The first I read on the alleged MilitarySingles.com hack was this:

With the usual link to pastebin for more details. So far a simple hack story. Nothing to see here. Time to move on.

But then the same story came up at The Office of Inadequate Security, along with a denial by the company that runs MilitarySingles.com. The denial reads:

“After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple points to note:

1. The total number of users in our database does not even closely match the number they have claimed to have exposed.

2. All user passwords in our database are encrypted and secure.

3. The location of the file the above user posted is in a repository directory on our website for user’s photos. The above user simply uploaded a photo of the Lulzsec group and does not mean in any way whatsoever that they were successful in actually hacking our service.

4. MilitarySingles.com was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.

We have taken measure to confirm our website and it’s database is secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses have actually come from our user database.”

Sounds like a pretty comprehensive and categorical denial.

This was followed by:

Now things are looking interesting. Hackers claim to have hacked a website and downloaded everything; the company that runs it claims that they didn’t.

So Were They Hacked?

A quick look at the files (which, since the company wasn’t hacked, presumably aren’t theirs) reveals:

• A file MilitaryDatabase.rar which is a compressed SQL file containing a 500MB dump of a database. It contains an administrator password (in clear and hashed), recent chat sessions, user profiles, email addresses, and hashed passwords. The chat sessions often make references to US military deployments and bases.
• A file Military.rar which is a compressed 57 MB text file containing user email addresses, names, and hashed passwords. There are 170,937 records.

The IQ Security Blog has analyzed the database dump. It contained the unsalted MD5 hashes of user passwords. This makes them particularly easy to crack, because it’s possible to pre-compute the hashes of common passwords. IQ Security report that they managed to crack 151,972 of the 163,792 password hashes in just 9 hours.

“It Never Happened”

I guess we can all breath a big sigh of relief that the breach never happened, because, as MilitarySingles.com’s FaceBook page read on April 1st.

It’s still possible LulzSec hackers had an extreme case of obsessive-compulsive disorder and put together 570MB of fabricated data in some form of elaborate April Fool’s joke.

The Problem of Denial

What will happen if the hackers were correct?

That’s the problem with a categorical denial like the one above. It’s a rookie PR mistake. You do well if you are right, but you are damned if you are wrong.

A better approach might have been to use a non-denial denial, as popularized by Woodward and Bernstein in their book on the Watergate Scandal, “All The President’s Men“. Say you don’t have any evidence yet. Say that LulzSec are known to issue misleading statements designed to mislead and confuse. Recommend everyone change their passwords as a precaution.

But don’t issue what sounds like a categorical denial and then go silent as conflicting evidence mounts. Who is going to believe or trust you now?

As it is, it’s going to be quite interesting to see how this one plays out.

There’s often far too much credibility given to the wisdom of crowds.

The original much-quoted observation by Francis Galton that the average of a group’s estimates of something (beans in a jar, weight of a butchered ox) can be much better than an individual estimate may often be true, but in some circumstances it may be much worse. This is frequently forgotten.

I just came across an excellent ten minute presentation by Tom Scott which explains some of those other circumstances, providing a convincing live demonstration using audience tweets. It’s worth having on hand for those occasions when you are tempted (or told) to simply average people’s estimates of the likelihood of an event or of the impact of a disruption.

.

If your had to transport something worth $4.9 billion dollars, you would do so in a pretty awesome vehicle, wouldn’t you? Perhaps you would use something like the Marauder, pictured above, to do the job.

You certainly wouldn’t leave it in the back of a car, would you? But that’s what happened recently to something worth $4.9 billion belonging to the the U.S. Department of Defense.

So what is worth $4.9 billion dollars and fits in the back of a car?

The answer is data. According to this report in the Army Times backup tapes containing personal medical and financial data on 4.9 million people being transported by an employee of Science Applications International Corp disappeared from the back of a car while in transit to a secure facility on September 13th. A class action lawsuit is claiming $1,000 on behalf of every person whose data was lost, as well as free credit monitoring for each of them for a year.

Is the data worth $4.9 billion: probably not. Is there a potential liability of $4.9 billion. Perhaps.

It’s certainly something that should be considered when transporting or storing data. The question to ask is not just “how much is this data worth to us?” but “how much might this data cost us if it gets stolen?”

(If you enjoy their sense of humor, you might enjoy this road test of a Maraudercarried out by the UK BBC Top Gear team. Their road test includes a comparison with the Hummer, including the effects of a charge of 7lbs of plastic explosive placed beneath the vehicle.)

Until Apple released IOS5, which broke it.

Which would not matter too much, except that the company which produced Stanza, Lexcycle, was acquired by Amazon – maker of that well-known competing eBook reader, the Kindle. So Stanza development has stopped, and the likelihood of the app being fixed for IOS5 appears to be zero.

Unfortunately some of us had a lot of books we liked stored inside that Stanza application.

How do we get them back and into somewhere we can read them, such as iBooks?

(If you don’t have eBooks tied up inside Stanza, skip the next bit…)

This Wired article pointed me at the right tool (Stanza Book Restore Tool ) to extract the books from unencrypted Apple iTunes backups.

However, it didn’t work (java.lang.IllegalArgumentException: Cannot find backup folder) on my venerable copy of Windows XP.

This posting identified the nature of the problem – a bug in the Java code or the Java environment.

An 80Mbyte download from Oracle of the Java Development kit later, and I had a patched version. (If you need it, you can download my patched version here.)

Assuming you have java installed, the command line you need to run it is:

java -jar stanzabookrestore.jar

Make sure you specify an existing folder for the Book Output Folder. Don’t use the default unless you want a desktop full of eBooks.

Once you have extracted the books, you can select the books in Windows Explorer and drag them into the Books section on iTunes. Sync with your iDevice, and you are back almost where you started before IOS5   – except that the interface on iBooks appears to be designed for people who don’t own more than a dozen books.

I hope the above directions are useful for other Stanza fans.

The risk lessons here appear to be:

• Don’t just assume your software application is not obsolete and is still being maintained. Even it if is still available for download and the company’s website exists, it may be obsolete. Nobody is going to write and tell you when it becomes obsolete!
• Beware of firmware and operating system upgrades – you never know what is going to break, and something always does.

“War is not merely a political act, but also a real political instrument, a continuation of political commerce, a carrying out of the same by other means.” Clausewitz – On War

Recent history has produced some interesting innovations in the concept of war.

First there was the war on inanimate objects — the War On Drugs.

Then there was the war on abstract ideas — the War On Terror.

Now we have the concept that an act of hacking a computer may be considered an Act Of War.*

Perhaps we should be happy that war is finally being democratised. No longer will you need to be a nation-state with an army to declare war: just a person with a cheap laptop and an Internet connection.

War is about intimidating and killing people to achieve political ends. We let people pretend otherwise at our peril.

The answer, of course, is only if you are buying property. If you are selling, then the price you can get for your property will be affected by the perceived crime rate.

Which is why this report by Direct Line insurance cited by the Guardian newspaper makes so much sense: people will under-report crime if they think it will affect the local crime rate statistics and thus have a negative effect on their property’s market value.

So publishing maps of high crime areas may in fact deter the reporting of crime. No doubt a future corollary of this will be claims by politicians and police that publishing crime maps reduces crime.

Always good to see examples of the Law of Unintended Consequences in action.