The Truth Imperative (Full Posts Feed)

Wed, 27 May 2026 20:54:05 -0700

Subscribe to follow along in your feed reader of choice!

Artificial definitions

Fri, 06 Mar 2026 09:52:19 -0800

Just saw a post talking about someone predicting when we’ll see “ASI” (artificial superintelligence). The grifters haven’t even managed a decent definition of “AGI”, let alone, “AI”. What is “ASI”? We’re told it’s “defined” by Nick Bostrom. I went to find that definition because the way it was paraphrased didn’t “define” anything in a meaningful way – certainly not in any measurable way.

Nick’s definition of Superintelligence (not Artificial superintelligence, BTW):

‘By a “superintelligence” we mean an intellect that is much smarter than the best human brains in practically every field, including scientific creativity, general wisdom and social skills.’ ¹

If I asked what “a” was and you said “b and c”, that answer is a non-answer because it replaces one unknown “a” with more unknowns “b” and “c”. Uncertainty divided into smaller pieces of uncertainty is still…uncertain…

What is an “intellect”? What does “much smarter” mean? Before that, what does “smarter” mean? What does “practically” every field mean? That’s a weasel-word.

The author’s specific examples are baffling as well. Why these three things? If we had a definition of “smarter” above that doesn’t exist, that might help.

“scientific creativity” - definition? Creativity correlates to “smarter”? “general wisdom” - definition? “social skills” - puzzling - how does this relate to “smarter”? Now I really need to see that definition of “smarter” and “much smarter”!

How long before superintelligence? (2026, March 06). Retrieved from https://nickbostrom.com/superintelligence ↩︎

My Mentoring Journey with Community For Youth

Fri, 16 Jan 2026 11:40:44 -0800

Mentoring with Community For Youth changes lives – it changed mine! It made me more accountable, so I can be true to my word and bring my authentic self. It also taught me to get comfortable being uncomfortable and the power of vulnerability. CFY mentor training and experience also prepared me to be a better mentor as a leader throughout my career.

I was a youth mentor for the nonprofit Community For Youth (CFY) in Seattle for 10 years. What kept me going as a mentor for 10 years? Well, there are both “unselfish” and “selfish” reasons. My “unselfish” reasons were to give back to the community where I live and do something meaningful. However, I got so much in return from the amazing, powerful community of mentors and students! Some of my “selfish” reasons to stay with CFY were: the inspiring students, the personal growth I experienced, the supportive community (some of the most kind-hearted people I’ve ever met), and the fun you get to have!

Mentoring can be fun! I value joy and play. At CFY, the most memorable part of the program is going to camp to kick off the year. You work and play hard at camp, getting to know the students and mentors so that you can find your match - and your match can find you. I found that connections and earning trust are easier (and more enjoyable) when you hang out and have fun together. One year, the mentors in my “family group” took students to “Fright Night,” where we experienced the thrills of the Wild Waves amusement park in the spooky darkness.

For anyone on the fence about mentoring, I recommend not overthinking it. Youth are looking for someone who shows up and is there when they need them. You can be that consistent, positive connection! Couldn’t we all use that in our lives?

Mentoring youth is a hard job, but the “C” in CFY is community - there to support you and your student."

Learn more at Community for Youth

Update: Google Play store not taking advantage of Safe Browsing data to inform risk of apps in the store

Tue, 27 Apr 2021 07:59:00 -0700

I realized that I had never closed the loop on the flaw I discovered in the Google Play store years back.

I had discovered a missed opportunity for Google’s own Safe Browsing information to inform the Google Play machine learning to detect suspicious mobile applications and alert users or block those apps and potentially force them through a human review cycle to verify them.

During an incident at JP Morgan Chase, we were alerted to a malicious banking application in the Google Play store targeting JP Morgan Chase customers. The URL in the Google Play application listing was correctly flagged by Google’s own Safe Browsing API as malicious. However, Google’s Android app review did not consider this information when deciding to allow the application to be published. Nor did Google Play take advantage of this information to flag the app for review or unpublish it or even warn users that the application may be suspicious due to its association with the malicious URL.

Google chose not to fix this. Closed as “Won’t Fix (Infeasible)” ¯\_(ツ)_/¯

It’s no surprise to still see articles like this 5 years later, Google Play Store Is Main Distributor of Malicious Apps, Study Reveals. (2020, November 12) and this one from just *yesterday* Malware From Google Play Store Infects 700,000 Users. (2021, April 26)

Their official Android safety page has this gem:

Google Play Protect helps you download apps without worrying if they’ll hurt your phone or steal data. We carefully scan apps every day, and if we detect a bad one, we’ll let you know and tell you what to do next. And we study how it works. Because everything we learn improves the way we screen apps. So you stay safer. https://www.android.com/safety/

Well, they’re not using “everything we learn” to “improve the way we screen apps”.

My original questions to the Android team are still unanswered:

Is Google Play store taking advantage of Safe Browsing API data to identify risky appstore apps?
Is it able to flag app uploads that match risky Safe Browsing data and block them from the appstore unless there is human review, for example?
Is it able to hide or flag applications that are already in the Appstore so that unsuspecting users do not unwittingly install a likely malicious application associated with unsavory sites?

My original writeup:

Google Play + Safe Browsing = Safer Android Mobile Ecosystem. (2015, April 7). Retrieved from https://truthimperative.axley.net/2015/04/google-play-safe-browsing-safer-android.html

Google Play Safe Browsing Safer Android Mobile Ecosystem

Tue, 07 Apr 2015 13:54:00 -0700

A recent incident at my work came to my attention involving a takedown request for an unauthorized app in Google Play using my company’s brand. This happens often in appstores all over the world, which is why having brand protection monitoring for these is really critical. It is all too easy for these to slip into even legitimate appstores like Google Play.

One thing I noticed when I was investigating this incident was that the Google Play application page has a section that allows a developer to specify a website link, with a name “Visit Website”.

Google Play app metadata, including Visit Website

I happened to notice that the website link for the application in question also included our brand/company name in the URL. I wanted to visit it to see what else I could learn from what they had on that site. When I clicked on the link, however, it went through a redirect at Google (e.g. https://www.google.com/url?q=https://example.example.com) where Google Safe Browsing actually flagged the URL as a phishing site.

Google phishing warning

Which made me wonder - if Google’s left hand (Safe Browsing) has knowledge of a suspected phishing site, shouldn’t that inform Google’s right hand (Google Play) that any application tied to such a URL is also potentially untrustworthy? Essentially, if trust can propagate transitively, then the opposite (suspicion / risk) should also propagate transitively. If you take this even further, you should propagate that suspicion through a graph from the app containing the suspicious link up to the developer of the app and then back down to any other app that developer has associated with them in Google Play. This would be something that would be easily automated given the description of the machine learning in the Google Android Security 2014 Report already done to analyze applications:

“Google’s systems use machine learning to see patterns and make connections that humans would not. Google Play analyzes millions of data points, asset nodes, and relationship graphs to build a high-precision security-detection system.”

I would then imagine Google Play could take one or more of several actions if URLs are provided that get Safe Browsing scores low enough:

Apps or developers and their apps could be delisted from Google Play until a human has reviewed the URL and app in more detail. Google announced just last month they are going to be augmenting human review of apps in Google Play so this would dovetail with those efforts.
Google Play could and should include clear, usable UI warnings for users searching and browsing apps about the suspicion/risk so that they can make informed trust decisions.
The Google Play Verify Apps could further come into play if apps are confirmed malware/badware/Potentially Harmful Apps (PHAs) to warn users who may have already installed such an application or block the app. This would also seem to dovetail with other recently-announced efforts in their Google Android Security 2014 Report to help crack down on these kinds of applications in the Android ecosystem.

Beating The Open Source Is More Secure Straw Man

Mon, 16 Mar 2015 20:52:00 -0700

Given all of the serious security flaws in open source software lately, such as OpenSSL, it has been frequent subject of posters to use the open source hack-du-jour as a counterexample to a purported claim that “open source software is more secure” than proprietary software. And I just saw it come up again the other day:

Thank you OpenSSL for the one word answer when people claim open source software is secure. — Ryan Lackey (@octal) March 15, 2015

The problem with these statements is it seems to be a rampant straw-man. When I see them come up, I wonder, “Who in the world is actually making the positive claim that open source software is, in fact, more secure than proprietary software?” Is someone actually making these claims that are being “countered”? On what basis could they even make such a claim?

So, I started to search for specific examples of specific individuals making this specific claim that “open source” is “more secure” and I found it more common to claim someone believes this than to cite actual examples.

I’ve found a lot of discussion of the topic, such as this treatment from David A Wheeler “Is Open Source Good for Security?.” But even in those discussions, nobody quotes a specific person making this specific claim. Is everyone arguing with a straw man? Many articles have been written to debunk this “myth” of software security (this yields over 2 million hits in Google), yet not a single one seems to cite any source to back up the fact that this is even a myth at all? The best I found was Jon Viega’s piece from 2004, “Open Source Security: Still a Myth” where he actually refers to nameless people he’s encountered as believing this, but with David A Wheeler as being the only named proponent “Why Open Source Software / Free Software (OSS/FS, FOSS, or FLOSS)? Look at the Numbers!.”

Much of the genesis appears to be an extrapolation of Eric S Raymond’s famous assertion that, “given enough eyeballs, all bugs are shallow”, which certainly does not seem to hold up in the general software defect case let alone security defects. I’m not sure how many actually believe that this is true in general these days, or even whether it is common for the average developer to believe that it leads to better security. It certainly does not seem to be a common “myth” that is promulgated by promoters from my searching - it’s more the detractors that promote it as a myth.

Anyone know who the main proponents of this “myth” are these days? Why aren’t they called out in articles?

Free Community For Youth Lunch That Will Feed Your Soul

Wed, 20 Aug 2014 21:38:00 -0700

Community For Youth Changes Lives. I Know – It’s Changed Mine!

Personal Integrity. The CFY curriculum and core values have challenged the students in the community as well as mentors like me to be our best selves. When I started, I didn’t challenge myself with clear life goals and share them with others. I was too afraid of opening myself up to the shame of failure. However, through CFY, I’ve come to learn that sharing goals with a powerful community that can support you is exactly what can actually increase your chances of success. You learn to be more accountable to yourself by being accountable to a supportive community. And this has bled over into my daily life so much that even for small commitments, I maintain personal integrity. “Darn, I did say that I was going to bike to work tomorrow. Guess I have to suck it up and do it.”

Authenticity. I didn’t realize how much compartmentalization went on in my head regarding how I presented myself to others. We learn together how much more pleasant it is to be your own true self and how richer your connections are when you are not holding back or censoring yourself unnecessarily or trying to be someone you are not. “You let your students see your Facebook posts?” Sure. What I post and what I believe are important to me and I only share what interests me. Who I am or believe should not be something that I have to parcel out in small doses to particular people. It’s much freer to just be myself. How do people know they have something in common if they don’t share of themselves anyway?

Vulnerability. I felt somewhat comfortable in front of crowds, strangers talking about something abstract or technical. But CFY challenged everyone, including mentors, to share openly as your true authentic self. “Get comfortable with being uncomfortable”, we say. That was initially a very difficult thing for me to get used to, “You want me to talk about personal things…in front of everyone?” But you quickly find that, as social animals, human relationships are strengthened by vulnerability because it cuts through the pretense and superficiality that we often use when interacting with others – that’s not authentic and it shields you from truly connecting with others on a deeper level. Oh, and one of the biggest ways this has always manifested itself in my live is my reluctance to ask for help and instead go-it-alone. I’ve definitely gotten better at realizing when I need help – not perfect – but better.

There are many, many other ways that I’ve changed. And I have seen my students and other students change as well because of CFY. It truly does change your life and although you don’t always get direct evidence of it, the student’s lives are changed as well.

The most moving experience of a transformation I can recall from my 8 years with CFY was when a student who had been paralyzed by fear when speaking in front of crowds was encouraged to perform her spoken word poetry in front of the whole community at one of our weekend retreats. It took her a while to warm up to the idea and when she started speaking, my jaw dropped. She gradually transformed into a confident young woman creatively and boldly expressing herself through her words – compelling us to feel them as she felt them. She said later that she was incredibly nervous but honestly I had no idea. You could hear a pin drop in that room. Everyone was blown away in rapt attention. That was a turning point for her. From that point, she was able to challenge herself more and grow into a real leader with things to say and express with less and less fear. Truly inspiring.

That kind of growth and moving experiences is one of the most rewarding aspects. But even the challenges are rewarding. You are faced with situations and kids in situations that you never had to face in your life. Sometimes you’re thinking, “What the f* do I do with that?” But, you have a supportive community to help find ways of dealing with those solutions. Then that experience of tackling and possibly overcoming that challenge just makes you more ready for the next challenge in your own life.

This upcoming year will mark 9 years as a mentor with Community For Youth (CFY). It is impossible to sum up the impact that CFY has had on the community, the students it serves, and the mentors (especially myself) in a simple blog post. But there is an opportunity coming up that is far better that I hope you take me up on: come have a free lunch downtown Seattle on September 30th and learn about CFY, hear from the 2013-2014 mentors of the year, and on top of that, you get to hear from Seahawks wide receiver, Doug Baldwin.

The lunch is an opportunity for those who might know that I’m involved with Community For Youth but may not quite know what it’s all about. I absolutely love CFY and would appreciate any opportunity to share my experiences for others to see how impactful the program is. You can sign up at www.communitylunch.com and join me at my table.

Get Inspired

In a student’s own words, on the importance of CFY to their life.

“I appreciate the work that everyone has contributed in one way or another, to keep this program alive. Because there are teenagers like me, who need people, even if it’s just one person, to believe in them.” - See more at: https://communityforyouth.org/2013/04/my-introduction-to-cfy/#sthash.Xk9ZikAj.dpuf

Even if you can’t join, you should take some time to watch this 12-minute video to learn about who we serve from the students and mentors that are part of this powerful community. And if you’re feeling moved or generous or both, you can head on over and donate to Community For Youth too! and Community For Youth from Greg Hay on Vimeo.

Ios Clients Not Vulnerable To Heartbleed What Does The Source Say

Thu, 17 Apr 2014 15:05:00 -0700

Apple’s language in their assertion that they are not vulnerable to heartbleed on iOS are troubling as they specifically say (via ReCode), “IOS and OS X never incorporated the vulnerable software…” However, not incorporating the vulnerable OpenSSL software is merely one way that their customers could have been made vulnerable. What about the Apple SSL/TLS implementation? Has anyone checked it? Did they incorporate RFC 6520 for heartbeat support? I couldn’t find anything Google so figured I would share what I found.

Since the Apple SSL library code is open sourced, we can actually look at the code. And based on my read of the code, Apple doesn’t even implement the heartbeat extension. https://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshake.h doesn’t even define the heartbeat helloextension code 15 in the data structure:

/\* Hello Extensions per RFC 3546 \*/
typedef enum
{
 SSL\_HE\_ServerName = 0,
 SSL\_HE\_MaxFragmentLength = 1,
 SSL\_HE\_ClientCertificateURL = 2,
 SSL\_HE\_TrustedCAKeys = 3,
 SSL\_HE\_TruncatedHMAC = 4,
 SSL\_HE\_StatusReguest = 5,

 /\* ECDSA, RFC 4492 \*/
 SSL\_HE\_EllipticCurves = 10,
 SSL\_HE\_EC\_PointFormats = 11,

 /\* TLS 1.2 \*/
 SSL\_HE\_SignatureAlgorithms = 13,

 /\* RFC 5746 \*/
 SSL\_HE\_SecureRenegotation = 0xff01,

 /\*
 \* This one is suggested but not formally defined in
 \* I.D.salowey-tls-ticket-07
 \*/
 SSL\_HE\_SessionTicket = 35
} SSLHelloExtensionType;

Then in the implementation https://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshakeHello.c, they actually only support one extension, SSL_HE_SecureRenegotation. All others return an error code.

