Where magic lives

Thursday, August 31, 2006


This morning I passed my driving test, first time, and with 5 minor faults (out of an allowed 15).

Labels: ,

Monday, August 28, 2006

Bomb Scare

I just came across this really funny (or is it?) story about how somebody got a plane diverted by accidentally flushing his Ipod down the toilet.

It all started when I got out of my seat to go to the bathroom. I went to the bathroom, washed my hands, and returned to my seat. A little while later the two stewardesses on the flight crossed each other in the aisle. They had a quick conversation that I was in earshot of.

"I locked off the front lav. There's something in the toilet that's preventing it from flushing. Run some water and see if you can clear it." My face immediately turned red. The seat cover! I thought. It must have been too big to flush! I should have thrown it out!

I was so embarrassed. I tried to act normal ... I took a sudden interest in the contents of the seat pocket in front of me, acted nonchalant and all. I watched as the stewardess got on her hands and knees in the lavatory and did unfathomable dirty work.

Sometime later, I decided it would be best if I forgot the whole thing happened, so I went to put on my headphones and drown myself in iPod music. But ... no iPod. I panicked, checked my other pockets. Where was it? Not under the seat, not in the pockets, not ... anywhere. I looked up to the stewardesses. One of them had run past me in a decent clip. She was carrying a green handbook. She brought it to the other stewardess. They flipped through the handbook, read a page, then made a call. The other stewardess had retrieved a blue metal box and was removing some equipment from it.

I put two and two together. I knew what had happened.

So I walked up to the stewardesses, both clamoring over the handbook, and tapped one on the shoulder.

"So, I had an iPod before I went to the bathroom, and now I don't. I think I know what's in the toilet."

We had a quick conversation. I told them, "You don't have to call the TSA or anything, it's just my iPod." They said, "Oh, but we already did."

So now I'm starting to realize that this is turning into a big problem. They offer their condolences, tell me that it's unfortunate, and I take a seat. Okay. So far, not so bad. I return to my seat and spend the rest of the flight trying to act normal.

That is, right up until the pilot comes over the intercom.

"Folks, this is the captain. I don't want to alarm you, but we've found a suspicious device in the front lavatory. Now, we think it's probably nothing, but in this day and age ... you can never be too careful. We'll be landing at Ottawa, where we will await further instructions."

The cabin erupted with commotion. At that very moment, my face fell into my hands. What have I done?

We landed at Ottawa, and we were taxiing to the gate. Without warning, the airplane then lurched to a sudden halt.

"Folks, this is the captain. We've been ordered to make an immediate stop. Buses are coming to evacuate the aircraft." We were to leave all of our belongings on the aircraft; we would be shuttled by bus to the terminal, where we would receive our carryon items.

My face fell deeper into my hands. Next came the waiting. Waiting and listening to more worry and commotion. A lot of us wondered if we could bring cell phones, wallets, passports, or customs forms with us. The stewardesses didn't have any answers; they had never been through this before.

On the one hand, if I brought a cell phone, wallet, etc. etc., and they confiscated it, I would have to hunt and peck for it separately from my carryon luggage. But if I stuck all of that stuff in my carryon luggage, I would only have to find one bag when we clamored for our stuff in the future. I decided the smart thing to do was to stick everything in my carryon. But, I kept my wallet, because I knew I was in big trouble at this point.

It took them 45 minutes to round up not just a bus and air-stairs, but an army of police and customs vehicles. One of the stewardesses took me aside and whispered to me. "Get off the plane last, and talk to the constable."

So I did. I exited the plane last, and spoke to the Ottawa police officer waiting at the air-stairs. I told him that the device was my iPod, and he took down my license number.

I continued to the bus. After a brief wait, it did NOT take us to the terminal. It took us to some industrial facility, where they housed utility vehicles. There, in the open garage, we were instructed to sit and wait. And wait we did ... another 30 minutes or so.

This was possibly the worst part ... While we were waiting I got to overhear the passengers talking about me. Well, they didn't know it was me, but they knew someone had dropped an iPod in the toilet, and they made aaallll sorts of assumptions about this person.

"Why didn't he have it on a clip? He could have clipped it to his damn pants." Or, "Why didn't he tell the stewardesses? Why is he hiding it from them and making us go through this?"

I could have corrected them. I could have told them that it WAS on a clip and I DID tell the stewardesses. In fact, it was a lot of self-restraint to just keep my mouth shut and not make things worse.

