find the windows sidebar equivalent for it.....

Friday, March 26, 2004

Clippy and Friends
Hidden features discovered in Micorsoft Office. Known to usability pros for a while, these shortcuts have been exposed to the wider world. Most users will appreciate them for what they are.....

Texting reaches across the gulfs

I'm fascinated by new technology and how it changes the ways we interact. Moreover, I find it particularly rewarding to look at how these same technologies can be used to reach across the gulfs that can separate us. These gulfs can be physical, like distance or time, they can be social, like nationality or age, and they can even be something more intangible than that, like the generation gap, or the gulf that separates disengaged students from their education.

I heard some inspiring stories recently at a workshop organised by ALT about how SMS text messaging had reached across this 'engagement gulf' and brought students who were in danger of slipping through the educational system back into touch with their classmates and teachers. This wasn't about sending out learning material by text, or by offering them homework support, but about including them in the educational environment. A few texts from their teacher "changed [his] relationship with them overnight".

This is particularly close to my own interests: I'm looking into using text messages to enable wide-area learning games with the aim being to increase participation and engagement. What I'm doing however is about explicit engagement; it looks like something much more implicit can go on as well. I've heard anecdotal evidence of children and young adults resisting attempts to join in with their social communications - it seems they view things like texting and instant messaging as something only for the young 'uns. But if we do reach, it looks as if they respond. If anyone reading this has any other success stories about texting in this context, I'd be very interested to hear about it: p.lonsdale@bham.ac.uk

E Ink/Sony release 'First Generation' E-Paper display

This looks like the first commercially viable product to come out of research into 'e-paper' - it's basically an ebook reader that stores about 500 texts and lets you read them on an epaper display. Note that in this case the display is a single 'sheet', ie the device looks just like a Palm or iPaq PDA, it just has an 'e-paper' display instead of an LCD one.

so how is this e-paper? and what's the gain over just having an LCD screen? well, one goal of e-paper is to offer a much more 'readable' medium for the display of text - even the best LCDs have low contrast compared to paper, and they suffer from restricted viewing angles and reduced viewability under bright light. The e-paper display in this device claims to offer enhanced, high-contrast readable text from almost any angle.

But at the end of the day this is just an ebook reader with an improved display - the real 'e-paper' will be when we have a paperback book that changes its text when you wave it over a download pad. until then, unless I want to carry 500 texts around with me (hasn't happened so far), I'll be sticking with paper for my books and LCD for my calendar.

Unlimited Freedom - Interesting Uses of Trusted Computing
This article is interesting on two counts: firstly, because what it says is interesting, but secondly, because it is clear that techncial issues are viewed as having the most impact in the interactive space.

Thursday, March 25, 2004

Desktop Sidebar Home Page
Great application for Windows - and it's free. A sidebar that integrates with Outlook and web services and other apps to give you one click access to critical daily information. It's a 3rd party app, but is very very much like earlier work done by Microsoft's social computing research group and set for release within Longhorn.

It provides a single column on the side of the screen which acts as a repository for dynamic information - clock, rss feeds, calendar, messenger, weather and so on. It's very much like earlier ideas on web snippets and so on that I worked on a while ago (scroll to web snippets)- the closest I came to coding it up was to implement a web scraping algorithm in php and then call that to grab certain bits off different websites and present them on one web page (though works, the formatting isn't ideal :-)). I can see me retaining this app on my desktop, mainly for the neat RSS presentation, weather info, and so on. It is an application that supports the monitoring part of internet behaviours (for more on this see the introduction in this paper) and so is likely to be very successful. There are also rumours that MS will push this 3rd party app as part of Longhorn because it's good to help others and not be anti-competitive.....

It's a bit buggy still - repaint isn't quite right - and I can't get the plugin's to work in visual studio, so can't see the interfaces that are needed for it - but I'm hoping that we will get this resolved shortly. This app is so useful for me that it may even affect my recent thoughts of buying a Mac - cos this is Windows-only software.....

