OOXML changes was granted without further discussion and the delegates from 87 nationals that has gathered in Geneva are exhausted and frustrated with an agenda with over thousands points of order – Chaos seems one word on everyone’s lips according to several reports from the meeting.

How do you go through 6000 pages in one week; well you don’t and this has been proven by the ISO-organisations themselves. So what do they do then? Well, the next best seems to just take the formal decisions to accepting the suggested changes without any discussion - this ought to be good enough for everyone shouldn’t it?

“There just is not enough time to cover the large number of problems in the document. I believe that a lot of the nations are frustrated with the process in general.”

This might just be the strategy from Microsoft to present a massive documentation and hope that people actually won’t read it. Microsoft learned from the first round that it didn’t quite work out that way.

Microsoft has also argued that multiple standards are better than one and says OOXML’s higher specifications make it more useful than ODF. Problem is that OOXML neglects various standards in many parts and describes function that is already in an existing ISO standard so here Microsoft actually tries to change what already exists - it’s this stupidity that lots of the critics oppose to.

Above complicated and even workarounds are shown as well in the lately released Microsoft Office file formats and one would actually think that the documentation is deliberately obfuscated. The reason for this might just be that all of it were designed to be fast on very old computers and ended up as a patch quilt and it was just easier to make a plain Copy & Paste into the OOXML.

After the meeting, the 87 national delegations attending will have until March 29 to adjust their positions, giving Microsoft another shot at a two-thirds majority.

Bookmark to:

Most people have heard about card skimming and other credit card fraud but in Swedish media there are several interesting articles regarding how a local branch office to Swedebank manage to stop a fraud transaction in the last minute. The Swedish police won’t talk about it but media claims that a bank employee took notice off that the mouse pointer on his system was moving by it self. He then quickly looked behind the computer and finally found under his desk a hidden device that was connected to the computer to remotely control his computer. Pulling the cables stopped a transfer of several million Swedish Kronor to vanish.

First question that comes in my mind is how did they manage to set up this equipment without any one taking notice? Well, according to the Swedish police there was a break in during August last year where nothing was stolen… Why didn’t that itself not raise a couple of questions? And better up; the alarm did not go off due to that the alarm wasn’t activated?!

The question that should be asked within this organisation is why would actually someone make an illegal entry with the risk of getting caught and steal nothing? Either was the person extremely stupid or didn’t find what he was looking for or they intrusion had another purpose of for example hide or tamper with the system at the bank office.

The group of seven men where arrested this Monday and Tuesday and are currently under suspicion for attempt to bank fraud and as well for preparing new similar actions.

So far the police has been very silent regarding the technology used during this fraud attempt. But a guess is that since the perpetrator had to hide an “unknown device” under the desk one could assume that they used standard available technology such as pico-itx motherboard together with either gsm or 3g modem to be able to call home or to contact the “unknown device” from remote host by for example using open available remote access software between the two computers. So actually the components used to build a tiny system is not hard at all and I highly doubt that we’re talking about James Bond technology here such as tiny keyboard logger devices with remote capabilities.

The technology is available and has been since many years to build your own equipment or buy spy kit – it’s just a matter how much money you’re willing to spend and to what extent you’re willing to hide your activities.

Keyboard loggers has been around for ages as well most interesting enough most people have actually never seen one. Keyboard loggers can easily be obtained via the internet or you can either build your own using a simple PIC16F84, and a NVRAM chip. The left images shows a home made keyboard logger and the middle shows what a typical keyboard circuit looks like and the right image what a typical keyboard logger looks like that you can get over the internet for around $80.

So once again I ask myself – why would someone make break into a bank and not steal anything without any questions asked?

Kim Haverblad

Bookmark to:

Referring to the ongoing OS/2 Open Source Petition at OS2 World there is an interesting story from inside of IBM that goes back to 1998 when I worked at IBM in Stockholm and had the opportunity of meeting Jeff Smith who at that time had the short and consist titel as Director of OS/2 Business Line and Network Computing Software.

Jeff mentioned that there actually had been quite a bit of discussion if IBM should port the OS/2 WPS to Linux environment or not. Problem was that the top management wasn’t that convinced about this little project and felt that they already stretched check book enough with the WorkSpace On-Demand (remote boot of DOS, OS2 and Windows 98). Saddly, as he stated it; it was and still is a great piece of code.

Porting it to Linix might well have been a commercial activity for IBM; question if they had done that; I would guess that they would open-sourced that code sooner or later to the Linux community. So one way or another IBM could open-source parts of the code that both the OS/2 and as well the Linux community can benefit from and they have already done that earlier with the open-source of the JFS-code that came from OS/2 portion. Of course the OS/2 community gained by this by moving the open-sourced code back to OS/2 again.