 switch (extType) {
 case SSL\_HE\_SecureRenegotation:
 if(got\_secure\_renegotiation)
 return errSSLProtocol; /\* Fail if we already processed one \*/
 got\_secure\_renegotiation = true;
 SSLProcessServerHelloExtension\_SecureRenegotiation(ctx, extLen, p);
 break;
 default:
 /\*
 Do nothing for other extensions. Per RFC 5246, we should (MUST) error
 if we received extensions we didnt specify in the Client Hello.
 Client should also abort handshake if multiple extensions of the same
 type are found
 \*/
 break;
 }
```So, it appears from the library code that they would not be vulnerable to this bug at all.

Using VNC to securely connect to OSX without exposing an unlocked console

Sun, 13 Apr 2014 22:27:00 -0700

I couldn’t believe how supremely difficult it is to securely use VNC to access an OSX mac remotely. Turns out that by default, using a standard VNC client (as opposed to an Apple Remote Desktop client) does not afford you an option to have the physical console lock when someone connects to the VNC server. Some third-party clients make this an option, but all that I could find were paid VNC clients that support it. It is somewhat ridiculous that this setting is left to the client rather than enforced on the server, but I digress…

I tried a few things suggested, such as enabling the screen saver or screen blanker, but those did not solve the problem as they did not differentiate between the VNC session and the physical desktop session so applied equally (the only states that were valid were either both unlocked or both locked). Other options people suggested were to just turn the screen brightness all the way down. This is security through obscurity though (the display is still unlocked and anyone who can get to your mouse/keyboard could mess with your computer, they just would be blind to what’s on the screen). It also seems problematic for usability (imagine you turn the brightness down and then come into the office the next day; how are you supposed to see the screen when you login if the brightness is still forced to the minimum?)

The solution I found that had the right security and usability properties was to use fast user switching + the Vine VNC Server. This enables you to have a different set of content on the physical display from what you see remotely on VNC. Unfortunately, fast user switching with the Apple VNC “Screen sharing” server doesn’t work. It mirrors your display exactly to the VNC display so does not allow you to have separate physical and remote displays. I presume that’s why it has a name like “Screen sharing”. It’s also not surprising that this doesn’t quite work as well outside of the Apple monoculture.

Download and install Vine VNC Server
Enable Fast User Switching on the mac

Enable fast user switching on OSX Mavericks

Connect to Vine VNC Server on OSX with any VNC client (e.g. on port 5901). I configure Vine to require SSH so it doesn’t listen to any remote port and requires SSH port tunneling to use it. Less attack surface.
Go to the fast user switching menu and select “Login Window…” When you do this, the physical display will change to the login screen but the VNC window will remain unlocked and functional, as desired.

@ = Fri 11:54 AM © @ Iason axiey ~ Login Window… Users & Groups Preferences…

Switch to login screen

I Get An Irs Scam Voice Mail

Sun, 13 Apr 2014 22:22:00 -0700

Had to share this hilarious voice-mail I received from an IRS scammer (happened to come in with Unknown caller ID – I read online that others had been spoofing US phone numbers for caller ID in the past). The transcript does not do it justice. I laughed out loud when I heard the phrase, “and you get arrested” as that is precisely what one would expect to hear from the IRS.

They actually tried calling me back and I got to talk to one of the people that afternoon, but my crummy cell service in my office resulted in the call dropping before I could chat with them too much. I told them that I didn’t believe them that they were from the IRS. Maybe they’ll call back again this week?

I plan on reporting it, as suggested. Head over to the IRS Tax Fraud Alerts page. Perhaps the best channel will be via their Phishing page. The IRS warning regarding this scam provides some information but there is of course no direct links to report the issue. I wonder if the 20,000 that reported it are a small fraction of those victimized since it’s so difficult to find a way to report it? They also suggest lodging a complaint with the FTC as well, but that is also somewhat difficult to determine how to categorize it for reporting.

See also: “IRS monitor: $1 million phone scam ’largest ever’ - Mar. 20, 2014 .” Last modified 04/14/2014 05:10:31. https://money.cnn.com/2014/03/20/pf/taxes/irs-phone-scam/ (accessed 4/13/2014).

Upgrade your browser. It should really support HTML5 audio.

Transcript

Good morning. This is Willy [“Villy”] Mandersen, calling you from Internal Revenue Service…Crime Investigation Department. The nature and the purpose of this call is just to let you know that….we have received…a legal petition notice…against your name…under your social security number. So, before this matter goes to the Federal claim court house…and you get arrested, kindly call us back at (866) 978-8320. I repeat (866) 978-8320. Remember, don’t disregard the message…as it is very important for you. And if you don’t return the call, then the situation will be worse. So take care about it, and call us back as soon as possible. Goodbye.

What's wrong with the Amazon mp3 store on Android?

Tue, 08 Oct 2013 21:40:00 -0700

First, I’m a big fan of amazon mp3. They offer high-quality DRM-free music that plays on anything and often at very competitive prices. And they make it very easy to spend a good amount of money and get some quality music. Their suggestions and free content have also been where I’ve discovered lots of new artists, such as ZZ Ward.

But I absolutely abhor shopping for mp3s on my mobile phone on Amazon’s mp3 app. Their interface on mobile only gives you these features:

Search
Recommendations
Bestsellers
New Releases
Genres
And some individual highlights, such as a $0.69 song, Latin song, Hot Single, one Free Song, a $5 album, a Song of the week, and an Album of the week

Amazon mp3 store in Chrome on Android

Amazon mp3 Android UI

Amazon mp3 desktop website

All of the categories let you view by Album or Songs. And one of the first annoying things is that there is an arbitrary limit of 100 items in each of the categories. What song/album is the 101st New Release? What if I want to keep shopping down the list? What if I own or don’t care about the top 100?

Grievance list:

100 item arbitrary limit, regardless of the category, with no way to keep scrolling for more. Although I do see that even the desktop site caps the list at this arbitrary number. Lame x 2.
No way to view song/album reviews, other than a static star-list. This is one of the highlights of the Amazon mp3 experience on the desktop that I find most useful (and often entertaining).
No way to rate songs/albums on mobile. Oops, a prerequisite for contributing (or benefiting) from the crowdsourced content is that you must first go to Amazon and buy a PC.
No access to the sub-lists within the category. One of my favorites has been the Top 100 Free lists. Another fun one is their monthly $5 albums list. I’ve found some great artists just perusing those lists. But sadly, on mobile you have no inkling they even exist. At least their HTML website on mobile has those (but even then the UI takes many cues from the mobile application).
No child lock. At least Amazon VOD on my Roku has a PIN code that I need to enter before purchasing videos to keep my kids from draining my bank account. Be careful who you give your phone to!
What you miss out on from the desktop site:
Hot New Releases
Movers & Shakers
Top Rated (another failure to enable social media to help drive sales)
Featured Albums, Editor’s picks, Artists on the rise, etc. (no ability to take advantage of Amazon’s music buyer curation, which is quite good. I’ve found lots of good music that way)
Customers who viewed/purchased X also viewed/purchased Y
All of the “deals” lists. You get only a light mist of them.
No wish list integration. Where’s a list of the music on my wish list? Can I add an item to my wish list rather than just buy it now?
Lack of a Play All button to play all samples. The desktop site has it. You somehow have to know that it will automatically play all (but this doesn’t give you a choice to listen to one without listening to all)
Lack of larger cover art.

I gave their HTML website a whirl in Chrome on Android and, although better in a few areas, it still has some of the annoying limitations that drive me back to a PC (the most annoying is when the _functionality_ of the site is artificially pruned, so you don’t even know it exists). I would love to get rid of my PCs and have nothing but tablets, but all too often the mobile experience on apps is completely butchered and hobbled to the point where you often have no choice but to fake a desktop browser or just open up the laptop. But I digress.

What they did right:

Long-press context menu on an item lets you “Shop album” or “Shop artist”. Nice way to explore “more”
Music previews good quality and have continuous play for sampling
Convenient to quickly purchase songs/albums you just heard.

I could rant about the cloud player annoyances, but they are far fewer.

Where Google Play Music Store on Android shines:

Clean, intuitive UI with swipe interaction model
Infinite scrolling lists of Top Albums, Top Songs, even Recommendations, etc.
Wish list integration
Free-music lists
Personalized recommendations right on the home screen based on genres and artists in your existing collection
Video integration
Clear Play All button to play all samples.
Larger thumbnails and ability to click and see a larger version you can actually see
You can read the reviews!!! And contribute your own. And moderate the reviews.
Integration with Google+ for sharing/liking content. Would be nice if there were other options than Google+ though.
Integration with Android Share to send via twitter, email, etc.
Parity with the desktop site (it’s the same thing, only with more real-estate)

Google Play Music Desktop site

Google Play Music App on Android

Google Play Music is rather annoying for purchases, especially forcing you to go through the same workflow for free songs as if you were “buying” them (really works to discourage “buying” multiple Free tracks, which may have been a business requirement – I don’t know). Too many clicks (even on the desktop).

At this point, what I would wish for these things to be fixed:

Update the UI to take advantage of mobile capabilities and gestures. Swipe from tab to tab to fluidly navigate
Remove the 100 item cap and make everything infinite scroll lists.
Abandon the “mobile crippleware” design strategy that so many have fallen in love with and maintain parity with the desktop site for accessing all of the same content. If you are concerned about UI bloat, there are ways of handling that (just look at Google’s approach for one). I prefer to have the options available _somewhere_ even if hidden in another menu somewhere.
If you can’t get the functionality into the mobile app, at least enable links into the mobile web version of the site from the Android app to allow for accessing the functionality
Remove the “mobile crippleware” design strategy on the mobile website to also maintain parity with the desktop site.
Take advantage of the curated content to drive sales!
Take advantage of user feedback and your preferences engine that works rather well on the desktop site to enable social exploration of other users who may have similar tastes to discover new music.
Enable social integration. I’ve often wanted to share a song I just heard or a playlist publicly but cannot
Push notifications could be employed in a limited way (ideally, fully user customizable) to notify when the new $5 list of albums are out, new free songs, highlighted curated content, etc. I’d sign up for them.
Here’s an idea, since you have access to the Android media list, you could maybe actually recognize in the UI when I’ve already purchased a given album/song (either from Amazon or elsewhere). You don’t even do that for stuff in my Cloud Player for some strange reason.

Seattle Area segregation

Wed, 25 Sep 2013 21:27:00 -0700

The Best Map Ever Made of America’s Racial Segregation | Wired Design | Wired.com

White people seem to love them some waterfront property in Seattle. This is fascinating. Go check out your neighborhood on the map. There are clearly pockets of similar ethnicity divided by street boundaries.

Humorous Page Not Found Error Page

Wed, 25 Sep 2013 21:13:00 -0700

This is great! (from https://www.computershare.com/Style%20Library/Images/404.png

Information Warfare Via Url Shorteners

Wed, 18 Sep 2013 23:21:00 -0700

As I’ve used Twitter more, I’ve noticed how many of the shared URLs are shortened. And to think that the Library of Congress is archiving all US tweets, how many will actually be usable at some point in the future? Hopefully their process logs the resolved actual URL instead of the shortened one. When I restored my blog, it was amazing how many broken links I found. I stopped fixing them. That’s just the regular web. Adding URL shortening is another level of indirection that is also another failure point.

As an information security guy, there’s another downside and that is just how secure are the shortened URLs now and long into the future from malicious redirection, including information warfare? Shortened URLs give a single entity enormous power into the future to do some pretty bad stuff. And I was wondering about the choice of Top-Level Domains (TLDs) that are used for URL shortening services. Just how stable are those politically? What kind of information warfare opportunities are there? Which URL shorteners have better security properties given all of the possible attack vectors? How powerful a political statement would it be if all of the shortened URLs were replaced by a political statement or terrorist threat for almost everything referenced on Twitter? You’d be able to gather a lot of eyeballs and press by doing that to get your message out.

bit.ly and ow.ly - both very popular on Twitter (as well as several others using .ly). The LY top-level domain is controlled by Libya. I can’t see a problem with them controlling where my links go now or sometime in the future, do you? Information warfare, anyone? Libya is on the US State Department’s list of travel warnings, with this summary of the stability of the region, “The security situation in Libya remains unpredictable. Sporadic episodes of civil unrest have occurred throughout the country.”
su.pr - Stumbleupon’s url shortener service. The PR TLD is Puerto Rico, an unincorporated US territory. So it probably would be more likely to have reasonable protection from information warfare except of course at the behest of our own US government.
cli.gs - this shortener service got hacked in 2009. The GS TLD is for South Georgia & South Sandwich Islands, which is a British territory, so presumably it is relatively stable and western-friendly.
goo.gl - a newer entrant, run by Google. The GL TLD is Greenland, which is part of the Kingdom of Denmark. Interestingly, Denmark is “frequently ranked as the happiest country in the world in cross-national studies of happiness”, Wikipedia
is.gd - A service that has an interesting terms of service about being an ethical URL shortener. The GD TLD is actually Grenada The world bank publishes XML data apparently that includes probability of political instability/terrorism for various countries, including Grenada. The current data shows a measure of the Political Stability and Absence of Violence (PV) – “capturing perceptions of the likelihood that the government will be destabilized or overthrown by unconstitutional or violent means, including politically-motivated violence and terrorism.” of 0.44. However, the USA’s data is continuing up and also has a 0.54. Earlier this year, the .gd domain and two others were also hijacked due to a dispute over control ov"er the TLDs.
tr.im - a shortening service that shut down in 2009 (but appears to possibly be back?)

Given these factors, I’d first suggest you run your own shortener service if you want full control and assurance of longevity (assuming you can build and operate such a thing securely). But if you had to pick a service, I’d go with a service running on a stable TLD registrar not likely to be subject to political wills of the host country and hosted by a company not likely to be going anywhere for the next few decades. Or just consider all communications using URL shorteners to be ephemeral and consider the likely non-functioning in the future a security precaution against future government snooping, perhaps.

On URL Shorteners is a discussion of the risks and issues with shorteners from 2009

Some other takes on them from around the web that summed up some of the general thoughts I had about them (if you care about your content being usable down the road and care about whether someone could take your visitors for a ride to malware-town)

An Unwelcome Reminder of the Nature of URL Shortening Services, “if you care about the long-term survival of your external links, steer clear of URL shortening services, no matter how convenient they may at first appear.”

Why I’m creating my own URL shortening service “I suppose that one of the driving forces behind this is my training as an archaeologist (we don’t like throwing things away, generally, and that includes data). I can’t archive the pages I link to, but at least I can give folks in the future a better chance of finding what I’m linking to.”

Seattle Infosec calendar

Thu, 11 Jul 2013 00:34:00 -0700

I searched and didn’t find a Seattle-specific Information Security calendar showing not only conferences, but smaller security events. So I created a new public one. And I guess that means now I’m maintaining one ;-)

If you know of something I’ve missed, let me know and I’ll add it.

To subscribe: ICAL, XML

Full browser web view

What can we learn from the ZRTPCPP / Silent Circle debacle?

Tue, 02 Jul 2013 23:37:00 -0700

07:00

As a way of background, Phil Zimmerman’s company Silent Circle became wildly successful recently after Snowden’s disclosures of extensive NSA data collection of telephony “metadata” and “data — including e-mails, videos, pictures, and connection logs — from the main servers of Microsoft, Google, Apple, and other leading U.S. tech companies” (1). “Mike Janke, one of the founders, estimated that the number of new customers for its subscription-based service surged by 400 percent” (2)

Mark Dowd from Azimuth Security “decided to take a brief look at the GNU ZRTPCPP library (https://github.com/wernerd/ZRTPCPP), which is a core security component of various secure phone solutions (perhaps most notably, the impressive SilentCircle suite of applications).” (3) He found several disturbing vulnerabilities in this library, including heap overflows, stack overflows, etc. that can lead to remote code execution or crashing the application. Additionally, Matthew Green found an implementation issue after a casual review.

Several applications use the same library, but most are open source free software applications. Silent Circle, however, is a commercial venture started by PGP’s Phil Zimmerman. And commercial entities, especially offering a service and product set completely geared toward security and privacy should probably be expected to have an application security program and sufficient tooling and resources to validate and vet its wares. And they claimed to have had done this. However, due to the glaring bugs that were identified in the ZRTPCPP library that they mainly funded development of through its author, Werner Dittman, it is clear that their controls program to ensure security of their product is wholly inadequate and they admit as much

“[W]e audit and test our own work and pay others to audit and test it for us. Obviously, in this case, the auditing failed. It was my understanding that all of the libraries that we used were audited, as well as all of our own code. The fact that these problems were missed suggests that there is a problem with the auditing process, that either not all of the third party libraries were audited or that somehow the auditing was not rigorous. Besides developing, testing and deploying these fixes, we will also be looking into the process.” (4)

When I learned the details, I wondered what can other entities that either have application security programs in place (or should) learn from this?

Even security software companies make mistakes and imperil security – sometimes they make some doozies

So, don’t assume that because a company has a security stalwart like Phil Zimmerman or that it’s in the security business that it is immune from the software security problems most everyone in every organization is dealing with.

Open source does allow for “more eyes” to potentially make “all bugs…shallow” but it’s not a guarantee. “open source can be reviewed by more people than proprietary software, but I don’t think it is reviewed by more people than proprietary software.” (5)

ZRTPCPP code had these bugs for roughly 6 years before they were found, and there were not just security bugs but double-increment bugs in loops and other issues. Third-party dependencies need to be evaluated as part of your threat model and the same scrutiny needs to be applied as you would to your own code. Probably even more so as you also need to consider other non-technical issues with each such as third-party viability, responsiveness, etc.

Use static analysis!

Several of these bugs are trivial for static analysis tools to find. For C++ code, there’s even the clang analyzer that is open source. This should be part of the build process and findings validated and hopefully fixed prior to release.

Trust, but verify your application security controls

So, you paid a chunk of change to an external party to vet your code for security issues and you got a clean bill of health. That means you can rest easy, right? Not necessarily. Absence of evidence is not evidence of absence. There are myriad reasons that an external assessment did not yield results. It could have been that the tester had inadequate experience or perhaps was not thorough enough or was just plain incompetent – all would yield equally “impressive” results. Ideally, you should be vetting your external partners to ensure they are able to catch flaws. You could even purposefully include code with known issues as a test.

Write unit tests – and ensure they execute as part of every build.

How can you trust code without any unit tests, or if the tests are not continuously executed to guard against new bugs being introduced, especially code that needs to accept arbitrary untrusted inputs that can be malformed in myriad ways? Looking at the github repository for the library, I see lots of application C++ code, but I don’t see any folder with “test” in it. I see a couple of files in the “demos” directory with “test” in the name, but based on their function and the README, they are examples of how to use the code, not defensive tests ensuring the correct functioning of the implementation (which should include both happy path cases and negative/boundary cases).

Even if you’re the best coder in the world and think you don’t need tests, what about the next person to make a change to your code or the team that inherits your code for maintenance who lacks your skill and familiarity? How can you ensure correct, safe operation now and in the future without code to check your code? What if an implementation (or security) bug is found in your code? How do you validate your fix works? How do you ensure that the same issue doesn’t get re-introduced later? Unit tests can do all of this for you while you sleep and your continuous integration (CI) build runs.

Security software needs to be the leader in this. If those in infosec can’t write secure software and follow secure development pracices, what are the chances for the rest of us?

Fuzz your network code. (and fuzz your other code as well)

This could be a corollary of the unit test recommendation. Code expecting untrusted inputs from outside should be fuzzed with random inputs and boundary conditions to validate your parsing and buffering code is sufficiently robust against active attacks. Fuzzing can help find other test cases that your unit tests may not be covering. If you find anything – fix it – and write a unit test for it so you will ensure that your code will remain immune to that issue in the future.

(1) “NSA Reportedly Mines Servers Of U.S. Internet Firms For Data : The Two-Way : NPR.” Last modified 07/03/2013 04:04:55. https://www.npr.org/blogs/thetwo-way/2013/06/06/189321612/nsa-reportedly-mines-servers-of-u-s-internet-firms-for-data (accessed 7/2/2013).

(2) “Startup sees boost in business following news of NSA surveillance - Washington Business Journal.” Last modified 07/03/2013 04:06:02. https://www.bizjournals.com/washington/blog/techflash/2013/06/startup-sees-boost-in-business.html (accessed 7/2/2013). (3) “Azimuth Security: Attacking Crypto Phones: Weaknesses in ZRTPCPP.” Last modified 07/02/2013 13:28:12. https://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html (accessed 7/2/2013). (4) “Impact of ZRTP library critical security vulnerabilities · Issue #5 · SilentCircle/silent-phone-base · GitHub.” Last modified 07/03/2013 04:38:41. https://github.com/SilentCircle/silent-phone-base/issues/5#issuecomment-20232374 (accessed 7/2/2013). (5) " Microsoft’s Many Eyeballs and the Security Development Lifecycle - Thinking About Security - Site Home - MSDN Blogs ." Last modified 07/03/2013 04:52:27. https://blogs.msdn.com/b/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx?Redirected=true (accessed 7/2/2013). (6) “What Happened With ZRTP This Week | Silent Circle Blog.” Last modified 07/03/2013 05:10:20. https://silentcircle.wordpress.com/2013/06/29/what-happened-with-zrtp-this-week/ (accessed 7/2/2013).

Mountain Lion Easter Egg References Debut Of Original Apple Macintosh

Fri, 21 Jun 2013 13:31:00 -0700

How clever. I just noticed this today.

Mountain Lion easter egg references debut of original Apple Macintosh: Mountain Lion easter egg references debut of original Apple Macintosh

Incomplete downloads in OS X 10.8 Mountain Lion show a “Date Modified” of Jan. 24, 1984, a reference to the day when Apple’s very first Macintosh was unveiled by Steve Jobs.

Ross Anderson Response About Payments System Weakness

Thu, 20 Jun 2013 00:46:00 -0700

“You complain that our work may undermine public conﬁdence in the payments system. What will support public conﬁdence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.”

https://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf

Zombie Juxtaposition blog coming back to life

Thu, 20 Jun 2013 00:43:00 -0700

I’ve had it on my TODO list to resurrect my blog posts and import into Blogger and finally started doing it. So, you’ll see lots of former posts coming back. I’m trying to review each one and clean up any formatting issues or easy to fix broken links or images.

My incentive was that summer is here, but I could not find the recipe for My New Concoction: The Adele Claire. And I’m also going to be crafting a new creation in honor of my son. Now it is back so enjoy an Adele Claire and read some history ;-)

It is actually somewhat sad to see old topics back in the news again:

FISA, warrantless wiretaps, telecom immunity
Obama vs. his former self (he was running anti-FISA)

Oh, how times change yet stay the same…

Devaluing Harassment

Thu, 28 Feb 2013 23:24:00 -0800

I’ve been taken aback lately by a variety of claims on blogs and twitter of someone “harassing” someone else or “stalking” them. People seem to throw these words out so cavalierly that they are in serious danger of being devalued; watered down so that they have no substantive meaning.

