Internet commentary

Microelectronics International

ISSN: 1356-5362

Article publication date: 1 April 2004

Citation

Ellis, B. (2004), "Internet commentary", Microelectronics International, Vol. 21 No. 1. https://doi.org/10.1108/mi.2004.21821aag.001

Publisher

Emerald Group Publishing Limited

Copyright © 2004, Emerald Group Publishing Limited


Gone Fishin [1]

Keywords: Internet, Security, Lead-free soldering, Hybrid circuit, Substrates

As I write this, we have gone through 2 or 3 weeks of security hell on the Internet. I make no apology for bringing up the subject of security yet once more, because it seems clear that many people simply do not care.

Certainly, the least publicised but most insidious example that has been perpetrated is one of "fishing". This has deprived a company of a large sum of money. How does it work? In order to protect the identity of the companies concerned, I will lay down a scenario with entirely fictitious names.

Dramatis personae:

  • Joe Bloggs Manufacturing Company Inc. – a large company somewhere in the US Midwest;

  • James Smith, Chief Accountant for the JBMC, a slightly overweight person having worked his way up from a simple clerk, over 30 years' service. He is solid, reliable, methodical, unimaginative and a very dull person, but he knows the company's business inside out;

  • First International Midwest Bank – a large financial institution used by JBMC for its 120 years of existence;

  • John Doe – an Internet crook.

The First International Midwest Bank has, as most such institutions, a Web site offering the usual services with the URL of http://www.fimwbank.com [2]. By negligence, it has not secured all possible domains with a similar name.

John Doe registers the domain www.fimwbank.net in his own name and address, which one could imagine are both fictitious. He sets up a Web site, using this domain, copying much of the bank's own Web site. He adds to this a questionnaire with a large number of questions, mostly innocent but, hidden amongst them are some more doubtful ones that we will look at in a minute.

Using the fimwbank.net domain, John Doe sends James Smith an e-mail worded as follows:

The First International Midwest Bank is conducting a survey of its major customers, to ensure that its operating records are totally up-to-date. This will enable us to ensure that you have the best personal service of any bank in the USA. You will find a simple questionnaire on the secure site https://www.fimwbank.net/servicesurvey.asp. We request that you fill this out and submit it at your convenience.

Harry Jones

Vice-president, Major Account Counsellor

Of course, the signature and title are those of the appropriate bank officer.

James Smith, perhaps a little naively, opens up the Web site page and notes that the little padlock on his browser is closed, showing that the site is secure. He starts filling out the form with the name and address of the company, telephone number and so on. This is followed by a section on each of the accounts which the bank holds on behalf of the company. He then gives the names of the executive directors, their functions, private addresses, telephone numbers and the number of their company credit cards issued by the Bank, along with a couple of pages of other, anodyne, questions. The rest you can imagine! James Smith unsuspectingly submits the questionnaire and the damage is done. John Doe immediately goes on a beautiful spending spree over the Internet with the information that he has learnt, and it is not until a few days later that the credit card company questions the unusual spending of the executives. By then the damage has been done, and the credit card company will take no responsibility because the causal fault was within the JBMC.
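A mail-filter style check for the scenario above, as an added example that is not part of the original article: it flags links whose name matches a domain the organisation trusts but whose top-level domain differs, and it ignores the https scheme because the closed padlock says nothing about who owns the site. The trusted list and the function names are assumptions, the one-character edit-distance rule goes beyond the case in the text, and the last-two-labels rule is a simplification.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation knows to be genuine (the page's fictitious bank).
TRUSTED_DOMAINS = {"fimwbank.com"}
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)

def registrable(host):
    """Last two labels of the host. Simplification: real code should use the
    Public Suffix List so that suffixes such as co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike-tld', 'lookalike-name' or 'unknown'."""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.split(".")[0]
        if name == trusted_name:
            return "lookalike-tld"      # same name, different TLD: the page's case
        if edit_distance(name, trusted_name) <= 1:
            return "lookalike-name"     # one-character variation (added generalisation)
    return "unknown"

def review_links(text):
    """Classify every link in a message. The scheme is ignored on purpose:
    https (the closed padlock) encrypts the session but does not identify the owner."""
    verdicts = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")          # drop sentence punctuation glued to the URL
        verdicts.append((url, classify_host(urlsplit(url).hostname or "")))
    return verdicts

# Sentence taken from the fictitious e-mail in the article.
SAMPLE_EMAIL = ("You will find a simple questionnaire on the secure site "
                "https://www.fimwbank.net/servicesurvey.asp. We request that "
                "you fill this out and submit it at your convenience.")

if __name__ == "__main__":
    for url, verdict in review_links(SAMPLE_EMAIL):
        print(f"{verdict:15} {url}")
```
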

This technique is called "fishing". There are many ways of doing this and the fictitious example which I have given, based on a real case, cost the company in question a sum well into the six figures. In reality, there are many other practices that the unscrupulous use to "fish" on the Internet. For example, one may be asked to register to visit a Web site; in most cases, this is quite innocent, although I detest doing it. If any of the questions that I am asked are indiscreet and beyond what would normally be necessary under the circumstances, then I baulk. However, I have been known to give a false name and address, such as MickeyMouse@Disney.com, if I do not expect a communication from the company! It should be pointed out that it is not necessarily for financial gain that many companies "fish". It could be for targeting e-mails and spam to the most appropriate places. It should be needless to say that one never gives credit card details over the Internet, except to known companies with secure sites that can be trusted. I can also give you a little tip: if your credit card company does not offer you fraud protection on Internet transactions, then obtain a second credit card account with a small limit, such as a few hundred pounds or dollars, so that if you meet a John Doe or similar, then the losses cannot amount to much. Remember that spyware may transmit your credit card number in clear to a third party, as you type it on a secure site (although this should never happen if you have followed my discourses on security)! I am given the opportunity to understand that some "free" pornographic sites ask for credit card numbers in lieu of proof of age; if this is so, then they may be less free than the surfer might hope for.

Four different viruses or their cousins have caused considerable damage over the Internet and through e-mails over recent weeks. Without doubt, one of the most serious was Blaster or MSBlaster. This was an insidious worm which could install itself on any computer which was running one of two specific, popular, versions of Microsoft Windows. It exploited a security hole in the operating system. Microsoft had issued a patch to close the hole a few weeks earlier, but how many people update their operating systems on a regular basis? In actual fact, the patch was probably used by the authors of Blaster to identify and exploit this security lapse, knowing that few users would have updated their system. This particular worm tried to install itself on any computer, by accessing TCP port 135. On the day that it hit the world, I checked my firewall and found that there were 132 attempts to install it on my computer. Of course, the firewall stopped them all. At least as many attempts have been made since, and are still being made over 2 weeks later. As it so happens, even if the file had been loaded on to my computer, I would not have worried

  1. because the operating system and e-mail client I use are immune from it; and

  2. the anti-virus system would have picked it up and deleted it.

If it were not so tragic that things like this can happen, the msblaster.exe file contains an undisplayed message in the compiled code: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!". If only! However, Microsoft themselves were also targeted and were forced to close down their OS update site for a day.

Slightly more amusingly, somebody thought that they should play a joke and issued a relatively harmless virus which was supposed to install the patch that would immunise the computer from Blaster! Of course, this was a hoax, but even a BBC commentator was taken in by it.

Another very nasty one of recent date is Sobig.F. This is a complex worm which not only replicates itself from an infected computer, but installs its own Trojan Horse. This can be used for any number of nefarious purposes and can even transmit password information to third parties. Even worse, it can seek updated versions of itself, so that it can evolve faster than the anti-virus systems that take care of them. Like many others, the replication uses multiple spoof "From" addresses, so that there is no way of knowing the origin, should you be careless enough to allow yourself to be infected. This means that innocent people may be seeing hundreds of messages from unknown people accusing them, wrongly, of propagating viruses. Even worse, it can use any one of a number of ports. Perhaps one of the more obvious manifestations is that the Trojan Horse transmits the infected site's IP number which becomes a "magnet" for spam mail: users apparently received many spams within a very short space of time, as well as infected attachments. The worst aspect is that Sobig.F has the fastest propagation rate of any virus, to date. What is amazing is that even organisations like the Swiss Federal Railways were taken down for over a day by this beastie.

A less likely one to be encountered by readers of this journal, unless they are aficionados of MP3 music files downloaded from KaZaA, is HLLW.Lemur. This replicates itself through the file-sharing network in the form of any one of a number of .exe files.

What is a trifle worrying is that, after every major virus release, there are inevitably a number of copies, variants, mutations and simple "wannabes". These "sons" often have a lifetime of a few weeks. With such a raft of new viruses, we must be particularly vigilant to make sure we are not lulled into a false sense of security, knowing we are fireproof against the "father".

By the way, have you thought about clearing all the junk from your cookie file lately? It is amazing how much accumulates there.

One of the great stories on the World Wide Web is what is undoubtedly the most successful search engine, Google. From a small beginning in September 1998 to today's giant, it has marked success all the way and it is rumoured to be going public in the near future. Do you know why it has been such a success when other dotcoms have been biting the dust or losing their market share (including rivals Alta Vista, Yahoo and so on)? Well, I have a theory: it is a combination of technical efficiency and one of the simplest Home Pages on the Net. They do not need fancy Flash or other such long-to-download trash, hefty graphics (their Home Page logo is only 8 kb), audio or video and they have limited their script to two short lines. They have eschewed graphics-intensive publicity for a page that downloads from a fast series of servers in 1 s, even through a phone line modem. If only others would emulate this notion; their Web sites would be more popular and effective.

For my review section, I have been thinking a lot about the use of lead-free solder on hybrid circuit substrates. Most of the fuss has been made around its use on printed circuits. To put things into perspective, I believe that the EU Directives on this subject are a big mistake. It will reduce the reliability of many electronics devices, it will make them cost more and it will seriously reduce the sustainability of the environment for little positive impact. Notwithstanding, it is here to stay and our industry has to conform within the European market. Oh! And did you know that a recent estimation suggests that it has already cost industry USD 700,000,000 in worldwide research and development in the matter? Guess who pays this bill? Not the European Union, that is for sure!

http://www.delphi.com/pdf/techpapers/2000-01-0017.pdf

In reality, this first offering does not have a real place here, because it mainly deals with printed circuits, but it is a brief summary of some tests done in the automotive industry. At the time this paper was written, no definitive conclusion was reached. However, it does bring up another notion which is relevant here. Some components and pastes used in thick film circuitry also contain lead glasses and these must also fall into the RoHS Directive, banning the use of lead (and some other metals) in electronics. One has heard much less about this than lead in solder, but it is every bit as serious.

http://www.imaps.org/adv_micro/2002may_jun/5.html

At least when I tried it, this was a horrendously slow page to download. It is the conference programme for an event which was held in Cracow, Poland in 2002. If you are after technical information, then you will be disappointed, but it gives reference to two relevant papers that can, presumably, be found in the proceedings. A search on the IMAPS Web site did not find an electronically published version of the papers, unfortunately. What amused me was the session with these papers was entitled "Environmentally friendly Electronics", as if lead-free soldering were kind to the environment. I would have thought that most people would have learnt, by now, that it is detrimental to the environment.

http://www.leadfree.org/library/LibraryPage.htm

This page is entitled the Dead Lead Scrolls and is part of a sub-web of the IPC. It has a listing of links to a good number of papers on the subject. As is well known, this organisation vociferously opposed the introduction of lead-free solder when the subject was proposed in the US Congress over a decade ago, but did a complete volte face when the Europeans chipped in, while acknowledging there was no direct benefit to be gained, other than "...all available scientific evidence and US government reports indicate that the lead used in US printed wiring board (PWB) manufacturing and electronic assembly produces no significant environmental or health hazards. Nonetheless, in the opinion of IPC, the pressure to eliminate lead in electronic interconnections will continue in the future from both the legislative and competitive sides. IPC encourages and supports research and development of lead-free material and technologies. These new technologies should provide product integrity, performance and reliability equivalent to lead-containing products without introducing new environmental risks or health hazards. IPC prefers global, rather than regional, solutions to this issue and is encouraging a coordinated approach to the voluntary reduction or elimination of lead by the electronic interconnection industry." This dichotomous, paradoxical, approach is, I am afraid, beyond my understanding when one considers what the IPC members have had to pay and will pay in R & D costs. Although I am not a member of the IPC, I have been supporting their activities for nearly four decades and this is the first time I have held a strongly divergent view from their policy decisions – and I am not alone in this matter. However, it is now too late, the EU Directives appear as if they will enter into force and one must be as a reed in the wind. This page is therefore a very useful starting place to research the subject, albeit more oriented to printed than to hybrid circuits.

http://www.turi.org/PDF/AIM_Suraski_at_BTU_workshop.pdf

This is a purely commercial slide presentation extolling the virtues of an Sn/Ag/Cu/Sb alloy. It has the virtue of being extensive in its scope and, as such, could be very useful to anyone wishing to study this alloy.

http://www.smta.org/files/smtai02_opening_ceremony_lead_free.pdf

This is another presentation, but much more general in its scope. It indicates that there are still a number of issues to be resolved around various hybrid technologies, but it does not go into details.

http://www.argonide.com/microelectronics_b.html

What a fascinating page this is, devoted to materials with a nanometre particle size! Did you know that the melting point of tin falls to 216°C at 20 nm particle size and 160°C at 10 nm? No, I did not, either. Sorry, all! No, you can not solder at these temperatures, but what about sintering? It is a thought. This company is already offering nano-copper for sintering at 500°C on hybrid substrates, so why not flux-free nano-solder alloys sintering at under 150°C? It is a thought.

http://www.npl.co.uk/ei/iag/leadfree/literaturepbf.html

This is a long list of references to papers and other documents written about lead-free issues, without being specific to microelectronics, although some of the papers are listed. It is a pity that there are no hyperlinks to any of the references that may exist on the Internet.

http://www.welwyn-tt.co.uk/news/new/patchwork.htm

This page extends a commercial presentation of a technique named Patchwork. This consists of a thick copper layer on a thick-film circuit for power distribution and conventional thick film technology thereafter. This is designed essentially for the automotive industry requiring a wide operating temperature range. I admit that it lost me off at one stage, when it mentioned "high temperature soldering at 150°C" but I assume this is a typographical error. It later mentions an Sn/Ag/Cu alloy, so I suppose it should read 250°C, but is this really high-temperature? Maybe the authors were so enthusiastic that their pens overtook their logic?

This review of ostensibly lead-free soldering, specifically for hybrid circuit techniques, on the World Wide Web, has come up with a remarkable paucity of technical information. There is any amount of information, tens of thousands of sites, related to printed circuits but a search using "hybrid circuit" "lead free" produced only 46 responses, some of which are mentioned above and many were useless. Why should this be? Have hybrid manufacturers and assemblers already solved all the problems that plague those using printed circuits? I can hardly think so. Are they more secretive about publishing their successes? Are they just hoping that WEEE and RoHS would not apply to them? If so, I hate to disillusion them, but ... the fatidic date is galloping towards you, ever faster, faster, faster.

Brian Ellis
Cyprus
b_ellis@protonique.com

Notes

1. Title song by Nick A. Kenny and Charles F. Kenny (1950). The best rendering, recorded in 1951, featured Bing Crosby, vocal; Louis Armstrong, trumpet, vocal; Jimmy Dorsey, trombone, orchestra and Jack Teagarden, trombone, orchestra.

2. At the time of writing, the URLs and domains in this fictitious account have not been registered and do not exist. I suppose that it is possible that they may be registered by the time this goes into print. If so, I ask the owners to accept my apologies for the unwitting coincidence.
