saush

Free books

Posted in general by sausheong on March 26, 2006

I love reading on my O2 mini, using the Microsoft Reader. In fact I read mostly on it nowadays, as a supplement to my printed documents. It’s a handy little device, and though there is much to complain about in the reader software itself (lousy interface, bad bookmarking etc), it’s the best and most popular on the market now. Adobe Reader sadly sucks so badly on the Pocket PC that I don’t even bother to read anything on it anymore.

Here’s a tip if you plan to read using the Microsoft Reader — you can convert your documents from Microsoft Word! Just download the Reader plugin at http://www.microsoft.com/reader/download_rmr.asp and install it. When you save the document in Word you will have an option to convert it to the .lit format readable on MS Reader. This is how I read most of my documents and articles.

For PDF files, you can do a conversion from PDF to Word, TXT or RTF (using any tool on the market — there are plenty) and then do the same thing.

Another tip — if you like classic books, check out the Gutenberg Project; if you like Science Fiction or Fantasy books, a great collection of books is offered by Baen, for free! (I kid you not.) There’s plenty of free and good stuff out there if you take some time to sniff around.

Drop me a note if ever you find anything interesting to share!

[The Lands] – The Battle

Posted in Stories, The Lands by sausheong on March 23, 2006

The day was bright and hot. Not a single cloud drifted across the lightly coloured sky, below which the gently rustling grass of the wide plains sighed in sensitive serenity. A talkative plains-bird, slightly mottled and almost invisible among the grass, chattered away loudly. A beetle wandered foolishly before the excited and suddenly still bird. A bit closer … then snap and crunch! Another meal, and the diminutive bird continued his proud chattering. Some crickets creaked in agreeing reply but kept a cautious distance from it. Another rustle this time. A second plains-bird flapped clumsily and dropped in, to the loud protests of the original bird. Mine! Mine! Mine! clacked the first bird indignantly. The invading bird clacked rudely in return. The first bird snapped and whirred at his enemy, preparing to defend his claim. A worm wriggled unwarily out of his little heap in the ground. The argument stopped abruptly as all four beady eyes snapped quickly to the delicious delicacy that was bestowed upon them.

Thud. The ground shook slightly. Thud, thud and thud. Thud – crash! The quarrelling birds startled away with undignified squawks as strong muscular hooves pounded furiously across the plains, crushing all that was beneath them and squashing the innocent earthworm. All previous arguments were gone as they fled for their lives as fast as their little wings could bring them. Thundering and swift went the bridled horses, war-horses driven to a foaming loyalty to their masters, driven forward into direct confrontation with an approaching horde. And more, and more and more, as the flood of riders flowed frenziedly forth. Their hoarse battle cries resounded into the clear blue afternoon. A horn trumpeted mightily and drums beat a relentless rumble, urging all within earshot, to war! To war and glorious war! With a collective shout, the simple white and blue flag was unfurled and whipped at the wind, flapping in staccato snaps, to war! To war!

At a far distance the oppressive rumble of an impending horde began to reverberate, a sea of green, grey and red, their ominous approach corrupt and arrogant. The riders continued without hesitation. The horizon changed from soft peaceful plains minutes ago to a throbbing and unyielding wave of grey and red as the war cries of the enemy screamed at their senses. They’re coming! Slowly at first, but inexorably, the tide of grey advanced, the harsh bugle of the allied clans challenging the riders to battle. Come, went the drums cruelly, come taste the bitter edge of our axes and piercing points of our spears! Fight us, snarled the horns of the horde. Fight us and die like beasts! The riders raised their voices in a grim, defiant chant and blasted an equally threatening echo. For the glory of the Kingdom of the Named, the High King and the Lands! To war, to war!

With mindless clockwork precision six-foot long lances tipped in hard steel snapped sharply forward. In a timed perfection, the thunder of horses drumming a rushing rhythm, the riders plunged headlong into their hated enemy. The men, without heed, without mind, crashed like a steel bolt into the horde, cutting deeply into the mindless formation. The point of contact erupted into a raging storm of destruction and pure anarchy. Squeals of pain and howls of agony followed quickly after as hundreds of bare-chested brutes were impaled upon the charging lances, lifted up completely from their feet and hurled back, skulls smashed, backs broken and whole shoulders torn away from the body. The lances shattered at the impact, some of the riders flung backwards off their horses to the ground with a wrenching crack, never to rise again.

Like a knife slicing through red dripping venison, the knights tore the horde sharply into two, cutting a swathe left right and through to its foul core. All close-ranged weapons now unsheathed; the riders in their shiny hard armour wielded battle-axes, morning-stars, maces and long swords. Enraged shouts filled the crisp afternoon air following screams and grunts of pain. All thoughts away from their minds, no friendly words from comrades, no gentle touches of caring mothers, no soft caresses from lovers. Only blood filled their eyes, the taste of fear and anger and hatred, the overpowering smell of hard sweat and bitter blood, the sound of death and destruction crowded into a mad rush of rage. Feeling only the sharp rush in their warm blood, the stinging jar of their first stroke, an axe through the tender neck of the brute, a mace crack open a skull or a sword spike through an eye. A spurting gush of rusted blood tainted with anguished cries, the mad and wild, wild exultation of power over life and death.

The brutes replied with unfettered savagery, rude clubs battering at the horseback knights and throwing them off. Blunt obsidian axes slashed cunningly at the bare knees of the war-horses, bringing them shrieking down with their masters. The creatures threw themselves wildly at the horsemen with little thought of their own safety, forcing them down to the ground with inhuman strength. Once the knights in their bright armour were helpless on their backs, they were torn limb from limb and butchered brutally like animals. Pausing only to rip out an eyeball of a fallen enemy and crush it with their sharp teeth, the monsters continued their slaughter. Each of them had the strength of two men and the berserk bloodlust of battle was upon them, transforming them from rational beings into deranged beasts; none of them expecting to live and none of them expecting mercy, just as they had none. War was their God and to worship Him was to purify themselves in the blood of enemies, to send as prayers the wailing cries of their dying defeated, to exalt Him with the burning blaze of a ravaged city as sacrifice.

It was not the manner of a crisp duel between two swordsmen, nor the grappling intensity of two wrestlers – not even the rough and tumble of a street brawl, but the maniacal hacking of flesh and bone. No system, no method, no technique as the battle devolved into full-scale chaos, bedlam and pandemonium, silencing every other living creature for miles. Blood covered the muddied plains – crimson mud thick with the blood of the fallen as the day continued wearily on. But wait! The knights now backed their steeds slowly away from the horde – what are they doing? The knights continued their hurried retreat to the opposite side of the plains, to the triumphant cries of the bloodthirsty horde. Some of the more unfortunate withdrawing men were cut down as they disengaged from the battle and rode off, leaving the raging horde in milling confusion and still in bloodlust. Where do they think they are going, the motherless cowards! But their impetus was broken – a portion of the horde raced ferociously after the fleeing knights while most of the monsters stopped as they encountered conflicting commands from their war-leaders. What shall we do now and who do we kill? they shrieked. Slowly they drifted into clans once more as violent arguments erupted among themselves. We shall burn and plunder the weakling creatures’ towns and villages! Rape and rip their women apart, gut their old and feast on their young!

The smoothly sailing hail of carefully fletched arrows flew gracefully in a gentle arc, paused for a still moment then sped downward with a determined rush and found surprised targets. Even as the first storm of arrows reached the pinnacle of their flight, a second barrage left the hands of the longbow-men and a steady rain of arrows fell upon the unsuspecting creatures. In a single body a full third of the horde gave a startled sigh and collapsed. Enraged, the remaining brutes surged forward once more, leaving their dying and dead untended, for what is more glorious than to die for your God? Like a field of new sprung wheat, the battlefield where thousands lay dead sprouted crimson arrows among twitching and cooling bodies.

Before them, the longbow-men fled and with a roar, the horde chased! But the feeble legs of the weakling creatures were no equal to the might of the horde! See how they stumble as we crush their skulls in vengeance for our brothers! Only one half of the archers survived to fall back a few hundred yards behind another group of heavily armoured men with pikes twice as long as themselves. Raised resolutely before them, the pikesmen advanced slowly but surely against the horde. Without any semblance of indecision or hesitance the horde poured once again into the marching men, howling for more blood. The first wave threw itself into a raving frenzy and gored itself on the pikes, snarling, flailing hands still lashing out to claim more victims. And more and more and more, until the front pikesmen were overwhelmed and the dead bodies piled up into a grisly wall of death. Still the horde pushed insanely at the wall of pikesmen and the men were torn down and thrown forward like ragged dolls. Behind the front pikesmen, however, was another wall of pikesmen, but would it stand against the unstoppable force of the charging horde?

But wait! The knights who fled during the first clash have returned! In full force the grim riders charged at the rear of the unprepared horde and smashed into them. Finding themselves trapped between a full charge of knights and a wall of pikesmen, the horde finally broke and was torn asunder. Each clan ripped itself away from the main horde and tried to escape by its own means. Like beasts in a slaughterhouse, the brutes were run down and mercilessly executed, the nauseating carnage littering the plains as a horrifying reminder of the battle. Those who survived fled the battlefield wailing and howling in despair across the dead plains into the forest and the mountains.

With an enormous shudder, the surviving men lay down on the field, totally exhausted. Soon it would be dusk and many of the ragged returning army would not see another sunrise. Even as the less injured men picked themselves and their comrades up, all was quiet; the sobering sight of tens of thousands of bodies lying upon the bloodied plains made them wish that they were home. For every one of them who limped, crawled or stumbled away, another four did not. Soon, the only sound to be heard in the tranquil evening, as the sun gazed lazily at the pink plains, was the shrieks of circling carrion-eaters in the sky.

The feast of the victors has just begun.

I am 34 today!

Posted in general by sausheong on March 23, 2006

Almost reaching the middle of my 3rd decade of living. Makes me think what I have achieved for the past 34 years? I suppose quite a lot. Paid my way through university on a bank loan and working as a tutor and freelance systems admin. Finished my loan repayment taking 2 jobs after university. Got married, bought my first apartment with my blood and sweat. Started up an Internet startup, got its bubble popped, but moved on to become a real software company. Had a son. Wrote lots of software in between, and software that got SOLD! Software that people used! That’s the sweetest I suppose. Bought my own flat here now. Changed job, managing developers now. Wrote lots of articles in between. Bought a car. Son in primary school now. And now I’m 34.
Wow time flies.

[Securing Internet Banking] Part 4 – Phishing

Posted in payment & banking by sausheong on March 11, 2006

Phishing is probably the most well-known and familiar method used to compromise Internet banking sites. The Gartner Group estimated the direct phishing-related loss to US banks in 2003 at $1.2 billion, though indirect losses are much higher. The word ‘phishing’ comes from the analogy that Internet scammers are using email lures to ‘fish’ for passwords and financial data from the sea of Internet users[1]. The term was coined around 1996 by crackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users[2].

There are various phishing methods, but at a basic level phishing tries to get the Internet user to reveal personal, financial or password information by pretending to be something else. The phisher usually pretends to be the official website of the bank or organization and tries to persuade the Internet user, by playing on fear, threats or greed, to reveal his personal details.

A typical trick is to send an official-looking email or instant message to a bank customer that links to a website which looks like the actual Internet banking application but is in fact a replica of it. The replica is designed to steal passwords when the bank customer tries to log into the Internet banking application. The replica can be exactly the same as the original website, down to the images, which are linked directly from the original website. The only difference may be that any forms submitted from that website are posted to a different application than expected, one which harvests the personal and confidential information of the bank customer.

Figure 1 – Typical phishing attack

If done well, the bank customer will not even realise that he has been ‘phished’, as the fake application will redirect him to the real application afterwards. Phishing is not unique to Internet banking – it is widespread in many Internet-based applications, including PayPal and eBay, and the information that is phished ranges from credit card numbers to bank account numbers to identification numbers such as social security or passport numbers.

Most phishing methods use some form of diversionary deception that tricks the user into believing that the email or website belongs to the actual organization. Phishers often use misspelled URLs or sub-domains (see Table 1). Another common trick uses the @ symbol. In URL syntax the @ separates a username and password from the actual host, so everything before the @ is ignored for the purpose of locating the site. A casual observer might assume that such a link points to the bank’s website whereas it actually points to the scam website, which replicates the bank’s website. A variant of this trick inserts a null or other unprintable character before the @ symbol, which prevents the host information from being displayed in the address bar. These methods have since been closed off in newer browsers. In a simpler trick, some phishers do not even use a domain name; instead they use an IP address, which normal Internet users will not check for validity.

Type of deception     Example
Misspelled URL        http://www.c1t1bank.com
Sub-domain            http://www.citibank.com.fakesite.com
Using @               http://www.citibank.com@fakesite.com
Using @ with null     http://www.citibank.com%00@fakesite.com (will be shown as http://www.citibank.com)
Using IP address      http://202.123.34.211

Table 1 – Common URL deceptions

These methods work on some people because links are usually (and are designed to be) clicked rather than typed, and there is no correlation between the link text shown on the website and the actual destination it goes to when clicked, other than a small status bar display at the bottom of the browser.

Slightly more sophisticated tricks use Javascript, the client-side scripting language used by many web applications, for various kinds of deceptive hiding or camouflage. For example, the phisher might use the onMouseOver event handler to show a fake URL in the status bar. Other Javascript tricks include closing the address bar while the fake site contains a very similar-looking ‘address bar’ that is in fact part of the web page, or even opening another, smaller browser window that completely covers the real address bar.

Another related phishing attack is IDN spoofing, or a homograph attack[3]. IDN stands for internationalized domain name and is a method that allows characters other than English ones to be used in the domain name of a website. However, in some languages certain characters look the same as an English character but in fact represent a different character. For example, газета.ру is the Cyrillic equivalent of gazeta.ru. The Russian letters а, е, р, у are indistinguishable in writing from their English counterparts. Some of the letters (such as a) are close etymologically, while others look similar by sheer coincidence. For instance, the Russian letter р is actually pronounced like the English r, but the glyphs of the two letters are identical. This leads to situations where two URLs might look the same in the browser but in fact point to completely different websites!
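A detection-side example, added here and not part of the original post, that checks a link for the deceptions listed in Table 1 and for the IDN homograph trick described above. The brand name, the allowlist of legitimate hosts, the confusable-letter map and the two-label "registrable domain" rule are constructed simplifications for the example.

```python
import ipaddress
from urllib.parse import urlsplit

BRAND = "citibank"                                   # constructed example brand
LEGIT_HOSTS = {"citibank.com", "www.citibank.com"}   # constructed allowlist of real hosts

# Cyrillic letters whose glyphs match Latin ones (assumption: this subset is enough here).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "у": "y", "х": "x", "і": "i", "ј": "j"})

def _script(ch):
    """Coarse script class by code-point range; enough to tell Latin from Cyrillic."""
    if ch.isascii() and ch.isalpha():
        return "latin"
    if 0x0400 <= ord(ch) <= 0x04FF:
        return "cyrillic"
    return "other"

def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch typo-squats such as c1t1bank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_url(url):
    """Return the deception indicators found in url; an empty list means nothing suspicious."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    findings = []

    # Table 1, "Using @" and "Using @ with null": text before @ is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo-before-@")
        if "%00" in parts.username or "\x00" in parts.username:
            findings.append("null-before-@")
        if BRAND in parts.username.lower():
            findings.append("brand-in-userinfo")

    # Table 1, "Using IP address".
    try:
        ipaddress.ip_address(host)
        findings.append("bare-ip-host")
    except ValueError:
        pass

    labels = host.split(".")
    if host and host not in LEGIT_HOSTS and len(labels) >= 2:
        sld = labels[-2]   # label left of the TLD; the two-label rule is a simplification
        # Table 1, "Sub-domain": the brand is only a prefix, the registrable domain is someone else's.
        if BRAND in host and BRAND not in sld:
            findings.append("brand-in-subdomain")
        # IDN homograph: a label mixing Latin and Cyrillic letters is never a real brand name.
        for label in labels:
            if len({_script(c) for c in label if c.isalpha()} - {"other"}) > 1:
                findings.append("mixed-script-label")
                break
        # Homograph or typo-squat of the brand: fold confusables to Latin, then compare.
        skeleton = sld.translate(CONFUSABLES)
        if skeleton == BRAND and sld != BRAND:
            findings.append("confusable-brand")
        elif 0 < _edit_distance(skeleton, BRAND) <= 2:
            findings.append("lookalike-brand")
    return findings

if __name__ == "__main__":
    samples = [  # constructed inputs echoing Table 1 and the Cyrillic example in the text
        "http://www.citibank.com/", "http://www.c1t1bank.com",
        "http://www.citibank.com.fakesite.com", "http://www.citibank.com@fakesite.com",
        "http://www.citibank.com%00@fakesite.com", "http://202.123.34.211",
        "http://www.citib\u0430nk.com",   # Cyrillic а where Latin a is expected
        "http://газета.ру",
    ]
    for s in samples:
        print(f"{s:45} {analyse_url(s) or 'clean'}")
```

A purely Cyrillic name such as газета.ру is not flagged on its own; only a label that mixes scripts or folds to the protected brand is.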

Many people make the mistake of assuming that phishing attacks on Internet banking services do no harm if no unauthorized transactions or funds transfers occur. Funds transfers are probably the lesser harm, because if money is taken from an account the account owner will generally know relatively quickly and act to stop the transfer or prevent further harm. Also, funds transfers normally go to another bank account and are often traceable and recoverable.

The greater harm comes in the form of identity theft activities. The phished account might be used for money laundering or other illegal activities. Other information might also be extracted, such as credit card, account and personal information. There is also evidence that ATM cards are falsely reproduced from information ‘phished’ from the unsuspecting victim[4]. The kind and extent of the damage are not immediately evident and can lie dormant for a long period of time, which makes it very difficult to trace and stop these illegal activities. For example, money can be transferred from a larger compromised corporate account to more than one phished account, after which ATM card transactions and withdrawals can be made throughout the country or even outside the country, using cross-border electronic funds transfer facilities such as PLUS or Maestro.

Phishers usually actively target multiple systems and organizations at the same time, and are well organized[5]. There is also evidence that organized crime is getting increasingly active in phishing and a thriving market for phished data trading exists[6]. Amateur phishers who were previously balked by their inability to convert the data to monetary benefits are now able to Phishing was originally predominantly by amateurs and adolescents, but this activity has ‘grown up’ and is considered one of the more dangerous online security threats[7].

[1] From Word Spy at http://www.wordspy.com/words/phishing.asp

[2] From the Anti-Phishing Working Group at http://www.antiphishing.org/word_phish.html

[3] See Evgeniy Gabrilovich and Alex Gontmakher (February 2002). The Homograph Attack. Communications of the ACM 45(2): 128 and Johanson, Eric. The State of Homograph Attacks Rev1.1. The Shmoo Group. URL accessed on August 11, 2005.

[4] See Christopher Abad, The Economy of Phishing: A survey of the operations of the phishing market (2005) at http://www.firstmonday.org/issues/issue10_9/abad/

[5] See The Honeypot Project & Research Alliance, Know Your Enemy: Phishing (2005) at http://www.honeynet.org/papers/phishing/

[6] Id.

[7] See the Anti-Phishing Working Group at http://www.antiphishing.org


[Securing Internet Banking] Part 3 – Rationale and Risks

Posted in payment & banking by sausheong on March 11, 2006

The banking industry could be seen as an odd bedfellow when read together with the Internet. Banks are generally known to be conservative, highly sensitive to security, risk-averse, and to value stability and reliability. The Internet on the other hand moves at such a high speed that it prompted the term ‘Internet time’ to be coined. The Internet is usually unsecured, mostly uncontrolled by any single authority, often unreliable and generally seems to be the antithesis of everything banks symbolise.

So it is surprising to note that Internet banking services today form a large part of the activity on the Internet. In a survey done by Eurostat in 2003[1], about 40% of all Internet users in Europe use Internet banking. This is in comparison with email, which leads at 80%.

There could be a number of reasons why Internet banking became successful. Firstly, for the customer Internet banking is an incredible innovation that simplifies the process of transacting with the bank. Previously, a bank customer needed to physically appear before a bank teller in a branch during his own office working hours (meaning he would either need to sneak out or take some time off). Internet banking on the other hand can be done any time, anywhere. Convenience is probably the most compelling reason for the bank customer, driving customers to adopt this new technology with relish.

For the bank, there are a few evident reasons. As their customers increasingly demand convenience, it is inevitable that the banks need to bow to their wishes and move in this direction or be edged out by their competition. The fear of being left behind is alone a main driver behind many banks’ move to Internet banking services.

At the same time, Internet banking allows the banks to extend their current market and to reach out to more customers where it would previously not have been possible without incurring high costs. Traditionally banks are limited by their geographical coverage, and their operating costs increase exponentially as their branches are located further and further away. Internet banking on the other hand has no real boundaries other than the legal and regulatory restrictions that prevent banks from operating in multiple countries without the approval of each country.

However, the most compelling reason for banks to move into Internet banking is probably the allure of a significant cost reduction in providing the banking services. In 1996 Booz-Allen and Hamilton conducted a survey in the US and found that the cost of a full banking transaction over the counter was $1.07 while it was 54 cents via the telephone, 27 cents for an ATM but only 1 cent for Internet banking[2]!

However, as with most things, the benefits of Internet banking are a two-edged sword and come with a different set of risks that were previously not significant to the banks. As the geographical reach of the bank increases through Internet banking, it becomes more challenging to verify their customers and make good credit decisions. The business case for Internet banking services, especially for Internet-only banks, remains unproven[3] as banks struggle with unforeseen operational costs and issues that they were not familiar with.

Regulatory issues on Internet banking are mostly unclear at this point in time, which increases the overall risk of doing business on the Internet. For example, much of the existing legislation around the world still treats Internet banking alongside ATM or phone banking. The bank’s liabilities concerning Internet banking are still unclear today as well. In cases of fraud and security breaches, the respective liabilities of the bank customer and the bank are still a matter of contention. To protect the consumer, most governments tend to shield bank customers from any negative effects even though bank-customer contracts usually disclaim liability. In any case, any negative issues with a reputed bank’s Internet banking services will usually drag its name and its brand through the mud. For the bigger and more prestigious traditional banks, this poses a tremendous risk of damage to their brand assets.

Most banks do not have significant expertise in Internet technologies or in implementing and maintaining an Internet banking application. Unfortunately this is also true for most organizations – enterprise-level Internet applications are relatively new and sophisticated. One of the most serious risks faced by the banks, however, is the issue of securing access to the Internet banking services.

The tremendous number of banking transactions that occur daily over a medium that is basically unregulated is an open invitation for criminal and fraudulent activities. In a 2003 survey of financial institutions around the world, 39 percent of respondents said their computer systems had been ‘compromised’ in some way the previous year[4].

[1] See Christopher Demunter, Internet use in Europe: security and trust (2005)

[2] Booz-Allen & Hamilton, “Consumer Demand for Internet Banking” (1996)

[3] Robert DeYoung, “The Performance of Internet-Based Business Models: Evidence from the Banking Industry,” Journal of Business, University of Chicago Press, vol. 78(3), pages 893-948. (2005)

[4] See Laura Bruce, Online banking security: Who’s minding the vault?, http://www.bankrate.com/brm/news/emoney/technoguide2004/ebank-security1.asp
