Sunday, November 7, 2004

Welcome to Jesusland

Interesting talk on The McLaughlin Group this week about the division between the "Jesusland" parts of the country (who mostly receive more Federal $$ than they pay in, BTW) and the other "non-Jesusland" states that could give rise to a revolt over the next four years, especially if fundamentalist judge appointments appear during this second term.

The Blogging of the President: 2004: Jesusland

Wednesday, November 3, 2004

Strange blog spam?

I have gotten two spam blog posts (aside: so, should blog spam be called spog or splog?) recently that I can't figure out what the person's motivation is. They were very similar in style:

  • They were both posts consisting of one line of text

  • They both had a first name as the user name

  • They both included a URL that was not registered or accessible that was related to their name

  • They both used name-based hotmail IDs (not sure if they are even valid) for email addresses

  • They were both posted within just over 2 hours of each other

  • They both were posted to old posts

  • Neither had anything to do with the post itself

All of these factors lead me to conclude that they were bogus and so both were rejected.

(MT-Blacklist ROCKS, BTW!!!)

One of the comments said simply:

"Does this form work like a guestbook?"

The other said:

"First time reading this blog, just wanted to say hi."

I could perhaps understand if the URLs they provided were valid, but otherwise, I can't understand what these posts were trying to do. Perhaps they were just trying to see how they could slip in under the radar for future spam attacks?

Other evidence culled from the logs confirms my suspicions that these are not legit:

The first one has a user-agent of PERL's LWP module: - - [03/Nov/2004:13:08:11 -0800] "POST /blog-bin/mt-comments.cgi HTTP/1.1" 200 1794 "-" "libwww-perl/5.65"

Hmmm. Same thing with the next one, but from a slightly different IP and using an older LWP module: - - [03/Nov/2004:15:23:23 -0800] "POST /blog-bin/mt-comments.cgi HTTP/1.1" 200 1794 "-" "libwww-perl/5.64"
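The log evidence above can be turned into a repeatable check. The following is an added example, not code from the original post: it scans Apache combined-format log lines for comment POSTs that look scripted. The host addresses, the browser lines, the list of library user-agents other than libwww-perl, and the "two signals" threshold are assumptions made for illustration.

```python
import re

COMMENT_PATH = "/blog-bin/mt-comments.cgi"   # endpoint seen in the log lines above
# Assumed list of HTTP-library user-agent prefixes; only libwww-perl is from the post.
SCRIPT_AGENTS = ("libwww-perl", "Python-urllib", "curl", "Wget", "Java/")

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def suspicious_comment_posts(lines):
    """Return (host, time, reasons) for comment POSTs showing two or more bot signals."""
    hosts_with_get = set()   # hosts that loaded a page before posting, as a browser would
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        host, method = m["host"], m["method"]
        if method == "GET":
            hosts_with_get.add(host)
            continue
        if method != "POST" or m["path"].split("?")[0] != COMMENT_PATH:
            continue
        reasons = []
        if m["agent"].startswith(SCRIPT_AGENTS):
            reasons.append("scripted user-agent: " + m["agent"])
        if m["referer"] in ("", "-"):
            reasons.append("no referer")  # a form submitted from a page normally sends one
        if host not in hosts_with_get:
            reasons.append("no prior GET from host")
        if len(reasons) >= 2:             # assumed threshold: one signal alone is weak
            findings.append((host, m["time"], reasons))
    return findings

# Constructed sample: one browser visitor, then two entries shaped like the ones in the
# post (the real client addresses are not on the page; 192.0.2.x are documentation IPs).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Nov/2004:12:58:40 -0800] "GET /blog/archives/000123.html HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (constructed browser UA)"',
    '198.51.100.7 - - [03/Nov/2004:13:01:02 -0800] "POST /blog-bin/mt-comments.cgi HTTP/1.1" 200 1794 "http://blog.example/blog/archives/000123.html" "Mozilla/5.0 (constructed browser UA)"',
    '192.0.2.10 - - [03/Nov/2004:13:08:11 -0800] "POST /blog-bin/mt-comments.cgi HTTP/1.1" 200 1794 "-" "libwww-perl/5.65"',
    '192.0.2.14 - - [03/Nov/2004:15:23:23 -0800] "POST /blog-bin/mt-comments.cgi HTTP/1.1" 200 1794 "-" "libwww-perl/5.64"',
]

if __name__ == "__main__":
    for host, when, reasons in suspicious_comment_posts(SAMPLE_LOG):
        print(host, when, "; ".join(reasons))
```

The browser's POST passes because it carries a referer and follows a GET from the same host; both library POSTs trip all three signals.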

Monday, November 1, 2004

One thing I agree with the President on...

The Daily Show pointed out that in a recent speech on the campaign trail, the president laid out this gem about the recent missing 380 tons of explosives in Iraq:

"The investigation is important and it's ongoing. And a political candidate who jumps to conclusions without knowing the facts, is not a person you want as your Commander-in-Chief."

Indeed. At least I can agree with the president on this statement. It does not apply in this context, but there is this debacle going on in Iraq...


To all of you who are claiming to this day that with current security knowledge and technology we can have all-electronic voting equipment and still have a meaningful recount, read this story. Un-be-freaking-lievable. - News - 13,000 Ballots Rushed From Voting Site, Must Be Recounted

Be prepared on election day: Find your polling place

A great site that will tell you where you should go vote and other information about your polling place. You can even get text message reminders on voting day.

Be prepared, and know your rights for Election Day 2004


some interesting thoughts about Election Day that are worth keeping in mind heading toward -- and on -- Tuesday.

Also, check out the similar information in the Voter bill of rights

Pathetic GOP deception tactics in Florida

Just pathetic. Amazing how the GOP will stoop to any level to try to re-elect W. From deception to outright lies on the campaign trail, to continued distortion. But I guess their end justifies the means? What kind of an America is it that you stand for again, Mr. President?

Joshuah Bearman: How They Do, Part III

The ruse, apparently, was supposed to target this church-going Democratic crowd by misrepresenting Kerry's politics. It was a little surprising at first; but then again, that's the only way Republicans can win: by misleading people.

Saturday, October 30, 2004

Know your rights: State voter leave law summary

Many states allow voters to take time off of work to vote. In Washington state, this allows up to 2 hours off in certain cases.

Time To Vote | Voter Leave Laws

Thursday, October 28, 2004

My award for "best adaptation" goes to...


Of course the original is hilarious and knowing that this was the original makes the image all the more humorous.

Wednesday, October 27, 2004

Mosh the vote

the politics of Mosh is a great, in-depth review of Eminem's new video for the song "Mosh" that is now the top video at MTV. Whatever you may think of Eminem, his music is always forceful and powerful and this is no exception. The video is exquisite. You can watch it online at

If it rains let it rain, yea the wetter the better
They ain't gonna stop us, they can't, we're stronger now more then ever,
They tell us no we say yea, they tell us stop we say go,
Rebel with a rebel yell, raise hell we gonna let em know
Stomp, push up, mush, fuck Bush, until they bring our troops home

Motherly reasons for opposing Bush

Yes, it makes me want to swear too.

"Seriously" 30-second ad

Missing WMDs an impeachable offense?

Another one intended to be posted long ago, and even more interesting with the election a week away.

FindLaw's Writ - Dean: Missing Weapons Of Mass Destruction

President George W. Bush has got a very serious problem. Before asking Congress for a Joint Resolution authorizing the use of American military forces in Iraq, he made a number of unequivocal statements about the reason the United States needed to pursue the most radical actions any nation can undertake - acts of war against another nation.

Now it is clear that many of his statements appear to be false.


To put it bluntly, if Bush has taken Congress and the nation into war based on bogus information, he is cooked. Manipulation or deliberate misuse of national security intelligence data, if proven, could be "a high crime" under the Constitution's impeachment clause. It would also be a violation of federal criminal law, including the broad federal anti-conspiracy statute, which renders it a felony "to defraud the United States, or any agency thereof in any manner or for any purpose."

Tuesday, October 26, 2004

The high price of bad diplomacy

Written almost 2 years ago, very poignant today.

But what about Poland? Ugh.

BW Online | March 24, 2003 | Commentary: The High Price of Bad Diplomacy

The U.S. has already lost the prewar battle over Iraq, whatever the outcome of a further U.N. vote. Even if it wins a fig-leaf majority vote in the Security Council, America will be entering its first preemptive war faced with opposition from nearly all of its allies and much of the rest of the planet. A world that rallied to America's side in unprecedented demonstrations of support after September 11 increasingly perceives the U.S. itself as a great danger to peace. How did things come to this? The failure of the Bush Administration to manage its diplomacy is staggering, and the price paid, even if the war ends quickly, could be higher than anyone now anticipates.

Sign the Petition: Stop the Florida-tion of the 2004 election

ActForChange Petition: Stop the Florida-tion of the 2004 election

"Today, there is a new and real threat to voters, this time coming from touchscreen voting machines with no paper trails and the computerized purges of voter rolls.

Urge your friends to join SCLC President Martin Luther King III and investigative reporter Greg Palast in opposing the "Florida-tion of the 2004 Presidential election" by signing this petition."

Memory errors trick virtual machines

Interesting paper on how to use memory errors to attack a virtual
computer. The attack exploits the fact that a "time of compilation"
check is not necessarily valid at "time of use."

This happens to be the theory behind the Java ByteCode verifier. I just heard Whit Diffie talk yesterday at SecureWorld Expo about how the run-time check of the bytecode is intended to validate that proper array bounds checking is going to be done, for example.

SecuritySpace monthly reports

Monthly reports on security and non security-related items, such as analyzing SSL webserver usage, apache module usage. Very interesting. I like to see Apache having almost 80% of the market share now :-)


SSL unsafe for users?

"99% of SSL users have no idea how SSL works and consequently can't make informed decisions"

Browser manufacturers try to make things easy for users but end up diluting the security properties of the hierarchical trust model.

A lot of talk in recent years on the cryptography mailing list indicates that this model is too broken and perhaps should be replaced with an ad-hoc mechanism, such as the SSH model, with all web servers installing _some_ sort of certificate by default--even self-signed. The thoughts are that some confidentiality protection with reasonable MITM detection is better than so few sites supporting encryption since they don't want to pay Verisign blood money for a "real" certificate.

You'll notice on my site that I have always used my own cert. I should probably regenerate one that is not expired...
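The "SSH model" mentioned above means trusting a server's certificate on first contact and raising an alarm if it later changes, whether or not a CA signed it. The following is an added sketch of that idea, not code from this site or from the mailing-list discussion; the class and function names, the JSON pin file and the stand-in certificate bytes are all assumptions.

```python
import hashlib
import hmac
import json
import socket
import ssl
import tempfile
from pathlib import Path

class PinStore:
    """known_hosts-style store: one SHA-256 certificate fingerprint per host:port."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host, port, der_cert):
        """Return 'new' (pinned now), 'match', or 'changed' (pin is NOT overwritten)."""
        key = f"{host}:{port}"
        fingerprint = hashlib.sha256(der_cert).hexdigest()
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = fingerprint          # trust on first use
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "new"
        if hmac.compare_digest(known, fingerprint):
            return "match"
        # Like SSH's host-key warning: refuse silently re-pinning, make a human decide.
        return "changed"

def fetch_der_certificate(host, port=443, timeout=5.0):
    """Fetch the server's leaf certificate (DER) without CA validation.

    CA checks are skipped on purpose: in this model the pin, not the issuer,
    is the trust decision, so self-signed and expired certificates still work.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def demo():
    """Walk the pin lifecycle offline using constructed stand-in certificate bytes."""
    cert_a = b"constructed stand-in for the site's self-signed DER certificate"
    cert_b = b"constructed stand-in for a different certificate (MITM or re-key)"
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_certs.json"
        results = [PinStore(path).check("blog.example", 443, cert_a)]   # first visit
        store = PinStore(path)                                          # reload from disk
        results.append(store.check("blog.example", 443, cert_a))        # same cert
        results.append(store.check("blog.example", 443, cert_b))        # cert swapped
        results.append(store.check("blog.example", 443, cert_a))        # old pin survives
    return results

if __name__ == "__main__":
    print(demo())
```

The weak point is the same as with SSH: the first connection is unauthenticated, so the model detects a later man-in-the-middle but not one present at first contact.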

-----Original Message-----
From: InfoSec News [mailto:[email protected]]
Sent: Monday, March 24, 2003 12:39 AM
To: [email protected]
Subject: Re: [ISN] Is SSL safe?

Forwarded from: Kurt Seifried

None of this really matters because 99% of SSL users have no idea how
SSL works and consequently can't make informed decisions when faced
with attacks such as:

1) Older SSL clients that don't check certificate constraints, i.e.
CAN-2002-0828, CAN-2002-0862, CAN-2002-0970, CAN-2002-1183,
CAN-2002-1407 and so on. If you don't understand what this sentence
means you are potentially vulnerable. I have yet to see a GOOD plain
English description of this problem that my mother would understand.

2) Verifying certificates that are out of date or issued to the wrong
common name (i.e. hostname). This happens a lot, my web based banking
provider (one of the big 4 banks in Canada) used an out of date SSL
certificate for about a week last year. Perhaps an insider attack at
work, perhaps an innocent mistake, I never got an answer out of them.

3) Verifying that certificates are issued from a trusted provider.
Most common web based SSL clients (like Netscape, IE) have over 100
root certificates. Have you ever heard of "Certisign Certificadora
Digital Ltda." (doesn't expire until 2018) or "IPS SERVIDORES" (good
until 2009). It seems to me that an intelligent criminal could subvert
one of these small firms (hostile takeover, get employed there, etc.)
and then have a grand old time issuing certificates to themselves.

4) The eternal "who cares about SSL" argument, web servers and back
end infrastructure is so poorly secured that most times an attacker
can spend a week breaking in and get a few (tens, hundreds, etc.) of
thousands of credit cards with all the personal data in one fell
swoop. This applies less so against "secure" corporate/gov/mil/etc
infrastructure like SSL encrypted POP email, against which targeted
SSL attacks are useful (to gain a password to gain further access,

5) All the old old stuff I covered in:


Which still largely applies. *SIGH*.

Kurt Seifried, [email protected]
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574

History of buffer overflow protection

A great (old) post to Risks 22.74 about the past issues with designing solutions to buffer overflows in hardware. Also, a link to a paper describing the history of these efforts that I'll be looking to check out.

Crispin was just spotted at SecureWorld Expo in Seattle today...


Date: Sat, 10 May 2003 19:19:12 -0700
From: Crispin Cowan
Subject: Re: OpenBSD ... protects against buffer-overflow ... (Ardley, R

>What is not so apparent is why technology that was developed and
>operating over 30 years ago is just being re-invented in software.

Because what was developed in operating systems over 30 years ago was
use of heavily segmented architectures. Over 20 years ago (the Intel
432) it was discovered (the hard way) that such architectures run
horribly slowly compared to RISC architectures. Since the debacle of the
432, even CISC processors such as the x86 have migrated towards RISC
style instruction processing.

What OpenBSD is implementing is a variety of software schemes to make up
for the lack of hardware protection for array bounds. Some of these
schemes (Openwall's non-executable stack) are performance neutral: just
mark the stack segment non-executable. Some (ProPolice, a
re-implementation of StackGuard) are very cheap, much cheaper than
enforcing memory safety in hardware.

Unfortunately, one of these enhancements (W^X) is not so cheap. Here,
they try to make all writable pages non-executable, and vice versa. This
is problematic on the x86 architecture because waaaay back in the day,
Intel decided that memory pages did not need separate Read and Execute
permission bits in the TLB (only segments have separate R and X bits,
not pages). The W^X hack has to do a lot of work with TLB faults to
compensate for this simple omission.

>The Burroughs 6700 implemented a hardware solution to the problem by
>assigning 3 bits of every 51 bit memory location to the type of data

The 432 did something similar, and the performance penalty was
astronomical. For a survey of buffer overflow attacks and defenses,
check out these papers:

"Buffer Overflows: Attacks and Defenses for the Vulnerability of
the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
and Jonathan Walpole. DARPA Information Survivability Conference and
Expo (DISCEX), Hilton Head Island SC, January 2000. Also presented as
an invited talk at SANS 2000, Orlando FL, March 2000. PDF

"Software Security for Open Source Systems". Crispin Cowan. IEEE
Security & Privacy Magazine, February 2003, Volume 1, Number 1,
pages 35-48. PDF

Crispin Cowan, Ph.D., Chief Scientist, Immunix

PKI 'not working'

I still run into people who believe that PKI is a viable end-user authentication solution for the masses. My favorite were the systems that tried to solve the certificate portability problem by allowing download of certs from a website -- with only a password! The vendor couldn't see that it was no more secure than the password itself. Another case of "But this one goes to 11".


PKI 'not working'

The e-envoy's office has started searching for new ways to authenticate the users of e-services as existing technology is "not working", a senior UK Government official revealed on 11 June 2003.

Although PKI (public key infrastructure) and digital certificate technology has played a major role in leading projects such as the Government Gateway, there is now growing recognition that it is unsuited for wider public use.

While digital certificates would not be scrapped, and would be retained as an option for e-service users, one possible alternative being suggested is that employers, banks, the voluntary sector and other "trusted organisations" would verify a person's identity before transacting online for services.

Crying 'security'

And now candidates are crying "security" to win elections... It works on both sides apparently.

-J - Companies Cry 'Security' to Get A Break From the Government

In Kansas, utilities want to raise rates without having to tell their customers why. Elsewhere, grocers and mall owners seek tax breaks for equipment purchases. And at sports arenas, teams want to keep banner-trailing planes away from their stadiums.

Sept. 11 to the rescue.

Across America, special-interest groups are using the threat of terrorism to help them get what they want from elected officials. In framing their requests as being in the interests of national security, these groups are benefiting from lawmakers' fear of another terrorist attack in the U.S.

Maher Arar releases details on how the US sent him to Syria to be tortured

An update to this story: As of Sept 2004, a heavily-redacted report was released that reportedly found fault with some of the RCMP's handling of the case, but, according to the CBC timeline, claims that the RCMP did not know that the US was planning to arrest and deport him to Syria.

"Prime Minister Jean Chrétien tells the House of Commons that the U.S. government's deportation of a Canadian to Syria was "unacceptable," but he is adamant that he will not allow an independent inquiry into the case of Maher Arar. He says his government has asked U.S. Secretary of State Colin Powell for an explanation and that the government also wants to find out whether Canadian intelligence officials played a role in the deportation of Arar."

National Story - network

Wikipedia: Maher Arar

CBC News: Maher Arar Timeline

Homeland Security measures ignore fiscal responsibility

Catching up on draft postings, this is one that is very timely today, although it was originally penned over a year ago.


Message: 6
Date: Sat, 20 Sep 2003 14:26:14 -0800
From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
Subject: Cost/benefit

In commenting on yet another pointless "homeland security" proposal, the
INFOCON mailing list passed along this quote:

"The number one threat to American national security during this long
war is neither anthrax nor truck bombs ... it is uncontrolled spending. We
cannot afford to put guards on every bridge and at every critical node
of our infrastructure. We cannot afford a sophisticated chemical and
biodetector in every government building. America cannot afford a
risk-free society in a world of global terrorism. The enemy's strategy
is to destroy our economy. We must not facilitate their efforts. America
will need to spend considerable sums of money to ensure our security ...
but we must do it wisely ... there will be no money to waste on irrational
fear and unconscionable pork. We must develop a strategic plan to guide
our efforts. This must include federal, state and local governments,
plus the private sector. Since 9-11, more than 130 bills regarding
homeland security have been introduced in the House of Representatives.
This is not the example of spending based on a strategic plan.

"The outcome of this war will determine the type of nation our
grandchild will know. I do not want that to be a nation that is

Randall Larsen, Director, ANSER Institute for Homeland Security, at the
National Defense University Symposium on Quadrennial Defense Review 2001

====================== (quote inserted randomly by Pegasus Mailer)
Allowing an unimportant mistake to pass without comment is a
wonderful social grace. - Judith Martin or

Find your elected officials by zip

This is a great site that will show you who your legislators are by submitting your 9 digit zip + 4.

Project Vote Smart

"VOTERGATE" film premieres today online

If you have fond memories of recounts from the 2000 election--I know I do!--then you need to see this film. The 2004 election is going to be _worse_ because of the explosion of electronic voting machines that do not produce a Voter Verifiable Paper Ballot. Without a non-electronic storage mechanism for recording official vote tallies, there will be NO WAY TO HAVE A MEANINGFUL VOTE RECOUNT.

Votergate is the investigative documentary feature film uncovering the truth about new computer voting systems, which allow a few powerful corporations to record our votes in secret. But Votergate is not just a warning. The film strongly concludes that elections are harder to defraud when voters turn out in big numbers.

Votergate will continue filming through the Nov. 2nd election and release a 90 minute feature film / DVD. This 30 minute Special Edition is designed specifically to help viewers navigate past the fear and spin being thrown at this critical issue.


Every American who cares about democracy must see this film before the
election! These filmmakers decided to create a 30 minute "Special Edition"
of their feature film as a free public service to get this information out to
the public - in time for the Presidential election and it premieres OCTOBER 26,
2004 online at (www.votergate.TV).

Critics of these e-voting systems protest that the machines are not
transparent to the voters and provide no paper ballot/receipt or any way to do a
meaningful recount. But Votergate is not just a warning, the film strongly
concludes that elections are harder to defraud when voters turn out in big numbers.
Just as public interest and news about these election issues are exploding, the
Votergate Special Edition is the
must-see film that educates citizens about how to keenly observe, question
and protect the process on Election Day!

Back in the saddle

Well, this site has gone stagnant for almost a year now for reasons that I'd rather not go into.

But that's not the important thing--it's back online, on superfast hardware now, and should get more regular updates.

Hope you enjoy!