Monday, March 22, 2004

PCPro swips theoretical computer science
Dick Pountain, writing in PCPro this month, takes a well-aimed swipe at the becoming-dumber BBC, and hits at computer science as well. I quote

"...computer science is following the same absurdly acceperated lifecycle as the hardware itself: after a promising start with Turing and von Neumann in the 1930s and 1940s, through the glory years of Tony Hoare and Niklaus Wirth in the 1970s, it has already arrived at senility..."

Since the people mentioned are (mainly) theorists, I wonder if my theory colleagues would like to comment?

Making things easy: airport signage and remembering those who speak different languages

Having spent most of last week travelling between airports and train stations both in the UK and abroad, I noticed something that seems (sadly) indicative of the UK's atttitude to our neighbours. In Munich airport, the signs are in German and English. In Genoa, they are in Italian and English. At many other airports signs may be in 3 or more languages. At Genoa train station, I was able to use a ticket machine that offered Italian, English, French, and German text. In so many places, signs are available in multiple languages, with unambiguous symbols for those who do not know any of the languages used. I have never struggled to find a toilet in a European airport.

In Birmingham airport, I was looking for the toilet, and found signs only in English, pointing in the wrong direction past a corridor labelled "WC", with no other symbol to clarify this. I had nearly walked past when I remembered this quaint synonym for lavatory. Why do we make it so difficult for people? I'm sure there are many British people who aren't exactly sure what a "WC" is or at least what the letters stand for ("water closet", just in case it's puzzling anyone), and it must be even harder for anyone whose first language is not English, and it would have to be UK English at that.

I also noticed that the check-in machines for BA offered nothing other than English, so despite my little grumble about the Italian ticket machine below, I feel duty-bound to highlight the fact that although it had to remind me to take my card out, it did so in perfect English.

Friday, March 19, 2004

Old problems still out there: Why do ATMs give you the card back first?

When cash machines first appeared, they suffered from one major usability problem: they gave people the money before giving the card back, which meant that lots of people walked away without their card. In cognitive terms this is known as task closure - when you get the money, you've completed your task, and you forget about the card because retrieving it was never one of your original aims. So now ATMs won't give you the money until you've taken the card out first. This is a classic example of a real-world problem that caused some real consternation, but was easily fixed with a design tweak.

So I was quite surprised this week when I bought a train ticket from a machine in Italy, and found that this problem is still around. Instead of making me take my card back first, the machine displayed a message in bright red letters telling me to take my card before taking my tickets. But there was no forcing function, the message disappeared even though I didn't take my card. luckily I was paying attention, but I wonder how many cards get left in these machines.

Disabled parking

The University's idea of disabled access - near to the building, but the only way onwards is up the steps..... :-)

BBC NEWS | Technology | Net chatbots to catch paedophiles
The Turing test is passed? Alan Turing proposed a test in which a user had a conversation with a machine without knowing it - and if they couldn't tell if it was a computer or another person, the system would pass the Turing test and hence could be called truly intelligent. This BBC story tells of the Chatnannies program that inhabits chatrooms trying to catch paedophiles, and which no-one has caught out.

Other approaches have been taken - sting sites have been set up to catch offenders, and we've talked in this blog before about search engines passing info on to the police. The web is becoming a less safe place for paedophiles.

Thursday, March 18, 2004

NASA - picking up subvocal speech

Voice recognition as an input method has never caught on, for 2 main reasons. Firstly, it's not very accurate, but hopefully that wil change over time as more processor power can be thrown at the problem and more accurate models of human speech and language can be deployed.

The second problem is a practical one: unless you are in an environment no-one minds you talking but everyone else is quiet, it's a bit tricky to use voice input reliably and politely. NASA's on picking up subvocal speech might be the answer - by measuring the nerve impulses sent to your throat as you read or speak silently to yourself, their system is able to recognise words without you actually making any noise. of course, with systems like this around, you'll have to be careful what you say to yourself when writing an email about your boss :)

Wednesday, March 17, 2004

Meta-Knowledge Engineering Server for Intelligent Cognitive Systems
Blimey wot a sight (site) :-) Some interesting stuff here, but not the most friendly interface you'ver ever seen. If you're feeling visually (or intellectually) unstimulated check this out. It's a case study all on one page.

