Browser Ballots

March 18, 2010

For the past ten years or so, Microsoft has been engaged in an ongoing legal tussle with the competition authorities in the European Union over some of its business practices, including the bundling of the Internet Explorer Web browser with the Windows operating system.  (This was also one of the major issues in Microsoft’s dust-up with the US Justice Department, in which Microsoft was found guilty of violating anti-trust law, although the penalty was later gutted on appeal.)  As part of a settlement with the EU, on March 1 Microsoft introduced a “ballot screen” in Windows, which gives the user a choice of installing an alternative browser to IE.

Microsoft's Browser "Ballot" Screen

Microsoft has always maintained that there was no real need for this kind of mechanism, since users who wanted to use another browser could always download and install it.

Now the BBC News has a report that, since the introduction of the ballot screen, downloads of the Opera browser have doubled, and that most of the download requests are coming from the new screen.  Anecdotal evidence is that downloads of Firefox, Google Chrome, and Safari have also increased.

The default installation of Internet Explorer was never a problem for the technically-minded computer user.  Other folks, though, don’t really want to get involved in installing software, and are perfectly prepared to take Microsoft’s assertions that the browser is part of the operating system at face value.  Oddly enough, when they are told that they have a realistic choice, some of them will choose.

Honk if you’re Hacked

March 18, 2010

I’m actually quite surprised I haven’t seen a story like this before.  According to a post on the “Threat Level” blog at Wired, a disgruntled former employee of Texas Auto Center, in Austin TX, managed to disable about 100 cars of the firm’s customers, using a Web-based system that was intended to be a sort of electronic “Repo Man”.

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

The system, called WebTeck Plus and supplied by a company called Pay Technologies, uses a small electronic control box installed in the vehicle to allow an authorized user of the Web application to disable the car’s starter, or honk the horn.  The central system communicates with the in-car control box via a wireless paging signal.  The security on the Web site appears to be a standard userID / password login.

According to the article, the former employee’s account had been removed when he was terminated by Texas Auto Center last month, but he apparently knew or guessed another employee’s password.  He was initially disabling customers’ cars one at a time, but then apparently discovered a database of customer data, and began larger-scale operations.  At one point he had managed to affect more than 100 cars.  The immediate problem was finally resolved when someone at Texas Auto Center had the wit to change all of the passwords for the Web application.

The security provisions for this system are so lax as to be laughable. The vendor claims this is the first time the system has been abused, but I would be willing to bet it won’t be the last.  This incident also makes one wonder how well other aspects of the system are designed: could someone generate a bogus wireless signal to the car controllers, for example?

Occasionally one sees suggestions that systems should be installed on vehicles to allow stolen cars, or the cars of fleeing fugitives, to be remotely disabled by the police.  Incidents like this one should remind everyone that it is very easy to get this sort of thing wrong — and the consequences could easily be worse than having one’s horn honking at night.