By this time the sense of guilt had left me. This wasn't my fault. Anyone could have dropped his stupid iPod in the toilet. It's really the government here. I mean, at this point the building contained six customs officials, an army of policemen, people from various security agencies, a bomb squad, and a couple of detectives. No one was doing anything. No one was taking charge. *I* didn't create this mess.

The whole time, the officers were watching me. They had told me to keep in sight of them at all times.

Finally, five or six customs officers set up a table and made an announcement. "We will be interviewing each of you one by one. Please form a line. Before we have our chat, make sure you have your ID, passport, and customs information with you."

One person asked, "What if that stuff is still on the plane?" The customs official responded, "Then we will have a more formal chat."

I got in line with the rest of the people, but shortly thereafter two police officers took me out of line. "Come with us."

They took me to a discreet corner. They brought out a tape recorder. I was told to put my hands up on the wall and spread my legs, and I was frisked from head to toe. They removed my wallet, disassembled it completely, and placed each of its contents in its own plastic evidence bag.

"Now Tim, for the sake of the tape recorder, I want you to state your full name and address." I did. "Now, each of us will state our name and position into the tape recorder." There were two detectives from the police department, a detective from Customs, and two members of the bomb squad.

Then started the questions. They were easy at first. They asked me where I lived. What do I do for a living? Why am I unemployed? How come it's taken me 4 months to find a job?

They asked me why I was visiting Canada. I was to visit a friend I met on World of Warcraft, Cara. They took down her name and what I could remember of her address. They asked me how we met.

"In an online game."
"What online game?"
"Umm ... World of Warcraft," I responded meekly.
"What kind of game is this?"
"It's a fantasy game ... it takes place online."
"Fantasy ... like it's got wizards and warlocks?"
"Well, it's got warlocks." (And they need to be nerfed.)

They asked me to describe my relation to Cara. I told them that people meet up in the game and go on adventures together, and that Cara and I were in a guild together that I was the leader of. They confused the concept of a guild with the game, however, and I had them believing that I was the Lord and Leader of all of WoW until I was able to correct them, and explain to them what a guild was.

So, when they put the pieces together; namely, that I was visiting a female person that I had met over a computer game, their next line of questioning went down an obvious path.

"So you and Cara are friends?"
"How long have you known her?"
"About 5 months I think? Maybe less."
"Do you have a romantic relationship with Cara?"
"Do you want a romantic relationship with Cara?"
"OK, so ... if you and Cara were drunk together, and she turned to you and said, 'Tim, let's go--'"

I interrupted him. "Excuse me ... what's the point of these questions?" The detective hardened. "Let me make things clear. I ask questions. You answer them. Do we have an understanding?"

"Yes." I paused. "I just don't see how this is relevant."

He spoke right in my face. "I've got 5 good men going into that airplane right now. Five of my best bomb squad guys. If there is any reason that I should be concerned for their life, then I need to know now. So just answer the questions, and do as I say."

Now the questions became really pointed. What do you think about 9/11? What are your views on the Iran issue? Do you think government is too big, too powerful? Would you ever "make a point?"

He asked me if I knew how to make a bomb. "I have a degree in physics, and I'm not an idiot." Of course I knew how to make a bomb -- what kind of question is that?? The better question is, WOULD I make a bomb? The answer is no.

They tried to trap me with some of their questions. I noticed they would try to get me to contradict myself. Like, I had earlier mentioned that I had never met Cara in real life, so they would later nonchalantly ask me when I had last seen Cara. Stuff like that.

He told me there was a similar bomb scare in LA today. He asked me if I was connected with it. He asked me if I was connected to the "liquid" thing from Britain.


Sunday, August 27, 2006

The Office: Extra episodes

Microsoft UK commissioned Ricky Gervais to produce two videos about their company values as the character David Brent. The videos were for internal use anyway but have been leaked and are available on Google Video. Definitely worth a watch.


Saturday, August 26, 2006

Lima 3

The sequel to Kilo 17, Lima 3 tells the story of Harry Ferguson's work "taking on the heroin traffickers" in his new position at the Customs and Excise Investigation Division.

This book was also a very exciting read and almost impossible to put down in much the same style as the first one. Unfortunately the end of the book ends with quite a depressing twist. Again, the story is based on real-life events, and this twist is politically very interesting, Harry even recommends a book by a different author for further reading on the matter.

Harry seems to be on the way to getting his marriage back on track. Health reasons have caused him to move to a different, less stressful job -- hopefully it will be exciting enough to be worthy of another book.


Sunday, August 20, 2006

Google launches Writely Beta

Google has now made the Writely beta publicly available.