I wanted to do my own research to provide those who might be tempted to throw these words out in casual assertions with some clear definitions and some tools you could use to perhaps determine if certain behaviors rise to the level of actual “harassment” or “stalking” before using those terms.

Many states, including my own, have passed laws where these terms have been given specific meanings that can help provide some guidance (although many I have seen are still problematic in an operational sense as they are fairly vague and do not differentiate between “annoying” and outright “harassing” behavior).

Let’s start with a dictionary definition of harassment:

aggressive pressure or intimidation

Okay, that is not very helpful in terms of distinguishing between behavior that is socially and morally acceptable from the abusive kind of behavior. What causes behavior to rise to the level of harassment vs. mere annoyance?

My own state of Washington defines an “unlawful harassment” term thusly[1]:

“Unlawful harassment” means a knowing and willful course of conduct directed at a specific person which seriously alarms, annoys, harasses, or is detrimental to such person, and which serves no legitimate or lawful purpose. The course of conduct shall be such as would cause a reasonable person to suffer substantial emotional distress, and shall actually cause substantial emotional distress to the petitioner, or, when the course of conduct would cause a reasonable parent to fear for the well-being of their child.

California was one of the first states to pass online harassment legislation and this is their definition[2]:

“Harassment” means a knowing and willful course of conduct directed at a specific person that a reasonable person would consider as seriously alarming, seriously annoying, seriously tormenting, or seriously terrorizing the person and that serves no legitimate purpose.

The key distinctions of harassment over just annoying behavior are:

willful (speaks to the intent of the actions)
directed at a particular individual
seriousness or severity of the conduct (typically “torments” or “terrorizes” the individual)
serves no legitimate or lawful purpose
causes"substantial" emotional distress

Cyberstalking is a flavor of harassment that “generally refers to a clear pattern of conduct through which the perpetrator causes the victim reasonable fear for their safety or their family’s safety.”[4] Not all states have statutes covering both of these flavors and many include just one or the other or lump both in together.[5]

Washington state’s cyberstalking statute says:[3]

(1) A person is guilty of cyberstalking if he or she, with intent to harass, intimidate, torment, or embarrass any other person, and under circumstances not constituting telephone harassment, makes an electronic communication to such other person or a third party:

 (a) Using any lewd, lascivious, indecent, or obscene words, images, or language, or suggesting the commission of any lewd or lascivious act;

 (b) Anonymously or repeatedly whether or not conversation occurs; or

 (c) Threatening to inflict injury on the person or property of the person called or any member of his or her family or household.

So, my state differentiates cyberstalking different from plain harassment:

requires a particular intent
requires an electronic (but not telephone) communication
requires the content to be of a nasty nature OR
requires making a threat to the person or property or relations

I’m not going to drag up any specific twitter or blog examples of people devaluing harassment (you know who they (or you) are). But will generally point out that flaming someone or mentioning someone on twitter or a blog would not rise to the level of

But some of the actions that I’ve seen documented would appear to meet (IANAL) some (or more) of the legal criteria. Such as photoshopped obscene pictures of the individuals being criticized, and perhaps the practice of doxing people that you disagree with (which only seems to serve the purpose of intimidating the individual by exposing their physical and personal information).

Anyhow, the legal language still does not make it quite clear where to draw the line between annoying someone and harassing. Stalking may be clearer, although I don’t quite understand how the term “stalking” applies based on the way the legal language is written. What is more useful is a heuristic tool to gauge someone’s words and actions. One such tool was mentioned on a Linkedin discussion forum that is claimed to originate from the University of Alberta[6]. I tried to find the primary source material for the tool as I think it is a good one, but have yet to find it. I will quote it here for posterity and will add pointers to the original if it ever comes to light. The tool is called R.A.T.E.:

Respect - Is this behaviour respectful? Does this behaviour honour the dignity and the worth of the person? Does the behaviour recognize and appreciate differences - culture, viewpoint, age, status etc.?

Appropriate - Is the behaviour appropriate to the situation and to the relationship between the individuals?

Trust - Many relationships are relationships of trust - e.g. the relationship between a professor and student or between an employee and manager. Is the behaviour a violation of the trust?

Equal - What is the power balance in the relationship? Are the individuals equals? Is the behaviour exploiting a difference in power? Would an objection to the behaviour threaten the well-being of the person to whom the behaviour is directed?

I like that this model includes an assessment of the relative power of the individuals involved. There is a note that a single incident would not rise to the level of harassment. Harassment would generally need to involve a pattern of behavior.

[1] “RCW 10.14.020 Definitions”, https://apps.leg.wa.gov/rcw/default.aspx?cite=10.14.020, accessed 2013-02-18

[2] “PENAL CODE SECTION 639-653.2”, https://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=639-653.2, 653.2. (c)(1), accessed 2013-02-18

[3] “RCW 9.61.260 Cyberstalking.”, https://apps.leg.wa.gov/rcw/default.aspx?cite=9.61.260, accessed 2013-02-18

[4] “Harassment”, https://criminal.findlaw.com/criminal-charges/harassment.html, accessed 2013-02-18

[5] “State Cyberstalking and Cyberharassment Laws”, https://www.ncsl.org/issues-research/telecom/cyberstalking-and-cyberharassment-laws.aspx, accessed 2013-02-19 [6] “Where is the fine line separating “harassment” behaviour from merely “annoying”?”, https://www.linkedin.com/groups/Where-is-fine-line-separating-4416291.S.152158149, accessed 2013-02-19

The Truth Imperative: What's in a name?

Wed, 27 Feb 2013 21:10:00 -0800

I used to have a blog. I used to opine in it. Oh those days of yesteryear before kids when I had such luxuries of time… I let my blog languish. It devolved into my personal bookmark tool. It didn’t have a good focus. It was called “Juxtaposition”, after all, which is by its nature not focused. I had a missed opportunity to call it “Jaxtaposition” since my network handle was often “jaxley” – a kind of portmanteau of my name. But I have even found since then that neither were as unique or compelling as I had thought.

I have long wanted to have a place that could serve as my sounding board for sharing insights or tips regarding information security as well as skepticism and science. This is the focus my previous effort lacked. I plan to tag each post separately so if it turns out you really don’t care about skepticism, you can just subscribe to the “security” tagged items. And vice-versa, you could just subscribe to the “skeptical” tags.

I get a lot from detailed articles and in-depth insights and wanted to be able to give back to some extent. This will be my vehicle to do so.

Coming up with a name was a combination of frustration and humility in that so many of the names I thought of were not just inspiring to me but had been used already or were too common to stand out. I wanted something that would embody what my I’ve come to see is a core moral imperative: to seek the truth, no matter where it leads, and to stamp out falsehood and ignorance as the enemies of truth. Hence, “The Truth Imperative” seemed to embody this perfectly and was also was not crowded out in the Google search rankings. In fact, even before I posted the first article, this blog is result number 7 on Google.

If you were on the fence about the moral angle to the truth, perhaps the analogy in this quote will make the relationship clearer:

It is morally as bad not to care whether a thing is true or not, so long as it makes you feel good, as it is not to care how you got your money as long as you have got it. – Edmund Way Teale

There is something inside me that is outraged by truth injustices as much as social injustice. Falsehoods are so corrosive to our democracy, our environment, our health, to our freedoms, our safety, our own personal growth, and our understanding of the world around us. I came across this blog post, The reason for truth, sets out a fantastic list of reasons why the truth matters that I heartily endorse and says much of what I was going to write so go read it instead and then come back. He lays down his position on truth which jives completely with mine that I will quote here:

In a strict sense, all truth is provisional and stands open to challenge on the basis of a new interpretation of the available evidence or the provision of new evidence. The key point here is that it is evidence - old or new - that is at the heart of the determination.

In the meanwhile, the most truthful statements explain and are consistent with all the currently available evidence.

On the basis of consistency and utility, the most truthful statements are likely to be consistent with the current paradigm until persuasive evidence challenges that paradigm.

The most useful truths are those that do simply explain past phenomena but enable consistently accurate statements about the future.

I would only perhaps add some bullets to the list regarding protection of the truth from corrosive influences, whether subconscious or deliberate.

Additionally, I would clarify that this pursuit of truth is all about truth with a small “t”. Many make the false assumption that there is (or must be) some metaphysical Truth with a capital “T” out there and even claim that skeptics or scientists think they “know the truth” or “know everything”. Not only are these flimsy straw men, but skeptics and scientists generally do not believe that such a Truth is something we are going to be able to know for certain. Truth, and especially scientific truth, is always truth with a small “t”. It is a provisional, asymptotic approximation of the Truth with a capital “T”, or at least a usable model of that Truth that works well enough to make predictions and describe and understand our world.

As humans, we are fettered by various human frailties, biases and tendencies toward rationalization that make it often times difficult to step back and be truly objective about ourselves, our beliefs, the world and the facts that we attempt to evaluate. Our brains are constantly filtering and interpreting the information we receive via all of our senses. We all (skeptics included) need to be aware of and constantly diligent about these limitations as well in our pursuit of the truth. I’ve seen ideology trump facts and data too often in all walks of life. Follow the evidence!

Q: “What do you call alternative medicine that works?” A: “Medicine”

I love this joke. It is pithy and gets to the heart of the difference between a prevalent topic where people have many rationales that lead them to relaxing the standards for reason and evidence to give something not rooted in demonstrable, testable, measurable facts a seat at the table next to something that is.

Reason and evidence are crucial as well for my vocation, information security. I have come across so many terrible arguments, both for and against, security controls as well as people who try to use security as a trojan horse to deliver something rooted in ulterior motives that would otherwise have never been green-lighted, or who use security as a sword to strike down something they don’t like for other reasons (often unjustifiable or flimsy at best). Intellectual dishonesty, sloppy scholarship, fallacious argumentation, rationalization, cognitive dissonance all occur so often that it is useful and necessary to engage one’s skills as a skeptic to get at the kernel of truth and ensure you are making the right evidence-based decisions, lest you convey a false sense of security, waste precious security budget on the wrong (or incomplete or ineffectual) solutions, or miss out on focusing on more important security problems. I think I’ve made a career out of being the voice of reason calling out for demonstrable evidence where necessary to prove an assertion or in redirecting efforts to address higher risk vulnerabilities than the hack-du-jour. I’ll definitely write more about those experiences.

Wherever those pesky facts lead us is worthy of pursuit and protection from those who would undermine reality for pursuit of their own alternative agenda. There are the aforementioned who abuse the truth about information security to push a competing agenda, religious fundamentalists who are adulterating the educational system, global warming deniers preventing real change to stem the damage and research solutions to anthropogenic forcing, ideologues, quacks and charlatans who peddle remedies that simply don’t work (except to drain your bank account) or worse, are highly dangerous or keep people from continuing with real therapies, religious fundamentalists that keep their kids from receiving medical care in lieu of prayer, etc. Visit https://whatstheharm.net/ for specific documented examples of the real harms of pseudoscience.

I leave you for now with some of my favorite quotes regarding the pursuit and importance of truth:

Truth is a shining goddess, always veiled, always distant, never wholly approachable, but worthy of all the devotion of which the human spirit is capable. – Bertrand Russell

The pursuit of truth and beauty is a sphere of activity in which we are permitted to remain children all our lives. – Albert Einstein

Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn’t. – Mark Twain

The truth may be puzzling. It may take some work to grapple with. It may be counterintuitive. It may contradict deeply held prejudices. It may not be consonant with what we desperately want to be true. But our preferences do not determine what’s true. – Carl Sagan

I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true. – Carl Sagan

The significance of our lives and our fragile planet is then determined only by our own wisdom and courage. We are the custodians of life’s meaning. We long for a Parent to care for us, to forgive us our errors, to save us from our childish mistakes. But knowledge is preferable to ignorance. Better by far to embrace the hard truth than a reassuring fable. If we crave some cosmic purpose, then let us find ourselves a worthy goal. – Carl Sagan

If I could get the world to respond to one question, it would be, Do we have the courage to let go of our beliefs in order to grab on to what is true? – Sara Mayhew

Beautiful Life Diary To Cultivate Happiness

Sun, 25 Mar 2012 13:31:00 -0700

From the book 59 Seconds by Richard Wiseman, this is a list of writing topics that you can do over the course of a week – spending just 59 seconds each day – to cultivate happiness. And each activity is backed by actual scientific research.

I had intended to do this from early on this year but have not done so. But that’s not going to stop me from starting now.

Monday: “Thanksgiving” [list 3 things]; be grateful even for small things over past week
Tuesday: “Terrific times in life”; describe it and how you felt
Wednesday: “Future fantastic”; imagine life in the future as a realistic reality and write about it
Thursday: “Dear”; someone dear to you. write a letter to them describing their impact on you and how as if this was the only opportunity to tell them
Friday: “Reviewing the situation”; reflect over past week and write 1 sentence on why each of 3 things that went well for you and why each turned out so well

I’d highly, highly recommend this book. It is a fascinating read and has loads of very insightful and useful tips and cuts through the self-help scrap-heap.

Christmas Car Break In

Fri, 24 Dec 2010 04:31:00 -0800

Ugh. Came out this morning to my car in my driveway to go downtown and found both right-side windows rolled down. Hmmm… I didn’t do that. Go around to the driver’s side and both of _those_ are rolled down too. Grrr.

Fortunately, it did not rain very hard so there was little water that got in the car. And fortunately there is no visible damage and nothing was taken (there really wasn’t anything to take except some pennies)

And now I find via a Google search that there are some hacks that can cause the windows to all electronically roll down with a screwdriver in or near the keyhole. Lovely. This system does not seem to require the key with the transponder chip in it to operate. Maybe someone with a valet key or some kind of master can trick the lock into rolling down the windows.

Looks like I’ll be disconnecting that wiring and maybe even replacing the keyhole cover with a blank plate like on the passenger side to cover the hole entirely. Either that or leave the car unlocked for the next guy.

Abc News Poll On Tsa Scanners Misleading

Wed, 24 Nov 2010 14:55:00 -0800

So, ABC news polled 514 people by telephone to try to find out if people support the new backscatter x-ray machines. They are reporting now that people support them “2 to 1” over those opposing them. However, if you look at their sampling methodology (available on a PDF on their site), you can see that they actually skewed the question. Their whole focus was on determining support _in lieu of the privacy issues_. They did not, however, include any questions about the support if there were _risks due to radiation_ They asked questions about how informed users were about possible risks, but only generically and treated it as if it was relegated to just opinion.

Here is the question they asked that the 2-to-1 figure is based on:

“The Transportation Security Administration is increasing its use of so-called ‘full-body’ digital x-ray machines to screen passengers in airport security lines. (Supporters say these machines improve the ability to spot hidden weapons and explosives, and reduce the need for physical searches.) (Opponents say these machines invade privacy by producing x-ray images of a passenger’s naked body that security officials can see, and don’t provide enough added security to justify this.) Which comes closer to your own view - do you support or oppose using these scanners in airport security lines? "

Here is the question they asked about health concerns:

“As far as you’re aware do you think these new scanning machines may pose a health risk, or do you think that’s not a serious concern?”

As if the health risks are just some kind of matter of opinion? Why not ask a question like,

“Researchers have shown that these machines emit X-rays in high enough doses that are concentrated at skin depth and may well increase the risk of cancer (skin, testicular, etc.), which will knowingly result in harming people each year – more than the machines might save from terrorist attacks. Given this information, do you think that their usage is justified?”

https://abcnews.go.com/Politics/abc-news-washington-post-poll-air-travel-security/story?id=12215139

Skepticblog » Get Fed Up: Report Medical Quackery to the FDA

Sun, 17 Oct 2010 13:21:00 -0700

Medical practice quackery has to be reported to the FTC, https://www.ftc.gov/ftc/contact.shtm as I just did to a chiropractor that claimed they could help with “ADHD”, “Bedwetting”, “PMS”, “Asthma”, “Ear infections”, “Colic”, and even “Allergies” The FTC “wizard” is a bit cumbersome, but you eventually get 3500 characters to describe your complaint after about 50 clicks.

https://skepticblog.org/2010/01/14/get-fed-up-report-medical-quackery-to-the-fda/

Update: Forgot to link to a great paper summarizing the common false claims made and a summary of the current evidence for each claim from the New Zealand Medical Journal Chiropractic claims in the English-speaking world

Google Voice Chat Qos

Fri, 01 Oct 2010 15:59:00 -0700

I’ve been looking for QoS pointers for Google Voice Chat. I’ve found that it works great on my DSL until I also am attending a web conference over Webex at the same time. Then I can still hear fine, but upstream I’m told my voice cuts in and out.

So, I figured it’s time for some QoS Settings on my router.

It appears that Google Voice Chat uses HTTPS for signaling but an XMPP extension called Jingle that uses RTP over UDP for the actual call data.

I cracked open Wireshark to analyze the traffic and see communication with servers on the 74.125 network, which is owned by google (a /16).

Destination: stun.l.google.com (74.125.155.126)

So, for now, I have enabled Expedited packet status for any UDP packets going to and from that network. Will have to run another test later to see if it helped dramatically.

One troubling thing that I noticed in the packet capture is that not all of the data is protected by confidentiality protection. I suspect there _may_ be some encryption for the RTP data because Wireshark did not detect any RTP sessions. However, one packet every once in a while revealed the phone number that I was calling. So anyone on your wireless LAN or along the wire can see who you are calling. They may even be able to intercept that packet and play MITM by routing your calls through them. Who knows.

Here’s a redacted version of the ascii portion of the data packet contents:

0 0+12065551212@voice.google.com

Understanding Atheists/Agnostics

Sat, 25 Sep 2010 04:59:00 -0700

Came across this quote today that is more cerebral than the quip about “We’re all atheists – I just go one god further than you”

“when you understand why you reject the gods of other religions, you’ll understand why I reject yours.”

Favorite New Android Apps

Mon, 20 Sep 2010 16:37:00 -0700

Call Block Unlimited: https://www.appbrain.com/app/com.mrnumber.blocker Highly configurable app that lets you set policies for how to handle incoming calls. I used this when on vacation to send all calls not in my contacts list to voicemail. Shows an alert of which calls were blocked. Very nice and free!
App Brain App Market: https://www.appbrain.com/app/com.appspot.swisscodemonkeys.apps Install this and never open the lame Google Market app again. This does everything that the Google market should do but doesn’t.
OurGroceries: https://www.appbrain.com/app/com.headcode.ourgroceries This app has a lot of promise for sharing grocery list ideas between my wife and myself. Even can input recipes and then add ingredients to store lists from those. And allows you to check off items as you buy them so you won’t miss anything. Very sweet!
EStrongs Task Manager: https://www.appbrain.com/app/com.estrongs.android.taskmanager This is a very fast task manager that has the best UI of any that I’ve seen so far. I rarely use one these days but when you’ve got to kill a task, this is a slick one for doing the job.
Dropbox: https://www.appbrain.com/app/com.dropbox.android Dropbox is about the easiest way to synchronize files from your desktop to your phone wirelessly.
Wireless Tether For Root Users: https://www.appbrain.com/app/android.tether This was sooo cool. Lets you set up your phone as a wifi access point to allow Internet access to devices nearby. Used it this weekend and got better performance than the DSL (not saying much as this place must have been on the far end of the line from the central office)
JuiceDefender (free): https://www.appbrain.com/app/com.latedroid.juicedefender I have found after lots and lots of testing that the #1 killer of battery on the HTC Hero is constant use of the APN (mobile carrier data network). The more apps you install that synchronize data, the worse this gets. It’s not so bad if you stay in one place where you have good cell coverage. But if you are in an area of spotty coverage, your battery life will go down the toilet. It seems as if whenever you get even the weakest data link back, all your apps that need to synchronize data light up and overwhelm the terrible connection and pretty much do this all day long. When at work, my battery would not last long at all (22nd floor with poor coverage) but at home it would be great. That’s how I figured it out. I stopped using task killers since they can be worse for your battery life and use JuiceDefender. I used to have Wi-Sync plus to do the same thing, but that has apparently been abandoned.

Rooting And Optimizing The Sprint Htc Hero Cdma-

Mon, 20 Sep 2010 15:33:00 -0700

I have been meaning to write up instructions on how I updated my ROM and kernel on my CDMA HTC Hero to fix some annoying performance issues and overcome the internal memory limitation to be able to install more apps by installing them to the SD card. Since this phone will not officially get 2.2 Froyo, I needed to do something to keep the phone relevant. I had already ran into the max size of apps installed so was forced into taking some action.

Root your phone. If you are running the latest 2.1 OS (version 6), the vulnerability in version 5 was patched so you cannot use that to root your phone anymore. However, I just found a new method of rooting the phone that works like a charm and is even easier. It’s called Universal Android Root https://forum.xda-developers.com/showthread.php?t=747598 Download the latest apk. Enable USB debugging and plug your phone into your PC. Use the ADB command from the android SDK to install the app.

adb install UniversalAndroot-1.6.2-beta5.apk

Once you get it installed, find the universal root application and launch it. It was pretty intuitive. It even has an option to just root the phone temporarily until you reboot, which is nice for keeping your phone as pristine and secure as possible if you prefer.
Install a new recovery image. You need this to be able to perform nandroid full system backups, flash new content, wipe content before reflashing, etc. https://forum.xda-developers.com/showpost.php?p=4898505&postcount=1 This is the one I use on my CDMA Hero. You may need to install the flash_image program to your phone first and make it executable if it does not exist yet. Here is one set of instructions on this thread that will be useful: https://forum.xda-developers.com/showthread.php?t=660396
Obtain the updated Sprint ROM and other files to update your phone’s ROM to one that contains lots of goodies, including superuser access control, apps2sd (allows you to run and install apps to your SD card prior to Froyo), Wifi tethering, etc. but is based on the actual Sprint stock ROM package. The thread is here with downloads and instructions: https://forum.xda-developers.com/showthread.php?p=6825435#post6825435 You will need:
- HeroCSprintODEX_2276516A2SDFin.zip - the actual ROM files.
- nework.fix_signed.zip - I found that I needed this patch to fix some additional sluggishness
- phonedialer5odex_signed.zip - I needed this to back the dialer to version 5 to fix sluggishness of the latest version. I actually put this on my wife’s phone that has the stock ROM and it works great.

Other optional updates that I recommend:

framework_update_signed.zip - this is some eye candy that is simple but slick for the UI. Does not use theming so is safe with ODEX file versions.
ZenKernel-HTC-08122012.zip - https://forum.xda-developers.com/showthread.php?t=750170 - with SetCPU (from the market), allows you to overclock your kernel. But, most importantly, it fixes the lock screen lag that is soooo annoying. Optionally, use one of the 691 kernels (meaning 691 mhz) but reports are that there is still lock screen lag so I don’t use them.

The ROM comes with the HTC_IME keyboard mod that you can enable. But it has v25. I recommend updating it to v27 which fixes some bugs. https://forum.xda-developers.com/showthread.php?t=624416 The HTC_IME keyboard is a modded HTC keyboard that adds some cool features and fixes nagging bugs and performs better than the stock HTC keyboard. It adds voice input and smileys which are also kind of handy. No Swype keyboard that I can find yet for the Hero… Oh, get the lo-res version for the Hero since the screen is not high res.