Tuesday, March 16, 2004

Canon EOS 300D
Well, the camera has arrived, and excellent it is too. Some very neat design features which I'll detail some other time, but it feels just like any other recent Canon SLR (of the film variety) despite having more and different functionality to offer. Still no progress on making it wirelessly connect with the computer, however. Canon don't have a UK email address, so I'll call them soon.



Monday, March 15, 2004

Kaleidoscope etc.
Apologies for the silence for the last few days, but meetings abroad have taken all the time. Kaleidoscope - the future of learning with digital technologies - is a major EU network of excellence, and it had its kick-off meeting in Grenoble. Some good collating work going on, though much of the meeting was administrative rather than content-rich, but it is important to understand some of the big issues.

Whilst it brings together a lot of work in the educational field, it seems to be missing some key stuff too which troubles me. There are a number of current EU FP5 projects doing good stuff that are not incorporated, and one or two speical projects that are rather too parochial for my liking. But in such a major network, this is only to be expected.

For some institutions the cost of participating is high: all acocunts have to be audited, and for some groups it looks like that cost will be higher than the amount they get paid for their work in participating. I can't work out whether overall this is a good thing, especially coming from the EU which hasn't exactly got the best record in producing detailed accounts. If I'm feeling generous, then this is a step in the right direction.

Papers have been submitted to various conferences, though Kaleidoscope scuppered our efforts for Ubicomp, which is a shame. Not good enough network access and too many distractions. Still, using a wireless LAN in a XVII'eme chateau is a cool experience.

And the weekend I escaped from it all by boarding in Les Deux Alpes. Tough old life.

Thursday, March 04, 2004

ACM: Ubiquity - Correct by Design A call for professional standards in programming

This is an interview with Jesse Poore, who proposes in a recent paper that software developers should be held to the same kinds of rigorous standards and levels of accountability as 'real' professionals such as doctors, plumbers, electricians etc. the interview, and paper, make interesting reading, not least because of the acknowledgement that the majority of the industry think that achieving 'perfect' software is impossible. Poore suggests that, for specialist applications at least, comprehensive training will be required. will this lead to a sharp division between DIY programming and the more professional sort?

the image that springs to mind is one of me having spent a considerable amount of time on my 'DIY' programming project, only to have to call in a 'professional' programmer to fix what I've done wrong - the analogy is something like the plumber you end up calling when you've stretched your pipefitting skills just a little bit too far. so, will the next generation of software engineers stand around a lot, inhaling sharply through clenched teeth and asking questions like "oh dear oh dear oh dear! who's done this?" before giving us horrendous quotes for tiny jobs? let's hope the DIY programming movement isn't over yet...

Design and HCI
What is HCI all about anyway? Having been told yesterday that my research was too eclectic (I disagree, but that's another story) I got to thinking about what HCI is really all about. One indicator is the things that make me stop and think - and the latest example is a new disabled parking space. Two of them, in fact: the University here has gone to a lot of time and expense to rip up part of the earth, flatten it out, and build two disabled parking spaces that are close to the buildings. Great idea. Except that you have to go up some steps to go any further. Us HCI people notice things like that.....

Wednesday, March 03, 2004

BBC NEWS | Technology | Row over how to junk spam
Well, they say that great minds think alike, and fools seldom differ. I join Microsoft, Yahoo and others then, but I'm not sure what as. This mimics parts of my just-being-formulated spam system, though mine extended checking the source of messages with automated public-key encryption, and I was considering hitting not the spammers but the people who use their services: a large denial of service attack on the very website that asked you to visit it is surely only doing what they asked - but doing it so well it becomes useless. Take away the commercial advantages of spamming, and it will become obselete too.....

Tuesday, March 02, 2004

Vice City motors home in Baftas
Not only are there now Baftas for interactive games, they are awarded on artistic content as well as gameplay - a marriage of aesthetics and interaction. And whilst Bond leads the charts in its first week of release, the Vice City sequel is planned for October. Fans, watch out. But for the older folk, Pacman is making a comeback, proving that you can't keep a good game down. If it influenced a generation, then we'd expect them to like hearing repetitive music, jigging backwards and forwards in the dark, and munching bright yellow pills - who says games are not important?

This page is powered by Blogger. Isn't yours? (c) 2003-2005 Russell Beale