Monday, November 27, 2006
Sunday, November 26, 2006
po-ru.com: Fixing ffmpeg on Ubuntu
It seems one can set DEB_BUILD_OPTIONS=risky to enable the missing codecs rather than editing debian/rules and building the package manually.
sudo apt-get build-dep ffmpeg
sudo apt-get install liblame-dev libfaad2-dev libfaac-dev libxvidcore4-dev checkinstall fakeroot
DEB_BUILD_OPTIONS=risky fakeroot apt-get source ffmpeg --compile
sudo dpkg -i ffmpeg_*.deb
Friday, November 24, 2006
It's not really a typo but an intentionally left-out X separator for aesthetics on the sculpture. It was intended to result in gibberish when decrypted, which would clue in the decryptors to reinsert a separator and try again, except it ended up spelling something intelligible instead of garbage, so they thought they had decrypted it properly!
A Break for Code Breakers on a C.I.A. Mystery - New York Times
For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.
One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update). You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!
Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7. So, it will force Windows 2000 users to upgrade to XP first. That is probably also a good thing for security though.
Schneier on Security: Internet Explorer Sucks
--Washington AG Alleges Spyware Act Violations
(16 & 14 August 2006)
Washington State Attorney General Rob McKenna has filed a lawsuit against Movieland.com parent company Digital Enterprises alleging violations of the state's Computer Spyware and Consumer Protection Acts.
People sign up for a free, three-day trial of the company's software that allows them to download movie clips. After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent.
The pop-ups, which appear hourly or even more frequently, read "Click 'Continue' to purchase your license and stop these reminders." The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.
The worst part is that DHS didn't even try to hide the pork-barreling by making the inclusions and omissions clear and blatant. Oy. I reluctantly file this in the security category...
The Seattle Times: Local News: Dept. of Homeland Lunacy
When it comes to homeland security, I give up.
I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.
But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.
I happen to have a lock that I forgot the combo to that this will definitely come in handy for...if I can only find the lock...
Airport Security Oversights | The Onion - America's Finest News Source
Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity
U.S. Cryptographers: 'FrpX-K5jE-Oc4n-e5Dn' | The Onion - America's Finest News Source
WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.
- No pleated pants: Get rid of your pleated pants in favor of flat-front pants. Flat-front pants are simpler, more modern looking, make you look slimmer, and not like an old man.
- Clothes should look new and fresh: If your sweaters are pilled and your pants have wallet or knee wear marks, or the cuffs are frayed, it's time to get some new clothes. Buy something new and donate the old.
- Get pants with the proper length: If you don't know your length, get measured or fitted in a store sometime. Your pants should "break" at the ankle and continue down slightly over your shoe. If you can see your socks when standing, your pants are too short!
- Appropriate sock color: White socks are generally not going to work with any business casual attire, unless it is Miami Vice white suit day, but even then you probably would be better off going without socks...but I digress. The general rule with socks is they should not be noticeable! If your socks stand out, they are wrong for your outfit. I mostly wear neutral socks that match my pants to not draw attention to them. If you are wearing athletic socks with slacks you need to go to Costco and get some Gold Toe dress socks and save the Nike socks for the gym.
- Your shoes tell all: They say you can tell a man by his shoes--they make or break an outfit. You can be totally put together elsewhere but if your shoes are crap, it's game over. What do your shoes say about you? Are they tired, scuffed, worn and dirty or new, sleek, stylish and shiny? It sucks but you really should have several pairs of shoes so that you can rotate them. Avoid wearing one pair day-in and day-out so that they will last longer and look fresh when you do wear them. I've even bought two of the same less expensive pairs of shoes that I liked to keep them looking nicer longer. Oh, and invest in a shoe brush and some instant shine pads. Esquire recommends using black polish--even with brown shoes.
- Wear the right size shirt: This is another one of those things you're never taught: how to know you have the right size shirt. Here's the best way to know: Where the sleeves attach to the main body of the shirt, it makes a line. That line should roughly be even with the very edge of your shoulder blade. More than a 1/4 inch past that and your shirt is probably too big. I often see this with people who wear golf shirts (even PGA pros are bad offenders. Tiger Woods does it right though). Another way to tell if your short-sleeve shirt is too big is if your sleeves extend far past your elbow. They should probably end short of your elbow if it is sized correctly. Having the right size shirt means a sharper, put-together look. Oversized shirts tend to look sloppy or overly-casual.
- Dress for the position you want, not the one you have: Hey, I've been there where I loved being able to wear jeans and a T shirt because, hey, nobody sees me in the server room. But, if you have higher aspirations or if you interface with business folks who tend to dress nicer than you, then your clothes can be a distraction from you and your message. If anything, your clothes should be neutral or enhance your message. Beware of some managers who get nervous if their underlings dress nicer than they do, but that isn't really your problem--it's theirs for not dressing to their level in the organization!
- Skip ironing -- use the cleaners! Nothing says sloppy like a button-down shirt that has not been ironed or is poorly ironed. The difference I found with people who truly look sharp is not just tailoring but well-maintained clothing. It is so cheap to have someone else iron your shirts, and it looks 1000 times better than if you try to do it, that it is well worth the investment. And you can usually get a couple of wears out of each shirt before it needs to be sent back for cleaning and ironing. I pay $0.99 / shirt. If you have nice pants, you can usually get away with ironing them yourself but professional pressing also looks a lot better and holds longer than home ironing.
The Passport number
The Date Of Birth of the holder
The Expiry Date of the Passport
Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you're a Canadian in foreign countries?
The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.
This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.
Also see this news story.
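The three printed fields listed above are the entire input to the passport's access keys, which is the privacy point. As an added illustration (not code from RFIDIOt or from the linked story), the derivation below follows the ICAO 9303 Basic Access Control key schedule: the document number, date of birth and expiry date (each with its MRZ check digit) are hashed with SHA-1 to a seed, and the encryption and MAC keys are derived from that seed. The sample field values (document number L898902C, birth date 690806, expiry 940623) are sample data, not a real passport. Nothing here talks to a chip; it only shows that anyone who can read or guess those three fields computes the same keys.

```python
import hashlib


# ICAO 9303 check digit: weights 7, 3, 1 repeating; '0'-'9' as-is, 'A'-'Z' = 10..35, '<' = 0
def mrz_check_digit(field: str) -> int:
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(document_number: str, date_of_birth: str, date_of_expiry: str) -> str:
    """The 24-character string the BAC keys are derived from: the three printed
    fields, each followed by its check digit (document number padded with '<' to 9)."""
    doc = document_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{date_of_birth}{mrz_check_digit(date_of_birth)}"
            f"{date_of_expiry}{mrz_check_digit(date_of_expiry)}")


def adjust_des_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity, as DES key bytes require."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | int(ones_in_upper_bits % 2 == 0))
    return bytes(out)


def bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str):
    """Return (K_seed, K_enc, K_mac): SHA-1 of the MRZ information gives the
    16-byte seed; SHA-1 of seed || 32-bit counter (1 for enc, 2 for mac) gives each key."""
    info = mrz_information(document_number, date_of_birth, date_of_expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_des_parity(digest[:16])

    return k_seed, derive(1), derive(2)


if __name__ == "__main__":
    # Sample (not real) passport fields
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("MRZ info:", mrz_information("L898902C", "690806", "940623"))
    print("K_seed  :", seed.hex())
    print("K_enc   :", k_enc.hex())
    print("K_mac   :", k_mac.hex())
```

Because every byte of key material is a function of a serial-style document number and two dates, the effective key space is far smaller than the 112-bit 3DES keys suggest; that, not any flaw in the cipher, is why the post's advice is about whether a chip should be readable at all rather than about the crypto.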
These are the fatal flaws of patents--that they are often used these days to stifle competition or to patent ludicrous things like 1-click shopping or automatically launching active content in a webpage. The whole system needs to be revamped.
The theoretical justification for patents has seldom worked in practice. Most patents are flagrantly bogus, always have been. Of the few legitimate patents, the vast majority merely obstruct the development and application of the technology, without in fact making money for the inventor. The normal outcome of patenting a genuine innovation is that people construct second rate workarounds, as Microsoft just did. The destructive effect of patents is merely most visible in those fields that are advancing most rapidly - cryptography being such a field.
This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks. They also show the data from the previous year.
I personally recommend F-Secure's product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee...). I've heard from others who enjoy Kaspersky as well, so either of those would be good choices, and they happen to both top this list.
I also personally got rid of McAfee products after a multitude of issues:
1. The product is seriously bloated and the Security Center product seems geared more toward selling other McAfee products than providing normal users with value.
2. Many of the products in the suite are not well integrated. They often had their own installers and were a real pain to uninstall.
3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous. My wife forgot her password to their site so she used their "forgot my password" feature. Guess what? They emailed her, not a new random password, but her _actual password_. This from a security company! They either store passwords without encryption or store them with reversible encryption--both of which are seriously bad ideas and McAfee should know better.
5. Their suite product line is very expensive and the price seems to go up every year. They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows. The cure is worse than the disease?
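Item 4 above is the one a site operator can fix outright: if the account database holds only a salted one-way hash, the "forgot my password" flow cannot mail the password back because nobody has it. The following is an added example of that design (it is not McAfee's code or anything from the linked article). It uses Python's standard-library PBKDF2 for storage and a random single-use token for reset; the iteration count and token length are constructed choices for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# PBKDF2 work factor; a constructed value for this example, tune it to your hardware.
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class StoredCredential:
    """What the account table keeps: a per-user random salt and a one-way hash.
    The password itself is never stored, so it can never be e-mailed back."""
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Derive a salted, deliberately slow, one-way hash suitable for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredCredential(salt=salt, digest=digest)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)


def issue_reset_token() -> str:
    """The thing to e-mail on 'forgot my password': a single-use, unguessable token."""
    return secrets.token_urlsafe(32)


def reset_token_fingerprint(token: str) -> bytes:
    """The server keeps only a hash of the token, so a database leak yields no usable tokens."""
    return hashlib.sha256(token.encode("utf-8")).digest()


def complete_reset(presented_token: str, stored_fingerprint: bytes,
                   new_password: str) -> Optional[StoredCredential]:
    """Accept the token (the caller must also enforce single use and expiry),
    then replace the credential; returns None when the token does not match."""
    if not hmac.compare_digest(reset_token_fingerprint(presented_token), stored_fingerprint):
        return None
    return hash_password(new_password)


if __name__ == "__main__":
    cred = hash_password("correct horse battery")
    print("login ok:", verify_password("correct horse battery", cred))
    token = issue_reset_token()
    fingerprint = reset_token_fingerprint(token)   # stored with the account, with an expiry time
    print("reset ok:", complete_reset(token, fingerprint, "new passphrase") is not None)
```

The reset e-mail carries only the token link; the new password is chosen by the user afterwards, so at no point does the site know or transmit a password in the clear.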
Ranking Response Times for Anti-Virus Programs - Security Fix
5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design
Tools are sexy; secure design is hard. That's why you see so many tools and vendors hawking tools but not as much work. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far. It's an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It's a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?
As for item #3, I don't think that I believe that there can be "quantitative" security risk management. The biggest problem is that there is not enough good data to base future risk upon (try this: how do you quantify risk of brand damage due to event X?).
Item #4 is very important and speaks to ensuring security systems are usable.
CRA (Computing Research Association) Grand Research Challenges
Four Grand Challenges in Trustworthy Computing:
1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.
Given the circumstances that command its application, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.
Psychological Acceptability has been defined as a critical aspect of secure systems for over 30 years by Saltzer and Schroeder (1975): The Protection of Information in Computer Systems
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.
Boing Boing: Copyright Office creates 6 DMCA exemptions
the office refused to grant exemptions that would benefit the general public -- space- and format-shifting, backing up your DVDs -- and they took back an earlier exemption that let people reverse-engineer the blacklists maintained by censorware companies to bring some transparency to their process.
Lawrence Lessig: When Web 2.0 meets Lawyers 1.0
Funny because I was just thinking about this regarding this blog. I think it's cool when people enjoy what I provide on this blog, but I really don't care if people read it or not. This is where I keep track of stories and topics that interest me, instead of saved emails or bookmarks that I never look at again. I can always go back and find what I found interesting and what I wrote about it. Pretty cool in my book.
My blog doesn't really have many that link to it and probably the fact that I post many links without a lot of commentary a lot of the time is a good reason why. But I disagree that nobody links to linkers. I personally like blogs because they act as filters or lenses that focus news and interesting content. There are tons of blogs but I like the ones whose mix of topics coincides most with what I'm interested in. Even if they just link to other places, that's fine with me. It's the filtering service that is the value-add, not necessarily original content.
That said, I have anecdotal evidence that my blog only gets noticed when I post original content. My recent entry about SOA security is a perfect example. I also was thinking about how I like the SANS newsbites because they actually summarize the stories they link to, not just provide links (on a related note, the links in Crypto-Gram require me to go read every story that sounds interesting so I generally read fewer of them).
No-one links to the linkers at Andrew Garrett’s Mutation
[infowarrior] - Verizon Slapped for Crippling Bluetooth
Verizon has been getting weasely with some of its customers in California who bought its Motorola v710 Bluetooth-"capable" phone on or before January 31, 2005. Preliminary approval of the settlement was granted in a California court for a class-action suit against the company because it didn't accurately tell prospective customers that its Bluetooth features weren't what they appeared to be. Verizon said the phone "works with a PC" but left out that part about how you can't wirelessly sync photos or contacts or any other files using Bluetooth.
Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system. Recall Why Can't Johnny Encrypt? A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure and unintended actions by the user. The infamous Butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections so this is not a new issue to software or to voting by far.
This is a perfect example though of how using DREs to generate human-and-machine-readable receipts (voter verifiable) could allow voters to detect their undervotes before they drop them into the ballot box. There could even be very blatant warnings to the user on the receipt and on the screen that they didn't vote in X of the races to help prevent unintentional undervotes. Did these companies do any focus group testing of DREs?
FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime
...Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design...
Wednesday, November 22, 2006
I've been working on emergency preparedness for my neighborhood lately so this is very apropos.
BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don't forget supplies for your pets too!
Two Flickr galleries dedicated to photos of apostrophe and quotation mark abuse. I can't believe my previous post on Common writing mistakes didn't touch on this pet peeve of mine.
And a hint for the upcoming holiday: Gift cards make great gifts...
2006 Gift Card Study (Page 1 of 4)
If you want a gift card you can use anywhere, you'll pay for the privilege, while gift cards from individual retailers are less costly and sprouting more options.
Those are the major findings of the third annual Bankrate.com Gift Card Study.
Retail store gift cards continue to be a consumer-friendly credit product, with fees and expiration dates the exception rather than the rule. The retailers can make a profit from the merchandise users buy.
Gift cards from the major credit card issuers, though, still carry an assortment of fees. All continue to charge monthly "maintenance" or "dormancy" fees, ranging from $2 per month to $3, if the gift card isn't used within a certain period of time. All but American Express have expiration dates.
Bankrate surveyed the top 25 retailers, as identified by the National Retail Federation, about the costs, terms and conditions of the gift cards they offer, both plastic and electronic. We also surveyed the four largest credit card companies: American Express, Discover Card, MasterCard and Visa.
Monday, November 20, 2006
I'm sick and tired of hearing about the false dichotomy of WS-Security versus SSL and why its performance is somehow going to be so much better than SSL transport encryption of SOAP-based web services. Pundits often point out that SSL has to encrypt the _whole payload_ while WS-Security can be used to digitally sign and/or encrypt only those attributes that absolutely need encrypting or signing.
This kind of reasoning is preposterous and is nowhere near being based on any facts or data, yet these talking points are ever-popular with the "SOA: the Armageddon is near" or WS-NotJustForBreakfastAnymore crowd.
For these people, I have one simple question for you about the assertion that WS-Security is always going to perform better in software than simply using SSL intelligently for the entire transport:
How is it that you can claim that WS-Security digital signature or encryption (with one _or more_ asymmetric plus 1 _or more_ symmetric crypto operation per request PLUS base64 encoding bloating the request PLUS extra SOAP XML tag hierarchies wrapping the encrypted/signed data section that need to be transferred over the network) is going to be faster in general than SSL (with one asymmetric crypto operation at session initiation, and henceforth 1 symmetric crypto operation per packet)?
It has often been vendors of XML firewalls and Microsoft web services evangelists that are the worst offenders. I'd love to hear some answers you get to this question. I haven't gotten a sensible one yet.
Asymmetric crypto operations are roughly 1000 times slower than symmetric crypto operations. I would love to see actual hard data based on a valid underlying test scenario proving that WS-Security is faster than SSL even in the face of this reality. But nobody who makes these claims has it and I can't see it just based on the orders of magnitude difference between the computing time required for the crypto. That is even before you factor in the additional latency for transmitting the extra bytes for the WS-Security payload and the extra parsing time and the likely need to have to encrypt and decrypt multiple separate data elements individually.
Yes, in the purported SOAP-router kind of network where SOAP is treated as if it were a wire-level protocol there are problems with SSL since it is not end-to-end, but that is a red herring when we are debunking the claims of enhanced performance. Stop changing the subject! There can be a place for WS-Security in some advanced SOA scenarios, but strictly on performance, I can't see there being any comparison. And most people aren't implementing anything like the SOAP architects envisioned anyway (but don't let that stop the vendors from beating that drum). Most people are still using SOAP for point-to-point services which often replace other wire-transports or technologies (e.g. DCOM, CORBA, proprietary XML services, etc.)
Performance issues with SSL have generally nothing to do with the fact that you are encrypting an entire payload instead of just subsets of the data. For small messages that typical SOAP calls are, this is perhaps a few clock cycles per request. I can say from lots of experience with lots of development teams that at least 90% of the performance problems with SSL in general are due to seriously flawed implementations. The other 10% is generally actual performance impact because the systems on which it is running are vastly undersized because the system was not designed to be secure (but rather designed on the omission or hope that they wouldn't have to size it to handle the required security).
If you implement SSL to intelligently minimize the asymmetric crypto operations to the absolute minimum by pooling connections and pinning them up and using keepalives, then you are barely going to notice its impact, especially on properly-sized hardware or if you use hardware crypto accelerators. But if it is done incorrectly, or not accounted for in sizing, SSL will remain the whipping boy of many an environment.
Oh, and I have data showing how SSL can actually _speed up_ connections under certain conditions.
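To put numbers on the argument in this post, here is an added cost model (my own construction, not data from any vendor or benchmark). It counts crypto work in units of one symmetric operation, using the post's rule of thumb that an asymmetric operation costs about 1000 of them: SSL pays one asymmetric operation per handshake and one symmetric operation per record, while WS-Security pays at least one asymmetric plus one symmetric operation per protected element on every request, and inflates the message with base64 and wrapper markup. The record size and per-element wrapper overhead are assumed constants; the point is the ratio, and that an unpooled SSL deployment (a new handshake per request) lands in the same place as WS-Security.

```python
import math

# Relative costs, in units of one symmetric operation. The 1000x ratio is the
# post's rule of thumb; the other two constants are assumptions for this model.
ASYM_OP_COST = 1000
SYM_OP_COST = 1
TLS_RECORD_BYTES = 1400   # assumed plaintext bytes per SSL record/packet
WS_WRAPPER_BYTES = 600    # assumed xenc:/ds:/KeyInfo markup added per protected element


def ssl_crypto_cost(n_requests: int, payload_bytes: int, requests_per_connection: int) -> int:
    """SSL transport security: one asymmetric op per handshake, one symmetric op per record.
    requests_per_connection=1 models the common mistake of a fresh connection per call;
    a pooled, keep-alive connection amortizes the handshake over many requests."""
    handshakes = math.ceil(n_requests / requests_per_connection)
    records_per_request = math.ceil(payload_bytes / TLS_RECORD_BYTES)
    return handshakes * ASYM_OP_COST + n_requests * records_per_request * SYM_OP_COST


def ws_security_crypto_cost(n_requests: int, n_protected_elements: int) -> int:
    """Message-level security: every request does at least one asymmetric op
    (signature or key wrap) plus one symmetric op per signed/encrypted element."""
    return n_requests * n_protected_elements * (ASYM_OP_COST + SYM_OP_COST)


def ws_security_wire_bytes(payload_bytes: int, n_protected_elements: int) -> int:
    """Bytes on the wire after base64 (4 output bytes per 3 input bytes) and wrapper markup.
    Simplification: treats the whole payload as base64-encoded."""
    return 4 * math.ceil(payload_bytes / 3) + n_protected_elements * WS_WRAPPER_BYTES


def compare(n_requests: int, payload_bytes: int, n_protected_elements: int,
            requests_per_connection: int) -> dict:
    """Side-by-side figures for one workload; 'ws_over_ssl' is how many times more
    crypto work WS-Security does than SSL under the given connection reuse."""
    ssl = ssl_crypto_cost(n_requests, payload_bytes, requests_per_connection)
    ws = ws_security_crypto_cost(n_requests, n_protected_elements)
    return {
        "ssl_crypto": ssl,
        "ws_crypto": ws,
        "ws_over_ssl": ws / ssl,
        "ssl_bytes": n_requests * payload_bytes,
        "ws_bytes": n_requests * ws_security_wire_bytes(payload_bytes, n_protected_elements),
    }


if __name__ == "__main__":
    # 1000 small SOAP calls of ~2 KB, one protected element each
    for reuse in (1, 100, 1000):
        r = compare(1000, 2000, 1, reuse)
        print(f"requests/connection={reuse:5d}: ssl={r['ssl_crypto']:>9d} "
              f"ws={r['ws_crypto']:>9d} ws/ssl={r['ws_over_ssl']:8.1f}x")
```

With 1000 requests of 2 KB and one protected element each, a pooled connection (1000 requests per handshake) gives SSL a cost of 3,000 units against 1,001,000 for WS-Security; with a new handshake per request SSL costs 1,002,000, essentially the same as WS-Security. That gap between the two SSL rows is the "seriously flawed implementations" effect from the post.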
TPMmuckraker November 17, 2006 01:35 PM
"You know," McCain said a few moments later, "you are really one of the more astonishing witnesses that I have [faced] -- in the 19 years I've been a member of this [Senate Commerce, Science and Transportation] Committee."
Lautenberger explained that his staff was working on "pieces" of the report, and conceded the November 2004 deadline had been a "difficult requirement to meet."
ABC News: Poll: Elbow Room No Problem in Heaven
Who gets in is another matter. Among people who believe in heaven, one in four thinks access is limited to Christians. More than a third of Protestants feel that way, and this view peaks at 55 percent among Protestants who describe themselves as very religious.
Saturday, November 18, 2006
McCain once had words of praise for Senator Kerry, but he played the repugnican party line during the election and trashed him for his botched joke--acting as if he really believed Kerry, a decorated veteran, was actually disparaging the troops and not Bush. Politics is disgusting. McCain should take what Olbermann said about Rove and Bush to heart:
Crooks and Liars: Olbermann’s Special Comment : There is no line this President has not crossed — nor will not cross — to keep one political party, in power.
Mr. Bush and his minions responded [to Kerry's gaffe], by appearing to be too stupid to realize that they had been called stupid.
Bus driver allegedly flips off Bush so Bush and Reichert complain and the bus driver gets fired. Where is the compassion in that conservative again?
This Is Broken - Bank of America jailing a customer
Matthew Shinnick dropped by a Bank of America branch in San Francisco to make sure a check he was about to deposit wasn't fraudulent. The teller found that the check was fraudulent and told the manager, who then had Shinnick thrown in jail. Are you getting this right? The customer who wanted to make sure he wasn't about to draw on a fraudulent check got thrown in jail by Bank of America. In response, customers have withdrawn at least $50 million (at last count) from B of A in protest. See also Clark Howard's site; he gave this lots of attention in California on his radio show.
Wednesday, November 8, 2006
Monday, November 6, 2006
I was not feeling well but went to work anyway (I thought of resting up one more day and probably should have stayed in bed).
It was the first day back to work after being sick with fever for 3 days.
On my way to the bus stop, after only a 1/2 block from my house, my pants were soaked and my shoes soaked through. The rain and wind have been insufferable this fall!
I reluctantly went back home frustrated and not knowing if there was a way to possibly get to work but not be soaking wet all day. I decided the strategy would be sacrificial clothing. I geared up in my Costa Rica Rain forest gear (all drip-dry) and packed a new dry outfit to change into at work, including new shoes.
Well, the sack that I put my shoes in got a hole worn in it on the way to and from the bus. One shoe fell out on the sidewalk coming into my work building. Fortunately, someone saw it right away and alerted me.
When I went to put my shoes on, one shoe's laces had worn in half from dragging behind my wheeled laptop bag.
Turns out my laptop bag was not waterproof so my dry pants got wet.
Turns out my brand new building downtown Seattle has no hand dryers in the new bathrooms! So, I couldn't quickly dry my new pants.
So, I was stuck with wearing my rain pants while I waited for my others to dry out.
But those pants were still damp enough that they got my chair wet. So I had to switch chairs for the day after putting my dry pants on to avoid getting those wet again.
Sunday, November 5, 2006
Thursday, November 2, 2006