Wednesday, December 1, 2010

How to shop!

Coming back to Australia after living in London for 7 years was an eye-opener into tariffs and duties. Typically people tend to think of London as being very expensive, which it is, but what many people don't realize is that Sydney is comparable, and for many things, even more expensive. The main reasons for the high cost of buying general retail goods in Australia are tariffs and duties, and it appears that people are generally ignorant about what they are and why they are in place, so I thought I'd write a quick post about it, not to explain all the economics behind it, but simply to point a few things out. This ignorance about tariffs was highlighted when I recently bought my Boxee Box and read the outrage on their forums about the different costs of the unit all over the world. I'll use the Boxee Box as an example of the confusion.
The Boxee Box was initially selling for $199 USD in the US, 199 pounds in the UK, and $300 AUD in Australia, to name just 3 of the discrepancies. The Boxee forums were in an uproar, as very few people seemed to understand that you can't just sell an item at the same price all over the world. I won't go into the economics of it all, but basically every country has its own set of tariffs, duties and taxes; for example the UK has VAT and Australia the GST, and then you have the government trying to protect local industries, in some cases imposing additional tariffs and the like to try and "level the playing field". Then you have shipping, which is relevant to a place like Australia, and last but not least you have what the local market will bear. In the case of both the UK and Australia, they are both used to paying over the odds for the majority of "luxury" items bought, and thus distributors have learnt to take advantage of this and put an additional premium on top. This has reached a point where recently I was looking to buy some climbing gear from Wild Country. Wild Country is a Welsh company that manufactures locally. Amusingly, the cost of their products at discounted stores in the UK was still ~25% more expensive than going to online stores in the US. How's that for duties and leveraging what the market will bear?
Of course the solution to this is obvious to most people: buy it where it's cheapest and then ship it to wherever you are! In most cases, for luxury goods, that means buy it in the US. Now interestingly, in Australia, unless something costs more than $1000 AUD, you can bring it into the country without any additional taxes or duties, which in effect means that once you cross a cost threshold where buying it in America plus the cost of shipping is less than buying it locally, you're ahead. That mark is typically at around ~$130 AUD, which of course means that the majority of things that most people buy would be cheaper to buy from overseas. Now I'm hardly the first to note this, and thus enterprising individuals have started business models around this; for example check out www.myus.com, which gives members a US address (many US stores refuse to ship internationally, supposedly due to fraud issues, more commonly because they have agreements with their suppliers who want to ensure that their local distributors have the market cornered), will repackage all parcels, stripping unnecessary packaging, and then collate a number of parcels into one shipment, all for express delivery, leveraging their scale to get reduced rates from various couriers. All in all I'm absolutely astounded that more Australians don't buy from overseas. I guess it's just the relative lack of net savvy that pervades over here that is the cause, that and concerns around getting "support" for the product you buy in the event that there is a problem.

All of this has recently started to be brought to the attention of the public as local retailers are starting to complain about being unable to compete, and there is now a campaign underway to try and lower the threshold at which duties and tariffs are applied. My advice to anyone living outside of the US: buy what you're after sooner rather than later!

Monday, October 11, 2010

Is virus even the right term?

I just (belatedly, I know, for the rest of the security industry, but I tend not to read things daily, rather I batch my news so I get it a bit later than everyone else!) read about Stuxnet. The malware I mentioned a couple of months ago is the same thing, but now I have a name! This is some seriously impressive software. For those of you that don't know, this has been linked to all kinds of conspiracy theories, from the US government writing it to sabotage Iranian nuclear power plants, right through to Israelis attacking their neighbours. The best technical explanation I've found is over at Symantec, or for an overview check out Schneier's blog. Whichever way you cut it, if you don't understand the technical breakdown, or simply can't be bothered reading it, trust me when I say it's a whole new level of malware. It's quite literally malware done right, and every single component of this thing has had a LOT of thought put into it.

Thursday, August 19, 2010

Succinctly put!

Just read a presentation that very succinctly put why I'm so pessimistic about security. Way too much press goes to the trivial, easy attacks with little to no sophistication. Of course this is by design, as the professionals simply don't indulge in the type of behaviour that makes script kiddies famous. About the only caveat I have to the presentation is that in most cases their success is predicated on one of two things: either having the talent in-house to be able to break in, or access to specialized attack tool chains. It is possible, albeit not probable, that in some cases the in-house talent might refuse (if they knew!) to break in on behalf of a nefarious entity. That's about the only hope you have against the real pros.