I still maintain that Google are missing the point on how the software industry should move away from thick desktop software to web-based applications. They have edged one step closer to implementing all features that one expects from a desktop application on the web (Writely even has a nice right click context menu). However the main problem still remains that everything uses their servers, their downtime is your downtime, their data loss is your data loss and their privacy policy is your privacy policy. This will be unsatisfactory for many users, and hopefully all businesses (isn't most money made selling software to businesses?).

When will Google start to license server software so that users can implement their own GMail, Writely, etc. system? I would also assume that there is nothing anywhere near as proprietry as Googles search engine within the code to Writely, so they shouldn't even need to insist on locking it away in their own metal box before selling it on either (as is done when Google licenses its search technology to businesses). Hell, if they are so up on their "do no evil" policy and trying to be the anti-Microsoft... why not open source it?


Thursday, August 17, 2006

Kilo 17

A while ago the BBC made a brilliant program called SPY which unfortunately only lasted for one series. It involved a set of candidates being trained in espionage by three ex-intelligence officers, one of them was ex-MI6 and Customs and Excise officer Harry Ferguson. I have also seen Harry speak at the Oxford Union and he was very interesting to listen to so I was encouraged to read his book.

Kilo 17 is the story of Harry's first job in the Customs and Excise Investigation Division. The book is action packed and left me constantly wanting to continue to the next chapter; I pretty much read the entire book non stop. Knowing that it is based on real-life investigations makes the story even more exciting.

The main plot is intertwined with description of the changes Harry made because of his new job and how this effected his personal life. The book ends with Harry being promoted to a new team; a more exciting yet possibly deadly role that could also be the breaking point for his marriage. No doubt I will read this soon.


Tuesday, August 15, 2006


In high school English classes I would have been critical about being tasked with reading a book like George Orwell's 1984. However, the subject did seem interesting and I had seen it referenced in recent more technical writings so I thought I would give it a try.

I actually very much enjoyed it. Although slow off the ground at the beginning from when Winston had met Julia onwards it was more engaging. I found it hard to put the book down, always wanting to know what happens next and always intrigued by the bigger picture, wondering how the story could possibly end.

Towards the end I started to realise that there probably was not enough pages left to reach a happy ending; I was correct. Unfortunate, but maybe necessary because of the authors political agenda.


Friday, August 11, 2006


My analysis of the HSBC "flaw" yesterday has sparked quite a lot of interest.

The writer of the original story in the Guardian, Bobbie Johnson contacted me to discuss the situation in general and my post further. He has written a follow-up piece today (in which I am the "independent internet [sic] security expert" mentioned). In my opinion to still puts too much focus on HSBC and not on keylogging in general, although I did get the impression Bobbie has an understanding of the wider picture and aims to write more on that.

Also, Slashdot accepted my submission and a link to my post was featured on Slashdot. This resulted in a lot of traffic, however my server did stand up against the "Slashdot Effect"!


Thursday, August 10, 2006

Analysis of HSBC Vulnerability

It is all over the news this morning about a "security flaw" in HSBC online banking.

Being an HSBC account holder myself (not that I actually use the bank; they offer pathetic interest rates) I was encouraged to investigate this further. I was put at ease the moment I saw that each article was hinting at the researchers having made an assumption that every target has been infected with a keylogger. A bit of an unreasonable assumption if you ask me, and I think at this point it stops being "news" however the vulnerability is quite interesting...

When you logon to HSBC banking you are asked for your date of birth and for three digits from your security number. The three digits you are asked for are randomly selected by HSBC but the digits requested only seem to change after a successful login. Also the instructions that tell you which digits to enter are sent over HTTPS and we will assume are invisible to the attacker. Now for the important part: the digits are always requested in the order they appear in the security number. For example you might be asked for digits 1, 2 and 3 in that order, but you would never be asked for digits 3, 2 and 1 in that order. This leads to the vulnerability...

Let us use a random example, assume that an HSBC customer uses the security number 4921576876, we have a keylogger running on his machine and have now watched him login to HSBC 22 times seeing the following partial security codes: 416, 458, 496, 286, 925, 976, 487, 476, 157, 987, 476, 576, 217, 915, 178, 976, 491, 476, 428, 915, 917 and 176.

