About Me

I ramble about a number of things - but travel experiences, movies and music feature prominently. See my label cloud for a better idea. All comments and opinions on this blog are my own, and do not in any way reflect the opinions/position of my employer (past/current/future).

14 October 2010

Brilliant phishing email

Phishing emails are dangerous - they are misleading, fraudulent emails that aim to lure people into giving away passwords or other sensitive data, which can then be used to defraud the associated account.

Most phishing emails are actually easy to spot - they range from those that take advantage of the person's gullibility (419 scams that claim you can help some obscure prince/businessman/politician to transfer money) to the more direct: "your bank account has expired; please enter your password on this site". Modern phishing sites are even more advanced and often replicate the target website's look and feel very closely.

This morning, I got a phishing email which was frankly amazing, not only in how it is constructed, but in how well it is disguised with an air of legitimacy. An email asking you to download software to protect you from phishing is simply brilliant!

For me it was easy to spot this as a phishing email, and I was impressed that Gmail also picked it up. The from address is suspect (Standard Bank, after all, is a South African company, not Polish), the reported from address is not Standard Bank's website, and the link in the email is not to a Standard Bank website. And lastly, I am not a Standard Bank customer. But I suspect others may fall for it - and thus this post is both a warning and, at the same time, an expression of admiration for a very well-directed phishing scam.
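The three indicators above (sender domain, reply address, link targets) are exactly the checks a mail filter or an analyst can run mechanically. The following Python script is an added example and is not code from the original post: it parses a constructed sample message in the style of the one described and reports each indicator that fires. The brand domain standardbank.co.za, the sample headers and links, and the function names are all assumptions made for this example; the sample is not the real email.

```python
"""Heuristic phishing indicators: sender domain vs. the impersonated brand,
Reply-To mismatch, link targets outside the brand's domain, and link text
that displays one URL while pointing at another."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the legitimate domain of the impersonated brand.
BRAND_DOMAIN = "standardbank.co.za"

# Constructed sample in the spirit of the mail described above (not the real one).
SAMPLE_EML = """\
From: Standard Bank Security <security@standardbank-alerts.pl>
Reply-To: helpdesk@mail-secure-login.com
To: customer@example.com
Subject: Protect your account: install our anti-phishing software
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>Install our anti-phishing protection now:
<a href="http://standardbank.secure-download.pl/protect.exe">https://www.standardbank.co.za/security</a></p>
<p>Read our <a href="https://www.standardbank.co.za/privacy">privacy policy</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect [href, visible text] pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def same_org(host, brand_domain):
    """True for the brand domain or a subdomain of it ("www.standardbank.co.za"),
    false for look-alikes such as "standardbank.co.za.evil.pl"."""
    host = host.lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)


def host_of(url):
    """Hostname of a URL; a bare 'www.example.com' without a scheme is handled too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def address_domain(header_value):
    """Domain part of an address header, with the display name stripped."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyse(raw_eml, brand_domain=BRAND_DOMAIN):
    """Return a list of human-readable indicators; an empty list means none fired."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    from_domain = address_domain(msg["From"])
    if not same_org(from_domain, brand_domain):
        findings.append(f"From domain {from_domain!r} is not {brand_domain!r}")

    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")

    for href, text in extractor.links:
        target = host_of(href)
        if not same_org(target, brand_domain):
            findings.append(f"link target {target!r} is outside {brand_domain!r}")
        # Visible text that looks like a URL but resolves to a different host.
        text = text.strip()
        shown = host_of(text) if re.match(r"^(https?://|www\.)", text) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")

    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EML):
        print("-", finding)
```

Run as a script it lists four indicators for the constructed sample (foreign sender domain, Reply-To mismatch, a download link outside the brand domain, and anchor text that displays the bank's URL while pointing elsewhere); the legitimate privacy-policy link produces nothing. The subdomain test in `same_org` matters: a naive `"standardbank.co.za" in host` check would wave through a look-alike host such as `standardbank.co.za.evil.pl`.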

12 October 2010

SA 'needs more PhD graduates'

I found this article on IOL this morning, and it is also featured on other news sites. The basic synopsis - to grow the economy South Africa needs more PhDs. The data seems to stem from the graduating class of 2007 - and since I belong to that club, I ought to comment :) I do however note that I do not fit the overall trend - I am not White, and I got my PhD before my 25th birthday and not in my 30s.

The 'need more PhD graduates' needs to be contextualised, and I feel that none of the news reports truly delve into where the need stems from. But since the overall thesis is that we need PhD graduates to grow the economy, it can be assumed that PhD graduates are required by:

  1. Industry, to enable it to develop competitive products and services

  2. Academia, to enable a higher quality of education and research; feeding industry with higher quality university graduates, and

  3. To create new industries and services, through start-ups etc

In my graduating class of 2007, there were 3 PhD graduates (in December at least, and for Computer Science only). Of us 3, I am the only one who remained in South Africa, and all of us work in industry. Most South African companies do not really value PhD graduates - it is clearly seen in the recruitment drives and for that matter in industry itself. This is also seen by the relative lack of R&D institutes in South Africa that are fronted by industry. In fact, other than Sasol, I do not really know of any other South African company that has a big R&D setup in South Africa. Without viable R&D labs, are South African companies really interested in employing PhD graduates for their skills? And without a need for PhD graduates in industry, the pool of students wanting to do a PhD drops due to a lack of viable job opportunities.

I agree that deploying PhD graduates within South African universities would have a significant impact on a number of factors - and not just academics. However, for this to successfully work out, South African universities need strong post-doctoral programs, ideally on an international exchange basis, that can be used to hone the research skills and widen the research skill base.

Nurturing start-ups and protecting research outputs are things that South African universities and research institutes just do not seem to be good at. From my experiences at UCT, there was no drive for patents or setting up startups from the research outputs. This is a vital cog in the research process that can truly contribute to the economy. If I compare my experience at UCT with my internships at German research institutes in 2007, my actual research output was higher for the time: I had one paper at ACM DRM 2008, one patent application and contributed towards 2 OMA standards for the mobile industry; all in 3 months at one research institute.

Tied into the last point, I think there is also a need to have focused research programs instead of the ad-hoc research that happens in many SA universities. It is hypocritical on my part to say this - when my own research was ad-hoc and very much removed from most other research at UCT - but if I compare my PhD experience, in terms of the actual research project, to my peers in my research field around the world, formal research programs where a team of students, post-docs and academic staff work on the same research topic have a tremendous impact on the quality of the work produced. I think the outputs discussed above with regards to my internship can also be similarly attributed - there my team was 5 persons (including me) in my specific stream and a total of 10 persons in the research program as a whole.

So yes, I agree that more PhD graduates will have an impact on economic growth - but I do not think that can happen without the supporting environment from both universities and industry. Other factors such as primary and secondary education are also important - but for PhD graduates to have a meaningful impact on the economy there need to be mechanisms for them to contribute meaningfully.

11 October 2010

ZaCon 2

Last year, a bunch of security techies (mostly from Sensepost it seems) banded together to form a technical security group called ZaCon. In seemingly no time, they had organised a conference/get-together - which I could not attend due to work commitments. ZaCon 2 was the newer, bigger conference event. It is not really a novel concept in many respects - a bunch of people get together (on the weekend of course), organise a venue and discuss their common interest for a day - and all for next to no cost (the organisers funded some of the equipment hire; the rest was either sponsored or non-existent). It is the purest form of participation really - being there because it interests you.

As with all conferences, there was the mixture, from the superbly interesting to the boring - but that is to be expected. With a strong technical focus, many of the talks focused on IT vulnerabilities - how they can be exploited and/or mitigated - from Google Apps to Java JAR files.

There were a number of highlights. On the attack front, Ivan Burke's talk on the usage of Google Apps to create features similar to botnets (though, as he willingly admitted, he was not a good speaker) was a great example of how cloud computing facilities not only create security challenges with regards to confidentiality of data (stored in the cloud) but also create a platform for future security exploits. Jurgens van der Merwe's talk later about the use of Selenium expanded further on the potential for attacking web-based systems. In fact, a potential that wasn't explored in great detail - the combination of Selenium and cloud-based services such as Amazon EC2 and Google Apps could create a significant assault on data confidentiality - through exploiting gaps in web-based services. Also on the attack front, Daniel Cuthbert's talk on banking website security was a sobering reminder of vulnerabilities that are created by sheer incompetence as opposed to oversight.

Ross Simpson's talk on the use of jailbroken iPhones as a means to infiltrate wireless networks did not really explore major new ground - but was a very practical walk-through of the power of smartphones and a new attack vector. Like the attack vector of cell phone cameras where normal cameras are not allowed, this is yet another attack vector that is easy to deploy and hard to mitigate against.

Ollie Whitehouse discussed the forming of UnCon 10 years ago (a security community in the UK, and seemingly the idea that gave rise to ZaCon) via Skype - and was impressive not only in the content of the talk (I think there are a lot of things that ZaCon can "copy") but also in the fact that the technology worked. Using two different computers (one to control the screen and the other to conduct the Skype call), each with its own 3G connectivity, definitely helped in this regard.

The last talk, Barry Irwin's analysis of the propagation of Conficker, was quite interesting - especially the patterns in the network traffic correlated to the spread of the virus. The fact that Conficker has gone quiet is itself a worry - and the correlation of Conficker to other viruses, including Stuxnet, could be interesting research.

Overall, it was a great event - and a great learning environment. I do think, however, that there is a need to reduce the number of speakers and instead open up the floor for a lot more debate and discussion. Congratulations to the organisers for a great event!

10 October 2010

Movie: Small Town called Descent

A new South African movie (I think it is yet to go on general theatrical release); the movie centres around a Scorpions investigation into a xenophobic murder in a small town (called Descent). Intertwined within a fairly good crime drama is an exploration of corruption (from the town's mayor), police indifference/corruption, xenophobia, alcohol abuse, remnants of the apartheid legacy and, for some inexplicable reason, the politics of Mbeki-Zuma (I suppose the Scorpions are a link - but it has no relevance to the story).

The plot itself is quite good, but the script wasn't polished enough, and it often features over-acting/posing/theatrics that end up ruining perfectly good storylines. Added to this, the dialogue also sometimes does not seem to fit the characters. And finally, the movie finishes without completing all the story arcs - and unlike good stories, where this technique is usually a mechanism for the reader/viewer to draw their own conclusions, this just leads to confusion. For example, the corruption angle is never finalised and thus the exact reasons and collusions behind the corruption activities, or the end impact on the participants, are just not explored - even though it is the driving force behind the movie.

Overall, from a plot and cinematography point of view, it is a great movie. However, the acting and the script writing detract from the positives, and do not really make it worth watching.

Movie: The Red Chapel

I stumbled across the Tri-Continental Human Rights Festival, now in its 8th year, at Rosebank while waiting for the traffic to subside on Friday afternoon.

The Red Chapel is a documentary made by a Danish reporter, posing as a theatrical director, who takes two Danish comedians (of Korean descent) to North Korea on the pretext of a cultural exchange program. One of the comedians, Jacob, suffers from cerebral palsy, which creates two contrasting points in the documentary: firstly, his speech impediment allows Jacob to truly express his feelings in Danish without anyone else understanding; and secondly, it contrasts with the rest of North Korea, where there does not seem to be any other handicapped person around.

While the documentary's aim is to expose the dark evilness of North Korea, I found that, in many respects, the movie fails, and it is largely due to the director, Mads Brügger. Mads comments in the film that he has no moral qualms about anything to do with North Korea - and thus forces both comedians (Jacob and Simon) to do things they are clearly not in favour of doing. Furthermore, while Mads comments on various claims (which are most likely to be true), such as death camps and starving children, the documentary has no supporting evidence to back up its claims. Another problem with Mads' thesis is that he gives no credit to the actual talent on show from North Korea - especially the children who end up participating with the team - and instead seems to brush it off as simply a product of the evil regime.

All said, the documentary still provides a fascinating insight into North Korea - and a great example of media and propaganda management. There are many touching moments within the movie - especially the interaction between Jacob and the translator/minder from North Korea - but in my opinion, it does not really serve as documentary evidence of North Korea's evilness.