Wednesday, August 18, 2010

Industrial Malware

I just read an article over at CNET about malware that is targeted at major industrial infrastructure. In summary, there are now viruses / malware that automate attacks against specific things like oil drilling platforms and the like. I wonder if governments (and major companies) will get to the state where the benefits of having major infrastructure on the net are outweighed by the negatives.

Thursday, August 12, 2010

Train Announcements

Living in the UK for 8 years, specifically London, opened my eyes to train announcements. In fact Londoners take great pride in the nature of the quirky announcements that happen on the Underground (living in Ealing we had a particular announcer that loved the sound of his own voice and used to regularly entertain the entire station with his antics) and there are many sites around that list some of the antics. For the sake of those with some interest, here's a link that contains a few amusing ones.
Now I'm back in Australia and I'm wondering how Cityrail can have mismanaged the train infrastructure such that it is impossible to even hear the announcements. I'm currently catching trains for ~2 hours a day and so each day I'm in a position to hear various announcements, some of them important (it seems fairly commonplace for trains in Sydney to have their destinations changed mid-route, so that if you don't hear the announcement you can often be caught out!) and yet, without fail, I've been unable to hear any announcements clearly. It seems that there are a few problems. Firstly, the speaker volume on most of the trains is set so low that you'd need a bionic ear to hear a thing. Secondly, there aren't enough speakers around, and so unless you're near one of the few that is in working order, you're just SOL. Finally, it would appear that Cityrail needs to invest some money in public speaking classes for their train drivers, as the majority of them seem to be intimidated by using the speaker and invariably mumble, rush and shorten what they are trying to say in an effort to have it done as quickly as possible. In 2010, with technology playing an ever-increasing role in our lives, it's a little disconcerting to see that in some areas we still can't even get the ~60-year-old technology implementation right.

Friday, July 23, 2010

New beginnings and old problems

So it's been a while (again) since I wrote anything, and I felt that it was time that I had a look around at some of the other blogging software rather than continue to use the horrid WordPress that I had been running up till now. I've always been against using services on the net to host anything personal (I've always insisted on running my own email servers, for example) but I've changed my mind when it comes to blogging. The main reason in this case is security, as trying to keep up with the slew of WordPress vulnerabilities was proving to be a full-time job and one that I didn't have an interest in. On top of that, I'm a fan of Google's work in a variety of areas and thought I'd give this a try, so here I am at my new blogging home on blogger.com. Hopefully the transition will be relatively transparent to most of you as I'll do a few technical things in the background.

I've been inspired to start writing again for a few reasons. Firstly, I've just had about a year off from regular work and I'm feeling rested and fired up to get stuck into problems and generally start working again, which means that I start to think about more challenging things than "When will I get up?" and thus some of it might be of interest to a wider audience. The other reason is that a few friends are also starting to blog a bit and ask some questions that I have some interest in trying to answer, so the combination means I think I might, finally, start writing a bit more regularly again :)

Something I read recently amused me and served as a good example of what I've been warning my non-technical friends about for years. I'm referring to the well-publicized attack on Twitter. This was something that passed me by until now because for starters I've been on sabbatical from all things security while I've been "off", and secondly because every time I see the word "Twitter" my mind tends to shut down and ignore everything it sees for the following 5 seconds. You could say I'm not really a big fan of the concept ;) Still, I couldn't think of a better example as to why reusing the same passwords and security credentials across multiple sites is a bad idea than the linked article. If you want to avoid re-using credentials with your web-related applications but don't trust your memory, then consider the following steps.

Firstly, go and get a decent password safe application. Once you've installed that, each time you are prompted for a password for an account somewhere, use the random password generation function and put that into the requested field. Now whenever you are prompted you can simply double click on the right entry in the password safe and it will load the password into your copy-and-paste buffer for use.

Normally I wouldn't recommend the following, because it is a slight lessening of security; however, if you're using a lot of different accounts and you find it too onerous to use the password safe to manage all of them, then try the following additional tip. Generally it's a bad idea to let your browser save passwords; however, if you have a mechanism for encrypting all of the passwords it saves, or it does it automatically for you like Firefox does, then configure a master password (using a random one from the password safe) and let Firefox save your password for each of the sites you go to. Now Firefox will automatically fill in your username and password for any given site you go to, but the usernames and passwords stored on your local computer (or wherever your Firefox password repository resides) will have some protection.