From the data above we can estimate how often we expect each digit to appear in the users security code. We would expect to see each digit in the security code a total of (|dataset| x |partialcode|) / |availabledigits| = (22 x 3) / 10 = 6.6 times. For example we saw the number 6 ten times in total, so would expect it to appear in the security code 10 / 6.6 = 2 (0 d.p.) times. Using this strategy we can deduce the following frequencies for each digit in the security code: 0 x 0, 1 x 1, 1 x 2, 0 x 3, 1 x 4, 1 x 5, 2 x 6, 2 x 7, 1 x 8, 1 x 9. This statistical analysis has introduced some uncertainty and we may need to come back to these distributions if the procedure below leads to errors.

Now we can start to piece together the original code. Let's start with the digits that only appear once, the code contains a single 1: 1. It contains a single 2 and the partial 217 tells us that the 2 comes before the 1: 21. Similarly there is a single 4 and we know from 416 that it is before the 1 and from 428 that it is before the 2: 421. There is a single 5 and the same method tells us that it comes after the 1: 4215. Similarly we can deduce the positions of the single 8 and 9: 492158. Now we need to deal with the sixes and sevens, some uncertainty is introduced here but the state space stays manageably small. There is definitely a 7 after the last 8 (because of 487): 4921587. The other 7 comes either immediately before or immediately after the 5 but we cannot tell which. The first 6 could appear anywhere after the 9 (from 496), and the second six could appear anywhere after the 1 (from 416) but if you chart all the possible locations they can be seen to be statistically more likely to appear after the 57/75 so let us assume this.

Based on the above (which assumes our frequency distribution to be correct) we claim that the code begins with 4921 is then followed by 57 or 75 and is then followed by 6876, 8766, 8676, 6687, 8667 or 6867 (all of the possible arrangements of the sixes at the end of the code). This gives us only 12 possible codes and indeed does contain the correct code: 4921576876.

I have chose to publish a worked example rather than general code because it is easier and wont get me accused of publishing working exploit code but it can be seen how the above procedure can be generalised. It is at this point where you could debate the subject as well as not being newsworthy, not being academic research but just simple maths. We'll see where their research gets published "later in the year"!


Tuesday, August 08, 2006

Google is not a verb

The end of this post on the Microsoft Jobsblog made me chuckle:

And the Number 1 intern myth shattered after working here for 3 months is … Employees use non-Microsoft products and won’t be fired for it. I know, I know. It’s a scary thought, but Bill Gates does allow iPods on the premise … There are all types of non MS products that employees like, and you won’t get fired for saying so! Employees are encouraged to be passionate about technology, not just brainwashed into only drinking Microsoft’s Kool-Aid. One word of advice that I learned the hard way … when in a meeting, don’t share with the team that “Maybe we should just Google it and we can find the answer.” The word “search" works just fine. :)


Thursday, August 03, 2006

Very Easy Blogger Categories [Making a Backup]

Donny Bahama posted this comment about my Very Easy Blogger Categories:

This is the best looking categories solution I've seen. I haven't liked any of the blogger search or del.icio.us methods. Only one problem with it... If you ever stop hosting the database and php file (or even if your server goes down), everyone's blog categories will stop working! I'd be much more comfortable with this knowing that my categories will work as long as MY server is working. I don't suppose you could be persuaded to post your php code and database schema?

First off I should mention that I don't intend to stop hosting the service, note that it is running on the same server as another free service that I provide: QuizSender.com and this has been up and running since 2002. I should also mention that the same problem exists with del.icio.us or any other similar method.

Maybe this has not put you at ease though? Well I am afraid I don't want to publish the source code but how about a compromise?

I have modified the script so that you can easily backup your section of my categories database. If I ever do disappear of the face of the earth you will have your own copy of your categories database that you can import into any alternative categories system.

Just go to http://da.vidnicholson.com/blogtags.php?backup=yourdomain.com as often as you like and save the XML file that you are given. So, for example, to see my backup file go to http://da.vidnicholson.com/blogtags.php?backup=da.vidnicholson.com


Wednesday, August 02, 2006

GPU Water Cooling

Both graphics cards in my computer are now also water cooled. I purchased two GPU cooling blocks and fitted them on each of my graphics cards (in place of the stock Nvidia fans) and daisy chained them with my existing CPU cooling block. So now water goes out of the radiator into the case (just under the PSU), through the CPU cooling block into the first GPU cooling block, then into the second GPU cooling block back out of the case and up to the radiator.

Now there are only two fans running in the computer, the one built into my PSU (maybe that will be the next change!) and the quiet one built into the water cooling radiator. I have the fun in the radiator set to its slowest speed and have a CPU temperature of 27°C, GPU temperatures of about 46°C and ambient case temperature of 44°C.