Friday, December 15, 2006
Sunday, December 3, 2006
Saturday, December 2, 2006
It's amazing how far this subject has come in just a few years, yet how far it still needs to go, as evidenced by the irregularities in the recent 2006 midterm election.
Slashdot | NIST Condemns Paperless Electronic Voting
Slashdot | Plastic Packages Cause Injuries, Revolt
The Seattle Times: Nation & World: He was naked, on crack and in alligator's mouth
"A gator's got me," Apgar replied, his voice faint in the background.
Mayid's call shortly after 4 a.m. sent four Polk County, Fla., deputies racing to the 2,150-acre lake just outside Lakeland, Fla., where they jumped into the water and wrenched Apgar's arm from the gator's mouth. The 45-year-old victim, who told authorities he'd passed out nude on the shore after smoking crack cocaine, was rushed to a hospital in critical condition.
Later Wednesday, state wildlife authorities trapped and killed a nearly 12-foot-long alligator thought to be the one that attacked Apgar.
Sheriff's officials have said Apgar, 45, suffered a broken right arm. His left arm was nearly severed, and he had bites to his buttocks and leg. He underwent surgery Wednesday afternoon at Lakeland Regional
Wednesday, November 29, 2006
Monday, November 27, 2006
Sunday, November 26, 2006
po-ru.com: Fixing ffmpeg on Ubuntu
It seems one can set DEB_BUILD_OPTIONS=risky to enable the missing codecs rather than editing debian/rules and building the package manually.
sudo apt-get build-dep ffmpeg
sudo apt-get install liblame-dev libfaad2-dev libfaac-dev libxvidcore4-dev checkinstall fakeroot
DEB_BUILD_OPTIONS=risky fakeroot apt-get source ffmpeg --compile
sudo dpkg -i ffmpeg-blah.deb
Friday, November 24, 2006
It's not really a typo but an intentionally left-out X separator for aesthetics on the sculpture that was intended to result in gibberish when decrypted that would clue in the decryptors to reinsert a separator and try again, except it ended up spelling something intelligible instead of garbage so they thought they had decrypted it properly!
A Break for Code Breakers on a C.I.A. Mystery - New York Times
For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.
One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update). You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!
Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7. So, it will force Windows 2000 users to upgrade to XP first. That is probably also a good thing for security though.
Schneier on Security: Internet Explorer Sucks
--Washington AG Alleges Spyware Act Violations
(16 & 14 August 2006)
Washington State Attorney General Rob McKenna has filed a lawsuit against Movieland.com parent company Digital Enterprises alleging violations of the state's Computer Spyware and Consumer Protection Acts.
People sign up for a free, three-day trial of the company's software that allows them to download movie clips. After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent.
The pop-ups, which appear hourly or even more frequently, read "Click 'Continue' to purchase your license and stop these reminders." The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.
The worst part is that DHS didn't even try to hide the pork-barreling by making the inclusions and omissions clear and blatant. Oy. I reluctantly file this in the security category...
The Seattle Times: Local News: Dept. of Homeland Lunacy
When it comes to homeland security, I give up.
I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.
But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.
I happen to have a lock whose combo I forgot that this will definitely come in handy for...if I can only find the lock...
Airport Security Oversights | The Onion - America's Finest News Source
Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity
U.S. Cryptographers: 'FrpX-K5jE-Oc4n-e5Dn' | The Onion - America's Finest News Source
WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.
- No pleated pants Get rid of your pleated pants in favor of flat-front pants. Flat-front pants are simpler, more modern looking, make you look slimmer, and not like an old man.
- Clothes should look new and fresh If your sweaters are pilled and your pants have wallet or knee wear marks, or the cuffs are frayed, it's time to get some new clothes. Buy something new and donate the old.
- Get pants with the proper length If you don't know your length, get measured or fitted in a store sometime. Your pants should "break" at the ankle and continue down slightly over your shoe. If you can see your socks when standing, your pants are too short!
- Appropriate sock color White socks are generally not going to work with any business casual attire, unless it is Miami Vice white suit day, but even then you probably would be better going without socks...but I digress. The general rule with socks is they should not be noticeable! If your socks stand out, they are wrong for your outfit. I mostly wear neutral socks that match my pants to not draw attention to them. If you are wearing athletic socks with slacks you need to go to Costco and get some Gold Toe dress socks and save the Nike socks for the gym.
- Your shoes tell all They say you can tell a man by his shoes--they make or break an outfit. You can be totally put together elsewhere but if your shoes are crap, it's game over. What do your shoes say about you? Are they tired, scuffed, worn and dirty or new, sleek, stylish and shiny? It sucks but you really should have several pairs of shoes so that you can rotate them. Avoid wearing one pair day-in and day-out so that they will last longer and look fresh when you do wear them. I've even bought two of the same less expensive pairs of shoes that I liked to keep them looking nicer longer. Oh, and invest in a shoe brush and some instant shine pads. Esquire recommends using black polish--even with brown shoes.
- Wear the right size shirt This is another one of those things you're never taught: how to know you have the right size shirt. Here's the best way to know: Where the sleeves attach to the main body of the shirt, it makes a line. That line should roughly be even with the very edge of your shoulder blade. More than a 1/4 inch past that and your shirt is probably too big. I often see this with people who wear golf shirts (even PGA pros are bad offenders. Tiger Woods does it right though). Another way to tell if your short-sleeve shirt is too big is if your sleeves extend far past your elbow. They should probably end short of your elbow if it is sized correctly. Having the right size shirt means a sharper, put-together look. Oversized shirts tend to look sloppy or overly-casual.
- Dress for the position you want, not the one you have. Hey, I've been there where I loved being able to wear jeans and a T shirt because, hey, nobody sees me in the server room. But, if you have higher aspirations or if you interface with business folks who tend to dress nicer than you, then your clothes can be a distraction from you and your message. If anything, your clothes should be neutral or enhance your message. Beware of some managers who get nervous if their underlings dress nicer than they do, but that isn't really your problem--it's theirs for not dressing to their level in the organization!
- Skip ironing -- use the cleaners! Nothing says sloppy like a button-down shirt that has not been ironed or is poorly ironed. The difference I found with people who truly look sharp is not just tailoring but well-maintained clothing. It is so cheap to have someone else iron your shirts and it looks 1000 times better than if you try to do it that it is well worth the investment. And you can usually get a couple of wears out of each shirt before it needs to be sent back for cleaning and ironing. I pay $0.99 / shirt. If you have nice pants, you can usually get away with ironing them yourself but professional pressing also looks a lot better and holds longer than home ironing.
- The Passport number
- The Date Of Birth of the holder
- The Expiry Date of the Passport
Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you're a Canadian in foreign countries?
The latest version of RFIDIOt, the open-source Python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.
This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.
Also see this news story.
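The three fields listed above are exactly what the ICAO 9303 Basic Access Control key is derived from, which is why a chip can be read by anyone who has seen the passport's data page. The following is an added example (not RFIDIOt or mrpkey.py code) that implements that derivation from the public spec: MRZ check digits, the SHA-1 seed, and the 3DES encryption/MAC keys. The sample document number and dates are the worked test vector from the ICAO 9303 specification, not a real passport.

```python
import hashlib

# Added example implementing the ICAO 9303 Basic Access Control (BAC) key
# derivation. Input: document number, date of birth and expiry date (YYMMDD),
# i.e. the fields printed on the passport data page. Output: Kseed and the
# two 3DES keys (Kenc, Kmac) the reader uses to talk to the chip.

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch):
    """ICAO 9303 character values: digits as-is, '<' is 0, A..Z are 10..35."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field):
    """MRZ check digit: weighted sum (weights 7, 3, 1 repeating) modulo 10."""
    total = sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(document_number, birth_date, expiry_date):
    """Concatenate the three fields, each followed by its check digit.

    The document number is padded with '<' to 9 characters as in the MRZ.
    """
    doc = document_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth_date}{check_digit(birth_date)}"
            f"{expiry_date}{check_digit(expiry_date)}")


def _odd_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES key format)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_key(kseed, counter):
    """ICAO 9303 KDF: SHA-1(Kseed || 32-bit counter), first 16 bytes, parity-adjusted.

    Counter 1 yields Kenc (encryption), counter 2 yields Kmac (MAC).
    """
    digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
    return _odd_parity(digest[:16])


def bac_keys(document_number, birth_date, expiry_date):
    """Derive Kseed, Kenc and Kmac from the three printed MRZ fields."""
    info = mrz_information(document_number, birth_date, expiry_date)
    kseed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {
        "mrz_information": info,
        "kseed": kseed,
        "kenc": derive_key(kseed, 1),
        "kmac": derive_key(kseed, 2),
    }


if __name__ == "__main__":
    # Sample values are the published ICAO 9303 test vector, not a real document.
    keys = bac_keys("L898902C", "690806", "940623")
    for name, value in keys.items():
        print(name, value.hex().upper() if isinstance(value, bytes) else value)
```

Note that the whole key space is the document number, birth date and expiry date; nothing secret enters the derivation, which is the point Schneier is making about tracking.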
These are the fatal flaws of patents--that they are often used these days to stifle competition or to patent ludicrous things like 1-click shopping or automatically launching active content in a webpage. The whole system needs to be revamped.
The theoretical justification for patents has seldom worked in practice. Most patents are flagrantly bogus, always have been. Of the few legitimate patents, the vast majority merely obstruct the development and application of the technology, without in fact making money for the inventor. The normal outcome of patenting a genuine innovation is that people construct second rate workarounds, as Microsoft just did. The destructive effect of patents is merely most visible in those fields that are advancing most rapidly - cryptography being such a field.
This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks. They also show the data from the previous year.
I personally recommend F-Secure's product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee...). I've heard from others who enjoy Kaspersky as well, so either of those would be good choices, and they happen to both top this list.
I also personally got rid of McAfee products after a multitude of issues:
1. The product is seriously bloated and the Security Center product seems geared more toward selling other McAfee products than providing normal users with value.
2. Many of the products in the suite are not well integrated. They often had their own installers and were a real pain to uninstall.
3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous. My wife forgot her password to their site so she used their "forgot my password" feature. Guess what? They emailed her, not a new random password, but her _actual password_. This from a security company! They either store passwords without encryption or store them with reversible encryption--both of which are seriously bad ideas and McAfee should know better.
5. Their suite product line is very expensive and the price seems to go up every year. They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows. The cure is worse than the disease?
Ranking Response Times for Anti-Virus Programs - Security Fix
5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design
Tools are sexy; secure design is hard. That's why you see so many tools and vendors hawking tools but not as much work. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far. It's an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It's a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?
As for item #3, I don't think that I believe that there can be "quantitative" security risk management. The biggest problem is that there is not enough good data to base future risk upon (try this: how do you quantify risk of brand damage due to event X?).
Item #4 is very important and speaks to ensuring security systems are usable.
CRA (Computing Research Association) Grand Research Challenges
Four Grand Challenges in Trustworthy Computing:
1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.
Given the circumstances that command its application, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Psychological Acceptability has been defined as a critical aspect of secure systems for over 30 years by Saltzer and Schroeder (1975): The Protection of Information in Computer Systems
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.
Boing Boing: Copyright Office creates 6 DMCA exemptions
the office refused to grant exemptions that would benefit the general public -- space- and format-shifting, backing up your DVDs -- and they took back an earlier exemption that let people reverse-engineer the blacklists maintained by censorware companies to bring some transparency to their process.
Lawrence Lessig: When Web 2.0 meets Lawyers 1.0
Funny because I was just thinking about this regarding this blog. I think it's cool when people enjoy what I provide on this blog, but I really don't care if people read it or not. This is where I keep track of stories and topics that interest me, instead of saved emails or bookmarks that I never look at again. I can always go back and find what I found interesting and what I wrote about it. Pretty cool in my book.
My blog doesn't really have many that link to it and probably the fact that I post many links without a lot of commentary a lot of the time is a good reason why. But I disagree that nobody links to linkers. I personally like blogs because they act as filters or lenses that focus news and interesting content. There are tons of blogs but I like the ones whose mix of topics coincides most with what I'm interested in. Even if they just link to other places, that's fine with me. It's the filtering service that is the value-add, not necessarily original content.
That said, I have anecdotal evidence that my blog only gets noticed when I post original content. My recent entry about SOA security is a perfect example. I also was thinking about how I like the SANS newsbites because they actually summarize the stories they link to, not just provide links (on a related note, the links in Crypto-Gram require me to go read every story that sounds interesting so I generally read fewer of them).
No-one links to the linkers at Andrew Garrett’s Mutation
[infowarrior] - Verizon Slapped for Crippling Bluetooth
Verizon has been getting weasely with some of its customers in California who bought its Motorola v710 Bluetooth-"capable" phone on or before January 31, 2005. Preliminary approval of the settlement was granted in a California court for a class-action suit against the company because it didn't accurately tell prospective customers that its Bluetooth features weren't what they appeared to be. Verizon said the phone "works with a PC" but left out that part about how you can't wirelessly sync photos or contacts or any other files using Bluetooth.
Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system. Recall Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure and unintended actions by the user. The infamous butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections, so this is not a new issue to software or to voting by far.
This is a perfect example, though, of how using DREs to generate human-and-machine-readable receipts (voter verifiable) could allow voters to detect their undervotes before they drop them into the ballot box. There could even be very blatant warnings to the user on the receipt and on the screen that they didn't vote in X of the races to help prevent unintentional undervotes. Did these companies do any focus group testing of DREs?
FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime
...Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design...
Wednesday, November 22, 2006
I've been working on emergency preparedness for my neighborhood lately so this is very apropos.
BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don't forget supplies for your pets too!
Two Flickr galleries dedicated to photos of apostrophe and quotation mark abuse. I can't believe my previous post on Common writing mistakes didn't touch on this pet peeve of mine.
And a hint for the upcoming holiday: Gift cards make great gifts...
2006 Gift Card Study (Page 1 of 4)
If you want a gift card you can use anywhere, you'll pay for the privilege, while gift cards from individual retailers are less costly and sprouting more options.
Those are the major findings of the third annual Bankrate.com Gift Card Study.
Retail store gift cards continue to be a consumer-friendly credit product, with fees and expiration dates the exception rather than the rule. The retailers can make a profit from the merchandise users buy.
Gift cards from the major credit card issuers, though, still carry an assortment of fees. All continue to charge monthly "maintenance" or "dormancy" fees, ranging from $2 per month to $3, if the gift card isn't used within a certain period of time. All but American Express have expiration dates.
Bankrate surveyed the top 25 retailers, as identified by the National Retail Federation, about the costs, terms and conditions of the gift cards they offer, both plastic and electronic. We also surveyed the four largest credit card companies: American Express, Discover Card, MasterCard and Visa.
Monday, November 20, 2006
I'm sick and tired of hearing about the false dichotomy of WS-Security versus SSL and why its performance is somehow going to be so much better than SSL transport encryption of SOAP-based web services. Pundits often point out that SSL has to encrypt the _whole payload_ while WS-Security can be used to digitally sign and/or encrypt only those attributes that absolutely need encrypting or signing.
This kind of reasoning is preposterous and is nowhere near being based on any facts or data, yet these talking points are ever-popular with the "SOA: the Armageddon is near" or WS-NotJustForBreakfastAnymore crowd.
For these people, I have one simple question for you about the assertion that WS-Security is always going to perform better in software than simply using SSL intelligently for the entire transport:
How is it that you can claim that WS-Security digital signature or encryption (with one _or more_ asymmetric plus 1 _or more_ symmetric crypto operation per request PLUS base64 encoding bloating the request PLUS extra SOAP XML tag hierarchies wrapping the encrypted/signed data section that need to be transferred over the network) is going to be faster in general than SSL (with one asymmetric crypto operation at session initiation, and henceforth 1 symmetric crypto operation per packet)?
It has often been vendors of XML firewalls and Microsoft web services evangelists that are the worst offenders. I'd love to hear some answers you get to this question. I haven't gotten a sensible one yet.
Asymmetric crypto operations are roughly 1000 times slower than symmetric crypto operations. I would love to see actual hard data based on a valid underlying test scenario proving that WS-Security is faster than SSL even in the face of this reality. But nobody who makes these claims has it and I can't see it just based on the orders of magnitude difference between the computing time required for the crypto. That is even before you factor in the additional latency for transmitting the extra bytes for the WS-Security payload and the extra parsing time and the likely need to have to encrypt and decrypt multiple separate data elements individually.
Yes, in the purported SOAP-router kind of network where SOAP is treated as if it were a wire-level protocol there are problems with SSL since it is not end-to-end, but that is a red herring when we are debunking the claims of enhanced performance. Stop changing the subject! There can be a place for WS-Security in some advanced SOA scenarios, but strictly on performance, I can't see there being any comparison. And most people aren't implementing anything like the SOAP architects envisioned anyway (but don't let that stop the vendors from beating that drum). Most people are still using SOAP for point-to-point services which often replace other wire-transports or technologies (e.g. DCOM, CORBA, proprietary XML services, etc.)
Performance issues with SSL generally have nothing to do with the fact that you are encrypting an entire payload instead of just subsets of the data. For the small messages that typical SOAP calls are, this is perhaps a few clock cycles per request. I can say from lots of experience with lots of development teams that at least 90% of the performance problems with SSL in general are due to seriously flawed implementations. The other 10% is generally actual performance impact because the systems on which it is running are vastly undersized, because the system was not designed to be secure (but rather designed on the omission or hope that they wouldn't have to size it to handle the required security).
If you implement SSL to intelligently minimize the asymmetric crypto operations to the absolute minimum by pooling connections and pinning them up and using keepalives, then you are barely going to notice its impact, especially on properly-sized hardware or if you use hardware crypto accelerators. But if it is done incorrectly, or not accounted for in sizing, SSL will remain the whipping boy of many an environment.
Oh, and I have data showing how SSL can actually _speed up_ connections under certain conditions.
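To make the cost argument above concrete, here is an added cost model (constructed for this post, not measurements or the author's data). It takes the post's stated ~1000x asymmetric-to-symmetric ratio as given; the packet size, envelope overhead and base64 growth factor are assumptions labelled in the code. It counts the crypto work and wire bytes for N requests under SSL with connection pooling versus per-request WS-Security signing and encryption.

```python
import math

# Constructed cost model, added as an example. Unit: one symmetric operation
# on one packet costs 1; one asymmetric (RSA) operation costs ASYM_COST, the
# ~1000x ratio the post cites. Everything else is an assumption, not data.
ASYM_COST = 1000.0
SYM_COST = 1.0
PACKET_BYTES = 1400        # assumed payload bytes per TLS record / packet
ENVELOPE_OVERHEAD = 600    # assumed bytes of extra Security header and XML wrapping


def ssl_cost(requests, request_bytes, requests_per_connection):
    """SSL: one asymmetric op per full handshake (i.e. per connection),
    then one symmetric op per packet. Pooling/keepalives raise
    requests_per_connection and so amortise the handshake."""
    connections = math.ceil(requests / requests_per_connection)
    packets_per_request = math.ceil(request_bytes / PACKET_BYTES)
    return connections * ASYM_COST + requests * packets_per_request * SYM_COST


def ws_security_cost(requests, signed_parts=1, encrypted_parts=1):
    """WS-Security: per request, one asymmetric op per signed element
    (the signature) and one per encrypted element (key transport),
    plus one symmetric bulk operation per encrypted element."""
    asym_ops = requests * (signed_parts + encrypted_parts)
    sym_ops = requests * encrypted_parts
    return asym_ops * ASYM_COST + sym_ops * SYM_COST


def ws_security_wire_bytes(request_bytes, encrypted_fraction=0.5):
    """Bytes on the wire: the encrypted share grows 4/3 from base64, the
    rest is unchanged, and the Security header/XML wrapper is added."""
    encrypted = request_bytes * encrypted_fraction
    clear = request_bytes - encrypted
    return int(math.ceil(encrypted * 4 / 3) + clear + ENVELOPE_OVERHEAD)


def compare(requests=10_000, request_bytes=2_000, requests_per_connection=100):
    """Relative crypto cost and wire size of the two approaches."""
    ssl = ssl_cost(requests, request_bytes, requests_per_connection)
    ws = ws_security_cost(requests)
    return {
        "ssl_cost": ssl,
        "ws_security_cost": ws,
        "ws_over_ssl": ws / ssl,
        "ssl_bytes_per_request": request_bytes,
        "ws_bytes_per_request": ws_security_wire_bytes(request_bytes),
    }


if __name__ == "__main__":
    # The flawed-implementation case: a fresh connection for every request.
    print("no pooling:", compare(requests_per_connection=1))
    print("pooled x100:", compare())
```

Even with a new handshake per request SSL does no worse than WS-Security under this model, and every extra request per pooled connection widens the gap by another ~1000 units.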
TPMmuckraker November 17, 2006 01:35 PM
"You know," McCain said a few moments later, "you are really one of the more astonishing witnesses that I have [faced] -- in the 19 years I've been a member of this [Senate Commerce, Science and Transportation] Committee."
Lautenberger explained that his staff was working on "pieces" of the report, and conceded the November 2004 deadline had been a "difficult requirement to meet."
ABC News: Poll: Elbow Room No Problem in Heaven
Who gets in is another matter. Among people who believe in heaven, one in four thinks access is limited to Christians. More than a third of Protestants feel that way, and this view peaks at 55 percent among Protestants who describe themselves as very religious.
Saturday, November 18, 2006
McCain once had words of praise for Senator Kerry, but he played the repugnican party line during the election and trashed him for his botched joke--acting as if he really believed Kerry, a decorated veteran, was actually disparaging the troops and not Bush. Politics is disgusting. McCain should take what Olbermann said about Rove and Bush to heart:
Crooks and Liars: Olbermann’s Special Comment : There is no line this President has not crossed — nor will not cross — to keep one political party, in power.
Mr. Bush and his minions responded [to Kerry's gaffe], by appearing to be too stupid to realize that they had been called stupid.
Bus driver allegedly flips off Bush so Bush and Reichert complain and the bus driver gets fired. Where is the compassion in that conservative again?
This Is Broken - Bank of America jailing a customer
Matthew Shinnick dropped by a Bank of America branch in San Francisco to make sure a check he was about to deposit wasn't fraudulent. The teller found that the check was fraudulent and told the manager, who then had Shinnick thrown in jail. Are you getting this right? The customer who wanted to make sure he wasn't about to draw on a fraudulent check got thrown in jail by Bank of America. In response, customers have withdrawn or removed at least $50 million (at last count) from B of A in protest. See also Clark Howard's site, who gave this lots of attention in California on his radio show.
Wednesday, November 8, 2006
Monday, November 6, 2006
I was not feeling well but went to work anyway (I thought of resting up one more day and probably should have stayed in bed).
It was the first day back to work after being sick with fever for 3 days.
On my way to the bus stop, after only a 1/2 block from my house, my pants were soaked and shoes soaked through. The rain and wind have been insufferable this fall!
I reluctantly went back home frustrated and not knowing if there was a way to possibly get to work but not be soaking wet all day. I decided the strategy would be sacrificial clothing. I geared up in my Costa Rica Rain forest gear (all drip-dry) and packed a new dry outfit to change into at work, including new shoes.
Well, the sack that I put my shoes in got a hole worn in it on the way to and from the bus. One shoe fell out on the sidewalk coming into my work building. Fortunately, someone saw it right away and alerted me.
When I went to put my shoes on, one shoe got laces worn in half from dragging behind my wheeled laptop bag.
Turns out my laptop bag was not waterproof so my dry pants got wet.
Turns out my brand new building downtown Seattle has no hand dryers in the new bathrooms! So, I couldn't quickly dry my new pants.
So, I was stuck with wearing my rain pants while I waited for my others to dry out.
But those pants were still damp enough that they got my chair wet. So I had to switch chairs for the day after putting my dry pants on to avoid getting those wet again.
Sunday, November 5, 2006
Thursday, November 2, 2006
Monday, October 30, 2006
10-29-2006 Sunday comic in case the link breaks in the future.
Boing Boing: Congressman on Boarding Pass Generator guy: Uh... oops?
Last Friday, Rep. Edward Markey (D-MA) called for the arrest of Christopher Soghoian, and the takedown of his "Boarding Pass Generator" website which illustrated an airline security hole documented on the web for several years. Hours after the congressman's statement, Soghoian says FBI agents visited his home, then returned a second time after he'd left -- in the middle of the night -- with a search warrant signed at 2AM, and seized Soghoian's computer(s) and other belongings.
Now, several days too late, Markey issues another pronouncement which backtracks on his earlier statement. It's 250 words, but they boil down to one: "oops."
Think Progress » GLOBAL WARMING REPORT: Right-Wing Fiction vs. Economic Reality
Think Progress » Senior Bush Appointee Rejected Scientists’ Recommendations In Favor Of Industry Positions
Julie MacDonald, Deputy Assistant Secretary for Fish and Wildlife and Parks, has consistently "rejected staff scientists' recommendations to protect imperiled animals and plants under the Endangered Species Act." A civil engineer with no training in biology, she has overruled and disparaged the findings of her staff, instead relying on the recommendations of political and industry groups.
Media Matters - Despite McCain's many hedges, Borger asserted that "[n]o one would accuse McCain of equivocating on anything"
In her latest column, posted online on October 29 and that will appear in the November 6 edition of U.S. News & World Report, U.S. News contributing editor and CBS News national political correspondent Gloria Borger asserted that "[n]o one would accuse [Sen. John] McCain [R-AZ] of equivocating on anything." Writing about the prospect of Sen. Barack Obama's (D-IL) running for president in 2008, Borger contrasted him with McCain, asserting that Obama's "penchant for wishy-washy is well documented." Yet as Media Matters for America has repeatedly noted, despite an abundance of well-documented backtracks, flip-flops, and inconsistencies, the media continue to describe McCain with words such as "honest" and "authentic" and generally regard him as an unwavering purveyor of "straight talk."
Biblical creationist blasts tour of 'Lucy' at Pandagon
Monday, October 23, 2006
I have written about the utterly fictitious "ticking bomb" scenario on several occasions. Because I do not want to engage in this exercise ever again, I have assembled here the major relevant arguments, so that they will all be in one place.
An excellent debunking of the "ticking timebomb" argument. Sorry Jack Bauer.
Wednesday, October 18, 2006
Popup-your-way-to-security in Vista. If this is the logical conclusion of having something secure-by-default (one of the SDs in SD^3), we may be in real trouble.
Thursday, October 12, 2006
Article showing how VirusTotal revealed how easy it can be to create "variants" that go undetected by most anti-virus products. The VirusTotal website could be a valuable resource.
Wednesday, October 11, 2006
When President Bush touched on Iraq at his news conference this morning, he may have been revealing more than he knew.
[video] BUSH: The stakes couldn't be any higher, as I said earlier, in the world in which we live. There are extreme elements that use religion to achieve objectives.
He was talking about religious extremists in Iraq. But an hour later, Mr. Bush posed with officials from the Southern Baptist Convention.
Tuesday, October 10, 2006
Monday, October 9, 2006
So, I found a small bug in Microsoft's
I called Microsoft to find out how I could report the bug in XCACLS.vbs and after voice jail and being put through the regular support cruft they said that the only way to report bugs is by US Mail! They don't have any email address or way to report them via their support line. I told them to forget it. I'd just post something on my blog so that someone having the same problem can find it via google (and that then maybe Microsoft might google it someday so they can fix the problem).
mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can't change it to an easily remembered one), which you can't likely remember, so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security from the obscurity.
However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often because, although you have to type in more information, the usability is better: it is faster to do this than to look up what my login ID is. But they have now created a great target for phishers that can undo all the benefits of the hidden login ID and the additional measures on the site, because this feature is not protected with their RSA/Cyota eStamp as their login dialog is.
Saturday, October 7, 2006
I just heard Limbaugh today repeating the crap talking point about the Foley issue being about the existence of a "gay" republican. That is bullshit. This is about exploitation and preying on innocent children. Wanker.
Friday, October 6, 2006
Note to news media: Report the FACTS on the NEWS and lose the question mark.
An excellent paper summarizing many of the problems with certifiers such as TRUSTe as well as showing that sites that get these certifications to prove their trustworthiness are actually more likely to NOT be trustworthy!
I know companies who were so concerned about wanting customers to _think_ that their site was secure that they worked on getting a certification instead of investing in actually _making_ their site secure. No corrective action was taken to align technology or processes to the spirit or letter of the "certification". The same crummy procedures and mindsets that existed before the certification were there after the certification.
I have actually helped fill out the TRUSTe questionnaire and know the difficulty of answering their survey questions with 100% knowledge of everything that goes on in a company, even though it tends to certify the site.
Thursday, October 5, 2006
Would only be cooler if it removed DRM!
Tuesday, October 3, 2006
Step right up! Join your fellow Right-wingers and go on record as a child predator apologist! Downplay the crime of statutory rape! Justify the coverup as necessary for political reasons!
Wednesday, September 27, 2006
More in the front on the War on Science. Ugh.
"Discover what's important, make it happen, share your progress. Find your 43 things."
I just came across this site. Seems like a fun idea. You can add your own thing that "you want to do with your life" or see what other people said and use those ideas. You can track your progress. Larger fonts indicate more popular topics in the list. There are thousands of people from around the world on there. It also shows "People doing this are also doing these things", which is interesting as well.
Monday, September 25, 2006
if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?
This was a long-overdue smackdown by Clinton after being sandbagged on Fox. They forced YouTube to take down the video clip--trying to rewrite history. Stephanie Miller played the audio this morning--are they going to go after her too? Oh no, people will know that Fox is slanted to the right and giving people on the right a pass!
Saturday, September 23, 2006
Media Matters got an advance copy of O'Reilly's new book and dissects the "errors, unsubstantiated claims, and baseless attacks that run through Culture Warrior".
October 7th but in Virginia. Transcript and video will be available afterward. I'll be watching it...
Monday, September 18, 2006
take some time, come up with a couple of sharp arguments, and spread those arguments among the people. We can complain about how well or how poorly legislators defend the Constitution. However, ultimately, it is our job to defend the Constitution, and this is one of the greatest assaults the Constitution has ever been subjected to.
Do you care enough to help defend it?
It sickens me to hear people like Pat Robertson on McLaughlin group making these claims as if we know that the captured people are 100% guilty. We often don't really know that, as evidenced by the many, many people we have captured, held, then let go free. We are considered innocent until proven guilty in this country to protect the innocent -- and that is you and me -- from unfounded abuse. Give that up and you or your family could be next. All it would take is for one of those in custody we are "coercively interrogating" (read: Jack Bauer tactics) to name you or your family. Then you could be sitting right next to them.
There are laws that prevent some businesses from being open on Sundays??? I thought it was "christian" pandering by businesses. It is really annoying that so many businesses are closed Sundays and if the government is the reason why, then that is appalling.
I like the quote about "God doesn't do well in the free market."
Cooking the books to lead us into war with Iran now? Where have we seen this before...
Sunday, September 17, 2006
This is great. People tend to make decisions using the emotional, fear-driven parts of their brain. Even in the face of raw data about risks it is very hard for people to feel comfortable turning away from those hard-wired instincts for self-preservation and making decisions that conflict with those feelings. A look at this chart shows how irrational spending and decisions are in this country. And how trading security for a little perceived freedom is a bad tradeoff--especially when you are far more at risk from plenty of other factors. The incidence of government taking advantage of its citizenry is likely to be higher than terrorist attacks against America.
Unfortunately, politicians rely on the masses making poor choices on inaccurate or flawed data to keep them in power. Think about that when you vote this November. Those who want you to stay afraid are themselves afraid.
Saturday, September 16, 2006
Thursday, September 14, 2006
Researchers at Princeton, including Ed Felten, have been able to implant malicious code on Diebold touch screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.
The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?
I saw this first on The Daily Show. I can't believe this hasn't gotten more press despite the large percentage of the country who have been made to accept the opposite as true because of the lapdog press and liars in this administration.
the second 9/11 is the political prop — a mangled, grotesque doppelganger of the first one that has been whored out on the political street for over four years now. The second 9/11 is the source of policies that have made the world far worse, and have killed many times the number of people who died in the Towers. And so, what’s truly tragic about the second 9/11 is that it threatens to forever stain the legacy of the first 9/11
Indeed. How hard was it to find a radio/TV station that wasn't pushing 9/11 in your face? Who wants to hear another fearmongering speech by W? Not I.
Saturday, September 9, 2006
ABC and Disney, for starters, still plan to broadcast an account of the events leading up to the September 11, 2001, terrorist attacks that they know to be false.
This despite Disney's 2004 refusal to distribute Fahrenheit 9/11, which was highly critical of President Bush, even though it was produced by a Disney subsidiary, Miramax Films. Then-Disney CEO Michael Eisner explained that the company "did not want a film in the middle of the political process where we're such a nonpartisan company and our guests, that participate in all of our attractions, do not look for us to take sides."
Americans United Condemns House Committee Passage Of Bill Cutting Off Attorneys' Fees In Church-State Cases
Measure Is More Pandering To The Religious Right, Says AU's Lynn
Democrats have to take the house back in November.
Saturday, September 2, 2006
Sunday, August 13, 2006
Thursday, August 10, 2006
EPIC Alert 13.16
Open letter to DHS secretary Michael Chertoff
A good analysis of why the threat model for materials in checked luggage may be sufficiently different from that for carry-on, which would need to hold for the new security measures to make sense.
I'm not sure I agree with Bruce Schneier's assessment that, "Given how little we know of the extent of the plot, these don't seem like rediculous [sic] short-term measures." I don't agree with this because if it is too risky to bring these kinds of materials onboard today, then why would it ever be okay to allow them tomorrow? It's kind of like the precautionary disconnect from the Internet: "Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don't magically shrink just because you updated the antivirus package." It doesn't make much sense to occasionally stop trusting liquids/gels on airplanes. They are either a threat (someone can always masquerade a bomb as a benign liquid at any time and can always disguise a detonator as anything--imagine if terrorists used cellphones instead of keyfobs for a detonator--the public reaction to banning cellphones in carry-on would be huge) or they aren't. I agree that there is a heightened threat right now, but that threat has been and will be nonzero, so when will it be "safe" to allow them back on board and what criteria would determine this?
The other danger of taking such drastic measures is that the terrorists could be counting on that. Terrorists can just change tactics while the TSA is busy keeping someone's Frappuccino off the plane but allowing supposed breastmilk and liquid prescription drugs. As if the terrorists wouldn't have anticipated that loophole.
I wish I wasn't flying in a couple of days--not because I'm afraid of the possibility of a terrorist on board my plane, but because it's going to be a nightmare to go through security. And now I have to rethink everything I was planning to bring on board.
Tuesday, August 8, 2006
Great treatise on how the inability of people to reason properly (I called it Illogicacy here, after Innumeracy) leads them to make terrible mistakes that result in harm to others, often worse than the harms society feels hurt it most.
This blog is really, really excellent, BTW. It really makes you think. Sometimes you just think that you would never have come up with that, or could never have expressed it so logically and eloquently.
Tuesday, August 1, 2006
I'm going to need to get one of those cards and a bunch of drives to augment my data server with a terabyte of RAID-5 goodness. *yum*
A water desalination system using carbon nanotube-based membranes could significantly reduce the cost of purifying water from the ocean. The technology could potentially provide a solution to water shortages both in the United States, where populations are expected to soar in areas with few freshwater sources, and worldwide, where a lack of clean water is a major cause of disease.
Monday, July 31, 2006
“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.
Makes you wonder how secure those ATMs made by Diebold are (USBank uses them I know).
Saturday, July 29, 2006
You know, there was a time when I thought McCain was a straight-shooter. Now, he's no different than any other politician it seems. Will someone in politics ever be able to maintain rational, principled stands on something?? They are few and far between.
What a great idea.
Wednesday, July 26, 2006
Malicious banner ad exploits unpatched IE hole (there are many and more all the time). You have switched to Firefox, Opera, Konqueror or anything other than IE, right?
Just found out about an informal security group that meets in Seattle. I've often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I'm on the ISSA Puget Sound board). Where organizations don't meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I'll be able to attend these on Wednesdays.
Agora and ISSA are too formal. This is just a chance to hang out with local security professionals and get to know each other.
Monday, July 24, 2006
Sunday, July 23, 2006
Atheist Ethicist: The Stem Cell Veto
Independent Online Edition: Stephen Hawking to EU on Stem Cell Research
"Europe should not follow the reactionary lead of President Bush, who recently vetoed a bill passed by Congress and supported by a majority of the American people that would have allowed federal funding for stem cell research," he said in a statement to The Independent. "Stem cell research is the key to developing cures for degenerative conditions like Parkinson's and motor neurone disease from which I and many others suffer," he said.
And more idiot liars in the White House repeating the same non-reality-based crap:
Bolten Defends Rove’s False Claims on Stem Cells: Karl ‘Knows A Lot of Stuff’
Thursday, July 20, 2006
Here is why Bush's position is a joke: Thousands and thousands of embryos are destroyed every year in fertility clinics. They are created in petri dishes as part of fertility treatments like IVF; then they are discarded.
Exactly. It's half-assed ridiculous pandering to anti-science, life-regardless-of-the-quality-of-life religious zealots.
This made me wonder if the bible mentions anything about dinosaurs. If it doesn't, does that mean they never existed (for those inclined to believe that everything about the world can be derived from the bible)?
Tuesday, July 18, 2006
Sunday, July 9, 2006
That messy 2000 election was supposed to be the jolt America needed. After chronic flaws in the country's voting process became painfully public, an ambitious reform effort was supposed to make hanging chads and butterfly ballots relics of election nightmares gone by.
But nearly six years later, it hasn't turned out that way. In the state of Washington, the 2004 governor's election took more than six months to resolve--again before a court. And some liberal activists still believe that vote tampering and dirty tricks handed Ohio to the GOP, enabling President Bush to win re-election. Now, heading into the midterm congressional elections, despite the expenditure of billions of dollars, a litany of problems remains.
Also, several good links via SANS NewsBites Vol. 8 Num. 53:
--Study Finds Popular eVoting Machines Susceptible to Fraud
(27 June 2006)
A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November.
Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail.
[Editor's Note (Schultz): The fact that a verifiable paper trail is being proposed is in and of itself an extremely positive step forward as far as fairness in electronic voting goes.
(Pescatore): I think we are past the point where any rational person believes that most current voting machines are safe enough. The first generation of ATM machines weren't secure enough either - the real issue is making sure the current problems are bounded and managed, and that the next generation of voting machines make big leaps forward.
(HONAN): The Irish Commission on Electronic Voting recently published their report highlighting serious concerns with the software used in the electronic voting machines purchased by the Irish Government.]
This Site Rocks - FUNNY Videos & Pictures
Seed Magazine: on policy and social implications of science
FARK.com: (1837095) Pick the best photoshop image of 2005 used in a previous contest
Gone in 20 Minutes: using laptops to steal cars | Leftlane News - Car News For Enthusiasts
Backdoors for locksmiths in electronic lock systems being used by car thieves. Who would have guessed that could happen?
But, the SSL change can help in a couple of key ways:
- Rather than give customers 0 tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site and therefore make an informed decision.
- Rather than continuing to train users to "trust page contents" (i.e. the lock image and our feeble assurances in the "Why this is secure" page), we can retrain them to use reliable measures that are not as subject to spoofing.
That is not to say that SSL does not have its problems:
- Who made the trust decision to put the 50-100 CA certs in the browser? Why should the user trust those introducers? How do we know that those issuers won't screw up (like Equifax/GeoTrust did recently by issuing a domain-verified cert automatically that was very similar to a real bank: http://jordy.gundy.org/?p=49)
- The UI is horrible for security. The lock is too small, it is too easy for the "simon says" problem to bite you since you don't notice when it isn't there. Some changes, such as changing the browser toolbar color based on the encryption will help, but Firefox and IE7 use different color schemes for the same semantics...
- There are usability issues with the UI. Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts. That kind of annoy-user-into-submission security fails the psychological acceptability test and it doesn't work anyhow because you should generally protect the user where it counts, not warn and hope they do the right thing.
- The phishing problem is one of Identity Continuity. It's not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site. What you really should be protecting the users from is when a known relationship in the digital sense has a discontinuity. That signals a phishing attack. The analogy is SSH known_hosts. On the initial introduction, you choose to trust the server since the likelihood that you are being MITM attacked is infinitesimal. But, if you are MITM attacked, SSH will scream loudly and not let you connect. That is what the browsers should do, although clean up the UI a bit for the unwashed masses. The MITM issue is one of a discontinuity. So, SSL in the current sense solves the wrong problem because the browsers have no means of managing site continuity information. They should. Some schemes, such as trustbar and petnames, allow friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore if there is a problem. The user should actually be stopped from proceeding.
And so on. That's just off the top of my head.
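The SSH known_hosts analogy above, as an added example that is not part of the original post: a trust-on-first-use store of site certificate fingerprints that reports a change of identity as a discontinuity instead of silently accepting it. The host names and certificate bytes in the demo are constructed stand-ins, and the JSON persistence format is my assumption about how such a store would be kept.

```python
"""
Identity-continuity check modelled on SSH known_hosts (added example, not
from the original post). A trust-on-first-use (TOFU) store remembers the
certificate fingerprint last seen for each host; a later change is reported
as a discontinuity the caller should stop on, rather than silently accepted.
The host names and certificate bytes used below are constructed stand-ins.
"""
import hashlib
import hmac
import json
import ssl
from enum import Enum
from pathlib import Path
from typing import Optional


class Verdict(Enum):
    FIRST_SEEN = "first_seen"        # initial introduction: nothing to compare against
    CONTINUOUS = "continuous"        # same identity as last time
    DISCONTINUITY = "discontinuity"  # identity changed: possible MITM or phish, stop


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded (what SSH and browsers show)."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Network helper for real use (not called in the offline demo)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class KnownSites:
    """host -> fingerprint store, optionally persisted as JSON (an assumed format)."""

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.entries: dict[str, str] = {}
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2))

    def check(self, host: str, der_cert: bytes) -> Verdict:
        """Compare the presented certificate with what was recorded for host."""
        fp = fingerprint(der_cert)
        known = self.entries.get(host)
        if known is None:
            # First contact: record it, as ssh does when it adds to known_hosts.
            self.entries[host] = fp
            self._save()
            return Verdict.FIRST_SEEN
        if hmac.compare_digest(known, fp):
            return Verdict.CONTINUOUS
        # Do NOT overwrite the stored entry here; the user must decide.
        return Verdict.DISCONTINUITY

    def accept_new(self, host: str, der_cert: bytes) -> None:
        """Replace a stale entry after out-of-band verification (cf. ssh-keygen -R)."""
        self.entries[host] = fingerprint(der_cert)
        self._save()


def demo() -> list:
    """Walk through introduction, continuity, a changed identity and a lookalike host."""
    store = KnownSites()  # in-memory only
    bank, lookalike = "bank.example", "bank-example.test"  # constructed names
    cert_v1 = b"constructed DER bytes: bank cert v1"
    cert_v2 = b"constructed DER bytes: unexpected cert"
    return [
        store.check(bank, cert_v1),       # FIRST_SEEN: the introduction is trusted blindly
        store.check(bank, cert_v1),       # CONTINUOUS
        store.check(bank, cert_v2),       # DISCONTINUITY: this is what should stop the user
        store.check(bank, cert_v1),       # CONTINUOUS: the stored entry was not clobbered
        store.check(lookalike, cert_v2),  # FIRST_SEEN: a new site is not a continuity failure,
    ]                                     # which is why TOFU does not cover first contact


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.value)
```

The last verdict illustrates the post's point: a lookalike domain is a fresh introduction, so continuity tracking stops the MITM/discontinuity case but not the initial lure.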
This must be true because Robertson obviously is Higher-powered (as reported by my colleague Pete):
I don't know about you, but I almost missed this. Pat Robertson's amazing age-defying protein shakes have helped him to leg press 2,000 pounds!
If that doesn't sound impressive to you, note that it tops the all-time Florida State University leg press record by 665 lbs, set by a guy whose eye capillaries burst during the effort. http://www.sportsline.com/spin/story/9454343
legal or not, this sort of spying program probably isn't worth infringing our civil liberties for — because it's very unlikely that the type of information one can glean from it will help us win the war on terrorism.
Interesting mathematical analysis of how effective the NSA domestic call-tracking spy program could possibly be.
From: Andrew van der Stock [mailto:[email protected]]
Sent: Tuesday, June 20, 2006 4:43 AM
To: Webappsec ((((E-mail))))
Subject: Fwd: SF new article announcement: Ajax security basics
This was posted to SecurityFocus.com yesterday.
Their article is eerily similar to my Ajax presentation from February (particularly if you've seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.
If you haven't had a chance to read up on Ajax security, their article is a start... as is my presentation (http://www.greebo.net/?page_id=329) and the draft chapter in the OWASP Guide 3.0 current.
Begin forwarded message:
> > Ajax security basics
> > By Jaswinder S. Hayre, and Jayasankar Kelath
> > 2006-06-19
> > The purpose of this article is to introduce some of the security
> > implications with modern Ajax web technologies. Though Ajax
> > applications can be more difficult to test, security professionals
> > already have most of relevant approaches and tools needed.
> > http://www.securityfocus.com/infocus/1868
OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.
The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application
In 2005, OWASP collaborated with SANS to research and write a completely new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.
OWASP PHP Top 5
OWASP PHP Project
"The going rate for downloading songs from online music services like Apple's (AAPL) iTunes Music Store, MusicNet, Pressplay, and Rhapsody is about $1 a pop. Yet the economics of recorded music sales haven't changed much since the vinyl era -- despite the fact that digital files cost very little to produce and distribute. So how much of your buck makes its way back to the artists? Not much, though it's clearly a better deal than they get from piracy."
Drum-beating about the 9th circuit decision about "Under God" in the pledge:
AMERICAN ATHEISTS LEGAL UPDATE
Public prayer fanatics borrow page from enemy's script
The Bush administration has been dealt a setback in its campaign to
allow prayer in our public schools. The full 9th Circuit U.S. Court
of Appeals has voted 15-9 to back the 2-1 vote by its earlier panel
finding the Pledge of Allegiance unconstitutional because of the
words ''under God.''
How did your senator vote on the pledge legislation ("S. Res. 71 As Amended; A resolution expressing the support for the Pledge of Allegiance.")?
U.S. Senate: Legislation & Records Home > Votes > Roll Call Vote
The Sacramento Bee -- sacbee.com -- Diana Griego Erwin: Pledge debate recalls another tradition, another controversy The best quote is, "the Constitution wasn't written to uphold majority opinion." It was written to protect the minority from the tyranny of the majority.
The 9th Circuit seems to agree. Our Constitution protects the freedom of us all, Jew, Christian, atheist, Muslim, Buddhist or agnostic to pray or keep silent, worship or not, believe or disbelieve. Standing outside the classroom door to avoid participating is exclusionary, especially for children.
At my school in the 1960s, one student couldn't pledge allegiance to the flag because her family was Jehovah's Witness. Being children, we thought she was weird. She even seemed less American. She was just a little girl.
And finally, an article debunking the religious nut talking point that we are a "Christian nation". The Nation | Article | Our Godless Constitution | Brooke Allen
But what if the same secret technology, called global positioning satellite tracking, could track anyone at any time?
The Washington Supreme Court will decide soon whether police agencies throughout the state may use the device freely -- without a warrant. The Jackson case is the first in the state dealing with the issue.
Update: The court unanimously decided that a warrant is required:
OLYMPIA, WA - The American Civil Liberties Union of Washington today hailed a unanimous, first-in-the-nation ruling by the Washington Supreme Court that police must obtain a warrant in order to track an individual's movements with Global Positioning Systems (GPS). The ruling agrees with arguments the ACLU submitted in a friend-of-the-court brief in the case.
"The ACLU applauds the court's ruling in this landmark case. Tracking a person's movements by GPS is highly intrusive. It is the equivalent of placing an invisible police officer in the back seat of a person's car," said ACLU of Washington Privacy Project Director Doug Klunder, who wrote the ACLU's brief.
>I've been working on the issue of how to build secure public networks
>for about 7 years. I started out as a military analyst and I wanted to
>put the cyber terror/cyber war issue in a larger strategic context.
>About a year ago, I started looking for examples of cyber-terrorism,
>where hackers had shut down critical infrastuctures. I was surprised to
>discover that I couldn't find any, so I began to look more closely at
>the hypothetical scenarios involving cyber war. Most of them turned out
>to be implausible from a military or national security perspective.
>Hence the report.