When installing the ROM, I did not enable JIT as I have no compelling reason to do so that I’m aware of and it sounds like it may have some downsides that I don’t want to incur. I did enable app2sd though, which requires you to reformat your SD card so that you leave a partition for a linux ext filesystem for installing the apps to. See https://forum.xda-developers.com/showpost.php?p=7021325&postcount=2 for apps2sd generic setup instructions. Basically, if you have your SD card partitioned for it, it will be enabled.

To install the zipped ROM images, you do NOT need to unzip them. Just copy them to your sdcard and you can install them from the recovery boot image as-is.

Other ROM notes:

Comes with Titanium backup for root users, which can back up _anything_ on your phone. I have yet to try a full backup, ROM flash, then restore to see if it saves me from having to redo my apps and settings every time I reflash but plan to do that sometime shortly as I would like to try one of the unofficial Froyo 2.2 builds for my phone (i.e. this one https://forum.xda-developers.com/showthread.php?t=731659)
OMADM force close. I never had this problem, but watch for it and update if need be: https://forum.xda-developers.com/showthread.php?p=7723243&highlight=adb#post7723243
With a rooted phone, you can remove some apps that you may never use. I did this before to avoid some apps that insisted on starting on boot that I never used like Sprint TV. https://forum.xda-developers.com/showthread.php?p=7077498&highlight=adb+reboot#post7077498 for one way of removing them.

I’m sure that I am missing some subtle things that were not initially obvious to me (most instructions are fairly high-level and assume you know some basics about adb commands and other things). If I missed any, I will fill them in.

Here is a good primer to get you started called “Take Control of your HTC CDMA Hero” https://forum.xda-developers.com/showthread.php?t=717416

Taxonomy of Blue Angels Haters: What kind of hater are you?

Thu, 19 Aug 2010 13:41:00 -0700

The Blue Angels were recently in town and I couldn’t believe the kinds of Facebook rants or other kinds of rants I heard from people complaining about The Blue Angels. I’ve heard it every year since I was a kid, but I have noticed some different camps.

Anti-millitary

There seem to be quite a few people who use The Blue Angels to channel their disdain for all things military. I’m not the biggest fan of the war machine myself, but we do need the military. And from my perspective, The Blue Angels represent some pretty cool – even if the planes are old by today’s standards – technology that is really quite amazing to watch. And the skill that the pilots have is really something to behold. I don’t see how it glorifies war or anything like that. Although I could see how someone who was prone to think that way beforehand would look at them through the same mental filter.

Anti-noise

These people complain about how noisy they are. I feel sorry for them that they don’t see how _cool_ those loud engines are. I love the roar of the engines (sidebar: having 4 take off in formation just yards above your head is pretty freaking sweet). But my guess is that these people might complain about any kind of thing and The Blue Angels are just a convenient thing to complain about. Seriously, the planes are in town for 3 days and only fly for an hour each day and may only be near you for a few minutes at a time. It’s not like they built a naval air station in your neighborhood that will be loud every day forever… Come on people!

Paranoid / Risk-averse

This camp has the people who claim they think that the planes flying basically anywhere are too dangerous. The “what if they crashed into someone’s house” crowd, if you will. In the past 20 years, there have only been 4 incidents so they are rare events. But you’re surely free to have your opinion and you can keep yourself safe by being nowhere near them if you want to try absolute safety. But realize that you are probably going to die in a car crash while trying to escape the highly unlikely plane incident you fear most. Humans are terrible judges of relative risk. We just never evolved that as an innate ability yet it is something we need to make good, sound decisions in daily life. So, save yourself but leave the rest of us to make our risk/reward decision and enjoy the spectacle!

Stupid Android market bug STILL affects 2.1 OS

Mon, 14 Jun 2010 14:17:00 -0700

I can’t believe this hasn’t been fixed yet. I was not about to reset back to factory defaults and I had been meaning to root my phone anyhow so went this route. It was difficult to find a solution that did NOT require resetting to factory defaults. Enjoy.

Issue 3477 - android - HTC Hero - can’t sign Gmail account if user skips signing when initially using the phone. - Project Hosting on Google Code

referring to my comment 37 above, and 16 … (1) First you need to root the phone. I had to Google how to do this, I found the solution (for 2.0, not 2.01) on some German site (yes, careless, I know). (2) Then, you need a a terminal app (such as “Better Terminal Emulator”). With the terminal app you can navigate in the file system of the phone. However, you need root access (above) to be able to see the folder “/data/data/[and so on]”. Without root access you cannot navigate to this folder. Then you need some Unix-fu to navigate to the correct folder, and remove the correct files. Look up the commands “ls”, “cd”, “rm”, and “rmdir” (my Unix-fu was just sufficient, thank fate). Maybe a file manager app would to for step 2, I don’t know. The process is likely slightly different for each phone (mine’s a Milestone).

At T Leaks Email Addresses Of 114 000 Ipad Users

Wed, 09 Jun 2010 13:50:00 -0700

I think it is disingenuous of this article to have “Apple” in the title. It was an AT&T server with a stupid application that used AJAX calls to obtain email addresses by ICC ID. And since the ICC IDs are apparently sequential, the group was able to iterate through thousands of them to obtain the information.

Then AT&T decides to claim as well that the researchers who discovered the flaw did not contact them. It sounds like AT&T is lying.

Apple’s Worst Security Breach: 114,000 iPad Owners Exposed

SurveyMonkey has crummy logon security

Sun, 06 Jun 2010 05:02:00 -0700

FYI, SurveyMonkey is a great site, but they have really crappy security. They actually store your password in the clear, or in reversibly-encrypted format. If you request your forgotten login and/or password, they actually helpfully email you both your login _and_ your cleartext password. What year is it again? That is the kind of kindergarten mistake that there is no excuse for making. How to securely handle logons to systems and applications is fairly standardized and there are lots of simple options for supporting secure one-way hashes that are immune to a variety of attacks. No excuse for security this bad…

Fortunately, they allow you now to sign in with your Google login so that might be a better option – get them out of the authentication business that it appears they have no business being in.

Alcohol Caffeine And Pregnancy

Fri, 04 Jun 2010 16:46:00 -0700

Sorting through the myriad information and misinformation on these topics is difficult. And remembering what the actual conclusion is can be even more difficult “Was coffee safe or not?”

So, I figured that I would blog about two very recent posts that summarize the data about these topics.

Summary:

Caffeine bad (“Pregnant women should avoid caffeine because of potential effects on fetal growth and spontaneous abortion.”), Alcohol seems okay in moderation (i.e. no known conclusive data exists that shows a problem with low intake during pregnancy)

Science-Based Medicine » Alcohol and Pregnancy

“The scientific evidence has not identified a threshold below which alcohol consumption during pregnancy is definitely safe, but neither has it shown any convincing evidence of harm at low levels of intake, and it has not ruled out the possibility that low levels might provide a small benefit.”

NeuroLogica Blog » Caffeine

Proof That Iframes Are Not Risk Free

Wed, 02 Jun 2010 16:44:00 -0700

This one loaded drive-by-malware, a popular tactic.

Malicious iFrame on US Treasury and other sites?

https://community.websense.com/blogs/securitylabs/archive/2010/05/04/treasury-websites-compromised.aspx

Aap Against Female Genital Mutilation After They Were For It

Wed, 02 Jun 2010 16:35:00 -0700

Ridiculous but glad they changed their policy.

A retraction from the American Academy of Pediatrics : Pharyngula

“We retracted the policy because it is important that the world health community understands the AAP is totally opposed to all forms of female genital cutting, both here in the U.S. and anywhere else in the world,” said AAP President Judith S. Palfrey.

Every Baby Knows Science

Wed, 02 Jun 2010 16:27:00 -0700

Then, if you’re a baby in Texas, Arkansas, Kansas, or related states you get reprogrammed to fear and doubt science and believe horsepucky. Glad me and my baby live in Seattle.

I may have to order this print. Lots of other goodies for geeky parents like me there too.

Weather forecasting terms explained

Sat, 22 May 2010 04:21:00 -0700

There is something to be said about using terms that have the most precise meaning possible. However, in scientific circles, you may have a better understanding of the nuance in different terms than the colloquial understanding. Weather forecasting is definitely one of those areas. The one that I have been wanting to understand recently is showers vs. rain (because you also hear ‘scattered showers’ which seemed redundant to me if showers are just scattered rain in the first place):

Meteorologist Forecasting Terms: Differences Explained Between Scattered Showers and Rain at Times

Rain - forms from stratus clouds, more widespread, steady, less intense

Showers - forms from cumulus clouds, more isolated, short-lived, affects a smaller area, sometimes more intense

So, scattered showers does seem to be a bit redundant if they are already “isolated” and “affect a smaller area”.

Deleting Lines And Non Matching Lines With Vim

Sat, 15 May 2010 03:53:00 -0700

I’m always forgetting how to do this but here’s how to delete matching lines:

:g/.*foo.*/d

And the more difficult thing to do that vim makes easy is deleting non-matching lines. All you do is negate the pattern:

:g!/.*foo.*/d

Daily Vim: Text Editor Tips, Tricks, Tutorials, and HOWTOs: Delete Lines Matching Keyword

Dispute With Seattle Public Utilities Over Alley Trash Collection

Mon, 10 May 2010 13:50:00 -0700

We were given a big “FU” by SPU (Seattle Public Utilities) last week and told that alley trash service would stop tomorrow and we would have to somehow haul our cans up to the street level every week. This is complete bullshit, of course, as I point out in a letter to SPU I just submitted. All of my neighbors affected are protesting by continuing to put the cans in the alley tomorrow. We’ll see what happens. We’ve all been calling to complain the past week but so far there seems to be no recourse at all. I plan to keep escalating this until we get a reasonable response.

“All houses on my alley were given only a week’s notice that alley garbage and recycling and yard waste service were to be discontinued starting 5/11/2010 and that we would have to put our bins on the street level. We have all brought this to the attention of SPU that this is a ridiculous request for our block due to the nature of the terrain. That is the reason that we have had alley garbage service for the over 5 years that I have lived here and beyond that.

Alley service is the only option that makes any pragmatic sense due to the terrain that our houses are built on. The houses main floors are on a grade level _below_ the street. The lower floors of the houses are on yet another grade lower than that but on par with the grade of the alley.

There are at least 9 houses on my block that all have alley garbage service for this reason: [redacted 9 specific addresses] are all addresses on this street receiving alley service.

My house alone has 8 steps to reach the street level that make it simply impractical to haul one, let alone three or four cans up and down the stairs each week. Other houses have more stairs and many even have twisting staircases that would make it treacherous to lug the garbage up and down.

Waste Management needs to have SPU tell them “no” and to resume alley service and ensure that we continue to receive this service from now into the future.

We have been told that Waste Management’s contract has the option to arbitrarily change the collection location at their decision, however I have read the contract posted online and do not see that they have that authority at all. It says in section 135 that “collections from Residential Structures shall be made at the curbside or alley, as determined by the City”, meaning that the discretion is entirely the city’s. It goes on to say that, “Subject to special arrangements made by mutual agreement between the Contractor and the City on a case-by-case basis to accommodate extraordinary situations, Residential Structures on the same side of the street on the same block shall place all Containers on the curbside or all on the alley. However, if a particular property does not abut the alley or have alley access, Container placement shall be at the curb.” So, our case is already covered in this language since all of the houses who do not abut our dead-end alley do not have alley access. Even if they did, our case would fall under the ’extraordinary situations’ case anyhow due to the uneven, steep terrain that our houses have been built upon. See https://www.seattle.gov/util/stellent/groups/public/@spu/@csb/documents/webcontent/spu01_005943.pdf

None of us are going to be putting our cans at the street level and will expect that our waste service will continue in the alley as it has been or else we will continue to report missed collections every week that goes by and will continue escalating this issue higher in the governmental chain until we get a reasonable resolution.”

Notable Quotable Skeptic Is Not A Bad Word

Fri, 07 May 2010 16:13:00 -0700

I find myself reticent to use the word ‘skeptic’ to describe myself because it is often incorrectly equated to ‘cynic’ or some other malcontent or negative connotation. I’ve used “rigorous doubt” in its stead on occasion since it takes a bit more thought to contemplate and avoids the knee-jerk emotional reaction that can accompany the term ‘skeptic’.

But, I came across this quote from Eugenie Scott on Skepchick that nicely summarizes what being a skeptic is and how it is really a neutral position:

“Skepticism is a perspective that does not accept or reject claims at face value, but withholds judgment until specific evidence is available.” ~ Eugenie Scott

Excellent Infographic On Health Care Reform Implementation Plan

Fri, 07 May 2010 16:09:00 -0700

If only the government or the media reporting on this could be this clear…

Health Care Reform Infographic – Changes Coming!

Passwordcard A Low Tech Wallet Password Manager

Sat, 01 May 2010 14:47:00 -0700

Visit this site and it will automatically generate a card with symbols for columns and colors for rows with randomly-generated digits on it. You can then use this card to generate very strong passwords that you don’t have to remember. And no bad guy can guess them and even if they get a copy of your card, they won’t know which subset of the random characters are your password so it provides protection against a physical attack on your wallet.

It’s an alternative to writing your passwords down directly and keeping them in your wallet (which is actually not a bad thing since it allows you to have varying passwords with better quality).

Your PasswordCard

throw new DumbCodingException

Wed, 28 Apr 2010 16:11:00 -0700

I came across the dumbest code I’ve seen in a while at work today.

try 
{ 
    return _Collection.Length; 
} 
catch (NullReferenceException) 
{ 
    return 0; 
}

I found it because when debugging an asp.net page, I had enabled thrown exception breaks and this code was causing about 5 debug breaks for every page load… Needless to say it has now been rewritten.

Infographic On Efficacy Of Popular Supplements

Tue, 27 Apr 2010 16:00:00 -0700

The really cool thing is that the whole graphic is backed by a google doc spreadsheet that is chock full with explicit references to back up the claims. My wife of course asked where they got the data – and you can actually check it out (you don’t have to take their word for it). This is a graphical representation of the “Alternative” medicine trash heap I blogged about previously.

I think that skeptics need to do more and more of these things to consolidate the current state of affairs for all kinds of scientific questions that are muddied by woo proponents.

Snake Oil? The scientific evidence for health supplements

Excellent Primer On Tree Pruning

Tue, 27 Apr 2010 15:56:00 -0700

Probably one of the most clear sites with pictures showing how to prune. Although if you’re like me and have older trees that were never properly pruned early on, you have to be more creative.

HGIC 1351 Pruning & Training Apple & Pear Trees : Extension : Clemson University : South Carolina

Virtual PC - VMware breaks mouse

Mon, 15 Feb 2010 02:58:00 -0800

I had this intermittent problem with my mouse in a VM until I realized it had been converted from a Virtual PC image long ago. That still left some mouse driver hooks that were breaking the VMWare mouse driver. Thank goodness for keyboard shortcuts and thank goodness I still know them… The fix is here:

mouse stopped working correctly after VMware tools were installed - Page 2 - Petri.co.il forums by Daniel Petri

Facebook Broken In Firefox Brought To You By The Letter Quot S Quot-

Tue, 19 Jan 2010 16:27:00 -0800

Actually, the lack of a letter “s”.

I hadn’t noticed that Firefox had opened facebook up without SSL, but sure enough, the tip from this thread got everything working correctly (now have Older Posts back and the bottom toolbar). Sheesh.

Problems in Facebook page when using Firefox 3.5.1

Nutritiondata Know What You Eat

Sun, 03 Jan 2010 03:46:00 -0800

Excellent way to get data on just about anything and good graphs to visualize the balance of nutrients to fat.

Nutrition Facts and Analysis for Seeds, flaxseed

Reigning In Credit Card Companies Begins February 13 2010

Wed, 23 Dec 2009 15:25:00 -0800

Bank of America nicely summarized some of the major changes coming due tot he Credit Card Accountability and Disclosure (CARD) Act. In short, your credit card company can’t be so much of a money-grubbing bastard anymore. Although there are so many avenues not closed by this act, they actually still can be pretty evil. For example, there is no regulation preventing credit card companies from charging whatever they want for interest rates.

Here’s some of the good stuff that should have been in place already were it not for a congress that is in bed with the financial sector:

APRs can only be raised if you do not make at least the minimum payment within 60 days of your payment due date. Previously, they would jack it up probably the next day after your payment was due.
If your APR was raised due to missing a payment for > 60 days, your APR can be returned to the original rate if you pay your bill for the next 6 months by the due date.
45 days notice required for increasing your APR for any arbitrary reason.
Amounts you pay over the minimum payment apply to the highest APR balances first. Without this legislation, they would just apply it to whatever they wanted that maximized their profit and minimized your wallet. Because they are mostly still evil, they are going to still apply the amount due to the lowest APR balance first.
Payment due dates will always fall on the same date each month. You will also get at least 25 days from the statement closing date for your payment due date. I’m guessing that they changed your dates in the past to make you more likely to miss your payment so this is a nice catch.
Paying more than your minimum amount due will actually reduce your interest costs because of changes in how finance charges (that B of A now says will be all called “interest charges”) are calculated.
Payment cutoff times are changing from just one timezone (e.g. Eastern) to be the actual timezone of the facility to where you mail your payments. This helps you because a payment received on the Tuesday it is due, but after 5pm eastern, was actually counted as “late” prior to this law. Unbelievable.
Cash advance checks they mail to you will all have printed expiration dates and will not be honored after that date. Sounds like a good security measure to me. I hate that they send checks about every month; waiting for someone to steal them from my mail.
So long as you pay at least the minimum amount due by the due date, your APR for existing balances will not be affected.
In addition to your payment grace period (where you can carry a balance but not pay interest), if you have paid in full previously but on one statement do not pay in full (thus leaving a balance on your card), portions of your “Purchase balance” (I’m interpreting this to be stuff you just bought on your card this billing cycle) are eligible for an extended interest-free period. Thus, you do not get dinged right away for finance charges on your entire card balance. That was the really annoying thing. If you had $1000 on your card, and missed a payment by even one day, you would get assessed a finance charge on – not just the amount on your bill, but the total amount you owed on your card – even stuff in the grace period. So, you had no way of reliably knowing what you might have to pay. This sounds like it’s a game-changer for that practice.

But beware that you will be seeing some “novel” attempts by the card companies to return to excessive profitability at your expense at some time soon. They are poring over the legislation to find the loopholes.

New Study Suggests Exposure To Microbes As Kids Is Healthy

Thu, 10 Dec 2009 14:47:00 -0800

Best to have a kid get a cold here or there to reduce the chance of higher inflammation as adults and protect them from cardiovascular diseases. We were just talking about this…

Everyday germs in childhood may prevent diseases in adulthood

The "Alternative" medicine trash heap

Sun, 29 Nov 2009 15:22:00 -0800

I think it is a horrible waste that the US spends so much money to fund the National Center for Complementary and Alternative Medicine (NCCAM) which investigates non-scientific modalities, many of which have no prior plausibility so would not normally even qualify for scientific investigation. I prefer the term Supplements and Complementary and Alternative Medicine for the category of woo because it has a better acronym (SCAM) – thanks to Mark Crislip for that.

However, one good thing is that they have tested out many of the common “remedies” and supplements that many Americans take and have succeeded in disproving them. The trash heap now contains at least:

Other non-remedies to add to the list are:

Vitamin C (Too much can cause diarrhea or oxalate stones)
“Probiotics”
Antioxidants They may actually harm systems that depend on free radicals

Oh, and Airborne is chock full of a bunch of woo and is not going to be effective so don’t give those thieves any of your money. Also, Airborne contains 100% of your RDA of Vitamin A, but if you take up to the maximum recommended “dose” of Airborne (every 3 hours, or 8 times/day) you will get 8 times the RDA of Vitamin A. And excess vitamins can be harmful as a new study shows specifically with Vitamin A.

And if you thought that Zicam was safe, watch out. It can cause a complete loss of smell and taste. So although it _may_ have a modest affect for the common cold, I don’t think that the risk may outweigh the benefits.

Also, if any substance has a pharmacological effect on the human body, then _it is a drug_ And you should tell your doctor when you are taking these things because they can have drug interaction effects just like any prescription drug. Some can be very dangerous to not tell your doctor about. And as with any drug, they can have side effects.

Daily Nasal Irrigation May Encourage Sinus Infections

Sun, 29 Nov 2009 14:32:00 -0800

A brand new study out shows that using sinus rinsing as a prophylactic may actually have the opposite effect of increasing your rate of sinus infections. Significantly. As much as 50-60+ % more sinus infections.

They did not test efficacy of using sinus irrigation when you actually have a cold or sinus infection so until hard data is out there, it may still be okay.

Long-Term Neti Pot Use May Backfire

Iphone Worm Warning To Rooted Android Users

Sun, 22 Nov 2009 08:26:00 -0800

As I recently wrote about the security issues with rooting your android phone. Fortunately, this should spark some discussion about how to securely jailbreak or root your phone.

BBC NEWS | Technology | Worm attack bites at Apple iPhone

Securely rooting your HTC Hero

Wed, 11 Nov 2009 13:06:00 -0800

The best guide I found for reliably getting root access to your android HTC Hero device is here: How To: Root Your CDMA HTC Hero (Sprint/Verizon) | The Unlockr

However, as a security guy, I notice that none of the guides discuss anything about the implications of the process from a security perspective, so I will add a bit of extra tips and observations and explain how it works.

By default, Android devices run applications as low privileged user accounts on the underlying Linux operating system. If you have the application RoboTop installed, you can actually see the users that each process runs as. For example, the robotop process and its child ’top’ processes all run as ‘app_60’.

This is a good secure-by-default design for the operating system, however there are some things that you must do as root to have enough rights at the OS level to complete your task. For my case, I needed to be able to clean the /data/boot-cache directory to work around an annoying defect on the HTC Hero that was preventing application upgrades from persisting across a reboot. Some applications (SSH server, I believe) also need to run as root.

But, Google does not provide any means for getting root access as an end user. But the community has come up with all kinds of ways to get around this on various devices. If you have physical access to a device, it is generally pretty easy to gain full access to it _somehow_. In the case of the Hero, it essentially involves:

1. Running a Linux kernel exploit that allows you to run arbitrary programs as root. Discouragingly, the program to do this is a binary with no source code. But it is claimed to be based on this kernel bug: Sprint Hero HAS BEEN ROOTED@! - Android Forums 2. Using the exploit to launch a shell as root. 3. Using the root shell to create a setuid root shell so that you can gain root anytime in the future without the exploit.

However, there are some serious security implications of doing this:

1. The procedures don’t tell you to delete /data/local/asroot2, so you end up leaving a program that can run arbitrary code as root on your system in a known location 2. The procedures have you create a setuid root shell as /system/bin/su. However, this allows anyone or any application to run arbitrary code on your phone as the highest privilege user using a binary at a known location.

So, you may have root but you have absolutely no way to control it. And applications that require root now expect to find a setuid root shell in /system/bin/su to gain root. Any application can now do anything it wants, including replace parts of your operating system for whatever nefarious purpose (malicious, wireless worm, extortion, annoyance, etc.)

But, all is not lost. You can get control back with the Superuser application. I’ve read through the design and it sounds on the face of it to be a reasonable approach: My Brain Hurts: Fixing the “setuid su” security hole on Modified Android RC30 Instructions on installing it and download of the files (source code is available as well): https://www.koushikdutta.com/2008/11/update-to-superuser.html

The install.bat file did not work for me though. I got a permission denied trying to write a file as a non-root user into /sysadmin/bin. Actually, the low user privileges cannot write to many places on the filesystem. Instead of copying the bin/su file directly, I copied it to /data/local/tmp and then _as root_ on the phone, I copied it into /sysadmin/bin and changed the permissions.

The next step is to first run the Superuser application on the phone so that it can replace the files and set the permissions properly to implement the protection.

After you do this, you will now get a visible request each time an application tries to execute /system/bin/su. You got control and auditing back.

Oh, and what you also need to remember to do is delete /data/local/asroot2. You don’t need it anymore and it only makes your system vulnerable to keep it around. If you ever needed it again, you can copy it back.

Gmail Suppresses Copies Of Mailman Posts To Yourself

Thu, 05 Nov 2009 03:13:00 -0800

FYI. Kind of annoying since I have to look in my mail logs to double-check if a critical message actually went out.

I use Gmail-Googlemail, but I can’t tell if any of my messages have been posted to the list - Documentation - Confluence

Colorpulse Carl Sagan Ft Stephen Hawking Quot A Glorious Dawn Quot-

Fri, 30 Oct 2009 16:41:00 -0700

This was played at the end of Reasonable Doubts podcast e55 and I loved it. Had to find the high-fidelity version. I think I might have my new ringtone…every call will be awe-inspiring.

Very cool trance mix with wonderful clips from Sagan and Hawking masterfully woven in.

Symphony of Science

Flash App To Find Flickr Photo Set Ids

Tue, 20 Oct 2009 16:03:00 -0700

Very cool and handy. I use it for drupal’s Flickr plugin.

idFindr - Find your Flickr userids, groupids, photosetids

My First Greasemonkey Script Now Available

Tue, 20 Oct 2009 16:00:00 -0700

I just posted a greasemonkey script I wrote months back that I use all the time to make managing my Chase accounts just a bit easier. I cleaned it up a bit and added some missing comments. I decided later to switch to jQuery by referring to a remotely-hosted copy on chase.com so eventually I’ll simplify things and rewrite what I can in jQuery instead but it works great!

Chase OFX downloader for Greasemonkey

Script Summary: Automates chase.com OFX file downloads for every eligible account. One click to download all available OFX files one after the other instead of manually. Also adds useful features not present in the site, such as remembering the date you last downloaded

If like me you think that the chase online transaction download form could use a little help, you might enjoy this script.

1. It provides a button on every page that allows you to quickly go right to the download transactions page. Otherwise, you have to hunt around for this page. 2. On the download transactions page, it: a) Automatically persists the last transaction download date and then reloads it next time you come back so that you don’t have to remember the date you need to start downloading from. b) Automatically sets the end date for transaction downloads to the current date. c) Remembers the OFX file type you selected and reloads it automatically next time. d) Most importantly, provides a “Download All OFX” button that you can use to download available OFX transactions from every account in the drop-down list. Multiple download windows will appear that you can click on one at a time and the transactions will then be opened in the application associated.

Free West Seattle Wi Fi

Sat, 26 Sep 2009 11:55:00 -0700

Finally got a secondary wi-fi setup at home for guests, iPhone users, and neighbors who need to borrow it. Like Bruce Schneier, I just think it’s the neighborly thing to do. Until now, I couldn’t allow it because my main wi-fi needs encryption to keep interlopers off my LAN. But, the secondary wi-fi is in a DMZ so all that is accessible is the Internet.

SSID: hellohansenview

Enjoy!

* Hansen View is the official name of my neighborhood.

Curious if anyone else out there vends open wi-fi for the interloper?

I’ve borrowed some neighbor’s open linksys many a time to get info on the Internet when my DSL is down. But these days, most are encrypted, which makes me sad.

Obama Does Not Go Far Enough With Financial Regulation

Thu, 24 Sep 2009 15:55:00 -0700

I work for a company that is ’too big to fail’ and that is a scary prospect. Here’s another thing on the list that I don’t agree with Obama about. I like him a great deal, but don’t think he’s as progressive as he was billed…

Hopefully congress can see through this and will pass some decent legislation regarding overhauling the so-called PATRIOT act and other things that Obama has not taken a very strong stand on.

Volcker: Obama Plans Maintain ‘Too Big To Fail’

A top White House economic adviser says the Obama administration’s proposed overhaul of financial rules preserves the policy of “too big to fail,” and could lead to future bailouts.

Former Federal Reserve Chairman Paul Volcker said Thursday that by designating some companies as critical to the broader financial system, the plans create an expectation that those firms enjoy government backing in tough times. That implies those financial companies “will be sheltered by access to a federal safety net,” he said.

Why I hate my 2wire DSL modem

Mon, 21 Sep 2009 17:39:00 -0700

Recently, all Internet connectivity decided to stop working at home. I tracked the problem down to my 2wire 2700HG-B DSL modem that was the more reliable of the two (my other is an Actiontec gt701-wg) that was just dropping packets into the ether somehow. So, I put my Actiontec back in service briefly, only to be reminded of how flaky it was, stopping responding to even pings to the LAN interface every once and a while. I ended up bricking the Actiontec in trying to do a recovery installation to it so I could clear out the flash completely to see if that would make it more reliable.

So, it was spend-5-hours-to-get-the-2wire-working-again. Toward the end of the 5 hours, I asked myself why the WAN configuration was different, and I think that the 2wire (from AT&T; bought on ebay) did a firmware auto-upgrade on me and that hosed everything up so that it did not operate correctly with the same configuration as before.

So, I had to borrow some neighborhood wi-fi time to research how to get a similar configuration with the new firmware. I succeeded in getting outbound Internet working at about 2am and left well enough alone. It seems as if you can change a little setting and all of a sudden everything stops working. Highly temperamental.

But that left inbound Internet not working, which was okay for a few days. I just decided to make an attempt (while I’m trying to obtain a motorola 3347 to replace it) to get inbound Internet working again even with a sub-optimal configuration. I was not able to get the routed subnet to work at all inbound. The firewall on the 2wire just does not work right inbound. Even if I set it to disable the firewall inbound for the routed subnet, no packets come into the LAN.

So I abandoned the routed subnet and went with a sub-optimal SNAT configuration, along with editing routing the public IP to an internal IP. Which still didn’t work because the stupid firewall on the 2wire still did not allow packets to come in even in DMZplus mode. So, next step was to do port “pinhole” configuration in the firewall to allow the services I wanted inbound. Okay, that works. This all of course required me to first wait forever for the local LAN device to be magically re-detected by the 2wire so that I could actually configure the IP allocation and firewall settings… Why, oh why, can you not just manually specify what the stupid IP address is you want for the local device? Auto detection is not easier if it does not work as expected or is not reliable people!

The most ridiculous thing was then that the 2wire seems to do SNAT not only inbound, but outbound as well! So when it sees a packet come from a host behind the firewall with a private IP, like 192.168.1.1, that it NATs outbound to a public IP, say 204.16.40.73, it actually SNATs the packets before applying the firewall rules so it turns the outbound packets into requests _from_ 204.16.40.73 – totally munging up the distinction of LAN/WAN IPs and preventing any meaningful ability to configure rules to allow traffic to route out to the public IP but back into the LAN device from the intranet. You see these fun messages int he event log: “IP Source and Destination Address are the same, Packet Dropped” Just dumb.

So back in to configure additional SNAT and routing rules with a virtual interface to prevent packets from leaving the LAN and being dropped by the 2wire. Ugh.

Destructive auto-update
Inflexible firewall
Inflexible NAT/routing (and doesn’t even work right)
Occasionally stops responding to packets on the LAN interface (but still on the WAN interface)
Inflexible addressing options for wireless, etc.

Study: Who Causes Bicycle Deaths? (90% of the time, motorists)

Sun, 06 Sep 2009 17:09:00 -0700

The Daily Dish | By Andrew Sullivan

Who Causes Bicycle Deaths?

What the Internet knows about you scary

Sun, 06 Sep 2009 16:50:00 -0700

This site is a demonstration that makes use of CSS and/or javascript tricks (noscript will not help you) to show the kind of information that your browser leaks about you, if someone was to want to look for it.

e.g. if a site wanted to see if you had visited their competitor’s sites, they could use this technique to peek into your browser history. Or maybe they want to see if you’ve ever been to a popular pr0n site. Or maybe your employer wants to see if you’ve visited wikileaks, etc.

What the Internet knows about you

Eerie Similarities To Grisham Non Fiction Book With Georgia Case

Tue, 18 Aug 2009 16:03:00 -0700

Scalia’s Right, It’s All Perfectly Legal to Kill An Innocent Man | Crooks and Liars

So, the supreme court is not getting involved with a case where a man in Georgia is likely able to prove his innocence even though he will end up being wrongly put to death. This case sounds so eerily familiar to the true story The Innocent Man. At least there was some actual dissent among the justices on this one.

What is it with the south and wrongful convictions though? Grisham’s book was about a case in Oklahoma where their appellate courts almost rubber-stamp-ignored the attempts to hear the exonerating evidence for decades. The man was finally saved hours before he was to be put to death.

Glenn Beck Zaniness Continues

Thu, 13 Aug 2009 16:10:00 -0700

This is one of the most popular videos now on Youtube where Glenn Beck dons his tinfoil hat and claims a conspiracy theory about the government taking over your PC for participating in the ‘cash for clunkers’ program. Here’s my response:

Actually, I looked into this and it is known that Glenn Beck is not the most credible source on a lot of stuff, and it turns out this is no exception: https://www.snopes.com/computer/internet/clunkers.asp

For the real wacky Glenn Beck, check these out: He goes on an insane rant against one of his callers: https://www.youtube.com/watch?v=YA7-BvVDV10 He tries to defend his insane rant above: https://www.youtube.com/watch?v=if3wVXSMw4M He’s a global warming denier: https://www.youtube.com/watch?v=Ft8LfE7AI2w Glenn agrees that what the US needs is another attack from Al Qaeda; that ’the only hope for the country was for Osama Bin Laden to “deploy and detonate a major weapon in the United States.” ‘: https://www.youtube.com/watch?v=auQJVhNH99c Glenn calls Obama a racist (sounds like Rush Limbaugh): https://www.youtube.com/watch?v=GzKFYcHKbnk Which sparked a campaign to get advertisers to pull out from his program. Many have, including GEICO, Men’s Wearhouse and others: https://colorofchange.org/beck/message.html Just bizarre full-on crying on air: https://www.youtube.com/watch?v=6HWKzobeya4 Glenn jokes about putting poison in Nancy Pelosi’s wine: https://crooksandliars.com/david-neiwert/glenn-beck-jokes-about-putting-poiso Glenn boasts about how he brought a gun to a movie: https://thinkprogress.org/2009/07/22/beck-gun-movies/

He’s also part of a vocal extremist minority of “birthers” and “deathers” who are spouting insane conspiracy theories and stirring unrest against the president that may well lead to violence by the crazy factions of our society.

-Jason

REDACTED wrote:

From: Brian Sent: Thursday, August 13, 2009 4:06 PM To: REDACTED Subject: Fw: Fwd: EXTREMELY IMPORTANT MESSAGE!!

This is very interesting Scarey stuff. A friend told me about this earlier but I hadn’t seen it on the air.

DO NOT EVER, EVER, EVER, ! ! ! ! ! go to <https://cars.gov/> cars.gov until you watch this video from FOX news. This is the scariest takeover of our lives the government has ever tried. The Obama “Car Czar” is at work.

CLICK BELOW:

https://www.youtube.com/watch?v=RAOBlqUqUZ8

Be sure to let everyone on your email list know about this ASAP

One Car Show I'M Not Sad I Missed

Tue, 11 Aug 2009 15:36:00 -0700

Cruising for Jesus. California’s biggest Christian car show!

Of course, NO ALCOHOL.

Latest Entry In The Horrible Ui Category

Mon, 10 Aug 2009 13:35:00 -0700

There are some companies that just should not be allowed anywhere near a UI. Sun Microsystems, Oracle, and of course PeopleSoft (now part of Oracle) to name a few.

Case in point is PeopleSoft (Oracle) I happened to need to report some vacation time and noticed this gem that made me read the logic several times to make sure I chose correctly:

Okay, 99.9% of all other UIs would have the logic 180 degrees opposite of this (choose OK to continue, Cancel to go back). But why be conventional when you can be obtuse?

Palin Haiku Entries

Sun, 09 Aug 2009 07:03:00 -0700

I posted three, with a theme of trying to use her own words to answer the question.

Palin embodies “Politics as usual”: Cash in while you can

Governing is hard. It’s much easier to take “A quitter’s way out”

“Let me tell you…I’m” “A maverick…nuc-u-lar” “Hockey mom…you know”

Left Take:: $20.09 HAIKU contest: Why Sarah Palin is a jackass

Let’s try something new – a “haiku” contest.

$20.12 for the “best” haiku, spelling out why Sarah Palin is a jackass. Awarded at 5pm (eastern) Friday, August 14th.

Prediction 'Persecuted Christian' Propaganda Chain Email Fodder

Sat, 08 Aug 2009 16:51:00 -0700

There are so many lying, hypocritical fundamentalists, why, I can hardly keep track of them all. But let’s start today with former Navy Chaplain Gordon Klingenschmitt, since his fabricated tale of woe has made him such a favorite of fundies sunk deep in their persecution complex

10 Things Obama Did Wrong On Health Care

Sat, 08 Aug 2009 16:46:00 -0700

Pretty much sums up my impressions, although I’ve been out of the loop while on vacation.

Ten Things Obama Did Wrong on Health-Care Reform | Crooks and Liars

-->

Quot Uncle Sam Quot Billboard Spouts Birther Nonsense

Sat, 08 Aug 2009 16:43:00 -0700

I noticed on my way back from California today that the right-wing “Uncle Sam” billboard had a birther conspiracy theorist saying on it. I was driving and my wife was asleep, else I would have gotten a photo. The caption read:

“Where’s the birth certificate?”

Ugh. Idiots.

Map - Right-Wing Uncle Sam Billboard, Chehalis, WA

Evidence Based Government Succeeds In West Seattle-

Thu, 23 Jul 2009 15:56:00 -0700

Wow. I like actually seeing a decision based on hard data and seeing that there is some sanity (not just revenue lust) that goes into parking designations. We need more governing like this.

West Seattle Blog… » Bulletin: SDOT says no paid parking for The Junction

President Carter Courageously Quot Sever S Ties With The Southern Baptist Convention Quot Over Women'S Rights

Thu, 23 Jul 2009 15:54:00 -0700

President Carter is joining onto the new enlightenment that I hope continues. Gay rights awareness, a black president, women in high positions in government, increasing numbers of those unaffiliated with any religion, etc.

I ask again why any self-respecting woman would associate herself with such misogynistic organizations as these religions who have nothing but contempt for them? Even Catholicism which subjugates women to inferior roles within the clergy should have scorn heaped upon it. Although there are far worse religions that still even have the marriage vow where the woman pledges to obey her husband (but of course it’s not bidirectional…)

I’ll also point out that it wasn’t until the late 1970s when rape by your own spouse was considered a crime. (thank you Law & Order for pointing out this sad fact). It actually took longer for this to be recognized in all states. Most of the ‘bible belt’ states held onto some notion of exempting spouses from such laws. Oh, and it should be pointed out that the much-touted Ten Commandments don’t say anything about rape but do say lots of other things like boiling goats in their mother’s milk which we all know is much more heinous.

These are the best quotes from the article (my emphasis added). Enough said.

Losing my religion for equality | theage.com.au

This view that women are somehow inferior to men is not restricted to one religion or belief. Women are prevented from playing a full and equal role in many faiths. Nor, tragically, does its influence stop at the walls of the church, mosque, synagogue or temple. This discrimination, unjustifiably attributed to a Higher Authority, has provided a reason or excuse for the deprivation of women’s equal rights across the world for centuries.

At its most repugnant, the belief that women must be subjugated to the wishes of men excuses slavery, violence, forced prostitution, genital mutilation and national laws that omit rape as a crime. …

We have decided to draw particular attention to the responsibility of religious and traditional leaders in ensuring equality and human rights and have recently published a statement that declares: “The justification of discrimination against women and girls on grounds of religion or tradition, as if it were prescribed by a Higher Authority, is unacceptable.”

…

The carefully selected verses found in the Holy Scriptures to justify the superiority of men owe more to time and place - and the determination of male leaders to hold onto their influence - than eternal truths. Similar biblical excerpts could be found to support the approval of slavery and the timid acquiescence to oppressive rulers.

…

It wasn’t until the fourth century that dominant Christian leaders, all men, twisted and distorted Holy Scriptures to perpetuate their ascendant positions within the religious hierarchy.

The truth is that male religious leaders have had - and still have - an option to interpret holy teachings either to exalt or subjugate women. They have, for their own selfish ends, overwhelmingly chosen the latter. Their continuing choice provides the foundation or justification for much of the pervasive persecution and abuse of women throughout the world. This is in clear violation not just of the Universal Declaration of Human Rights but also the teachings of Jesus Christ, the Apostle Paul, Moses and the prophets, Muhammad, and founders of other great religions - all of whom have called for proper and equitable treatment of all the children of God. It is time we had the courage to challenge these views.

My New Concoction The Adele Claire

Sun, 19 Jul 2009 09:43:00 -0700

You loved her as a baby…Now, from the makers of the Adele Claire baby, comes a refreshing summer drink.

Our master mixologist (me) has been hard at work devising a drink worthy of the name Adele Claire and now it has arrived!

2 oz Gin (preferably an aromatic such as Tangueray 10 or Bombay Sapphire)
2 oz Pineapple juice
1/2 oz fresh lemon juice
1/2 oz simple syrup
3 fresh sage leaves

Combine all in a cocktail shaker with plenty of ice. Strain into a martini glass and be sure to grab the sage (floats to the top of the shaker) for garnish and extra flavor in each glass.

Untrue email indicators (enhanced)

Mon, 06 Jul 2009 13:52:00 -0700

I found myself writing an enhanced follow-up to a previous blog posting on the indicators that correlate to the likely falsehood of a chain email. In my experience on the Internet, there are many factors which _negatively correlate_ to the truthfulness of a chain email message (meaning, the presence of one or more of these factors only increases the probability that the content is bunk). I could likely write a program to analyze emails for these factors and identify about 100% of chain emails:

Font size > 12 point (less true the larger the font size)
Forwarded so many times the original email is 4 or more levels below the most recent email
The message forwarded to a number of recipients without the forwarder adding anything substantive as commentary (ratio of forwarded text to added text very high)
Ratio of exclamation points to periods.
Multiple colored text in the original email
Number of recipients in the forwarded email
Any urging in the email to ‘keep this going’ or ‘pass this along to everyone you can’
Links to snopes in the original email (often not even to the right topic) or an assertion in the original email that it was ‘checked on snopes’

My Favorite Geek Gadgets Part 1

Sun, 07 Jun 2009 08:51:00 -0700

I often get asked about recommendations for various things and have been meaning to write up my absolute favorite devices for some time. I finally got this done so enjoy! If I think of other devices, I’ll write follow-up articles.

Cowon D2 with 16 Gb AData SDHC memory card

This is my media player. I think it blows away most all on the market, although things are always changing. There isn’t a perfect device out there but this came about as close as possible.

52 hour music playback time
10 hour video playback time
Gorgeous audio quality
No moving parts – perfect for those with a propensity to drop their mp3 players
Very compact
Upgradeable storage
Bookmarks
Plays almost everything, including WMA DRM audiobooks.
Firmware updates, active user and hacking community, and even a RockBox implementation!

The screen is small, but it is big and bright enough for my uses. The primary downside is the requirement to convert videos to fit on the device (there isn’t enough CPU power to downconvert on the fly)

Motorola S9-HD bluetooth headphones

I started out with the original S9 headphones because they were simply the best out there on the market in terms of style and audio quality. But they are notorious for a terrible design flaw where the touch-sensitive buttons are also moisture-sensitive and prone to just stop working after a few months, especially if you work out in them.

However, Motorola’s RMA department was quite smooth and when I suggested (thanks to numerous postings online from other people’s experiences) that the problem was endemic to these that perhaps they should replace with the S9-HD, they obliged! They appear to have fixed the touch-sensitive button design and went with a traditional press button (which has other problems if you try to wear them and a snowboarding helmet at the same time), but they work flawlessly! The sound is even better. They can pair with many, many devices at the same time. I pair them with my computer to play video games and use them as wireless headphones, with my cell phone, and with my media player (via the Jabra device below).

They have the feature where if they are paired with your phone and music player at the same time, they will seamlessly switch to your phone if you get a call and then switch back when you hang up.

I can’t say enough good things about these now. The only downside is that, according to the manual, the battery is not user-replaceable and is only good to 400 charges. So, this may not be your everyday headphones unless you want to buy new ones in a year. Also, the battery life is better than the S9 but still not stellar. Be prepared to charge them after using them for 4-6 hours.

Jabra A120s Bluetooth Music Adapter

I bought this on ebay for a steal of a deal. I wanted a generic, bluetooth transmitter to use on anything with a regular stereo headphone jack. I use them with my media player, and have also used them with other devices. The transmission strength is impressive, although its generally a good idea to keep them within 20 feet of you. I put this with my D2 in my hydration pack and have no cutouts at all when biking. Also, when I go to the gym, I leave my player on the floor while running on the treadmill, etc. with no cutouts. And no wires to get in the way!

These are rechargeable via USB – a very nice feature. It is really tiny and amazingly light. The pictures online are all bigger than the device actually is. It also comes with velcro so you can stick the device to your music player. The audio quality is _excellent_ which is another criticism of a lot of the players out there.

Philips SHS8000 Earhook Headphones

For everyday music listening, I switched from Sony earbuds to a set of Philips earhook design. I liked the Sonys, but the cord was too short and required attaching a heavier extension (included) to get a reasonable length. The Philips are at least as good, if not better, for audio quality. I find the earhook design more comfortable than the Sonys, but unlike the Sonys, you cannot convert them to non-earhook style. The only problem I’ve had with them is probably my fault – the wire attachment at the phono jack is very delicate and I made the mistake of wearing them to sleep once or twice and ended up breaking the connection inside the jack. I’m on my second pair now (purchased on ebay from Hong Kong for ~$20 including shipping) and am sure to use a sacrificial pair for nighttime.

Canon MP970

I really am tired of HP owning the printer market and their tactics with their toner. But these days you can get aftermarket toner that is just as good for much less. So, I was considering another HP. But then I discovered the MP970 at an awesome price with more features and quality and individual ink wells than you can shake a stick at and had to have it. My main concern was that Canon is unapologetic about not supporting Linux drivers, but I don’t print from Linux much anyway, and there is progress being made in reverse-engineering the ethernet protocol so drivers are on the horizon.

A main beneift of this printer is that it is trivial to share on the network by plugging it into my home LAN. And it is now my print server (no more need to manage a CUPS print server to share out otherwise unsharable HP printers…)

This printer has superb print quality, has a high-capacity feed tray, is super easy to set up (don’t even believe them when they tell you to set it up via USB before connecting to the network. You don’t need to), has network and print server support built in, makes network scanning a snap, the software for windows is quite good, has duplex printing, individual ink wells with electronic ink level management, is really, really quiet when printing, etc.

Only possible downside is that it has a rather large desktop footprint. But its nice looking so I don’t find that a problem.

Logitech MX Revolution Wireless Mouse

I got this on an awesome sale at Best Buy. It comes with a battery charger base so no more AA batteries thrown in the trash. The battery life is phenomenal and has a warning to tell you when the battery is low. The design has a great feel, is ergonomic, lightweight, portable. It also has some great features for the scroll wheel feedback (click or free-spin) that are nice.

Main downside for this mouse is that Logitech drivers are notoriously buggy. I would definitely just install the drivers that shipped with it and not upgrade them unless you have to. Newer does not equal better. They need some better QA on their drivers for sure. I wish I had a second one for work…

Mio Digiwalker GPS

I bought this used from my friend Kevin and even without text-to-speech, it is absolutely invaluable. It has a great feature I haven’t seen in others (e.g. a Tom Tom I used once):

Announces moves coming up 1000 feet ahead and successively closer. Great for unfamiliar areas.

It has some minor annoyances, such as poor battery life, and it gets confused sometimes with elevated roadways around here, and makes some questionable route choices, like telling me to exit left off of Hwy 99 where there isn’t an exit, but it’s often very similar routing to Google maps and is pretty easy to use.

It could be easier to add personal points of interest, but I found a way to do it fairly reliably.

And it has developed some sort of short that causes the screen to go white that I have to take apart to investigate. But now I know some things to look for in the next device.

TVRSS.net down -- some alternatives

Sun, 07 Jun 2009 07:57:00 -0700

This is really unfortunate. I hope it comes back. Was an excellent service.

For now, I’m using mininova or eztv.it directly and having good luck. Not sure if I want to take the time to update all my auto download feeds though or stick it out and hope tvrss.net makes it back online…

3 Alternatives to TVRSS.net’s RSS feeds | OzSoapbox

Organic Weed Prevention Not With Corn Gluten Meal

Wed, 27 May 2009 09:31:00 -0700

-meal

I’ve used this before and was considering it again as an alternative to Preen (a pesticide/herbicide) but found that there is no evidence that it does anything and actual evidence it makes weeds _worse_ because it contains 10% nitrogen.

Corn gluten meal did not prevent weeds from germinating in OSU study

Corn gluten meal is a natural substitute for a synthetic “pre-emergence” herbicide and has been advertised as a more environmentally friendly way to control weeds.

A pre-emergent herbicide is one that kills seedlings as they germinate. Pre-emergent herbicides generally have to be applied and watered in before weed seeds germinate. Other herbicides, such as glyphosate (e.g. Round Up) kill plants after they have emerged.

A by-product of commercial corn milling, corn gluten meal contains protein from the corn. It poses no health risk to people or animals when used as an herbicide. With 60 percent protein it is used as feed for livestock, fish and dogs. It contains 10 percent nitrogen, by weight, so it acts as a fertilizer as well.

The use of corn gluten meal as an herbicide was discovered by accident during turfgrass disease research at Iowa State University. Researchers noticed that it prevented grass seeds from sprouting. Further research at Iowa State showed that it also effectively prevents other seeds from sprouting, including seeds from many weeds such as crabgrass, chickweed, and even dandelions. Components in corn gluten meal called dipeptides are apparently responsible for herbicidal activity.

…

Corn gluten meal did not control any weeds in any trials under any circumstances over a two-year period. They found no evidence of pre- or post-emergence weed control in any of their trials. Because it contains 10 percent nitrogen, corn gluten meal proved to be a very effective fertilizer, causing lush, dense growth of turfgrass and of weeds in shrub beds.

Variable speed limit signs: Opportunity for evidence Based government?

Tue, 19 May 2009 04:37:00 -0700

Here’s a challenge to WSDOT: Are you willing to halt and reverse the variable speed limit signage deployment if, after a set amount of time, there has not been a significant reduction in congestion-related collisions? Or, if the new signage actually causes more congestion or more collisions?

All too often the readerboards that give information on accidents seem to slow traffic down even more.

WSDOT - I-90 - Two-Way Transit and HOV Operations - Variable Speed Limit Signs

Tried and true on our mountain passes WSDOT uses variable speed limit signs on US 2 at Steven Pass and on I-90 at Snoqualmie Pass to alert drivers to slow down during icy, snowy and congested driving conditions. Similar signs installed on European urban roadways incresed safety and decrease congestion-related collisions by 30% or more.

Human Readable Privacy Policies Are Good For Everyone

Tue, 19 May 2009 04:33:00 -0700

I can’t believe how many privacy policies are cut from the same tattered cloth and are written by corporate lawyers who are not concerned with people actually understanding them or in actually communicating the information that someone might be looking for in a privacy policy (CYA mode only). I came across one that gets to the meat of the matters that should be important to anyone using an online service:

Who owns my data in your system?

“At drop.io, what’s yours is yours. Period. This Privacy Policy describes what little information we do collect from you (the “User”) as part of our web service (the “Service”), and how that information may be used and/or disclosed.”

What are you going to collect and what are you going to do with it?

“Very little. In fact, practically nothing. You do not need to provide us with any personal information to set up free Drops. …. Although we know very little about you – Drops are not totally anonymous. When you visit our Service, some information is automatically collected, such as your computer’s operating system and browser type, version, and capabilities. We also will track your Internet Protocol (IP) address and the time and date of your visit.”

Now that is USEFUL information about data privacy that is understandable and I can get behind!

drop.io privacy policy

The typical corporate privacy policy is typified by:

No information on the specific _service data_ that is being collected
No information on how the specific _service data_ is being protected
No information on how to view or correct or expunge information stored about you.
No details on the exact list of information collected about you.
Generic platitudes about SSL as the panacea for site security
Mostly irrelevant discussions of client-side cookies that are too generic or marketing-specific and not website or service-specific
Generic information about marketing data collection and emails
Only information about _website_, not software or service security (data is not contextualized; but the lawyers are happy because they have a checkmark in the box next to “Write Privacy Policy”)
Focus too much on opt-out for marketing.

No wonder people don’t care enough about their privacy. They aren’t able to understand what companies are doing with their data.

To be fair, the companies writing the policies (if they are big enough) probably don’t really understand very well what is being collected or used so they are forced to write generic policies. It’s hard work to actually catalog and enforce customer data tracking and most companies don’t think they need to do this, and customers enable they by not demanding this level of accountability.

Fire Caused By Sunlight

Mon, 18 May 2009 14:27:00 -0700

Wow. Was just recalling how a mirror on the passenger seat of my grandparents’ car burned a hole in the dashboard on a sunny day when I was a kid. Was a reminder to not leave mirrors attached inside the vehicle (even though having one to watch our little cutie would be handy)

Sunlight, Water, Bowl Likely Cause Of Bellevue Fire - Seattle News Story - KIRO Seattle

BELLEVUE, Wash. – Investigators suspect sunlight was the cause of a fire that destroyed a deck and kitchen in an east Bellevue home on Sunday, said Lt. Eric Keenan of the City of Bellevue.

A glass bowl partially filled with water elevated on a wire rack in a sunny area of the home’s deck provided the right conditions to focus the sunlight and start a fire, Keenan said.

The fire occurred shortly before 3 p.m. Sunday in the 17100 block of Northeast Fifth Street.

The homeowners were away from the house when neighbors noticed flames and smoke.

Bellevue firefighters were able to extinguish the fire without injuries, and the family dog was rescued, but damage to the home is estimated at about $215,000.

Bang Exploitable-

Mon, 23 Mar 2009 15:33:00 -0700

Very cool news about a fuzzer + ms debugger extension to not only do fuzz testing of software, but help weed out false positives. Will be interested in trying this out and reading more about it. Wonder if it works with asp.net? Or at least the unit-testable portions of code?

Kaminsky: MS security assessment tool is a ‘game changer’ • The Register

-->

The next creationist strategy?

Sun, 22 Mar 2009 03:46:00 -0700

Looks like at least one attempt at a new strategy for teaching shit as if it was science (creationism) is to get an education degree program accredited so that the Institute for Creation Research can churn out teachers that can infect the school system like viruses and eat children’s brains from the inside out. A Texas representative is trying a new tactic to get the degree program approved: exempt the ICR from the rules created by the Texas Higher Education Coordinating Board that rejected the last attempt by a unanimous 8-0 vote.

Higher Education Commissioner Raymund Paredes said at the time that the institute’s program, based on a literal interpretation of biblical creation, falls outside the realm of science and therefore could not be designated “science” or “science education.”

This rep is making the tired old “fairness” argument, “Why are people who call themselves scientists afraid to hear two sides of a debate?” Berman asked Friday.

Note to Berman: Science is not a “debate”. It is based on facts and a rigorous methodology for evaluating those facts to approximate the truth as closely as is possible to make predictions about the natural world. Creationism is not based on facts or a methodology at all.

Little Green Footballs - Texas Lawmaker Backs Creationist ‘Degree’

12 Key Policy Decisions Led To Cataclysm

Sun, 15 Mar 2009 15:49:00 -0700

A new 231 page report outlines 12 key policy decisions that led to the current economic crisis. Let’s hope that some facts start to do a couple of things:

1. Stop the stupid right-wing chain emails that claim that this all rests on the Democrats and Fannie/Freddie. There’s plenty of blame to go around (Fannie and Freddie are # 10 on the blame list) 2. Stop the pundits that decry the “finger pointing” and hope to instead “move forward”. Excuse me, but I think that a report looking critically at pointing fingers at what got us in this mess is _kind of important_ to know how we get out of it. Of course maybe those pundits just want us to “look busy” and “do some stuff” and hope it works. I prefer evidence-based governing myself and the place to start is with the evidence for how we got in this mess.

Wall Street Watch

1. In 1999, Congress repealed the Glass-Steagall Act, which had prohibited the merger of commercial banking and investment banking. 2. Regulatory rules permitted off-balance sheet accounting – tricks that enabled banks to hide their liabilities. 3. The Clinton administration blocked the Commodity Futures Trading Commission from regulating financial derivatives – which became the basis for massive speculation. 4. Congress in 2000 prohibited regulation of financial derivatives when it passed the Commodity Futures Modernization Act. 5. The Securities and Exchange Commission in 2004 adopted a voluntary regulation scheme for investment banks that enabled them to incur much higher levels of debt. 6. Rules adopted by global regulators at the behest of the financial industry would enable commercial banks to determine their own capital reserve requirements, based on their internal “risk-assessment models.” 7. Federal regulators refused to block widespread predatory lending practices earlier in this decade, failing to either issue appropriate regulations or even enforce existing ones. 8. Federal bank regulators claimed the power to supersede state consumer protection laws that could have diminished predatory lending and other abusive practices. 9. Federal rules prevent victims of abusive loans from suing firms that bought their loans from the banks that issued the original loan. 10. Fannie Mae and Freddie Mac expanded beyond their traditional scope of business and entered the subprime market, ultimately costing taxpayers hundreds of billions of dollars. 11. The abandonment of antitrust and related regulatory principles enabled the creation of too-big-to-fail megabanks, which engaged in much riskier practices than smaller banks. 12. Beset by conflicts of interest, private credit rating companies incorrectly assessed the quality of mortgage-backed securities; a 2006 law handcuffed the SEC from properly regulating the firms.

-->

Open Letter Chain Email Rebuttal Quot Fw Why Are We Bankrupt Quot-

Sun, 15 Mar 2009 14:24:00 -0700

quot-

Oh, got another stupid retread of a retread of a chain email that I had to debunk. Posting to the inter-tubes for the benefit of others. It seems that when you google shit like this the results tend to be topped with people reposting and rarely with posts intelligently analyzing the statements.

This one was particularly hilarious because if you actually read the sources cited, they tend to contain plenty of information that debunks their own claims!

-Jason

From: Jason Axley <redacted – die-spammers-die> To: Sent: Monday, March 2, 2009 6:33:13 PM Subject: Re: Fw: WHY ARE WE BANKRUPT? “Why isn’t this in the papers?” Because it is chock full of lies and distortions (i.e. it’s not true)! Oh, there are so many things wrong with this that I will point out just a few things.

The first to point out is that you absolutely cannot rely on the claimed “fact-checking” of chain emails. Unless this was written by your buddy bikemick (it wasn’t), and he was the one who did the fact-checking (he didn’t), then you are still passing along likely false information. And much (if not all of this) is false, which implies that probably most of it is false – no matter how much it agrees with your preconceived notions. DO YOUR OWN FACT CHECKING or just delete these if you won’t be able to vouch for the veracity of the claims.

Let’s just start at the beginning. 1. $11 - 22 billion is spent on welfare for illegal aliens each year. And they cite a supposed source to back this claim up (which actually then cites another source which DOES NOT back up the data). The latest data in the study cited is from 2001 and shows 8,274,240,000 (8 billion / year). The fact that they gave a range of x - 2x should have been a red flag to start with (don’t we know these things exactly?) They wanted to make you think it was high when it isn’t that high. Especially when compared to native and legal immigrant use of welfare, which is respectively 21 times and about 4 times higher than that (or 174 billion and 30 billion respectively)

The bogus figure comes from “FAIR, which has faced bipartisan accusations of airing “racially inflammatory” anti-immigration ads with another group, the Coalition for the Future of the American Worker.”

I also thought you would find it illuminating to consider placing blame on the companies and industries that _hire_ illegal immigrant laborers. Supply and demand folks, and with a complicit government that looks the other way to support business, you get what you get. Instead of villifying “illegals” who are just trying to feed their families, if you really want to get to the bottom of these problems, you should look at solving the market-driven problem with a market-driven solution.

From the very study that was (misquoted by the first citation below):

“If such businesses can only survive by paying poverty-level wages, creating huge costs for taxpayers in the form of welfare payments to their workers, then maintaining such an industry makes little sense. Welfare payments to low-wage workers represent a large subsidy to business. For example, if taxpayers provide health care in the form of Medicaid, then employers do not have to provide health care. Of course, employers find this a very desirable situation. Employers do not see the costs of Medicaid because they are diffuse, borne by all taxpayers, while employers have a very strong incentive to keep down their labor costs by keeping immigration high. By providing workers with welfare and other means-tested programs, taxpayers are in effect paying part of the salary for these workers. Like any business receiving subsidies, those who use unskilled labor will try very hard to retain them. The fact that some businesses wish to retain this subsidy cannot, however, justify the costs to taxpayers, or the reduction in wages for the poorest American workers. "

Additionally, the title of the CIS study cited below? “The High Cost of Cheap Labor” Right. They are pointing out that this is an economic problem created by a market that is working the way markets work with little oversight from the government. The most damning problem of the “facts” below is that they are split out individually, then added up again (double, and maybe even triple counted). So the “total” is utter bunk. The CIS study being cited actually contains a realistic figure for the TOTAL: “Households headed by illegal aliens imposed more than $26.3 billion in costs on the federal government in 2002 and paid only $16 billion in taxes, creating a net fiscal deficit of almost $10.4 billion” That’s right – a whopping net of 10.4 billion. Not 338 billion. Their data rightly subtracts the $16 billion paid in taxes by illegals.

This email has been on the Internet for years and is now making another round as some sorry person has decided to edit it to make it “current” with the economic crisis at hand. More debunking here: https://colorado.mediamatters.org/items/200707060001

-Jason

-—- Forwarded Message —- From: Sent: Sunday, March 1, 2009 9:27:04 PM Subject: WHY ARE WE BANKRUPT?

This is astounding and infuriating. Why isn’t this in the papers? Please read and pass it on. WHY ARE WE BANKRUPT? !

You think the war in Iraq is costing us too much? Read this: Boy, was I confused. I have been hammered with the propaganda that it is the Iraq war and the war on terror that is bankrupting us. I now find that to be RIDICULOUS. I & nbsp;hope the following 14 reasons are forwarded over and over again until they are read so many times that the reader gets sick of reading them. I also have included the URL’s for verification of all the following facts. **1. $11 Billion to $22 billion is spent on welfare to illegal aliens each year by state governments. ** Verify at: https://tinyurl.com/zob77 2. $2.2 Billion dollars a year is spent on food assistance programs such as food stamps, WIC, and free school lunches for illegal aliens. Verify at: https://www.cis.org/articles/2004/fiscalexec.HTML 3. $2.5 Billion dollars a year is spent on Medicaid for illegal aliens. Verify at: https://www.cis.org/articles/2004/fiscalexec.HTML 4. $12 Billion dollars a year is spent on primary and secondary school education for children here illegally and they cannot speak a word of English! Verify at: https://transcripts.CNN.com/TRANSCRIPTS/0604/01/ldt.0.HTML 5. $17 Billion dollars a year is spent for education for the American-born children of illegal aliens, known as anchor babies. Verify at https://transcripts.CNN.com/TRANSCRIPTS/0604/01/ldt.01.HTML 6. $3 Million Dollars a DAY is spent to incarcerate illegal aliens. Verify at: https://transcripts.cnn.com/%20TRANSCRIPTS/0604/01/ldt.01.HTML 7. 30% percent of all Federal Prison inmates are illegal aliens. Verify at: **https://transcripts.CNN.com/TRANSCRIPTS/0604/01/ldt.01.HTML8. $90 Billion Dollars a year is spent on illegal aliens for Welfare & social services by the A merican taxpayers. Verify at: https://premium.CNN.com/TRANSCIPTS/0610/29/ldt.01.HTML 9. $200 Billion dollars a year in suppressed American wages are caused by the illegal aliens. Verify at: https://transcripts.cnn.com/TRANSC%20RI%20PTS/0604/01/ldt.01.HTML **10. The illegal aliens in the United States have a crime rate that’s two and a half times that of white non-illegal aliens. In particular, their children, are going to make a huge additional crime problem in the US ** Verify at: https://transcripts.CNN.com/TRANSCRIPTS/0606/12/ldt.01.HTML 11. During the year of 2005 there were 4 to 10 MILLION illegal aliens that crossed our Southern Border also, as many as 19,500 illegal aliens from Terrorist Countries. Millions of pounds of drugs, cocaine, meth, heroin and marijuana, crossed into the U. S from the Southern border. **Verify at: Homeland Security Report: h**ttp://tinyurl.com/t9sht 12. The National policy Institute, estimated that the total cost of mass deportation would be between $206 and $230 billion or an average cost of between $41 and $46 billion annually over a five year period.’ Verify at: https://www.nationalpolicyinstitute.org/PDF/deportation.PDF 13. In 2006 illegal aliens sent home $45 BILLION in remittances to their countries of origin. Verify at: https://www.rense.com/general75/niht.htm> **14. ‘The Dark Side of Illegal Immigration: Nearly One million sex crimes Committed by Illegal Immigrants In The United States .’Verify at: http: // www.drdsk.com/articleshtml <https://ww w.drdsk.com/articleshtml> The total cost is a whopping $ 338.3 BILLION DOLLARS A YEAR AND IF YOU’RE LIKE ME HAVING TROUBLE UNDERSTANDING THIS AMOUNT OF MONEY; IT IS $338,300,000,000.00 WHICH WOULD BE ENOUGH TO STIMULATE THE ECONOMY FOR THE **CITIZENS OF THIS COUNTRY. **

Are we THAT stupid? YES, FOR LETTING THOSE IN THE U.S. CONGRESS GET AWAY WITH LETTING THIS HAPPEN YEAR AFTER YEAR!!!!!

Check all of your email inboxes from anywhere on the web. Try the new Email Toolbar now!

Do You Know Your Different Precipitations

Sat, 07 Mar 2009 02:45:00 -0800

I think that right now it is sleeting in Seattle.

Freezing Rain: supercooled raindrops that freeze instantly when they hit the ground or other objects
Hail: snow and rain in the upper atmosphere mix due to updrafts and accumulate into large pellets that fall to earth when the updraft can’t support their weight
Sleet: Partially-melted snow that freezes again on the way down and falls as visible pellets.

Precipitation: hail, rain, freezing rain, sleet and snow

Face Recognition Biometric Security Badly Broken

Sun, 15 Feb 2009 01:33:00 -0800

It was only a matter of time that this would be broken. If you have one of these laptops that uses this software, you should disable it.

My guess would be that just a simple webcam is not going to be able to get enough information to be able to tell the difference between a fake 2-d picture of an individual and an actual 3-d person. They probably need some sort of additional 3-d scanner that samples depths on a face as well or similar technique.

The hack seems to rely on faking the image comparison algorithms since ultimately these systems are storing the original facial image and using image processing on it.

Researchers Hack Faces In Biometric Facial Authentication Systems

“There is no way to fix this vulnerability,” Duc says. “Asus, Lenovo, and Toshiba have to remove this function from all the models of their laptops … [they] must give an advisory to users all over the world: Stop using this [biometric] function.”

An attacker can edit and adjust the lighting and angle of a phony photo to ensure the system will accept it, according to the researchers. “Due to the fact that a hacker doesn’t know exactly how the face learnt by the system looks like, he has to create a large number of images…let us call this method of attack ‘Fake Face Bruteforce.’ It is just easy to do that with a wide range of image editing programs at the moment,” they wrote in their paper.

Facebook Privacy Settings To Minimize Ridicule And Embarrassment

Sun, 15 Feb 2009 01:25:00 -0800

This is an excellent guide to the kinds of things that you may or may not be familiar with as possible sources of embarrassment on Facebook, or even just if you want to have more control over people monitoring you. But you do have control over these things. I might suggest the relationship one for many people – so that you only post to your profile relationship status changes that you really want to broadcast.

Facebook | 10 Privacy Settings Every Facebook User Should Know

Untrue email indicators

Sat, 14 Feb 2009 11:37:00 -0800

After sending out the umpteenth rebuttal of a demonstrably untrue email this week, I thought of at least two things that are negatively correlated with the truthfulness of the contents:

A claim by the author of the chain email that they “verified this on snopes” (with or without a link to snopes). Note, this is a claim by the chain email author, not your friend who just forwarded it to you. I have seen not only just the generic claim of verifying on snopes (without citation), but also an erroneous link to content on snopes that actually _refutes_ the content being peddled.
Pleading by the author to “send this to everyone you know”. Again, this is done by the anonymous or pseudonymous author of the untrue content, not your buddy who sent it to you.

Font Preview Application In Flash

Sun, 08 Feb 2009 13:41:00 -0800

This is a very very cool site that allows searching by font names and even allows you to see a specific unicode font rendered in a variety of fonts local to your computer.

https://www.fileformat.info/info/unicode/font/fontlist.htm?text=%E2%86%91+-+UPWARDS+ARROW+(U%2B2191)

Ms Office Wins A Battle Vs Openoffice Calc

Sun, 08 Feb 2009 13:38:00 -0800

This is completely counter-intuitive. The OpenOffice dialog for conditional formatting only lets you select from pre-defined “styles” by name (no autopreview) and no way to add a new style from the dialog. I had to google this to find out how to modify existing styles. Oy. Sometimes the MS way is the better way…

OpenOffice.org Training, Tips, and Ideas: Conditional Formatting in OpenOffice Calc Spreadsheets

Keep Up With Basic Auto Maintenance

Sat, 07 Feb 2009 07:04:00 -0800

This compiles a few sets of auto maintenance tips that everyone should know about, not only for fuel economy, but to prolong the life of your vehicle.

I actually look forward to when the car will be smart enough and have a nice enough LCD display where it could tell you when your maintenance was due since it knows your mileage and driving habits. Enough with the dumb blinky light patterns or general “service engine soon” lights. There is a computer in the car – it’s time to catch the display up with the technology so people can actually use it.

Driving Less? Don’t forget you still need some basic maintenance - AutoblogGreen

Finally An Explanation Of Why Catnet Craps Out

Wed, 04 Feb 2009 02:42:00 -0800

Ever since CAT.NET was released I have not been able to successfully use it for a typical solution/project. It actually causes Visual Studio to crash after running for a while and taking all of the available memory with it…

Even with the command-line tool, any large set of assemblies being analyzed seems to consume more than CAT.NET can get the .Net framework to allocate (not to mention the entire system grinds to a halt while it is running). The reason is due to how .Net needs to allocate contiguous pages of memory and the 32 bit per-process memory limitations. The solution for now is to run the command-line tool on 64 bit windows or vista or to split up the analysis into smaller sets of assemblies.

BTW, I think that “Call Flow Super Graph” would be an _awesome_ band name.

The Connected Information Security Group : Current Memory Limitations of CAT.NET

Even with virtual memory there are limits to how much memory a single .NET application can allocate. As reported in recent blog post a 32-bit process, such as the CAT.NET Visual Studio plug-in version can only allocate about 1200 MB, even on a 4GB RAM (32-bit) system. Moreover another shortcoming of the current implementation is that when CAT.NET runs out of memory is it exits with an unhandled OutOfMemory (OOM) exception, unfortunately this does not get reported by the Visual Studio plug-in and the plug-in just seems to hang.

Intolerable Beauty

Tue, 03 Feb 2009 15:39:00 -0800

This artist’s work is MASSIVE in size and in message. I find this to be a simple yet powerful way to spread a message. I have often wondered what it would look like to see all of the thrown-away batteries, plastic silverware, plastic bags, etc. piled all together. Now you can in artistic ways.

You can even get a couple of prints 24x36 for the great price of $30 each

chris jordan photography

Intolerable Beauty: Portraits of American Mass Consumption

Exploring around our country’s shipping ports and industrial yards, where the accumulated detritus of our consumption is exposed to view like eroded layers in the Grand Canyon, I find evidence of a slow-motion apocalypse in progress. I am appalled by these scenes, and yet also drawn into them with awe and fascination. The immense scale of our consumption can appear desolate, macabre, oddly comical and ironic, and even darkly beautiful; for me its consistent feature is a staggering complexity.

The pervasiveness of our consumerism holds a seductive kind of mob mentality. Collectively we are committing a vast and unsustainable act of taking, but we each are anonymous and no one is in charge or accountable for the consequences. I fear that in this process we are doing irreparable harm to our planet and to our individual spirits.

As an American consumer myself, I am in no position to finger wag; but I do know that when we reflect on a difficult question in the absence of an answer, our attention can turn inward, and in that space may exist the possibility of some evolution of thought or action. So my hope is that these photographs can serve as portals to a kind of cultural self-inquiry. It may not be the most comfortable terrain, but I have heard it said that in risking self-awareness, at least we know that we are awake.

"You know your security is broken when..."

Tue, 03 Feb 2009 01:06:00 -0800

“… a $250 device can clone RFID passports and Driver’s licenses at a distance”

Researchers built a mobile device for $250 that can

identify and
clone RFID chips in US passports and state REAL ID driver’s licenses by war driving.

Do you think that they will listen to the security and privacy experts next time? Probably not.

[ISN] Passport RFIDs cloned wholesale by $250 eBay auction spree

“It’s one thing to say that something can be done, it’s another thing completely to actually do it,” Paget said in explaining why he built the device. “It’s mainly to defeat the argument that you can’t do it in the real world, that there’s no real-world attack here, that it’s all theoretical.”

Mclaughlin Man Of Myths

Mon, 02 Feb 2009 11:41:00 -0800

I watch The McLaughlin Group religiously. I find the panel tends to lean right in general, but for the most part enjoy the varied opinions and the cross-section sampling of views from the right.

But, I have been increasingly annoyed with John McLaughlin continuing to trot out some seriously flawed and ridiculous myths that have been roundly debunked. And it’s been more annoying that the panelists don’t call him on them. Here is my list that have come up fairly frequently of late, and details (sourced) as to why they are bogus.

It was a victory for Bush that we “haven’t been attacked” since 9-11 by terrorists.

How this is ridiculous:

It’s NOT TRUE. We were attacked after 9-11. Remember the Anthrax Attacks, the perpetrators of which are still at large? And how about the attacks on US facilities abroad? More here.
It confuses correlation with causation. Clinton also didn’t have another attack on his watch. Is there a causal relationship? But even worse, Bush’s response was abhorrent to have the same effect as Clinton. I couldn’t say it better than Bob Cesca “President Clinton went more than seven years without a second 1993 WTC attack, and he did it without invading and occupying Iraq; he did it without torture; he did it without illegally spying on American citizens and the rest of it.”
9-11 happened in large part because of FAILINGS of the Bush administration to heed the warnings of many people about the danger of Al-Quaeda.

Obama is the most liberal senator in the US Senate.

This has been debunked. Their study only looked at 2007 (probably because that was the only year that the results turned out the way they wanted; the previous years showed Obama as the 10th and 16th most liberal, using their methodology), not the entire career voting records of each senator.

The National Journal’s study methodology has been called into question. They made the same kinds of mistakes that people doing bad meta-analyses make – they appeared to cherry-pick the data to fit their conclusion. For example, “Oh, yeah, he voted to require the Department of Homeland Security to check all cargo containers entering the United States for nukes and stuff. That’s one of the votes that counted as “liberal” in the study” https://blogs.e-rockford.com/applesauce/2008/03/26/its-amazing-what-passes-for-liberalism/ and see a fuller list here.

For an actual scientific methodology, check out voteview.com, which assesses congressional votes based on a rigorous scientific methodology – it is not swayed by cherry-picking of votes to include in the analysis or by arbitrary definitions of what constitutes “liberal”. Liberal-Conservative Rankings Done Right This methodology shows that there are 8 senators and 80 house representatives more liberal than Obama.

The US is a center-right country and/or Obama and his administration are center-right

There are so many things that debunk this claim.

The majority of Americans favor progressive policy positions and reject their conservative counterparts. Election ‘08 – The Center-Right Myth

The latest Pew Research poll showed that only 25 percent of the public agrees with the centerpiece of the conservative tax program: making Bush’s tax cuts permanent. The public also agrees by 58 percent to 35 percent that the government should guarantee “health insurance for all citizens even if it means raising taxes.” Exit poll data showed that 60 percent of voters were worried about rising health care costs and that 66 percent of those people backed Obama. A majority of Americans also want to expand environmental protections, increase the minimum wage, recognize same-sex marriage, and end the Iraq war, to name a few.
Obama ran on the most progressive platform in years and won with a majority of the popular vote (by 7.4 million) and won 63 more electoral votes than Bush.
More and more democrats have been voted into congress in the past few elections, even unseating incumbents like Senator Ted Stevens of the very-conservative Alaska.
Polls show that people state-by-state self-identify as overwhelmingly democratic-leaning, with only a few exceptions. And overall, a majority of Americans said they identified with or leaned to the Democratic party in 2008.

How Reliable Is Dna Identification

Sun, 25 Jan 2009 13:00:00 -0800

https://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story

A discovery leads to questions about whether the odds of people sharing genetic profiles are sometimes higher than portrayed. Calling the finding meaningless, the FBI has sought to block such inquiry.

Lovely that our own FBI actively worked to try to block researchers and defense attorneys from investigating just how unique DNA is using the existing national DNA database (known to fellow CSI fans as CODIS). Don’t they care about the truth? Apparently not. There are 6 million DNA profiles in there so far. Staggering.

No one knows precisely how rare DNA profiles are.

That is scary. Harkens back to the fingerprint uniqueness issues that were brought to light in the last few years too. The research shows that there can be many, many matches of 9 loci (locations on the chromosomes) or more. If you get busted by DNA evidence, you should insist on a match of at least 13 loci. But it should still be known just how likely it is for even that to match someone who is not the right person.

Do Market Analysts Really Know What The F They Are Talking About

Sun, 25 Jan 2009 12:41:00 -0800

After seeing these headlines in the news and RSS news feeds (many of the AP headlines _changed_ from one day to the next, but thanks to RSS readers every change was logged as a “new” entry so the full history of the headlines was preserved for your enjoyment below), I have to think the answer is “hell no”.

How could oil and gas prices both be categorized as rising and falling, rebounding and tumbling, and then the reasons for this ranging from “weak demand” to “supply from OPEC” to “storage crunch” to “Bernanke’s comments” to “US earnings”? And that was just within a span of _5 days_.

Jan 16 (Friday) Gasoline prices on the rise again (seattle PI) MARKET WATCH: Crude, gas prices fall World oil prices firm as markets eye OPEC “Oil prices rebounded Friday as the market tossed between worries over OPEC production cuts and the International Energy Agency’s unexpectedly sharp reduction in global demand forecasts.” Oil Prices Rally After Early Losses

Jan 15 (Thursday) Storage Crunch Weighs On Oil Prices

Jan 13 (Tuesday) Oil falls to near $36 on weak US crude demand (AP)

Jan 13 (Tuesday) Oil falls below $37 on gloomy demand outlook (AP)

Jan 13 (Tuesday) Oil rises to near $39 on Bernanke comments (AP)

Jan 12 (Monday) Oil tumbles below $38 on eve of US earnings season (AP)

Bluesoleil Bluetooth Driver Annoyances Solved-

Sun, 25 Jan 2009 12:37:00 -0800

One annoyance is that, by default, the Bluesoleil driver does not work as a Limited user account. Since I run exclusively as a limited user on windows XP, that was annoying. Fortunately, there is a solution: run it at startup as a higher-priv user. There are negative security implications to this, especially in light of my blog posting about software/driver rot because OEMs don’t get to maintain the latest driver versions, but the risk may be worth the reward.

Windows XP + Limited Accounts + Bluetooth - WiFi-Forum - Wi-Fi Discussion Forum

In registry editor, go to ….HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Currentversion/single click “Run”. On the right side u’ll see the softwares which run on system startup. Here u have to put ur Bluesoleil executable in the following way.

“maus right-click”/new/stringvalue/give a name like “Bluesoleil”/maus right-click on “Bluesoleil”/Modify/here give the path of the executable, someting like “C:\Program Files\IVT Corporation\Bluesoleil\Bluesoleil.exe”

Another annoyance was the dreaded “____________” error you often get upon installation or reinstallation or upgrade of the drivers. The vendor’s solution is not very helpful “cleanly uninstall before installation”, especially if the install had failed so you _can’t_ uninstall. But there is a solution gleaned from an International site:

no puedo instalar bluetooth | Ayuda, no, puedo, instalar, bluetooth | 2412322 | 3345 / 5

Right click in HKEY_CLASSES_ROOT. Choose Permissions… Click in advanced. In the new window check the box Replace permission entries on all child objects with entries shown here that apply to child objects. Click OK.

Repeat this to the HKEY_LOCAL_MACHINE. Probably you will receive some denied warnings in this step. This is completely normal.

Again, there may be security implications of doing this so take care.

Another thing that could get in the way is a firewall or anti-spyware program preventing registry modification so watch for that too.

Citibank Atm Insecurity

Sun, 25 Jan 2009 12:35:00 -0800

Ahh, doesn’t it save so much money to outsource? Ever wonder why it is cheaper (there _are_ reasons)? Well, in this case it seems that the company running ATMs at 7-11s that Citibank allowed to put its brand on had a massive security breach. Does not look like they were very security savvy. Funny, there’s one of these ATMs at the 7-11 right near my house. And I thought I had to be scared of the tiny, off-brand ones in convenience stores!

ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach | Threat Level from Wired.com

To recap what we know about the late-2007 PIN theft: Hackers broke into a server that processes transactions from the Citibank-branded ATMs at 7-Eleven convenience stores. The hackers installed some kind of software on the server, and made off with enough account numbers and PINs to steal at least two million dollars from Citibank accounts.

Dead To Me Word 2007 Auto Save Recovery

Sun, 25 Jan 2009 12:28:00 -0800

You would think that there might be some compelling reason to upgrade from Office 2003 to 2007, or perhaps to consider paying for office instead of the wonderful Openoffice.org 3.0 that is totally free. You would have thought wrong as far as this instance goes.

My wife recently had a problem where the stupid windows auto-updates rebooted her computer in the middle of the night and she had (contrary to normal practice) not saved a new document to a filename. But fortunately, there were the office Auto Saves, right?

Well, to recap:

* Auto save worked just fine. * But what if a user is not paying attention when they next launch Word and ignore the auto save recovery window upon recovery? Uhh, word nicely deletes the autosave file. Even VIM would err on the side of leaving your auto-recovery file in place. * Fortunately, I have nightly backups. So, I was able to recover the .asd file from the temporary directory (strangely %USERPROFILE%\Application Data\Microsoft\Word by default). Now what? * It should be as simple as File -> Open, right? Well, that’s what Microsoft’s own documentation says you should do. But this is WRONG. You get an “Unsupported file type” error or similar. * It was only after renaming to a .docx file and trying to open it that a helpful message said, “if you are trying to recover a file, open it _this_ way”. * Sheesh, can’t the program a) know how to open and deal with its own damned auto recover files in the first place? or b) not require the _user_ to do something different. Reminds me of Bill Cosby as Noah when god tells him he’s got two male animals and he has to go back out and get a female instead, Noah says, “I’m not going to do that – you change one of them!!”

* One Internet posting about how to restore this was to use Open Office Writer to open the .asd file and save as a .doc file. That actually works great.

Open Office can do it the user-friendly way, why not Word? What exactly do you get for $400 list price again?

Anti Abortion Activists Think About Implications Much

Sun, 25 Jan 2009 08:44:00 -0800

This is a fascinating video. Abortion protesters are asked what should be done to the women who would have illegal abortions. None of them had an answer and none of them had ever thought about it. It was hilarious to see them come up with arguments as to why women should actually _not_ be punished if they were to have an illegal abortion. They are quick to make an analogy to abortion and killing a child, but they are very reticent to make the penalties the same. One even said something to the effect that “it would depend on the situation” and the woman’s mental state of mind. Wowzers.

“”Did you know you can stump anti-abortionists with one simple question?" They know it’s absurd and unfair — which means they know abortion is not really murder."

Pharyngula: This must be a very hard question

Disappointment In Bits Public Comments On Contactless Payments Privacy And Security

Sun, 25 Jan 2009 05:57:00 -0800

The FTC had solicited public comments on contactless payment systems: The Federal Trade Commission and the Technology Law and Public Policy Clinic at the University of Washington Will Host a Town Hall Meeting on July 24, 2008, to Explore the Growth of Contactless Payment Systems and Their Implications for Consumer Protection If I had known this was happening in Seattle I would have definitely attended.

They have published various letters received on the website above.

BITS Financial Services Roundtable Comments were a bit underwhelming.

“Thank you for inviting me to participate in the Town Hall on “Pay on the Go: Consumers and Contactless Payment.” Attached are four key summary conclusions.”

So, what were the four key summary conclusions BITS provided?

First, contactless payments that have been utilized by financial institutions do not pose a significant security or privacy protection risk to consumers.

_Say what? No positive evidence is provided for their safety other than “there are lots deployed and we haven’t seen much risk so far”. That’s not a good argument. How about descriptions of the security and privacy technologies that provide the assurance? We know there have been some really bad deployments so either they don’t read the RISKS digest or perhaps even the news?

How to hack RFID-enabled credit cards for $8 - Boing Boing TV Schneier on Security: Skimming RFID Credit Cards Black Hat reveals credit data via RFID insecurity RFID deployment moving forward despite security flaws _ 5. Second, it is vital that the government permit financial institutions and technology providers to innovate using new technologies so long as it is done in a safe and sound manner and meets the needs of consumers.

_Okay, that’s an industry-apologist position. And nobody would disagree with the premise but the way that things get done in the industry tends to put the supposed “needs of consumers” ahead of the security and privacy since the mental threat models only look at the bottom line fraud risk and ignore the customer privacy concern. It would have been better to state, “Financial institutions will commit to developing these capabilities in an open, full-disclosure manner and include security and privacy concerns of customers and security researchers into the design discussion” _ 9. Third, it is important for government agencies to work together to address issues that span their jurisdictions.

Basically, “we need big government regulators to tell us how to do security; in the absence of something telling us we’re doing something wrong, we’ll assume there’s nothing wrong with what we’re doing” I’ve seen this all too often that financial institutions try to do security by committee or in the absence of that, do only what the regulators ask about. They need to commit to a proactive stance that is based on sound threat models and openly address these issues in any new technology.

Fourth, it is important for government to encourage the private sector to collaborate…[on standards for mobile payments]

_Again, security by committee is not the way to go about these things. And the standards are irrelevant to the design and the principles. They also did not mention anything about ensuring the standards ensure _minimum security_ and _privacy_ are included – just that they need “standards”. Look no further than the magstripe PIN block standards for typical “good enough” design that is not necessarily based on the most optimal security. Same thing happened with WEP…

Hey, how about also committing to public publishing of the standards? I can’t tell you how difficult it is to even get official documents for ANSI / ISO financial industry standards. They should be available to anyone with google. _

What is most disappointing is that they do not offer any positive claims for why we should not care. This site offers five good tips that perhaps BITS should have recommended each participating company to publish information about. Can Contactless Credit Cards Be Hacked? 5 Tips to Stay Secure I’ve added my own to the mix.

Publish the security design principles, such as “no customer identifiable information stored on the card or transmitted in the clear”, “no reliance on the wireless signal being short-range as a security mechanism”, “employing strong encryption and well-known and tested authentication and key exchange protocols”, etc.
Full disclosure of the data stored on the card and the security protections employed. What information does the card transmit in the clear over the air? What prevents an adversary from querying the card from within your pocket?
Which RFID/contactless standards are employed and, if so, how are they exceeded?
Full disclosure of the encryption strength employed
Ways that the customer can take preventive action (such as providing protective sleeves to block RFID when you are not using your card)
Clearly publish the fraud liability information, if it differs from traditional mag-stripe cards
Give customers the option of having a non-contactless card
and even more importantly, ensure that your call centers know how to route those requests and handle them appropriately.
Take a leadership role in providing for the government regulators the kinds of controls that they should look for that could impact fraud, identity theft, or personal privacy. I’ve seen that financial institutions tend to focus on the fraud aspect and often ignore the privacy aspect until someone complains…
Adhere to some basic consumer protection standards that would underlie any of the design considerations. Such as the proactive ones listed above. Adhere to open, full-disclosure. Commit that you will not stifle security researchers publishing work in these areas and that you think it is valuable to help improve the technology and keep innovating.

Css Sprites Are Cool

Sun, 25 Jan 2009 04:05:00 -0800

I just learned about CSS sprites for reducing the amount of HTTP requests it takes to render a page. Very cool stuff.

Basically, you create a single image that contains all of the small images to use on your site and that is all you need to download. Then you use CSS and offsets within that image to select that part of the image to display in the page. There is padding around each image so that you don’t get weird renderings with different browser quirks.

https://css-tricks.com/css-sprites-what-they-are-why-theyre-cool-and-how-to-use-them/

Ev Certs Used Against Us

Sun, 25 Jan 2009 03:38:00 -0800

I happened to notice this in my Spam bucket. Funny to see the phishers adapting to the trend of increased use of EV certs and the fact that customers are rightly ignorant of what EV certs actually are and why they would be good for them. It’s never as simple as one might think to solve these kinds of problems with technology. There is that human factor…

Dear HSBC Member, Due to the high number of fraud attempts and phishing scams, it has been decided to implement EV SSL Certification on this Internet Banking website.

The use of EV SSL certification works with high security Web browsers to clearly identify whether the site belongs to the company or is another site imitating that company’s site.

It has been introduced to protect our clients against phishing and other online fraudulent activities. Since most Internet related crimes rely on false identity, HSBC went through a rigorous validation process that meets the Extended Validation guidelines.

Please Update your account to the new EV SSL certification by Clicking here.

The BEAST on Rush

Tue, 13 Jan 2009 14:39:00 -0800

I recently listened to Rush while driving and wanted to reach into the radio and shake him because his delivery is so annoying. He must love to hear himself talk so much he repeats everything ad nauseum. Or perhaps his demographic falls asleep often during his show and needs an instant replay?

This sounds about like the best description of this foul human being. There are some hilarious other entries as well you have to read.

THE BEAST 50 MOST LOATHSOME PEOPLE IN AMERICA, 2008

11. Rush Limbaugh

Charges: The father of modern stupidity, Limbaugh spins reflexively, never struggling with issues, because he knows his conclusion must favor Republicans, and his only task is finding a way to get there. In other words, he may or may not actually believe what he’s saying, but it’s beside the point. His job is not to say what he thinks, but to instruct his listeners on what they should think. If the facts don’t agree, he can always change them, as his “ditto heads” are already armed against the contrary evidence with the all-purpose “liberal bias” attack. “Rush is right,” as the slogan goes, and all those nerdy reporters in the “drive by media” are lying, because they secretly love terrorists. It’s this creepily worshipful, breathtakingly infantile abdication of intellect to a blatantly dishonest hypocrite that makes Limbaugh’s audience so goddamn sad. These pathetic, insecure, failures of men look to Rush as the champion of their impotent rage, helping them to externalize responsibility for their own deficiencies, pinning the blame on those darn liberals and their racial and gender equality.

Exhibit A: You have to marvel at the sheer ignominy of someone who coins the term “Obama recession” two days after the election.

Lou Dobbs Global Warming Denier

Tue, 13 Jan 2009 14:17:00 -0800

Hat tip to FAIR’s Counterspin for covering this last week. I hadn’t heard it discussed yet.

What hubris!! To think that you somehow know more than the consensus of scientific opinion? Argument from personal incredulity abounds.

And the great hypocritical final quote from Lou himself that he should re-read after reading his own transcript (at the site below)

CNN’s Lou Dobbs: Belief in Global Warming ‘Almost a Religion’ | NewsBusters.org

there seems to be such a crowding out of facts and objective assessment of those facts, and as the scientists, the climatologist in your report suggests, there’s such selective choices of data as one discusses and tries to understand the reality of the issues that make up global warming.

Browser Security Policies Documented And Compared

Tue, 13 Jan 2009 13:56:00 -0800

I have often wondered about this kind of thing. Browsers implement all kinds of “policies” that are largely implemented as undocumented logic in code – probably in response to a security bug. Never before that I’m aware of has such a great documentation of considerations for client-side security for browsers been documented.

I’ve read through the whole thing and it is fascinating reading. I hope the browser vendors look at this and start a war for who’s going to have a more secure browser!

Main - browsersec - Google Code - Browser Security Handbook landing page

This document is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

Although all browsers implement roughly the same set of baseline features, there is relatively little standardization - or conformance to standards - when it comes to many of the less apparent implementation details. Furthermore, vendors routinely introduce proprietary tweaks or improvements that may interfere with existing features in non-obvious ways, and seldom provide a detailed discussion of potential problems.

Dangers Of Instant Runoff Voting

Tue, 13 Jan 2009 13:53:00 -0800

Several recent editions of RISKS discuss some evidence of the dangers of IRV (Instant Runoff Voting) systems. Which is a shame since I hoped that they would offer a better approach that could help break the stranglehold of the two-party system. When they discuss paradoxical results, one is the situation such as if three people vote and the votes are:

A preferred over B B preferred over C C preferred over A

What is the solution to this that will result in the “right” person being elected? There are other paradoxes as well that can occur when people leave the race before it is decided too.

Well, I at least wanted to be able to have a “negative vote” where I could specify a lack of desire for a candidate. There may still be hope.

Runoff elections are expensive, which has led to various approaches to avoiding them by having voters express priorities among the various candidates. However, an important paper by Kenneth Arrow (RAND Corp, 1948) provides mathematical evidence that no voting system that ranks preferences among more than two candidates can guarantee logically fair nonparadoxical results.

A nice example of a “winner-turns-loser” paradox with Instant Runoff Voting (IRV) is given by William Poundstone, Why Elections Aren’t Fair (And What We Can Do About It), Hill & Wang, 2008, by considering hypothetically what might have happened in the 1991 Louisiana governor’s race if IRV had been used. I oversimplify slightly (and ignore the political positions that might have made this logical!):

34% of the voters were for Edwin Edwards, 32% for David Duke, 27% for Buddy Roemer. Under IRV, Roemer would have been eliminated, and his votes reallocated – which could have resulted in Edwards winning.

Suppose Edwards managed to have swung 6% of Duke’s voters to have switched to Edwards. Then Duke would have been eliminated, and the reallocation could have resulted in Roemer being the winner.

