Tuesday, July 19, 2005

Drooling over my 7mbps / 892 kbps DSL upgrade

broadband Speed Interpretation

Just upgraded from 1.5mbps / 768kbps to 7mbps / 892kbps. Yum.

2005-07-19 21:32:27 EST: 4427 / 719
Your download speed : 4533441 bps, or 4427 kbps.
A 553.3 KB/sec transfer rate.
Your upload speed : 737104 bps, or 719 kbps.

Rick Santorum: Blame the victims of clergy sex abuse


This is an utterly disgusting rationalization.

Friday, July 15, 2005

Non-English Internet Domain Names Likely Delayed Due to Phishing Concerns

Non-English Domain Names Likely Delayed - Yahoo! News

Social engineering attacks that use similar-looking characters to trick users are called homograph, or semantic, attacks. Also see this article on IDN Homograph Attacks.

Concerns about "phishing" e-mail scams will likely delay the expansion of domain names beyond non-English characters, the chairman of the Internet's key oversight agency said Friday.

Vint Cerf, head of the Internet Corporation for Assigned Names and Numbers, would not speculate on when such characters might appear but said Internet engineers must now spend time "trying to winnow down, frankly, the number of character (sets) that are allowed to be registered."

"In some of the early tests, ... it became clear we had opened up the opportunity for registering very misleading names," Cerf said in a conference call wrapping up ICANN's meetings this week in Luxembourg. "This kind of potential confusion leads to parties going to what they think are valid Web sites."

Back in February of this year, ICANN announced a request for Public Comment on issues with the proposed Internationalized Domain Name (IDN) standard and recognized homograph attacks as a likely attack vector.
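A defender-side check for the homograph problem described above, as an added example (not ICANN's or the linked article's code): it decodes punycode labels, approximates each character's script from its Unicode name, and flags labels that either mix scripts or consist entirely of look-alike letters. The confusables table is a small constructed subset of Unicode's real list.

```python
import unicodedata

# Constructed mini-table of non-Latin letters that render like Latin ones.
# Unicode's real confusables.txt is far larger; this is enough to show the check.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
COMMON = set("-0123456789")

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens count as common."""
    if ch in COMMON:
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_unicode(hostname):
    """Decode punycode (xn--) labels so the check sees the rendered characters."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname

def analyze(hostname):
    """Per label: scripts present, confusable characters, the Latin 'skeleton'
    a user perceives, and whether the label looks like a homograph."""
    report = []
    for label in to_unicode(hostname).split("."):
        letters = [ch for ch in label if ch not in COMMON]
        scripts = {script_of(ch) for ch in letters}
        confusable = [ch for ch in letters if ch in CONFUSABLES]
        skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        # Two patterns: a label mixing scripts, or a label whose every letter
        # is a look-alike (whole-script confusable). A purely Cyrillic word
        # with some non-confusable letters is a legitimate IDN and is left alone.
        mixed = len(scripts) > 1
        whole = bool(letters) and len(confusable) == len(letters)
        report.append({"label": label, "scripts": scripts, "skeleton": skeleton,
                       "confusable": confusable, "suspicious": mixed or whole})
    return report

def is_suspicious(hostname):
    return any(r["suspicious"] for r in analyze(hostname))
```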

Bush Administration may be responsible for botching effort to thwart London bombing

AMERICAblog: Bush admin may be responsible for botching effort to thwart London bombing

Seems as if the Bush Administration has a habit of leaking confidential information.

ABC News just reported that the British authorities say they have evidence that the London attacks last week were an operation planned by Al Qaeda for the last two years. This was an operation the Brits thought they caught and stopped in time, but they were wrong. The piece of the puzzle ABC missed is that this is an operation the Bush administration helped botch last year.

One senator told CNN that U.S. officials should have kept Khan's role quiet.

"You always want to know the evidence," said Sen. George Allen.

"In this situation, in my view, they should have kept their mouth shut and just said, 'We have information, trust us.' "....

I agree with the senator. We had an operative INSIDE Al Qaida! And this leak destroyed that advantage that may have helped prevent not only this attack, but other future attacks.

Tuesday, July 12, 2005

UN inspector "god told him" where the weapons in Iraq were

Sybil the Soothsayer

Good Grief.

So, where's your God now? Perhaps where the WMDs are?

I wonder if he still believes that his God is omniscient?

Another study showing real danger of cell phone use while driving

I no longer work for a large US cellular company, so I am free to write about this topic. Even better, I can write about how the lobbying by the cellular phone industry has been what keeps laws from being enacted to protect the public. Now, I do agree with the position that there are a lot of things drivers do that are just as bad, if not worse (reading the newspaper on your steering wheel, reading email on a blackberry...), so why pick on cellphones? But the fact is that from a public threat perspective, there are way more people doing stupid shit while on their cellphone than all other distracted driving combined, I guarantee.

I have made it a habit to note how many drivers doing stupid shit are talking on their cellphones when I see them and it is, no joke, almost 100% of drivers. I challenge you to do the same and you'll be horrified at how many common dangerous and annoying things are related to being on a cell phone at the time:

  • Driving too slow

  • Unable to stay in lane

  • Swerving

  • Not letting you merge (not paying attention)

  • Etc. etc.

CNN.com - Study: Drivers on cells more likely to crash - Jul 12, 2005

A study released Tuesday said drivers who use cell phones -- even hands-free models -- are four times as likely to be involved in wrecks involving a serious injury as are drivers who do not use cell phones.

Cell phone service temporarily disabled in NYC for "security"

CNN.com - Cell phone service disabled in New York tunnels - Jul 12, 2005

Cell phone service was disabled inside the four tunnels leading into Manhattan after the terrorist bombings in London, but Mayor Michael Bloomberg questioned Monday whether the move "makes the most sense."

I'm with Mayor Bloomberg. I don't think it makes sense at all for at least four major reasons:

  1. Terrorists don't necessarily have to call a cellphone in order to use it to detonate a bomb. I have read about them using the built-in timer. And this article actually corroborates this.
    In the Madrid explosions, alarms in cell phones were set on vibration, which sent electric impulses to the copper detonators connected to the explosives, Spanish authorities said.
    So, this measure indicates that someone does not understand the threat.

  2. More importantly, suppressing cellular service can only serve to incite panic--especially if there were to be another bombing or similar terrorist attack. I remember on 9/11 how distracted and distraught everyone was who knew people from New York when they could not get through to anyone to make sure everyone was alright. Now, if that isn't terrorism, I don't know what is. So, shutting down cell phone service really is going to help the terrorists with their mission.

  3. Cellphones on the front lines can be a great help in reporting attacks. Faster reporting and more accurate directions to authorities can save lives if there were to be another attack.

  4. The Department of Homeland Security said that this goes against their guidelines of keeping the cellphone system up and working for rescue authorities to use in the event of an emergency.
    The Department of Homeland Security said the decision in New York to cut off cellular service was made without any recommendation by the federal government's National Communications System, which ensures communications are available during national emergencies.

And while we're on the subject of anti-terrorist governmental reactions that don't make any sense... (Bruce Schneier is really going to have a field day with these):

PCWorld.com - Feds Seek Wiretap Access for Mobile Calls on Planes

If cell phones and other handheld wireless devices are allowed to be used on aircraft by the U.S. Federal Communications Commission, the U.S. Department of Justice wants built-in terrorism-fighting capabilities to allow fast wiretaps and quick ways to disconnect conversations between terrorists.

EFF Legal Guide for Bloggers

Now that I may actually be somewhat consistent in posting, and will be posting more if I can help it, reading up on the EFF: Legal Guide for Bloggers would be prudent.

Reduce Fear != increase security

This appeared in the October 2004 Crypto-Gram and is a very good description of how the current "security" measures at airports, etc. serve only to "reduce fear" and don't actually "increase security". The latter is the hard problem....

From: Anonymous
Subject: Fear and Security

This is in response to the letter you published last month by Wayne Schroeder: Fear and security are closely coupled in simple situations, like riding a motorcycle. The way to reduce the fear is to increase your safety, such as by driving more slowly. Millions of years of evolution have evolved fear as a mechanism for keeping us alive, but millions of years of evolution never had to deal with a 767. It evolved for simpler things, like bad weather, high speeds, and scary animals.

When it comes to the more complex security situations of the modern world, our natural instincts are inadequate. People still rely on them to guide them, though, like in the now-notorious Annie Jacobsen freakout. That's why we have security theater; people are trying to reduce fear, not increase safety, and they don't realize those aren't the same anymore.

That is also why people are reluctant to confront their poor choices. When you force them to do so, you are taking them from a place of reduced fear to one of heightened fear; as far as they're concerned, you're causing the fear. The rational perspective is clearly that you are making them safer, but they don't see it that way.

The motorcycle example just doesn't work because it maps easily to our evolved instincts. Modern security problems are so complicated that the ways to reduce fear have diverged from the ways to increase safety. Trying to map these primitive emotions to modern threats can't work; the gap is too large. Relying on our fears to guide us won't make us safer; it will only make it more shocking when our defenses are breached again.

Homeland security terror alerts

Good to look back on in light of the raising of the alert (and only for public transportation...). Is the best our intelligence can do to assume that the next attack will have the same MO and style as recent ones?

Schneier on Security: Do Terror Alerts Work?

When Attorney General John Ashcroft came to Minnesota recently, he said the fact that there had been no terrorist attacks in America in the three years since September 11th was proof that the Bush administration's anti-terrorist policies were working. I thought: There were no terrorist attacks in America in the three years before September 11th, and we didn't have any terror alerts. What does that prove?

VIM as an XML Editor


A great HOWTO: Vim as XML Editor

I'm not sure I'll give up a GUI for XML editing, but you can do quite a lot with VIM that many GUI XML editors can't.

Monday, July 11, 2005

Avoid losing web form text

Scribe, Mozilla Firefox Extension looks like a handy extension to add to Firefox. How many times have you lost a long textarea posting? No more typing in VIM or Notepad and then pasting into the web. No need to constantly save to the server to avoid losing text.

Example given uses movable type... I'll definitely be checking this out.

UPDATE: I just lost a great posting due to accidental hitting the back button... Aargh.

SecureUML, with Visio templates

Mark Curphey's Blog

I am very methodical when it comes to security design and security reviews so I am sure that these templates will come in very handy to ensure uniform coverage of requirements and mechanisms.

My only quibble so far is that they call this "SecureUML". The UML isn't secure, nor does having a well-defined authorization model imply security (look no further than the Sarbanes-Oxley efforts that define wonderful processes and models, while the auditor testing never covers the effectiveness of the underlying mechanisms implementing these controls...)

There are a few simple steps that can help when defining authorization requirements and an extension to the Unified Modeling Language called SecureUML that is very powerful for documenting unambiguous authorization models, specifically RBAC (role-based access control). My colleague Rudolph Araujo (Security Developer MVP) has built a Visio template for creating SecureUML models that is also available here. One of the things I specifically like about UML and SecureUML is that it forces you to really think about things and promotes best practice where you are not operating on undocumented assumptions.

First things first, let's define some simple steps to creating an authorization model.

1. Identify Users (actors)
2. Identify Application Specific Roles
3. Map Users to Roles Based on Business Function
4. Identify Resources
5. Identify Actions
6. Identify Authorizations Constraints
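The six steps above turned into a small executable authorization model, as an added example (not Curphey's post or Araujo's Visio template): users map to roles, roles to (resource, action) permissions, and step 6's constraints are predicates attached to a permission. The expense-report domain, user names and limits are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:            # Step 4: a resource instance the model protects
    kind: str              # e.g. "ExpenseReport"
    owner: str             # user who created it; used by a constraint below
    amount: int = 0

# Step 2: application-specific roles (constructed for this example)
ROLES = {"submitter", "approver", "auditor"}

# Steps 1 and 3: users, mapped to roles by business function
USER_ROLES = {
    "alice": {"submitter"},
    "bob": {"submitter", "approver"},
    "carol": {"auditor"},
}
assert all(r in ROLES for rs in USER_ROLES.values() for r in rs)

# Steps 4 and 5: which role may perform which action on which resource kind
PERMISSIONS = {
    ("submitter", "ExpenseReport", "create"),
    ("submitter", "ExpenseReport", "read"),
    ("approver", "ExpenseReport", "read"),
    ("approver", "ExpenseReport", "approve"),
    ("auditor", "ExpenseReport", "read"),
}

# Step 6: authorization constraints. Each is a predicate over (user, resource);
# every constraint on a permission must hold for that permission to apply.
CONSTRAINTS = {
    ("approver", "ExpenseReport", "approve"): [
        lambda user, res: res.owner != user,   # separation of duties
        lambda user, res: res.amount <= 5000,  # approval limit
    ],
}

def authorize(user, action, resource):
    """Deny by default. Allow only if one of the user's roles grants
    (resource kind, action) AND all constraints on that grant hold."""
    for role in USER_ROLES.get(user, set()):
        perm = (role, resource.kind, action)
        if perm not in PERMISSIONS:
            continue
        if all(check(user, resource) for check in CONSTRAINTS.get(perm, [])):
            return True
    return False
```

Writing the model this way makes the undocumented assumptions Curphey mentions visible: an unknown user, an unmapped role, or a missing constraint all fall through to a denial rather than an implicit grant.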

Free Open source tool released for web services security scanning

Foundstone, Inc. Strategic Security

Have not checked it out yet. Sounds promising. Although it would be nice to have a scanning tool that can do application security checks regardless of whether the protocol is HTML over HTTP, XML over HTTP, SOAP, etc. Many of the attacks and scanning signatures will be the same; only the formatting, and perhaps the detection of whether a test succeeded or failed, would differ. I'd be interested in knowing more about what they encountered as to whether the differences are significant enough to warrant a separate tool.

Thursday, July 7, 2005

Unintended consequences of improved SSL UI in browsers

SSL Organization Vulnerabilities

The following example web site spoofs demonstrate the vulnerabilities that exist if First-Generation vetting practices for digital certificates are used in combination with new browser enhancements which bring the certificate Organizational information forward and display it next to the SSL Lock symbol.

Spoofers these days are adapting very fast to new technology to counter their tactics. This is one in which adversaries are generating certificates with Organization information that matches a target site to spoof, and dumb "Trusted" third party CAs happily sign these certificates. Some browsers, such as Opera, are now providing the organization information directly to users to help them make better trust decisions. Unfortunately, this is rearranging deck chairs on the Titanic since the SSL TTP model is totally broken--it does not allow for adequate authentication of sites to end users, hence the rampant phishing attacks and soon to be man-in-the-middle attacks (my prediction).

Study: Users becoming more security-conscious

Fear of Spyware Changing Online Habits - Yahoo! News

Internet users worried about spyware and adware are shunning specific Web sites, avoiding file-sharing networks, even switching browsers.

Many have also stopped opening e-mail attachments without first making sure they are safe, the Pew Internet and American Life Project said in a study issued Wednesday.

Some good indications that end users are gaining levels of awareness of the security problems in today's Internet environment. Go read the full report. It has a lot more meat than the wire stories.

Musings on the Horrible bombings in the UK

I hope we have better reason to suspect Al-Qaida than this. And can't the press do better than push a ridiculous assertion such as this below with a weak justification by an anonymous source? Why the need for an anonymous source anyhow? It almost seems as if the reporter was trying to squeeze in a link to Al-Qaida no matter the questionable "logic" being used to make that assertion. But, perhaps it came off this way due to too much pruning by the editor.

A senior U.S. counterterrorism official, speaking on condition of anonymity, said that because the attacks were well-coordinated and appeared fairly sophisticated, they were consistent with al-Qaida's methodology.

So, are there not any other terrorist groups that can be "well-coordinated" and "fairly sophisticated"?

Seeing that the terror alert level was only raised after the bombings occurred indicates that our intelligence is still in pretty bad shape. I'm sure that if the US knew about a threat against the UK in advance, they would have raised our alert level in anticipation.

From the AP: U.S. Raises Alert to Orange for Transit

Monday, July 4, 2005

The Rise of the American Taliban

Daily Kos: State of the Nation

I was just talking last week about the rise of the American Taliban and how hypocritical some brands of "christian" are about who gets to have freedom of religion in this country. This article is very apropos.

Funny how the wingers try to claim American liberals are in league with crazy fundamentalist Muslims.

Reality is, we hate everything Islamic fundamentalism stands for. On the other hand, the Dobsons of the Republican Party -- you know, the people running the show -- have far more in common with the enemy than they'd ever like to admit.

Sunday, July 3, 2005

More TSA idiocy

Following up on my earlier posting on TSA idiocy... Supposedly this was also at SeaTac.

Just met with some friends tonight and the subject of airline/airport "security" came up. A true story about a recent run-in with TSA:

85-year-old resident of Washington state arrives home after an international flight where he had successfully taken about six different flight legs without incident carrying on a small watch/clock repair toolkit with him in his carry-on luggage. On the final leg, he is accosted by TSA because he is carrying a 2 inch hammer in this kit with a metal head and wooden handle!! The TSA tells him that tools are prohibited and that they are going to confiscate this tiny hammer.

Well, they pleaded with TSA:

  • The man is 85 years old and lives in Seattle

  • Oh, by the way, he had no problems on the other six legs of our flight and this is the final leg.

  • He had made the hammer himself with his own hands years ago--both the handle and the metal head. It is a one-of-a-kind and a cherished family heirloom.

  • Are terrorists (or _anyone_) known to attack people with 2 inch hammers?

But, the TSA, protecting all of us from 2 inch hammer banditos, refused to budge. The family got several levels of TSA and airport staff involved to press the issue yet their pleas still fell on deaf ears.

To make matters worse, the TSA staff were nasty about the situation too. For example, when asked what they were going to do with the hammer after confiscating it, they said that it would be "discarded", as if it were something with only utilitarian value. No thought about the real human lives in front of them that were being negatively impacted by this policy. I guess "things have changed after 9-11": Americans are self-righteous and don't care about the American public? No thought is expended to question the TSA policy, which does actually prohibit bringing quote-unquote "hammers" on board, but I'm sure the policy writers did not intend for this to apply to 2 inch hammers! Think people!! Sheesh.

Yeah, people supposedly trying to protect us are maliciously obedient to policies that address false risks not based on a threat model, let alone a reasonable one. And, they only care about the letter of the law and not the spirit. The risk mitigation lies in the spirit of the law. Stupidity and a police state lie in strict interpretation of the letter of the law, especially in the case of the TSA where Americans have no ability to confront their accusers and ensure any sense of just treatment under the law.

A great quote I have heard someone say (about "no tolerance" school gun/knife/drug/etc. policies) is that "no tolerance" policies like these are really "no thought" policies. They allow people to be maliciously obedient to idiotic policies and take away any hint of a rational thought process that would normally prevent humans (formerly known to be rational actors) from arriving at ridiculous conclusions to benign situations.