Kim Haverblad

Bookmark to:

As a big enthusiast of open source and as well since I have earlier has been product manager for OS/2 at IBM Sweden; I really feel for this great operating system that have during many years been far more productive than for example Windows XP for me should be open sourced. IBM has so far been totally ignorant to an earlier petition where almost 12.000 people signed it and didn’t even bother to answer the letter sent to them together with the signatures.

What is the current position with OS2 today then? Well, the last release from IBM was version 4.52 for both the client and server. Did it stop there? No, US based corporation Serenity picked up an OEM license at IBM and has together with Mensys in the Netherlands continued to develop and enhanced the system with new features and components such as wireless network support and as well multicore CPU support; so this old work horse still does quite fine together with the endless work of porting application from the linux community. All the major application support is there and are up to date; what more could I ask for?

Well, I really ask IBM to open vital parts of the OS/2 core components and after talks with the OS/2 development community, we have found that the following three important components will be basic to the continued development of OS/2:

• SOM (System Object Model) Core. This will also be a good contribution to the open source community in general and to the computer science educational area.
• Workplace Shell (WPS). According to press documentation, the OS/2 graphical user interface (GUI) was developed 100% by IBM. There are no third party restrictions to open sourcing it.
• OS/2 Kernel.

IBM has earlier made comments about that there are way too much 3rd party code in OS/2 and this itself makes it impossible to release the code; above 3 mentioned core components should not fall under this category and be fully possible for IBM to release - if they just should a little bit of effort…

If you agree that OS/2 should be open sourced I then invite you to participate to sign the 2nd petition at OS2 World.Com and by signing you will also get notified on the progress made.

Kim Haverblad

Bookmark to:

Have you ever been trying to get commercial smart card solution available on the marked to work with more than just one operating system? Then you might be familiar with that it’s not a walk in the park to get it to work. During my evaluation of both hardware and software I quickly noticed that trying to mix hardware and software from different vendors wasn’t that great idea and didn’t work out that well - So much for standards.

Having used OpenPGP for quite some time and earlier PGP (OpenPGP derives from PGP, first created by Phil Zimmermann) on various operating systems I’ve quite often been looking into the possibility of using some kind of token to keep my encryption and ssh keys safe and a simple USB-memory isn’t an option. Problem is that it hasn’t been that easy earlier and as well it also depends on what kind of token you chose. From that start I’ve been looking at using smart card solution and while evaluating different smart card readers it clearly looks like that USB CCID (Chip/Smart Card Interface Devices) based dongle reader seems to be the best and actually the easiest solution when having several operating systems in mind (drivers are available for two of the operating system that I use; Windows and Linux).

When starting to look into this topic I gave it a try with GemPlus PC400 smart card reader which works fine under Windows and Linux, but unfortunately missing drivers for OS2 which is another operating system I still use. Linux drivers for the GemPlus PC400 smart card reader can be found at LinuxNet and there is an active software bounty available at OS2 World for those who wants to continue on that track.

There are various smart card implementations available and one of the widely available solution for at least Windows and Linux system is U.S. Department of Defense CIC, Common Access Card which is a Java Card OpenPlatform card with GSC-IS (Government Smart Card Interoperability Specification) applets which is primarily used to access email with varying levels of support for the mentioned operating systems. There are various manufacturers that sells this kind of smart card. For larger corporation or due to customer demand the DoD CIC smart card might be the track to continue on when selection standard to build ones solution around.

In my case since I wanted to use GnuPG I’ve choosen to use the OpenPGP Card based on the ISO 7816-4,-8 specification for smart cards.

Features of this card are:

• 3 independent 1024 bit RSA keys (signing,encryption,authentication).
• Key generation on card or import of existing keys.
• Signature counter.
• Data object to store an URL to access the full OpenPGP public key.
• Data objects for card holder name etc.
• Data object for login specific data.
• Length of PIN between 6 and 254 characters; not restricted to numbers.
• T=1 protocol; compatible with most readers.
• 40mm * 10mm sized writable field on the front matter.
• Specification freely available and usable without any constraints.

There shouldn’t be any problem to use DoD CIC smart cards; but I haven’t had the possibility to verify this myself and how well this card works together with GnuPG and OpenPGP. But, it’s my understanding that it works as supposed.

The GnuPG client and plug-in used for the mentioned systems supports PKCS#11 and by this it’s possible to get everything, with some tweaking, to work all together with a single smart card with a RSA-key for signing and ssh key handling. Getting it to work with Thunderbird and Enigmail is really easy and works more or less out of the box.

So by looking at open source utilities I’ve achieved my goal to get a working solution for secure handling of my encryption keys for at least two out of three operating system that I use.

Kim Haverblad

Bookmark to: