Friday, December 15, 2006

Sunday, December 3, 2006

Saturday, December 2, 2006

Slashdot | First-Person Account of a Social Engineering Attack

Slashdot | Possible Serious Security Flaw In ATMs

TECH.BLORGE.com » Blog Archive » Definitive guide: Windows Vista and XP head to head

NIST blasts paperless electronic voting

The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable.  I'll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It's amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

Slashdot | NIST Condemns Paperless Electronic Voting

Dangerous plastic packaging

I've been wondering this and noting that more and more products are coming wrapped in this stuff.  I use a tchotchke that I got from Tripwire that has a tiny corner of a razor blade on it to open these packages, but even then, the cut plastic package is sharper than the razor.  I've cut myself on several occasions.  The unusual shapes of the packages don't make it very easy to cleanly open either.

Slashdot | Plastic Packages Cause Injuries, Revolt

Of course this happened in Florida

This might get the award for best article title too.

The Seattle Times: Nation & World: He was naked, on crack and in alligator's mouth
"A gator's got me," Apgar replied, his voice faint in the background.

Mayid's call shortly after 4 a.m. sent four Polk County, Fla., deputies racing to the 2,150-acre lake just outside Lakeland, Fla., where they jumped into the water and wrenched Apgar's arm from the gator's mouth. The 45-year-old victim, who told authorities he'd passed out nude on the shore after smoking crack cocaine, was rushed to a hospital in critical condition.

Later Wednesday, state wildlife authorities trapped and killed a nearly 12-foot-long alligator thought to be the one that attacked Apgar.

...

Sheriff's officials have said Apgar, 45, suffered a broken right arm. His left arm was nearly severed, and he had bites to his buttocks and leg. He underwent surgery Wednesday afternoon at Lakeland Regional Medical Center.


Sunday, November 26, 2006

Installing an uncrippled ffmpeg on Ubuntu

I'm trying this right now on Edgy Eft:

po-ru.com: Fixing ffmpeg on Ubuntu
It seems one can set DEB_BUILD_OPTIONS=risky to enable the missing codecs rather than editing debian/rules and building the package manually.  The environment variable has to be visible to the build, so it goes on the same command line as the compile step:

sudo apt-get build-dep ffmpeg
sudo apt-get install liblame-dev libfaad2-dev libfaac-dev libxvidcore4-dev checkinstall fakeroot
DEB_BUILD_OPTIONS=risky fakeroot apt-get source ffmpeg --compile
sudo dpkg -i ffmpeg-blah.deb

The last step installs the .deb that the compile step drops in the current directory (dpkg -i takes a .deb package, not a .dpkg file).


Friday, November 24, 2006

CIA Kryptos Sculpture Has a Typo

It's not really a typo.  The sculptor intentionally left out an X separator for aesthetics.  The omission was meant to produce gibberish when decrypted, which would clue the decryptors in to reinsert a separator and try again, except that it ended up spelling something intelligible instead of garbage, so they thought they had decrypted it properly!
A Break for Code Breakers on a C.I.A. Mystery - New York Times
For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.


Upgrade IE ASAP

A study from a year ago but just as valid today.  Actually, over the past year, IE got much worse.  There were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks.  It is being pushed out by Windows Update (or Microsoft Update).  You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!

Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7.  So, it will force Windows 2000 users to upgrade to XP first.  That is probably also a good thing for security though.

Schneier on Security: Internet Explorer Sucks


Washington State exercising new Anti-Spyware law

Rob McKenna is a good friend of the Security community here in Washington. Go get 'em!

 --Washington AG Alleges Spyware Act Violations
(16 & 14 August 2006)
Washington State Attorney General Rob McKenna has filed a lawsuit against Movieland.com parent company Digital Enterprises alleging violations of the state's Computer Spyware and Consumer Protection Acts.

People sign up for a free, three-day trial of the company's software that allows them to download movie clips.  After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent.

The pop-ups, which appear hourly or even more frequently, read "Click 'Continue' to purchase your license and stop these reminders."  The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.

http://www.theregister.co.uk/2006/08/16/washington_movie_spyware_lawsuit/print.html
http://www.networkworld.com/news/2006/081406-washington-sues-movie-download-service.html




Department of Homeland Pork

Get this:  The list of top terrorist targets from the Department of Homeland Security is seriously braindead.  It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory: 3,650 sites total.  What's going on?  Pork-barrel politics is what's going on.  We're never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn't even try to hide the pork-barreling: the inclusions and omissions are clear and blatant.  Oy.  I reluctantly file this in the security category...

The Seattle Times: Local News: Dept. of Homeland Lunacy
When it comes to homeland security, I give up.

I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.

But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.


How to break a common Master combination lock

Here's a description of how to open a common Master brand lock in about 10 minutes.  The design makes the 40^3 possible combinations collapse to 121.  It's a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock that I forgot the combo to that this will definitely come in handy for...if I can only find the lock...


Airport Security Oversights from The Onion

This was the most troubling one:

Airport Security Oversights | The Onion - America's Finest News Source
Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity


Encrypted Government Announcements


U.S. Cryptographers: 'FrpX-K5jE-Oc4n-e5Dn' | The Onion - America's Finest News Source
WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.


Fashion Advice for Geeks

So, there happen to be these unwritten rules of style that change all the time that nobody seems to tell you about and it's hard to ask and for many, harder to know you should ask. And there are people in the work world that do judge you by your appearance, for better or worse, consciously and unconsciously.  Here is some advice that I have culled from significant others, from experience and observation in the workplace, from the advice in Esquire, and even from What Not to Wear on TLC.
  • No pleated pants. Get rid of your pleated pants in favor of flat-front pants. Flat-front pants are simpler, more modern looking, make you look slimmer, and not like an old man.
  • Clothes should look new and fresh. If your sweaters are pilled and your pants have wallet or knee wear marks, or the cuffs are frayed, it's time to get some new clothes. Buy something new and donate the old.
  • Get pants with the proper length. If you don't know your length, get measured or fitted in a store sometime. Your pants should "break" at the ankle and continue down slightly over your shoe. If you can see your socks when standing, your pants are too short!
  • Appropriate sock color. White socks are generally not going to work with any business casual attire, unless it is Miami Vice white suit day, but even then you probably would be better going without socks...but I digress. The general rule with socks is they should not be noticeable! If your socks stand out, they are wrong for your outfit. I mostly wear neutral socks that match my pants to not draw attention to them. If you are wearing athletic socks with slacks you need to go to Costco and get some Gold Toe dress socks and save the Nike socks for the gym.
  • Your shoes tell all. They say you can tell a man by his shoes--they make or break an outfit. You can be totally put together elsewhere but if your shoes are crap, it's game over.  What do your shoes say about you? Are they tired, scuffed, worn and dirty or new, sleek, stylish and shiny? It sucks but you really should have several pairs of shoes so that you can rotate them. Avoid wearing one pair day-in and day-out so that they will last longer and look fresh when you do wear them. I've even bought two of the same less expensive pairs of shoes that I liked to keep them looking nicer longer.  Oh, and invest in a shoe brush and some instant shine pads.  Esquire recommends using black polish--even with brown shoes.
  • Wear the right size shirt. This is another one of those things you're never taught: how to know you have the right size shirt. Here's the best way to know: where the sleeves attach to the main body of the shirt, it makes a line. That line should roughly be even with the very edge of your shoulder. More than a 1/4 inch past that and your shirt is probably too big. I often see this with people who wear golf shirts (even PGA pros are bad offenders; Tiger Woods does it right though). Another way to tell if your short-sleeve shirt is too big is if your sleeves extend far past your elbow. They should probably end short of your elbow if it is sized correctly. Having the right size shirt means a sharper, put-together look. Oversized shirts tend to look sloppy or overly casual.
  • Dress for the position you want, not the one you have. Hey, I've been there where I loved being able to wear jeans and a T-shirt because, hey, nobody sees me in the server room. But, if you have higher aspirations or if you interface with business folks who tend to dress nicer than you, then your clothes can be a distraction from you and your message. If anything, your clothes should be neutral or enhance your message. Beware of some managers who get nervous if their underlings dress nicer than they do, but that isn't really your problem--it's theirs for not dressing to their level in the organization!
  • Skip ironing -- use the cleaners! Nothing says sloppy like a button-down shirt that has not been ironed or is poorly ironed. The difference I found with people who truly look sharp is not just tailoring but well-maintained clothing. It is so cheap to have someone else iron your shirts, and it looks 1000 times better than if you try to do it, that it is well worth the investment. And you can usually get a couple of wears out of each shirt before it needs to be sent back for cleaning and ironing. I pay $0.99 / shirt. If you have nice pants, you can usually get away with ironing them yourself, but professional pressing also looks a lot better and holds longer than home ironing.


RFIDIOts mandating insecure RFID passports

Nice proof of concept code that can read passport data was posted to BUGTRAQ. The "key" is derived from data printed on the passport itself, so you can remotely decrypt someone's data only if you know this information, or can brute-force it, since it is a small keyspace:

  • the passport number
  • the date of birth of the holder
  • the expiry date of the passport

The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.
Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you're a Canadian in foreign countries?

Also see this news story.
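To make the "small keyspace" point concrete, here is an added example (my own code, not from the RFIDIOt library, the BUGTRAQ post, or the linked story) that does the first thing mrpkey.py's key exchange has to do: derive the Basic Access Control keys from the three MRZ fields as ICAO 9303 specifies (MRZ check digits, SHA-1 of the MRZ information, two parity-adjusted 3DES keys), and then estimate how many bits an attacker actually has to guess. The sample MRZ values are modelled on the ICAO 9303 worked example and are not from any real passport; the keyspace figures (a nine-digit document number, date of birth and expiry known to the day) are assumptions for illustration.

```python
import hashlib
import math

MRZ_WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count at face value, A-Z map to 10..35,
    the filler '<' is 0; weights 7,3,1 repeat across the field, result mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * MRZ_WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character string BAC hashes: each field followed by its check digit.
    Document numbers shorter than 9 characters are padded with '<'."""
    doc = doc_number.ljust(9, "<")
    return "".join(f + str(mrz_check_digit(f)) for f in (doc, dob_yymmdd, expiry_yymmdd))


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES key convention): the low bit is set
    so that each byte ends up with an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        ones_in_high_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_high_bits % 2 else 1))
    return bytes(out)


def derive_3des_key(k_seed: bytes, counter: int) -> bytes:
    """9303 key derivation: SHA-1(Kseed || 32-bit counter), first 16 bytes,
    parity-adjusted; counter 1 gives the encryption key, counter 2 the MAC key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str):
    """Return (K_enc, K_mac): the two-key 3DES keys that an inspection system,
    or anyone else who knows the three MRZ fields, derives before talking to the chip."""
    info = mrz_information(doc_number, dob_yymmdd, expiry_yymmdd)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive_3des_key(k_seed, 1), derive_3des_key(k_seed, 2)


def bac_keyspace_bits(doc_number_choices: int, dob_choices: int, expiry_choices: int) -> float:
    """Effective entropy of the BAC secret given how many values each field can
    take from the attacker's point of view (uncertainty, not field width)."""
    return math.log2(doc_number_choices * dob_choices * expiry_choices)


if __name__ == "__main__":
    # Sample MRZ values (document number, date of birth, expiry) modelled on the
    # ICAO 9303 worked example; not data from any real passport.
    k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("K_enc", k_enc.hex(), "K_mac", k_mac.hex())
    # Assumed attacker knowledge: nine-digit number unknown, DOB and expiry known to the day.
    print("bits left to brute-force:", round(bac_keyspace_bits(10**9, 1, 1)))
```

The derivation is entirely deterministic from printed data, which is the whole problem: with the date of birth known and the expiry bounded (a US adult passport expires ten years after issue), all that is left is the document number, and numbers handed out in sequence cut that well below the 30 bits the function reports for a uniformly random nine-digit number.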


Patents are bad for society

James A. Donald had a great rant to the Anti-Fraud mailing list about how patents just don't work, at least for their intended purpose of furthering public knowledge.

The theoretical justification for patents has seldom worked in practice.
Most patents are flagrantly bogus, always have been. Of the few
legitimate patents, the vast majority merely obstruct the development
and application of the technology, without in fact making money for the
inventor. The normal outcome of patenting a genuine innovation is that
people construct second rate workarounds, as Microsoft just did. The
destructive effect of patents is merely most visible in those fields
that are advancing most rapidly - cryptography being such a field.
These are the fatal flaws of patents--that they are often used these days to stifle competition or to patent ludicrous things like 1-click shopping or automatically launching active content in a webpage.  The whole system needs to be revamped.



Competitive information for Picking an Antivirus solution


This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks.  They also show the data from the previous year.

I personally recommend F-Secure's product.  The base product gives you everything you need for anti-spyware and malware and is inexpensive.  It is not a huge fat pig like some of the products out there (McAfee...).  I've heard from others who enjoy Kaspersky as well, so either of those would be good choices, and they happen to both top this list.

I also personally got rid of McAfee products after a multitude of issues:

1. The product is seriously bloated and the Security Center product seems geared more toward selling other products by McAfee than providing normal users with value.
2. Many of the products in the suite are not well integrated.  They often had their own installers and were a real pain to uninstall.
3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous.  My wife forgot her password to their site so she used their "forgot my password" feature.  Guess what?  They emailed her, not a new random password, but her _actual password_.  This from a security company!  They either store passwords without encryption or store them with reversible encryption--both of which are seriously bad ideas and McAfee should know better.
5. Their suite product line is very expensive and the price seems to go up every year.  They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec's, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows.  The cure is worse than the disease?

Ranking Response Times for Anti-Virus Programs - Security Fix
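Item 4 is the one any web developer can act on.  The fix is to store only a salted, stretched hash of the password and to make "forgot my password" work without ever recovering the password.  What that looks like, as an added example (my own code, not McAfee's, and not from the linked article), with an in-memory user table standing in for the database and the caller responsible for e-mailing the token:

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # current OWASP figure for PBKDF2-HMAC-SHA256

# Constructed in-memory user table standing in for a database. Records hold a
# salted, stretched hash of the password, never the password itself.
USERS = {}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def register(username, password, iterations=PBKDF2_ITERATIONS):
    USERS[username] = {"pw": hash_password(password, iterations=iterations), "reset": None}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which usernames exist.
        hash_password(password, salt=b"\0" * 16)
        return False
    stored = record["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored["salt"], stored["iterations"])
    # Constant-time comparison; a plain == would leak how many bytes matched.
    return hmac.compare_digest(candidate, stored["hash"])


def issue_reset_token(username, now, ttl_seconds=900):
    """'Forgot my password' without knowing the password: mint a random,
    short-lived, single-use token and store only its hash. The caller sends
    the returned token to the account's verified e-mail address."""
    if username not in USERS:
        return None   # the HTTP response should still read "if that account exists, mail was sent"
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {
        "hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": now + ttl_seconds,
    }
    return token


def redeem_reset_token(username, token, new_password, now, iterations=PBKDF2_ITERATIONS):
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    record["reset"] = None   # single use: consumed whether or not it matches
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if now >= pending["expires"] or not hmac.compare_digest(presented, pending["hash"]):
        return False
    record["pw"] = hash_password(new_password, iterations=iterations)
    return True
```

Nothing in USERS can be turned back into a password: a compromised table costs the attacker a PBKDF2 guess per candidate per user, and a stolen reset record is useless because only the token's hash is stored and it dies after one attempt or fifteen minutes.  A site that can e-mail you your old password has skipped all of this.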

Four Challenges for Computer Security Research

I would add a 5th item:

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard.  That's why you see so many tools and vendors hawking tools but not as much work.  I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure.  That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far.  It's an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures.  It's a lot easier and sexier to say you hacked a wireless network.  We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network because your security is not so brittle as to lose sleep over it.  Where are those reusable models made open source?

As for item #3, I don't think that I believe that there can be "quantitative" security risk management.  The biggest problem is that there is not enough good data to base future risk upon (try this:  how do you quantify risk of brand damage due to event X?). 

Item #4 is very important and speaks to ensuring security systems are usable.

CRA (Computing Research Association) Grand Research Challenges

Four Grand Challenges in Trustworthy Computing:
1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.


Security Usability: Not much progress since 1883 or 1975

This is a great article by Peter Gutmann and Ian Grigg on security usability that lists the six principles for a secure communications system put down by Auguste Kerckhoffs ca. 1883.  Even he understood the need for usability back then:

Given the circumstances that command its application, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Psychological Acceptability has been defined as a critical aspect of secure systems for over 30 years by Saltzer and Schroeder (1975): The Protection of Information in Computer Systems

It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.


DMCA still stands, but now with some exemptions

It's still a shitty law though.  Something else I will happily ignore to avoid my fair use rights being infringed.  Again, how could I watch DVDs (legally rented/owned) on my Linux box without doing so?

Boing Boing: Copyright Office creates 6 DMCA exemptions
the office refused to grant exemptions that would benefit the general public -- space- and format-shifting, backing up your DVDs -- and they took back an earlier exemption that let people reverse-engineer the blacklists maintained by censorware companies to bring some transparency to their process.


YouTube shutting down ability to download videos from YouTube

Hey, I'm on a Linux computer and because they insist on requiring Flash to play the videos, the only way I can view them is to download them and watch them with Xine. I plan on violating their terms of service...to continue to access their service...

Lawrence Lessig: When Web 2.0 meets Lawyers 1.0

Blog popularity inversely proportional to amount of "linking"

Summary:  people link to bloggers that provide more original content than who just provide links to other places that do so.

Funny because I was just thinking about this regarding this blog.  I think it's cool when people enjoy what I provide on this blog, but I really don't care if people read it or not.  This is where I keep track of stories and topics that interest me, instead of saved emails or bookmarks that I never look at again.  I can always go back and find what I found interesting and what I wrote about it.  Pretty cool in my book.

My blog doesn't really have many that link to it and probably the fact that I post many links without a lot of commentary a lot of the time is a good reason why.  But I disagree that nobody links to linkers.  I personally like blogs because they act as filters or lenses that focus news and interesting content.  There are tons of blogs but I like the ones whose mix of topics coincides most with what I'm interested in.  Even if they just link to other places, that's fine with me.  It's the filtering service that is the value-add, not necessarily original content.

That said, I have anecdotal evidence that my blog only gets noticed when I post original content.  My recent entry about SOA security is a perfect example.  I also was thinking about how I like the SANS newsbites because they actually summarize the stories they link to, not just provide links (on a related note, the links in Crypto-Gram require me to go read every story that sounds interesting so I generally read fewer of them).

No-one links to the linkers at Andrew Garrett’s Mutation

Richard Dawkins Mania in Silicon Valley

I was bummed that he didn't come to Seattle on his tour, but I'll enjoy listening to the mp3 of his appearance in Silicon Valley.

Who Has Time For This?: Silicon Valley Loves Richard Dawkins

Verizon settles class-action suit about deceptive practices regarding crippled phones

This is great news.  They did the same with other phones, including the e815 that I have.  Fortunately, there are ways around this to re-enable the crippled features, but they are out of reach to most consumers.  I had to buy a data cable and software on eBay to uncripple my phone.

[infowarrior] - Verizon Slapped for Crippling Bluetooth
Verizon has been getting weasely with some of its customers in California who bought its Motorola v710 Bluetooth-"capable" phone on or before January 31, 2005. Preliminary approval of the settlement was granted in a California court for a class-action suit against the company because it didn't accurately tell prospective customers that its Bluetooth features weren't what they appeared to be. Verizon said the phone "works with a PC" but left out that part about how you can't wirelessly sync photos or contacts or any other files using Bluetooth.


Ballot Design, not DRE issues at play in FL undervote anomalies?

It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording them.  But user interface designs can certainly be abused maliciously, or likely unintentionally, to create these situations.  How ironic is it that the DREs that were touted to Help America Vote are actually helping them to undervote, due to poor design/implementation of the ballots?

Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system.  Recall Why Can't Johnny Encrypt?  A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can't Encrypt:  Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure  and unintended actions by the user.  The infamous Butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections so this is not a new issue to software or to voting by far.

This is a perfect example though of how using DREs to generate human-and-machine-readable receipts (voter verifiable) could allow voters to detect their undervotes before they drop them into the ballot box.  There could even be very blatant warnings to the user on the receipt and on the screen that they didn't vote in X of the races to help prevent unintentional undervotes.  Did these companies do any focus group testing of DREs?

FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime
...Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design...


Wednesday, November 22, 2006

Scans from 1962 Fallout Shelter Handbook

The Ward-O-Matic: Fallout Shelter Handbook 1962

I've been working on emergency preparedness for my neighborhood lately so this is very apropos.

BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don't forget supplies for your pets too!

Apostrophe abuse is cruel

Boing Boing: Atrocious apostrophe's and "quotation" "mark" "abuse" photo galleries

Two Flickr galleries dedicated to photo's of apostrophe and quotation mark abuse. I can't believe my previous post on Common writing mistakes didn't touch on this pet peeve of mine.



2006 Gift Card Landscape

Good news about gift cards.  I was just thinking the other day about these practices and it looks like, just in time for the holiday season, you can find out which ones have done away with those pesky expiration dates (are you listening Amazon?) and fees.

And a hint for the upcoming holiday:  Gift cards make great gifts...

2006 Gift Card Study (Page 1 of 4)
If you want a gift card you can use anywhere, you'll pay for the privilege, while gift cards from individual retailers are less costly and sprouting more options.

Those are the major findings of the third annual Bankrate.com Gift Card Study.

Retail store gift cards continue to be a consumer-friendly credit product, with fees and expiration dates the exception rather than the rule. The retailers can make a profit from the merchandise users buy.

Gift cards from the major credit card issuers, though, still carry an assortment of fees. All continue to charge monthly "maintenance" or "dormancy" fees, ranging from $2 per month to $3, if the gift card isn't used within a certain period of time. All but American Express have expiration dates.

Bankrate surveyed the top 25 retailers, as identified by the National Retail Federation, about the costs, terms and conditions of the gift cards they offer, both plastic and electronic. We also surveyed the four largest credit card companies: American Express, Discover Card, MasterCard and Visa.


The Official God FAQ

There is only one question and the answer is not 42.

The Official God FAQ

Monday, November 20, 2006

On the performance of SSL vs. WS-Security

I've been meaning to rant about this for a while.

I'm sick and tired of hearing about the false dichotomy of WS-Security versus SSL and why its performance is somehow going to be so much better than SSL transport encryption of SOAP-based web services.  Pundits often point out that SSL has to encrypt the _whole payload_ while WS-Security can be used to digitally sign and/or encrypt only those attributes that absolutely need encrypting or signing.

This kind of reasoning is preposterous and is nowhere near being based on any facts or data, yet these talking points are ever-popular with the "SOA: the Armageddon is near" or WS-NotJustForBreakfastAnymore crowd.

For these people, I have one simple question for you about the assertion that WS-Security is always going to perform better in software than simply using SSL intelligently for the entire transport:

How is it that you can claim that WS-Security digital signature or encryption (with one _or more_ asymmetric plus one _or more_ symmetric crypto operations per request, PLUS base64 encoding bloating the request, PLUS extra SOAP XML tag hierarchies wrapping the encrypted/signed data section that need to be transferred over the network) is going to be faster in general than SSL (with one asymmetric crypto operation at session initiation, and thereafter one symmetric crypto operation per record)?

It has often been vendors of XML firewalls and Microsoft web services evangelists that are the worst offenders.  I'd love to hear some answers you get to this question.  I haven't gotten a sensible one yet.

Asymmetric crypto operations are roughly 1000 times slower than symmetric crypto operations.  I would love to see actual hard data based on a valid underlying test scenario proving that WS-Security is faster than SSL even in the face of this reality.  But nobody who makes these claims has it and I can't see it just based on the orders of magnitude difference between the computing time required for the crypto.  That is even before you factor in the additional latency for transmitting the extra bytes for the WS-Security payload and the extra parsing time and the likely need to have to encrypt and decrypt multiple separate data elements individually.

Yes, in the purported SOAP-router kind of network where SOAP is treated as if it were a wire-level protocol there are problems with SSL since it is not end-to-end, but that is a red herring when we are debunking the claims of enhanced performance.  Stop changing the subject!  There can be a place for WS-Security in some advanced SOA scenarios, but strictly on performance, I can't see there being any comparison.  And most people aren't implementing anything like the SOAP architects envisioned anyway (but don't let that stop the vendors from beating that drum).  Most people are still using SOAP for point-to-point services which often replace other wire-transports or technologies (e.g. DCOM, CORBA, proprietary XML services, etc.)

Performance issues with SSL generally have nothing to do with the fact that you are encrypting an entire payload instead of just subsets of the data.  For the small messages that typical SOAP calls are, bulk encryption costs a few cycles per byte, which is negligible per request.  I can say from lots of experience with lots of development teams that at least 90% of the performance problems with SSL in general are due to seriously flawed implementations.  The other 10% is generally actual performance impact because the systems on which it is running are vastly undersized, because the system was not designed to be secure (but rather designed on the assumption or hope that they wouldn't have to size it to handle the required security).

If you implement SSL to intelligently reduce the asymmetric crypto operations to the absolute minimum by pooling connections, keeping them open and using keepalives, then you are barely going to notice its impact, especially on properly sized hardware or if you use hardware crypto accelerators.  But if it is done incorrectly, or not accounted for in sizing, SSL will remain the whipping boy of many an environment.

Oh, and I have data showing how SSL can actually _speed up_ connections under certain conditions. 
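To put numbers on the argument above, here is a cost model, added as an example rather than taken from the post's data: it counts asymmetric and symmetric work for SSL with and without connection reuse against WS-Security signing and encrypting every message. The cost units, block size, handshake op counts, per-element key wrapping and the 10,000-request workload are all constructed assumptions; the 1000x ratio is the post's rough figure.

```python
"""Cost model for the SSL-vs-WS-Security argument above.

Added example; not measurements from the post. Cost units are constructed:
one 16-byte symmetric block operation (or hashing one block) costs 1 unit,
and one asymmetric (RSA-style) operation costs ASYM_FACTOR units, taken
from the post's rough "1000 times slower" figure.
"""
from dataclasses import dataclass
from math import ceil

ASYM_FACTOR = 1000   # asymmetric op ~1000x a symmetric block op (post's figure)
BLOCK = 16           # bytes per symmetric block (AES-sized; assumption)


def sym_units(nbytes: int) -> int:
    """Symmetric work for nbytes: one unit per block, padded up to a whole block."""
    return ceil(nbytes / BLOCK)


@dataclass(frozen=True)
class Workload:
    requests: int    # number of SOAP request/response exchanges
    msg_bytes: int   # application payload bytes per exchange


def ssl_cost(w: Workload, requests_per_connection: int,
             resumed_fraction: float = 0.0) -> dict:
    """SSL/TLS: asymmetric work happens only at connection setup.

    A full handshake is modelled as 2 asymmetric ops (key exchange plus
    certificate/signature verification); a resumed (abbreviated) handshake as
    none. Pooling, pinning and keepalives raise requests_per_connection, which
    is the only lever that shrinks the asymmetric term.
    """
    connections = ceil(w.requests / requests_per_connection)
    full_handshakes = round(connections * (1.0 - resumed_fraction))
    asym = 2 * full_handshakes * ASYM_FACTOR
    sym = w.requests * sym_units(w.msg_bytes)   # whole payload, one stream
    return {"asym": asym, "sym": sym, "total": asym + sym}


def ws_security_cost(w: Workload, encrypted_elements: int,
                     header_bytes: int) -> dict:
    """WS-Security: each message carries its own signature and wrapped keys.

    Per message: sign + verify (2 asymmetric ops) and, for each separately
    encrypted element, a key wrap + unwrap (2 more). Each element is encrypted
    and padded on its own, and the signature digest covers the envelope plus
    the security header, so the extra bytes are charged at block rate.
    """
    per_msg_asym = 2 + 2 * encrypted_elements
    asym = w.requests * per_msg_asym * ASYM_FACTOR
    element_bytes = ceil(w.msg_bytes / max(encrypted_elements, 1))
    sym = w.requests * encrypted_elements * sym_units(element_bytes)
    digest = w.requests * sym_units(w.msg_bytes + header_bytes)
    return {"asym": asym, "sym": sym + digest, "total": asym + sym + digest}


def compare(w: Workload, requests_per_connection: int,
            encrypted_elements: int, header_bytes: int) -> float:
    """Ratio of WS-Security cost to pooled-SSL cost for the same workload."""
    ssl = ssl_cost(w, requests_per_connection)["total"]
    ws = ws_security_cost(w, encrypted_elements, header_bytes)["total"]
    return ws / ssl


if __name__ == "__main__":
    # Constructed workload: 10,000 small SOAP exchanges of 2,000 bytes each.
    w = Workload(requests=10_000, msg_bytes=2_000)
    naive = ssl_cost(w, requests_per_connection=1)        # handshake per request
    pooled = ssl_cost(w, requests_per_connection=100)     # keepalive, pooled
    wss = ws_security_cost(w, encrypted_elements=3, header_bytes=1_500)
    for name, c in (("SSL, no reuse", naive), ("SSL, pooled", pooled),
                    ("WS-Security", wss)):
        print(f"{name:14s} asym={c['asym']:>12,} sym={c['sym']:>12,} "
              f"total={c['total']:>12,}")
    print(f"WS-Security / pooled SSL = {compare(w, 100, 3, 1_500):.1f}x")
```

Under these assumptions the symmetric term is roughly the same in every case; what separates the columns is how often the asymmetric work repeats, which is once per connection for SSL and once per message (and per encrypted element) for WS-Security.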


Some Good News on the McCain Front: Attacking NOAA for delays in global warming report

Ugh.

TPMmuckraker November 17, 2006 01:35 PM
"You know," McCain said a few moments later, "you are really one of the more astonishing witnesses that I have [faced] -- in the 19 years I've been a member of this [Senate Commerce, Science and Transportation] Committee."

Lautenberger explained that his staff was working on "pieces" of the report, and conceded the November 2004 deadline had been a "difficult requirement to meet."


More McCain flip-floppery: Now on abortion



Think Progress: McCain Flip-Flops, Supports Immediate Reversal of Roe v. Wade

Great moments in sarcasm



Eschaton
In the early 1990s I built a workable time machine. All it lacked was the flux capacitor and 1.21 gigawatts of electricity.


Club Heaven

75% of Americans think they'll get into Heaven?  They must be Evangelicals whose sole criterion is "belief" and not "good deeds"...  At least I'll have lots of friends in hell.

ABC News: Poll: Elbow Room No Problem in Heaven
Who gets in is another matter. Among people who believe in heaven, one in four thinks access is limited to Christians. More than a third of Protestants feel that way, and this view peaks at 55 percent among Protestants who describe themselves as very religious.


Saturday, November 18, 2006

Another McCain flip-flop

Crooks and Liars: St. McCain's look of desperation

McCain once had words of praise for Senator Kerry, but he played the repugnican party line during the election and trashed him for his botched joke--acting as if he really believed Kerry, a decorated veteran, was actually disparaging the troops and not Bush.  Politics is disgusting.  McCain should take what Olbermann said about Rove and Bush to heart:

Crooks and Liars: Olbermann’s Special Comment : There is no line this President has not crossed — nor will not cross — to keep one political party, in power.

Mr. Bush and his minions responded [to Kerry's gaffe], by appearing to be too stupid to realize that they had been called stupid.



Searing Discount of Lieberman Win

The Insignificance of Lieberman - TalkLeft: The Politics Of Crime

What Big Tent Democrat says.




Bank of America jails a customer; causes backlash > $50 million

The This is Broken blog is a pretty cool idea too.  There are so many processes, instructions, websites, etc. that just don't work quite right.  They get posted to this blog!

This Is Broken - Bank of America jailing a customer
Matthew Shinnick dropped by a Bank of America branch in San Francisco to make sure a check he was about to deposit wasn't fraudulent. The teller found that the check was fraudulent and told the manager, who then had Shinnick thrown in jail. Are you getting this right? The customer who wanted to make sure he wasn't about to draw on a fraudulent check, got thrown in jail by Bank of America.
In response, customers have withdrawn or removed at least $50 million (at last count) from B of A in protest.  See also Clark Howard's site, who gave this lots of attention in California on his radio show.





Monday, November 6, 2006

Bad Monday

I had one of the worst Mondays in a while.

I was not feeling well but went to work anyway (I thought of resting up one more day and probably should have stayed in bed).

It was the first day back to work after being sick with fever for 3 days.

On my way to the bus stop, after only a 1/2 block from my house, my pants and shoes were soaked through. The rain and wind have been insufferable this fall!
I reluctantly went back home frustrated and not knowing if there was a way to possibly get to work but not be soaking wet all day. I decided the strategy would be sacrificial clothing. I geared up in my Costa Rica Rain forest gear (all drip-dry) and packed a new dry outfit to change into at work, including new shoes.

Well, the sack that I put my shoes in got a hole worn in it on the way to and from the bus. One shoe fell out on the sidewalk coming into my work building. Fortunately, someone saw it right away and alerted me.

When I went to put my shoes on, one shoe had its laces worn in half from dragging behind my wheeled laptop bag.

Turns out my laptop bag was not waterproof so my dry pants got wet.

Turns out my brand new building in downtown Seattle has no hand dryers in the new bathrooms! So, I couldn't quickly dry my new pants.

So, I was stuck with wearing my rain pants while I waited for my others to dry out.

But those pants were still damp enough that they got my chair wet. So I had to switch chairs for the day after putting my dry pants on to avoid getting those wet again.

Ugh.

Antennaweb - TV and HDTV

AntennaWeb



Seattle HDTV antenna map mashup

HDTV Magazine - Broadcast HDTV Market : Seattle-Tacoma



Thursday, November 2, 2006

Bush & Reichert get Issaquah Bus Driver Fired

The Royal Fingerer Can Dish it Out But Can't Take it

Bus driver allegedly flips off Bush so Bush and Reichert complain and the bus driver gets fired. Where is the compassion in that conservative again?

Monday, October 30, 2006

Good info on Compact Fluorescent lamps

Plus recommendations on where to, and where not to, use them, based on the best use of the technology for the money without excessive wear on the lamps.

What C.F. Lamps to Use Where

More Constitution Shredding by Bush Administration


Boing Boing: Bush legalizes martial law -- what Constitution?

Foxtrot comic on electronic voting machines: "scary"

Welcome to goComics Web Site featuring FoxTrot - Online Comics, Editorial Cartoons, Email Comics, Political Cartoons

10-29-2006 Sunday comic in case the link breaks in the future.


Congressman Oops results in legal and civil liberties violation of student

Something tells me that the government has too much power...

Boing Boing: Congressman on Boarding Pass Generator guy: Uh... oops?
Last Friday, Rep. Edward Markey (D-MA) called for the arrest of Christopher Soghoian, and the takedown of his "Boarding Pass Generator" website which illustrated an airline security hole documented on the web for several years. Hours after the congressman's statement, Soghoian says FBI agents visited his home, then returned a second time after he'd left -- in the middle of the night -- with a search warrant signed at 2AM, and seized Soghoian's computer(s) and other belongings.

Now, several days too late, Markey issues another pronouncement which backtracks on his earlier statement. It's 250 words, but they boil down to one: "oops."


Speed traps suck

Oh, you should boycott Newhalem, WA for the same reason.  I'll blog about that story someday.

saablog :: Stupid Utah. Stupid rental cars. - The rest of the story

Global Warming Report: Pay now or pay lots more later

Financial and ecological consequences of delaying the inevitable, though.

Think Progress » GLOBAL WARMING REPORT: Right-Wing Fiction vs. Economic Reality

More sad news in the war on science and reason


Think Progress » Senior Bush Appointee Rejected Scientists’ Recommendations In Favor Of Industry Positions

Julie MacDonald, Deputy Assistant Secretary for Fish and Wildlife and Parks, has consistently "rejected staff scientists' recommendations to protect imperiled animals and plants under the Endangered Species Act." A civil engineer with no training in biology, she has overruled and disparaged the findings of her staff, instead relying on the recommendations of political and industry groups.


Some Media outlets "forgetting" McCain's reversals

Especially heinous I think is the recent legislation McCain helped to broker that suspended habeas corpus for "enemy combatants", and allows torture, among other dreadful things.  I used to like McCain, but now he's pimped himself out for too many political purposes I think.

Media Matters - Despite McCain's many hedges, Borger asserted that "[n]o one would accuse McCain of equivocating on anything"
In her latest column, posted online on October 29 and that will appear in the November 6 edition of U.S. News & World Report, U.S. News contributing editor and CBS News national political correspondent Gloria Borger asserted that "[n]o one would accuse [Sen. John] McCain [R-AZ] of equivocating on anything." Writing about the prospect of Sen. Barack Obama's (D-IL) running for president in 2008, Borger contrasted him with McCain, asserting that Obama's "penchant for wishy-washy is well documented." Yet as Media Matters for America has repeatedly noted, despite an abundance of well-documented backtracks, flip-flops, and inconsistencies, the media continue to describe McCain with words such as "honest" and "authentic" and generally regard him as an unwavering purveyor of "straight talk."


'Lucy' Tour coincides with "Creation Museum"

Oh brother.  "allegedly 3.2-million" years old.

Biblical creationist blasts tour of 'Lucy' at Pandagon

Monday, October 23, 2006

The "ticking timebomb" argument is BS

Once Upon a Time...: Lies in the Service of Evil

I have written about the utterly fictitious "ticking bomb" scenario on several occasions. Because I do not want to engage in this exercise ever again, I have assembled here the major relevant arguments, so that they will all be in one place.


An excellent debunking of the "ticking timebomb" argument. Sorry Jack Bauer.

Wednesday, October 18, 2006

Windows Vista: SD^3 begets Popup-your-way-to-security?

Usable Security: Blog Archive: Security in Windows Vista: to 2002 and Beyond!

Popup-your-way-to-security in vista. If this is the logical conclusion of having something secure-by-default (one of the SDs in SD^3), we may be in real trouble.

Thursday, October 12, 2006

VirusTotal: Free site to check malware and AV solution efficacy

Aviv Raff On .NET - VML Exploit vs. AV/IPS/IDS signatures

Article showing how VirusTotal revealed how easy it can be to create "variants" that go undetected by most anti-virus products. The VirusTotal website could be a valuable resource.

Wednesday, October 11, 2006

Crooks and Liars: Olbermann Exclusive: Dissecting new Book: Tempting Faith


When President Bush touched on Iraq at his news conference this morning, he may have been revealing more than he knew.

[video] BUSH: The stakes couldn't be any higher, as I said earlier, in the world in which we live. There are extreme elements that use religion to achieve objectives.

He was talking about religious extremists in Iraq. But an hour later, Mr. Bush posed with officials from the Southern Baptist Convention.




Tuesday, October 10, 2006

no-fly list

Schneier on Security: No-Fly List

What a piece of crap!

New Google Code Search

Google code search (kottke.org)

Find all sorts of interesting things in source code out there, or web sites running interesting code. There's a great list to get you started "Google Code Hacking".

Monday, October 9, 2006

Microsoft Bug Reporting Process Makes me CACL

The story of how Microsoft has ended up with so many unconnected and uncoordinated versions of command-line tools to manage setting and displaying ACL (Access Control List) entries is funny enough, but wait until you hear about my experience trying to report a bug in the tool. First, on the sordid history that has led to three versions of the same tool, instead of one version that actually works correctly and handles all situations. There was first cacls.exe, which shipped with Windows AFAIK. That was missing some key features, so in all their wisdom, Microsoft released xcacls.exe in a resource kit that made up for the shortcomings in cacls.

So, I found a small bug in Microsoft's

I called Microsoft to find out how I could report the bug in XCACLS.vbs and after voice jail and being put through the regular support cruft they said that the only way to report bugs is by US Mail! They don't have any email address or way to report them via their support line. I told them to forget it. I'd just post something on my blog so that someone having the same problem can find it via Google (and that then maybe Microsoft might Google it someday so they can fix the problem).

ING Direct's Anti-Phishing Measure Backfires?

Another funny observation I had was about ING's anti-phishing security mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can't change it to an easily remembered one) which you can't likely remember, so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security from the obscurity.

However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often because although you have to type in more information, the usability is better because it is faster to do this than to look up what my login ID is. But they have now created a great target for phishers that can undo all the benefits of the hidden login ID and the additional measures on the site, because this feature is not protected with their RSA/Cyota eStamp as their login dialog is.

YouTube: Hours of entertainment

YouTube - White & Nerdy

This is hilarious.

And for other Halo fans (and lovers of the original skit from Monty Python) is this mashup:

YouTube - Monty Python Halo

Net Neutrality Issue for Dummies

Network Neutrality Threatened In Norway

A very clear description of the Net Neutrality issue and how the claims made by those against it are baseless.

TBogg - "...a somewhat popular blogger"



Friday, October 6, 2006

Incompetence to breed more incompetence in Bush Administration

Think Progress: Bush Asserts Constitutional Right To Hire Incompetent People At FEMA

More news media lameness: Abuse of the Question Mark

Crooks and Liars: Jon Stewart’s Hilarious Look at the Use of the Question Mark

Note to news media: Report the FACTS on the NEWS and lose the question mark.

Security and Privacy "Certifications" often mean the opposite

Certifications and Site Trustworthiness

An excellent paper summarizing many of the problems with certifiers such as TRUSTe as well as showing that sites that get these certifications to prove their trustworthiness are actually more likely to NOT be trustworthy!

I know companies who were so concerned with wanting customers to _think_ that their site was secure that they worked on getting a certification instead of investing in actually _making_ their site secure. No corrective action was taken to align technology or processes to the spirit or letter of the "certification". The same crummy procedures and mindsets that existed before the certification were there after the certification.

I have actually helped fill out the TRUSTe questionnaire and know the difficulty in answering their survey questions with 100% knowledge of everything that goes on in a company, even though it tends to certify the site.

Tuesday, October 3, 2006

Right-Wing Pundit Wankers: More Good Use of Free Speech

scootmandubious: GOP's Revealing Response To Foley Scandal

Step right up! Join your fellow Right-wingers and go on record as a child predator apologist! Downplay the crime of statutory rape! Justify the coverup as necessary for political reasons!

Wednesday, September 27, 2006

White house withholding report linking Global Warming to Increase in Hurricanes

Crooks and Liars: White House Bars Hurricane Report

More in the front on the War on Science. Ugh.

43 Things: interesting user-driven site

43 Things

"Discover what's important, make it happen, share your progress. Find your 43 things."

I just came across this site. Seems like a fun idea. You can add your own thing that "you want to do with your life" or see what other people said and use those ideas. You can track your progress. Larger fonts indicate more popular topics in the list. There are thousands of people from around the world on there. It also shows "People doing this are also doing these things", which is interesting as well.

Monday, September 25, 2006

TSA Insecurity. An economist's perspective

Freakonomics Blog: An airplane announcement I’ve been waiting for


if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?


Faux News Wishes No News of Clinton Smackdown of Wallace

Fox and the Clinton Interview: Hanlon’s Razor

This was a long-overdue smackdown by Clinton after being sandbagged on Fox. They forced YouTube to take down the video clip--trying to rewrite history. Stephanie Miller played the audio this morning--are they going to go after her too? Oh no, people will know that Fox is slanted to the right and giving people on the right a pass!

Saturday, September 23, 2006

O'Reilly: Peddling Lies Again

Media Matters - Bill O'Reilly's enemies list, available in hardback for $26

Media Matters got an advance copy of O'Reilly's new book and dissects the "errors, unsubstantiated claims, and baseless attacks that run through Culture Warrior".

Upcoming debate on The Problem of Evil

Debunking Christianity: My Debate With David Wood on the Problem of Evil

October 7th but in Virginia. Transcript and video will be available afterward. I'll be watching it...

Monday, September 18, 2006

Educate yourself and help Defend The Constitution

Atheist Ethicist: Defending the Constitution


take some time, come up with a couple of sharp arguments, and spread those arguments among the people. We can complain about how well or how poorly legislators defend the Constitution. However, ultimately, it is our job to defend the Constitution, and this is one of the greatest assaults the Constitution has ever been subjected to.

Do you care enough to help defend it?


It sickens me to hear people like Pat Robertson on McLaughlin group making these claims as if we know that the captured people are 100% guilty. We often don't really know that, as evidenced by the many, many people we have captured, held, then let go free. We are considered innocent until proven guilty in this country to protect the innocent -- and that is you and me -- from unfounded abuse. Give that up and you or your family could be next. All it would take is for one of those in custody we are "coercively interrogating" (read: Jack Bauer tactics) to name you or your family. Then you could be sitting right next to them.

"God doesn't do well in the free market."

The struggle to find the downside ended in failure at Pandagon

There are laws that prevent some businesses from being open on Sundays??? I thought it was "christian" pandering by businesses. It is really annoying that so many businesses are closed Sundays and if the government is the reason why, then that is appalling.

I like the quote about "God doesn't do well in the free market."

Iran: Iraq Part 2

Crooks and Liars: IAEA calls US Report on Iran—a lie

Cooking the books to lead us into war with Iran now? Where have we seen this before...

Sunday, September 17, 2006

Statistics show more stupidity of "terror alert levels"

Boing Boing: Flu, hernia, or police more to kill you than Al Qaeda

This is great. People tend to make decisions using the emotional, fear-driven parts of their brain. Even in the face of raw data about risks it is very hard for people to feel comfortable turning away from those hard-wired instincts for self-preservation and making decisions that conflict with those feelings. A look at this chart shows how irrational spending and decisions are in this country. And how trading security for a little perceived freedom is a bad tradeoff--especially when you are far more at risk from plenty of other factors. The incidence of government taking advantage of its citizenry is likely to be higher than terrorist attacks against America.

Unfortunately, politicians rely on the masses making poor choices on inaccurate or flawed data to keep them in power. Think about that when you vote this November. Those who want you to stay afraid are themselves afraid.

Thursday, September 14, 2006

Diebold voting systems hacked AGAIN

The BRAD BLOG : HACKED: VIRUS IMPLANTED, SPREAD ON DIEBOLD TOUCH-SCREEN VOTING MACHINE!

Researchers at Princeton, including Ed Felten, have been able to implant malicious code on Diebold touch-screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.

The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?

Bush sets record straight: Iraq Had 'Nothing' to Do With 9/11

Think Progress: Bush Now Says What He Wouldn’t Say Before War: Iraq Had ‘Nothing’ To Do With 9/11

I saw this first on The Daily Show. I can't believe this hasn't gotten more press despite the large percentage of the country who have been made to accept the opposite as true because of the lapdog press and liars in this administration.

The new 9/11

Legal Fiction: THE TWO 9/11s


the second 9/11 is the political prop — a mangled, grotesque doppelganger of the first one that has been whored out on the political street for over four years now. The second 9/11 is the source of policies that have made the world far worse, and have killed many times the number of people who died in the Towers. And so, what’s truly tragic about the second 9/11 is that it threatens to forever stain the legacy of the first 9/11


Indeed. How hard was it to find a radio/TV station that wasn't pushing 9/11 in your face? Who wants to hear another fearmongering speech by W? Not I.

Saturday, September 9, 2006

ABC's of ABC's hypocrisy

Media Matters - "Media Matters"; by Jamison Foser

ABC and Disney, for starters, still plan to broadcast an account of the events leading up to the September 11, 2001, terrorist attacks that they know to be false.

This despite Disney's 2004 refusal to distribute Fahrenheit 9/11, which was highly critical of President Bush, even though it was produced by a Disney subsidiary, Miramax Films. Then-Disney CEO Michael Eisner explained that the company "did not want a film in the middle of the political process where we're such a nonpartisan company and our guests, that participate in all of our attractions, do not look for us to take sides."

Church and State Just Snuggled Closer

Americans United for the Separation of Church and State


Americans United Condemns House Committee Passage Of Bill Cutting Off Attorneys' Fees In Church-State Cases
Measure Is More Pandering To The Religious Right, Says AU's Lynn


Democrats have to take the house back in November.

Thursday, August 10, 2006

Opposition to nominated US Chief Privacy Officer

I'm so tired of seeing privacy officers and council members who are lawyers first. They may understand the law, but they often don't understand privacy. And lawyers tend to not consider risks outside of the legal/liability context. I've experienced privacy lawyers say that it was okay to not encrypt data anywhere internally because we only said "via our website" in our privacy policy. That may be true in a strict legal sense, but from an overall customer privacy and privacy threat model perspective, it neither adequately ensures protection for customer privacy (the intent of the policy and assurances to customers) nor ensures an adequate privacy environment or mindset in a company (which itself often leads to more lax treatment of sensitive information and therefore breaches).


EPIC Alert 13.16


Open letter to DHS secretary Michael Chertoff

Latest airline "security" hysteria

Educated Guesswork: Threat modelling airplane explosive detection

A good analysis of whether the threat model for materials in checked luggage is sufficiently different from that for carry-on, a difference that would need to hold for the new security measures to make sense.

I'm not sure I agree with Bruce Schneier's assessment that, "Given how little we know of the extent of the plot, these don't seem like rediculous [sic] short-term measures." I don't agree with this because if it is too risky to bring these kinds of materials onboard today, then why would it ever be okay to allow them tomorrow? It's kind of like the precautionary disconnect from the Internet, "Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don't magically shrink just because you updated the antivirus package." It doesn't make much sense to occasionally stop trusting liquids/gels on airplanes. They are either a threat (someone can always masquerade a bomb as benign liquid at any time and can always disguise a detonator as anything--imagine if terrorists use cellphones instead of keyfobs for a detonator--the public reaction to banning cellphones in carry-on would be huge) or they aren't. I agree that there is a heightened threat right now, but that threat has been and will be nonzero, so when will it be "safe" to allow them back on board and what criteria would determine this?

The other danger of taking such drastic measures is that the terrorists could be counting on that. Terrorists can just change tactics while the TSA is busy keeping someone's Frappuccino off the plane but allowing supposed breastmilk and liquid prescription drugs. As if the terrorists wouldn't have anticipated that loophole.

I wish I wasn't flying in a couple of days--not because I'm afraid of the possibility of a terrorist on board my plane, but because it's going to be a nightmare to go through security. And now I have to rethink everything I was planning to bring on board.

Tuesday, August 8, 2006

Illogicacy

Atheist Ethicist: Well Founded Beliefs

Great treatise on how people's inability to reason properly (I call it Illogicacy here, after Innumeracy) leads them to make terrible mistakes that result in harm to others, often worse than the harms society tends to feel hurt it most.

This blog is really, really excellent, BTW. It really makes you think. Sometimes you just think that you would never have come up with that, or could never have expressed it so logically and eloquently.

Tuesday, August 1, 2006

DIY RAID-5 NAS

Build a Cheap and Fast RAID 5 NAS | Tom's Networking

I'm going to need to get one of those cards and a bunch of drives to augment my data server with a terabyte of RAID-5 goodness. *yum*


Desalinate water while ascending your space elevator?

Technology Review: Cheap Drinking Water from the Ocean


A water desalination system using carbon nanotube-based membranes could significantly reduce the cost of purifying water from the ocean. The technology could potentially provide a solution to water shortages both in the United States, where populations are expected to soar in areas with few freshwater sources, and worldwide, where a lack of clean water is a major cause of disease.


Monday, July 31, 2006

Diebold: A Danger to America

The Open Voting Foundation


“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.


Makes you wonder how secure those ATMs made by Diebold are (USBank uses them I know).

RFID no good for vehicle security

Wired 14.08: Pinch My Ride

Alternate attack vectors mean that RFID is often not the part of the security system that gets broken (not unlike strong crypto). All of the supporting systems around it are easily broken.


Wednesday, July 26, 2006

MySpace infects YourPC

Schneier on Security: Hacked MySpace Server Infects a Million Computers with Malware

Malicious banner ad exploits unpatched IE hole (there are many and more all the time). You have switched to Firefox, Opera, Konqueror or anything other than IE, right?



SeaSec security forum

SeaSec security forum

Just found out about an informal security group that meets in Seattle. I've often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I'm on the ISSA Puget Sound board). Where organizations don't meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I'll be able to attend these on Wednesdays.


Why

Agora and ISSA are too formal. This is just a chance to hang out with local security professionals and get to know each other.


Sunday, July 23, 2006

Anti-science Inhofe: "Gore is full of crap"

Think Progress: Sen. Inhofe: ‘Gore Is Full of Crap,’ ‘All Recent Science…Confirms This Thing Is A Hoax’

Wanker.


Excellent posts on the stem-cell veto

Legal Fiction: THE STEM CELL SILVER LINING

Atheist Ethicist: The Stem Cell Veto

Independent Online Edition: Stephen Hawking to EU on Stem Cell Research


"Europe should not follow the reactionary lead of President Bush, who recently vetoed a bill passed by Congress and supported by a majority of the American people that would have allowed federal funding for stem cell research," he said in a statement to The Independent. "Stem cell research is the key to developing cures for degenerative conditions like Parkinson's and motor neurone disease from which I and many others suffer," he said.


And more idiot liars in the White House repeating the same non-reality-based crap:

Bolten Defends Rove’s False Claims on Stem Cells: Karl ‘Knows A Lot of Stuff’

Thursday, July 20, 2006

Bush*it Stem-cell veto

Scott Rosenberg's Links & Comment


Here is why Bush's position is a joke: Thousands and thousands of embryos are destroyed every year in fertility clinics. They are created in petri dishes as part of fertility treatments like IVF; then they are discarded.


Exactly. It's half-assed ridiculous pandering to anti-science, life-regardless-of-the-quality-of-life religious zealots.

Yet another way evangelical schools are destroying America

2 + 2 = Jesus rode a dinosaur (http://tbogg.blogspot.com/2006/07/2-2-jesus-rode-dinosaur-new-from-apple.html)

This made me wonder if the bible mentions anything about dinosaurs. If it doesn't, does that mean they never existed (for those inclined to believe that everything about the world can be derived from the bible)?

Sunday, July 9, 2006

Keycode: coupons and discount codes from all kinds of companies

KeyCode Coupons, Coupon Codes, Online Coupons, Discounts, Online Deals



US Election System Still Fraught with Systemic Problems

USNews.com: The road to reform in election corrections has been slow going

That messy 2000 election was supposed to be the jolt America needed. After chronic flaws in the country's voting process became painfully public, an ambitious reform effort was supposed to make hanging chads and butterfly ballots relics of election nightmares gone by.

But nearly six years later, it hasn't turned out that way. In the state of Washington, the 2004 governor's election took more than six months to resolve--again before a court. And some liberal activists still believe that vote tampering and dirty tricks handed Ohio to the GOP, enabling President Bush to win re-election. Now, heading into the midterm congressional elections, despite the expenditure of billions of dollars, a litany of problems remains.


Also, several good links via SANS NewsBites Vol. 8 Num. 53:

--Study Finds Popular eVoting Machines Susceptible to Fraud
(27 June 2006)
A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November.
Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail.
http://news.com.com/2102-7348_3-6088464.html?tag=st.util.print
[Editor's Note (Schultz): The fact that a verifiable paper trail is being proposed is in and of itself an extremely positive step forward as far as fairness in electronic voting goes.
(Pescatore): I think we are past the point where any rational person believes that most current voting machines are safe enough. The first generation of ATM machines weren't secure enough either - the real issue is making sure the current problems are bounded and managed, and that the next generation of voting machines make big leaps forward.
(HONAN): The Irish Commission on Electronic Voting recently published their report highlighting serious concerns with the software used in the electronic voting machines purchased by the Irish Government.
http://www.cev.ie/htm/report/download_second.htm
http://www.unison.ie/irish_independent/stories.php3?ca=9&si=1646254&issue_id=14303
http://www.examiner.ie/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=7621-qqqx=1.asp]

Genographic project

https://www3.nationalgeographic.com/genographic/index.html

and to participate go here -- they send you a DNA swab kit that you mail back to them.

https://www3.nationalgeographic.com/genographic/participate.html



Link mania

Gas prices in your area

This Site Rocks - FUNNY Videos & Pictures

Seed Magazine: on policy and social implications of science

FARK.com: (1837095) Pick the best photoshop image of 2005 used in a previous contest

Gone in 20 Minutes: using laptops to steal cars | Leftlane News - Car News For Enthusiasts Backdoors for locksmiths in electronic lock systems being used by car thieves. Who would have guessed that could happen?

Why SSL alone will not solve the phishing problem

SSL-authenticated login pages certainly don't _solve_ the phishing problem, since phishing is partly psychological/sociological and uses technology only as a means of improving the odds of hacking the human psyche. So a purely technological fix is unlikely, prima facie, to address the root issues.

But, the SSL change can help in a couple of key ways:


  1. Rather than give customers 0 tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site, so they can make an informed decision.

  2. Rather than continuing to train users to "trust page contents" (i.e. the lock image and our feeble assurances on the "Why this is secure" page), we can retrain them to use reliable measures that are not as subject to spoofing.



That is not to say that SSL does not have its problems:


  1. Who made the trust decision to put the 50-100 CA certs in the browser? Why should the user trust those introducers? How do we know that those issuers won't screw up (like Equifax/GeoTrust did recently by automatically issuing a domain-verified cert that was very similar to a real bank's: http://jordy.gundy.org/?p=49)?


  2. The UI is horrible for security. The lock is too small, and it is too easy for the "Simon says" problem to bite you, since you don't notice when it isn't there. Some changes, such as changing the browser toolbar color based on the encryption, will help, but Firefox and IE7 use different color schemes for the same semantics...

  3. There are usability issues with the UI. Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts. That kind of annoy-user-into-submission security fails the psychological acceptability test and it doesn't work anyhow because you should generally protect the user where it counts, not warn and hope they do the right thing.

  4. The phishing problem is one of Identity Continuity. It's not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site. What you really should be protecting the users from is when a known relationship in the digital sense has a discontinuity. That signals a phishing attack. The analogy is SSH known_hosts. On the initial introduction, you choose to trust the server since the likelihood that you are being MITM attacked is infinitesimal. But if you are MITM attacked later, SSH will scream loudly and not let you connect. That is what the browsers should do, though with the UI cleaned up a bit for the unwashed masses. The MITM issue is one of a discontinuity. So SSL in the current sense solves the wrong problem, because the browsers have no means of managing site continuity information. They should. Some schemes, such as trustbar and petnames, allow friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore when there is a problem. The user should actually be stopped from proceeding.



And so on. That's just off the top of my head.
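To make the known_hosts analogy concrete, here is an added example (not code from the original post, and not how any browser of the time behaved): a trust-on-first-use store keyed by hostname that records a certificate fingerprint on first introduction, accepts a matching fingerprint afterward, and refuses, rather than warns, when a known host presents a different certificate. The class, host names and certificate bytes are all constructed for the example.

```python
import hashlib


class ContinuityError(Exception):
    """A host seen before now presents a different certificate."""


class KnownSites:
    """Trust-on-first-use store modelled on SSH known_hosts: hostname -> cert fingerprint.
    Hypothetical design for this example; no browser of the time worked this way."""

    def __init__(self):
        self.sites = {}  # kept in memory; a real client would persist this like ~/.ssh/known_hosts

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the raw certificate bytes, the way ssh-keygen -l hashes a host key
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, host: str, cert_der: bytes) -> str:
        fp = self.fingerprint(cert_der)
        known = self.sites.get(host)
        if known is None:
            # First introduction: accept and remember it (a MITM on first contact is unlikely)
            self.sites[host] = fp
            return "new"
        if known == fp:
            return "known"  # continuity holds; proceed without bothering the user
        # Discontinuity: stop the user rather than show a warning they will click through
        raise ContinuityError(f"{host}: cert changed from {known[:16]}.. to {fp[:16]}..")


# Constructed stand-ins for DER certificate bytes (not real X.509 data)
BANK_CERT = b"constructed cert: CN=bank.example, issuer=Real CA"
LOOKALIKE_CERT = b"constructed cert: CN=bank.example, issuer=another CA"


def demo():
    """Two clean visits, then a third where the known host presents a different cert.
    A domain-validated cert for the same name passes ordinary SSL checks but fails here."""
    store = KnownSites()
    first = store.check("bank.example", BANK_CERT)   # "new"
    second = store.check("bank.example", BANK_CERT)  # "known"
    try:
        store.check("bank.example", LOOKALIKE_CERT)
        blocked = False
    except ContinuityError:
        blocked = True
    return first, second, blocked  # ("new", "known", True)
```

The third visit is the Equifax/GeoTrust case from the list above: a certificate that is valid for the name yet not the one the user has a relationship with, which ordinary certificate validation lets through and a continuity check does not.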

Cartoon: The revised, revised story about NSA wiretapping

WorkingForChange-This Modern World: The revised revised story



God is angry, but not at Pat Robertson

The Seattle Times: Nation & World: God is warning of big storms, Robertson says

This must be true because Robertson obviously is Higher-powered (as reported by my colleague Pete):


I don't know about you, but I almost missed this. Pat Robertson's amazing age-defying protein shakes have helped him to leg press 2,000 pounds!
http://www.cbn.com/communitypublic/shake.asp

If that doesn't sound impressive to you, note that it tops the all-time Florida State University leg press record by 665 lbs, set by a guy whose eye capillaries burst during the effort. http://www.sportsline.com/spin/story/9454343




NSA's math problem

http://www.liveammo.com Security News Blog

legal or not, this sort of spying program probably isn't worth infringing our civil liberties for — because it's very unlikely that the type of information one can glean from it will help us win the war on terrorism.


Interesting mathematical analysis of how effective the NSA domestic call-tracking spy program could possibly be.

In-Accu-Weather forecast

Hat tip to my friend Kris who discovered this. I captured it for posterity:

In-Accu-Weather

AJAX security basics

AJAX security is no different than normal web application security, except that it can add lots of complexity to a site and make black-box auditing much more difficult.

-----Original Message-----
From: Andrew van der Stock [mailto:[email protected]]
Sent: Tuesday, June 20, 2006 4:43 AM
To: Webappsec ((((E-mail))))
Subject: Fwd: SF new article announcement: Ajax security basics

This was posted to SecurityFocus.com yesterday.

Their article is eerily similar to my Ajax presentation from February
(particularly if you've seen me give the presentation), and even more
similar to the draft Ajax chapter I wrote shortly after for the OWASP
Guide (now posted to our Wiki - http://www.owasp.org/index.php/
Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying
goes, this is the best form of flattery. I suppose.

If you haven't had a chance to read up on Ajax security, their article
is a start... as is my presentation (http://www.greebo.net/?
page_id=329) and the draft chapter in the OWASP Guide 3.0 current.

thanks,
Andrew

Begin forwarded message:

> > Ajax security basics
> > By Jaswinder S. Hayre, and Jayasankar Kelath
> > 2006-06-19
> >
> > The purpose of this article is to introduce some of the security
> > implications with modern Ajax web technologies. Though Ajax
> > applications can be more difficult to test, security professionals
> > already have most of relevant approaches and tools needed.
> >
> > http://www.securityfocus.com/infocus/1868


PHP Security: Top 5 from OWASP


OWASP is pleased to announce the immediate availability of the OWASP PHP
Top 5. The OWASP Top 5 is an education piece which provides up to date
advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is
produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to
Bugtraq. This information is a valuable insight into the most
devastating attacks against the world's most popular web application
framework.

In 2005, OWASP collaborated with SANS to research and write a completely
new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top
5 is the full unabridged text, updated to reflect recent XSS attacks and
SQL injection vectors.



OWASP PHP Top 5

http://www.owasp.org/index.php/PHP_Top_5



OWASP PHP Project

http://www.owasp.org/index.php/Category:OWASP_PHP_Project


Another article on musicians being screwed out of profits even with digital distribution schemes

Business 2.0 - Magazine Article - The MP3 Economy

"The going rate for downloading songs from online music services like Apple's (AAPL) iTunes Music Store, MusicNet, Pressplay, and Rhapsody is about $1 a pop. Yet the economics of recorded music sales haven't changed much since the vinyl era -- despite the fact that digital files cost very little to produce and distribute. So how much of your buck makes its way back to the artists? Not much, though it's clearly a better deal than they get from piracy. "


Getting god out of government

Several articles on the topic of the government pushing religion.

Drum-beating about the 9th circuit decision about "Under God" in the pledge:

AMERICAN ATHEISTS LEGAL UPDATE

Public prayer fanatics borrow page from enemy's script

The Bush administration has been dealt a setback in its campaign to
allow prayer in our public schools. The full 9th Circuit U.S. Court
of Appeals has voted 15-9 to back the 2-1 vote by its earlier panel
finding the Pledge of Allegiance unconstitutional because of the
words ''under God.''


How did your senator vote on the pledge legislation ("S. Res. 71 As Amended; A resolution expressing the support for the Pledge of Allegiance.")?
U.S. Senate: Legislation & Records Home > Votes > Roll Call Vote

The Sacramento Bee -- sacbee.com -- Diana Griego Erwin: Pledge debate recalls another tradition, another controversy The best quote is, "the Constitution wasn't written to uphold majority opinion." It was written to protect the minority from the tyranny of the majority.


The 9th Circuit seems to agree. Our Constitution protects the freedom of us all, Jew, Christian, atheist, Muslim, Buddhist or agnostic to pray or keep silent, worship or not, believe or disbelieve. Standing outside the classroom door to avoid participating is exclusionary, especially for children.

At my school in the 1960s, one student couldn't pledge allegiance to the flag because her family was Jehovah's Witness. Being children, we thought she was weird. She even seemed less American. She was just a little girl.


And finally, an article debunking the religious nut talking point that we are a "Christian nation". The Nation | Article | Our Godless Constitution | Brooke Allen

Washington Supreme Court will decide if police need warrant for GPS 'tracking'

Court will decide if police need warrant for GPS 'tracking'


But what if the same secret technology, called global positioning satellite tracking, could track anyone at any time?

The Washington Supreme Court will decide soon whether police agencies throughout the state may use the device freely -- without a warrant. The Jackson case is the first in the state dealing with the issue.


Update: The court unanimously decided that a warrant is required:


OLYMPIA, WA - The American Civil Liberties Union of Washington today hailed a unanimous, first-in-the-nation ruling by the Washington Supreme Court that police must obtain a warrant in order to track an individual's movements with Global Positioning Systems (GPS). The ruling agrees with arguments the ACLU submitted in a friend-of-the-court brief in the case.

"The ACLU applauds the court's ruling in this landmark case. Tracking a person's movements by GPS is highly intrusive. It is the equivalent of placing an invisible police officer in the back seat of a person's car," said ACLU of Washington Privacy Project Director Doug Klunder, who wrote the ACLU's brief.


Airline <strike>security</strike>

A Dangerous Loophole in Airport Security - If Slate could discover it, the terrorists will too. By Andy Bowers

More security window-dressing... More reason that ID checks and the watch list are BS security.

The Phantom "Cyber" terrorism?

[IP] Govt Comp.News - Assessing "cyberterror" - couldn't find any!


>I've been working on the issue of how to build secure public networks
>for about 7 years. I started out as a military analyst and I wanted to
>put the cyber terror/cyber war issue in a larger strategic context.
>About a year ago, I started looking for examples of cyber-terrorism,
>where hackers had shut down critical infrastructures. I was surprised to
>discover that I couldn't find any, so I began to look more closely at
>the hypothetical scenarios involving cyber war. Most of them turned out
>to be implausible from a military or national security perspective.
>Hence the report.