There’s a nice review article on Poundstone’s Gaming the Vote, and Spencer Overton’s Stealing Democracy: The New Politics of Voter Suppression, Norton, 2008, in *The Nation*, 2 Jun 2008, written by Peter C. Baker. https://www.thenation.com/doc/20080602/baker

…

“In many real-world elections, there is a “Condorcet” winner, ie someone who is preferred by a majority of the electorate to every other candidate (it may be a different majority in each case). If there is such a winner, then electing them fulfills Arrow’s theorem. The problem is that in some elections, preferences are circular (ie A>B, B>C and C>A, where > represents ‘is preferred to’ rather than the usual ‘is greater than’). Where this occurs, no system can fulfill Arrow’s criteria - either the system will elect someone who would lose in a simple majority two candidate election (which fails Arrow’s dictatorship criterion) or IIA will be breached, as any proposed winner can be defeated by the withdrawal of one of his opponents.”

Constitutional Challenge To Fisa Immunity Law Go Eff Go-

Tue, 13 Jan 2009 13:41:00 -0800

In Courtroom Showdown, Bush Demands Amnesty for Spying Telecoms | Threat Level from Wired.com

“Is there any precedent for this type of enactment that is analogous in all of these respects: retroactivity; immunity for constitutional violations; and delegation of broad discretion to the executive branch to determine whether to invoke the provision?,” the judge asked.

Carl Tobias, a professor at the University of Richmond School of Law, says the immunity legislation, if upheld, “makes it possible to extend immunity to other areas of the law.”

And fortunately, the judge seemed to have some reservations about the statute:

Judge Questions Telecom Immunity | Threat Level from Wired.com

“In essence that gives the attorney general carte blanche to immunize anyone.” Walker said, wondering what odd creature Congress had fashioned. “What other statute is like this statute?”

Here are the EFF’s documents on the case:

NSA Multi-District Litigation | Electronic Frontier Foundation

The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in its massive, illegal program to wiretap and data-mine Americans’ communications. In May, 2006, many other cases were filed against a variety of telecommunications companies. Subsequently the Multi-District Litigation Panel of the federal courts transferred approximately 40 cases to the Northern District of California federal court.

And the good news is that Judge Walker has denied the motion to dismiss!

Al-Haramain Warrantless Spying Case Can Proceed | Electronic Frontier Foundation

Today, Chief Judge Vaughn Walker of the United States District Court in San Francisco denied the government’s third motion to dismiss the Al-Haramain v. Bush litigation. The ruling means that the case can proceed and the court also set up a process to allow the Al Haramain plaintiffs to prosecute the case while protecting classified information.

“Without a doubt, plaintiffs have alleged enough to plead ‘aggrieved persons’ status so as to proceed to the next step in proceedings . . .”

Iphone Being Closed Makes It Less Secure

Tue, 13 Jan 2009 13:22:00 -0800

I was thinking recently about developers wanting to be able to exploit future bugs in systems like the iPhone (and even in windows media player and the like) to gain access to locked content, features or. I was thinking about how this means they are not reporting security bugs but keep them secret. Which seems to be an overall negative _for the platform_ since they have created a market through their own actions that thrives on finding and keeping bugs secret. Not all those who use such vulnerabilities are good guys trying to get their fair use rights back for sure and that is where the danger lies.

Of course it is also annoying when you have to choose whether or not to apply a security patch that will likely close your fair use access to a system or device. I typically err on the side of upgrading to close the holes (begrudgingly) lest I get compromised by someone else. Fortunately my media player can play DRMed WMA files now so I don’t have to convert them. But I did avoid upgrading cell phones in the past so that they would not be able to block my ability to access the bluetooth features that I rightly purchased.

Another thing that worries me (especially due to the remote exploit risk) are the bluetooth dongle vendors who OEM the driver software from someone but that agreement does not allow you to keep current on versions. I stopped using one that I know has vulnerable drivers and switched to another one that now has different stale drivers. It will cost 19 pounds to “upgrade” (meaning, buy a current license with upgrade rights). Good that I got the dongle cheap so I can afford the software. I think this is irresponsible of both vendors.

Timely: Emergency Radio test in West Seattle

Tue, 13 Jan 2009 13:11:00 -0800

I made the west seattle blog! West Seattle Blog… » Non-snow news: Neighborhood radio test - talk about timely!

That’s myself and some other neighbors from the nearby west seattle neighborhood associations and blockwatch groups. We braved the chilly pre-storm air to map out signal strength tests and come up with recommendations for purchasing equipment and covering the “dead zones” that were encountered to ensure seamless communications during an emergency so we can relay infromation between affected neighborhoods.

The west seattle HAM groups are also likely to be reborn to act as a backbone in case of emergency.

And not too soon it seems as right afterward we were hit by the snow and wind and icestorms. I had my radio tuned to channel 4-11 during the first early snowstorm in case of power outages.

Will have my radio tuned again during the next windstorms. We only lost power for a half a second the last time. And we just had our trees trimmed near the power lines in the alley since there was some serious arcing and burning limbs so that should prevent some of the recent brownouts too.

I would like to have known that the stores were completely out of eggs before I risked life, limb, and vehicle to get some next time ;-) Will check the blog before venturing forth.

Oh, and the West Seattle Blog is one of the greatest resources we have for finding out conditions and emergency information. They have lots of contingencies there to continue relaying information (many people keep up with RSS feeds on their wireless devices these days, which is another communications channel to keep in mind). Even many city organizations are experimenting with Twitter as a means of communicating.

Cool! Marrying new and old technology for emergency preparedness…

Security issue dulls "Chrome"'s luster

Tue, 13 Jan 2009 13:09:00 -0800

Actually, lots of browsers get poor marks overall for how the password management systems function and protect you against malicious attacks.

I’m still floored that Firefox does not have the functionality of the Master Password Timeout extension as a base option. Otherwise, anyone who walks up to your browser can access any site you visit and log in (if you don’t use a master password and/or once you type in the master password once)! With this extension, you ensure that the exposure is limited to a set time period. It also helps protect against automated attacks since they can’t succeed unless you type your master password in again.

Chapin Information Services

Google Chrome Receives Lowest Password Security Score Safari Ties for Last Place

Movie Plot Comes True

Tue, 13 Jan 2009 13:02:00 -0800

Funny, especially in light of watching the season premiere of “24” where Jack shoots out a video camera, which draws the people out to check on it, leaving them vulnerable to attack. Add social engineering to that and you have a nice attack.

The danger of false alarms…

Date: Fri, 6 Jun 2008 00:57:29 +0100 From: David Hollman Subject: Sometimes the computer is right…

Here’s a case where social engineering defeated an apparently correctly working automated security system and allowed a burglary:

“An experienced jewelry thief may have hoodwinked the University of British Columbia’s campus security by telling them to ignore security alarms on the night of last month’s multi-million dollar heist at the Museum of Anthropology…

Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.

Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.”

Full article: https://www.cbc.ca/arts/story/2008/06/04/bc-ubc-security-ruse.html

Tracking (and evading) the trackers

Tue, 13 Jan 2009 12:58:00 -0800

A very interesting research paper to read up on. I’m most curious how they baited the RIAA/MPAA into thinking that printers had been downloading files over bittorrent.

Tracking the Trackers

As people increasingly rely on the Internet to deliver downloadable music, movies, and television, content producers are faced with the problem of increasing Internet piracy. To protect their content, copyright holders police the Internet, searching for unauthorized distribution of their work on websites like YouTube or peer-to-peer networks such as BitTorrent. When infringement is (allegedly) discovered, formal complaints are issued to network operators that may result in websites being taken down or home Internet connections being disabled.

Although the implications of being accused of copyright infringement are significant, very little is known about the methods used by enforcement agencies to detect it, particularly in P2P networks. We have conducted the first scientific, experimental study of monitoring and copyright enforcement on P2P networks and have made several discoveries which we find surprising.

Ripped From Informercials Spam

Fri, 09 Jan 2009 15:07:00 -0800

So, I’m listening to this story on NPR yesterday and the CEO of the company that brings you the Sham-Wow, Pedi-Paws, Ped Egg, and other cruft for $19.95 was on. I rarely watch commercials anymore because I don’t watch live TV and skip through them. So why is it that I know of so many TeleBrands products? – Spam.

That’s right. I have noticed a huge volume of spam for the stupid fscking Pedi-Paws (which sounds like it sucks, BTW). Now I find out that it’s an infomercial-peddled product. And, I recently started getting Sham-Wow spam. (aside: I hate that commercial. Makes me think I’m at the Puyallup Fair or something. Also, do they always have to be a horrid Orange color? Yeah, I’m going to use an ORANGE bath mat.)

It makes me wonder whether the company behind the TV advertising of the products is in some way behind the spam campaigns for its products as well? Each of the emails I’ve received have different links at different sites embedded for “unsubscribing”. Most are .info domains. But the links that do work redirect you to order sites under www.officialtvwebsite822.com Could simply be a way of phishing since to order you have to give your credit card number, name and address.

Infomercials Thrive Amid Downturn : NPR

A downturn in the economy has provided a boom for infomercials. A.J. Khubani, president and CEO of the direct response company TeleBrands, says his company has seen that business booms in bad economic times. He attributes the success to lower TV ad rates.

And just for fun, some reviews of some of the peddled products:

Top 5 Worst Telebrands Products « Just Pazz…

Md5 Demonstrated Very Broken But Worse Some Cas Were Still Using It

Tue, 30 Dec 2008 16:15:00 -0800

Now, a proof-of-concept showing that the long-known MD5 vulnerabilities can be actually used to fake a CA certificate. This could be really bad if done by a bad guy. And it has long been known that to hedge your bets, your certs should use either both MD5 and SHA-1 or just SHA and drop MD5 altogether. But apparently some ridiculous CAs didn’t get that message and should not be in the business they are in IMO because of such a collossal error. Equifax Secure Global eBusiness CA-1 is one of the certificates shown to use md5rsa. From the slashdot discussion, here is a reposting of other CAs still using MD5:

RapidSSL FreeSSL TrustCenter RSA Data Security (!) Thawte (!) verisign.co.jp

I expect this kind of thing from Equifax because they seem to do everything but the right thing in any interaction I’ve had with them online (e.g. why would they decide it a good idea to direct people to https://consumerinfo.com as an Equifax property? That seems like the phishiest thing I’ve come across. Seriously?) But RSA? Thawte?

I’ll repeat again my analogy I have used in the past for those who don’t get the implications:

“If you used a daycare for your child that you found to have strewn about broken glass, hypodermic needles, frayed electrical cords, etc. would you not switch to a new daycare?”

“Okay, now assume for example, that the bad daycare in the above example cleaned all of that up and pleaded that they would never be so careless again. Would you bring your child back to that daycare? If so, why? If they were so careless in the past, and there are so many other better daycare facilities, why should you risk your child’s security on someone so careless and clueless?”

Now, there is a caveat that is possible and I call it the Jack-in-the-box caveat. In the aftermath of the E-coli illnesses attributed to Jack-in-the-Box restaurants many, many years ago, when they reopened I was not hesitant to have a burger there. Why? Because it was clear that they were under very tight scrutiny from the government and health agencies due to what they went through. But, other restaurants were potential ticking timebombs. It’s the devil you know vs. the devil you don’t.

Emergent Chaos: Now will you believe MD5 is broken?

Bpa Safety In Plastics For Your Baby

Tue, 30 Dec 2008 12:26:00 -0800

I’ve heard lots of information about BPA in plastics (aka Bisphenol-A), and a little misinformation. So I figured that it was time to crosscheck these concerns against the other chain-email-brand hysteria about plastics that I have debunked before.

Turns out that there is some right to be concerned about BPA in plastics. BPA was used as a synthetic hormone replacement and is combined with other ingredients to create many of the clear plastics used today. However, not all of the BPA is locked into chemical bonds and so some of it can leech out, especially when heated.

The question then becomes, what level of human safety is there for BPA and what should you do about it? Well, there is a recent rebuke of the FDA methodology that seems to be the most arresting information to date.

Panel Rebukes F.D.A. on Plastic Safety - Well Blog - NYTimes.com With a link to the PDF written by the panel of scientists. They found several problems with the FDA methodology.

Bottom line: Infants should not directly use BPA plastics but whether there are effects in larger, more developed adults, is unknown.

Myth #1: Avoid all plastics that have #7 on the bottom. As this note on the Nalgene website points out, the reality is a bit more complex than that:

What does the #7 represent?

The #7 recycling label is a catchall indicator for plastics made with a resin other than those in the #1 to #6 designations, or made of more than one resin. The #7 category not only includes polycarbonate, but also includes compostable plastics made of organic material and other types of plastic that do not necessarily contain BPA (Bisphenol-A). For example, our new Everyday™ line manufactured with Eastman’s Tritan™ copolyester is a #7, but does not include BPA.

So, you should be cautious of older plastics with #7, but most likely, new plastics will be specifically marketed as “BPA free” so that you will know if that bottle is okay.

Recent information from a trusted scientific publication, Scientific American: Just How Harmful Are Bisphenol-A Plastics?: Scientific American

Information from a blog that has a great name:

Bisphenol A- Not OK? « SCIENCE-BASED PARENTING

Some older information from earlier in the year, but lots of timelines from around April 2008 when things started happening, including Nalgene reluctantly pulling their BPA products. Canada was on the verge of declaring BPA a toxin.

Bisphenol A (BPA) information

But beware of the plastics council and other misinformation out there, as this blog posting points out:

Dept. of Propaganda: BPA Facts.org | SierraDescents Blog

Trouble selling your home? St. Joseph to the rescue!

Mon, 22 Dec 2008 14:42:00 -0800

But you have to be a believer or it won’t work. Well, even then it won’t work.

I wonder what kind of anti-scientific process that lead someone to postulate that it isn’t enough to just _pray_ to St. Joseph – no – you have to a) make a mini-me version of him b) bury him in your yard c) Oh, don’t forget the most important part – bury him _upside down_.

Funny how products you buy on TV from hacks have a supposed “Guaranteed to work or your money back” promise, yet religious cruft from the local “Christan Supply” store doesn’t… Think about it…

Some homeowners resort to outside help to sell their property: Consumer Reports Home & Garden Blog

Quackery In Seattle

Tue, 25 Nov 2008 14:48:00 -0800

I often listen to AM 1090 Seattle (upstart progressive talk radio station and Air America / Nova M radio affiliate). What irks me are the many fringe/quack commercials and infomercials that air on the station. I don’t see many of the vendors listed on their sponsor pages so I’m not sure if they are just forwarding commercials from the networks, but I wish they would take a little more editorial control.

What doesn’t help is that one of their prominent talk show hosts (that I actually like for his political acumen and rational take on issues) Thom Hartman tends to shill for many questionable products. He seems fairly gullible outside of the political sphere. And this seems to only be reinforced now that I found that he owns his own company producing ADHD herbal treatments: Enzymatic Therapy, Inc. - North America’s leading manufacturer and distributor of dietary supplements and natural medicines. Seriously – if there was something to what he discovered, it should result in a pharmaceutical product regulated by the FDA and controlled in dosage with well-done and documented trials to prove efficacy. Products that go the “natural” route don’t have that kind of rigor and actual evidence backing them.

Some of the products featured that are total quackery (not science-based medicine):

Evercleanse which claims to rid you of “the five to twenty five pounds of waste that some experts say is trapped on the colon walls like spackle or paste” This is a typical quack claim. Anyone who has gotten a colonoscopy can tell you that you actually don’t have “pounds” of stuff on your colon walls. Your body expels solid waste fairly well, unless you have an obstructed bowel. Then you would need serious medical attention, not some supplement that is not even regulated by the FDA. See How Clean Should Your Colon Be? (The American Council on Science and Health)

Super Beta Prostate, formulated by Roger Mason, who has the book quackishly-titled, “The Natural Prostate Cure” and even one entitled “The Natural Diabetes Cure”. Do you think if someone had a “cure” for these diseases, especially one that was over-the-counter, that this would be HUGE news that the scientific and lay press would take a big interest in. Not to mention the pharmaceutical companies that would love to synthesize a cancer treatment.

I found this review from amazon.ca funny and to-the-point:

Roger Mason’s little pamphlet has some serious flaws in it. He proclaims that the way to beat prostate cancer is to eliminate meat and dairy in favor of whole grains and vegetables. His authority for this is that a grain based diet is what mankind has been consuming throughout recorded history. This is falacious reasoning at best. Archaeologists can tell him that they can determine the eating habits from ancient skeletal remains by examination of the teeth. Healthy, undecayed teeth are indicative of someone whose diet was primarily meat; while teeth that demonstrate considerable deterioration proves that their diet was primarily grains. Why is it that grains do that and meat doesn’t?! In addition, they might also reveal that the natural mode of human biology is for a mother to nurse for up to three years and remain infertile throughout that time; while a grain based diet interferes with the natural biological cycle and returns a woman to fertility in as little as three months despite nursing an extant child. Mason should also explain why humans have incisors…

The Atkins diet plan is juxtaposed to Mason’s views. It emphasizes the more natural diet of meat and de-emphasizes grains and starches as the heaviest carbohydrates. The results are startling - reduced weight and cholesterol despite eating MORE red meat! Carbs get stored in fat cells when there is an overabunbance. That leads to disease. The human body can’t store extra protein. It’s the extra carbs that cause an oversupply of estrogen in men, not the consumption of protein as Mason contends.

Mason just doesn’t know what he’s talking about. Try reading instead Drs. Eades & Eades’ Protein Power, in which real medical doctors give real medical evidence about estrogen, insulin and how the body manages protein, carbohydrates and fats.

Regardless, the main ingredients in SBP are Beta-sitosterols and the website claims that one capsule is equivalent to 100 typical Saw Palmetto capsules for the amount of Beta-sitosterols. So, one could look at the efficacy (or lack thereof) of Saw Palmetto then to help determine whether SBP could conceivably have any benefit. As recently as 2006 there was a large study that seemed to show (as is typical when the effect is not real) the larger, well-done study tends not to show an effect. Meaning, that it is unlikely that saw palmetto and its ingredients would be a good anti-cancer therapy. Study Casts Doubt on Saw Palmetto as Prostate Remedy : NPR

A new study in The New England Journal of Medicine indicates “saw palmetto” does not work to shrink enlarged prostates. At least 2 million men take the supplements, often on the advice of doctors. Smaller studies have shown that saw palmetto does work, but this is the largest study to date.

There's a sucker born every 12,500,000 emails

Sun, 23 Nov 2008 08:13:00 -0800

I can believe this given how gullible relatives forward out obviously-false chain emails all the time. There’s a fine line between that behaviour and responding to these.

Spam gets 1 response per 12,500,000 emails | News | TechRadar UK

A new study details how spammers – the bane of our email inboxes – still make pots of money, despite only receiving a response to one in every 12,500,000 emails they spam out.

The study, by a team of seven computer scientists from University of California, Berkeley and UC, San Diego (UCSD) infiltrated the Storm network, which uses hijacked home PCs to relay much of the junk email you spend your days wading through while wondering ‘who the hell responds to this stuff?’

Well. Now you know. One gullible idiot in 12,500,000 recipients. Or thereabouts.

Vote demographics 2008

Sun, 23 Nov 2008 07:46:00 -0800

I’m sure this will come in handy in future debates. Not to mention it is very interesting to see where the votes fell.

Daily Kos: The Poll That Counts: Obama 52 McCain 46

Deregulation Behind The Massive Financial Crisis

Sun, 23 Nov 2008 07:43:00 -0800

No, it wasn’t Fannie and Freddie. Alan Greenspan (who owns a lot of blame for the mess), the SEC chairman and John Snow agree it wasn’t them. Fannie and Freddie weren’t even securitizing those mortgages in large numbers until 2005.

Wonk Room » The Perino Challenge: ‘What Specific Regulation Did We Eliminate?’ Lists several key ones.

Think Progress » Cox, Greenspan, Snow Agree: Freddie Mac And Fannie Mae Did Not Cause The Financial Crisis

Gop Rebirth Focus On New Fundamentals Instead Of Fundamentalist Views-

Sun, 23 Nov 2008 07:42:00 -0800

We can only hope. You can’t keep campaigning on social issues but falling down when in office on the other issues that should be more important (the economy, the war, veterans benefits, etc.)

Think Progress » Ensign: GOP shouldn’t focus on abortion or gay rights.

Although Ensign was not ready to call for a break from socially conservative ideologies, he said issues such as abortion or gay rights should not be at the core of the party.

“I think we lost our way on our fundamentals” in recent years, Ensign said, adding that “those are the issue that we can disagree on as a party.”

Cool Site With Newspaper Headlines Of Obama Win From Around The World

Sun, 23 Nov 2008 07:24:00 -0800

VERY cool. Especially for those who couldn’t get their hands on a paper copy the day-after.

Newspaper headlines of Obama election win, Nov. 5 2008 - Boing Boing

Healthy Skepticism Of Court Quot Tools Quot Of The Trade

Sun, 23 Nov 2008 07:14:00 -0800

A skeptic should be aware of the fallibility of eyewitness identification. This excellent 5-part series discusses 19 case studies and the specific techniques you may be familiar with from CSI and Law & Order that result in erroneous convictions if there isn’t adequate corroborating evidence. Hopefully some municipalities will read this and change procedures as a result to prevent more wrongful convictions. It would be nice if the writers of the popular shows would feature these issues prominently…

“Eyewitness testimony is the crack cocaine of the criminal justice system.”

Misidentifications have been cited as a key factor in an estimated 75 percent of the 220 wrongful convictions exposed by DNA testing nationwide since 1989

Ouch.

Eyewitness ID: A Primary Cause of Wrongful Convictions - TalkLeft: The Politics Of Crime

police and prosecutors view them as a useful “tool” of law enforcement precisely because they lead to convictions, even if the convictions are sometimes erroneous. Police and prosecutors too often value convictions more than they value the truth.

Most wrongful convictions that are based on eyewitness identifications will never be corrected, because no DNA is available to provide the certain proof that courts seem to want before admitting that a mistake was made.

Speaking of DNA evidence, there’s a very technical book examining the state-of-the-art of DNA profiling. I watch a lot of CSI so just might have to pick up a copy of this.

https://books.google.com/books?id=SnHYMZXAkQEC

Esp. pp 14-15

Underwriter's knot -- safe wiring

Sat, 15 Nov 2008 09:03:00 -0800

I just repaired my 1940s-era radio that I thought had blown a tube. Turns out that the stupid plug (does not appear to be original) was not wired safely so the soldered wire got pulled out due to strain on the cord over time. Sure enough, when I opened it up, there was no Underwriter’s knot aka UL knot to be found. I made sure to tie one before re-soldering the wire so that it wouldn’t happen again.

This site has great graphics for tying your own if you happen to be wiring a light fixture or fixing the plug on a cord. Not only will it save your cord, it could save your life.

Electricity Lab Graphics

Boy Sent Home From School For Dressing As Jesus For Halloween

Sat, 08 Nov 2008 03:25:00 -0800

This is truly ridiculous. The constitutional prohibitions against schools endorsing religion do not extend to what the students choose to do. This is the wrong move from a first amendment standpoint. So before the religulous get in a huff about how the government is trying to get religion out of our schools, etc., I agree with you that they should not have done this. But, this was not an issue of state-sponsored-religion.

I still want to dress as Jesus on the bus to work one of these years…

wcbstv.com - Boy Sent Home From School For Dressing As Jesus

Funniest Nonprofit

Thu, 06 Nov 2008 02:12:00 -0800

They do sound like they are doing good work. But sounded like a joke at first mention. Don’t miss the 2008 World Toilet Summit.

World Toilet Organization|WTO|Global Voice for Toilets & Sanitation

World Toilet Organization (WTO) is a global non- profit organization committed to improving toilet and sanitation conditions worldwide.

And the funniest icon:

Vatican doesn't invite anti Evolution pseudoscientists

Sun, 02 Nov 2008 03:59:00 -0800

Heh. Gotta hand it to the Catholics for their ability to not deny fundamental scientific advances to save face with their religious dogma. The Vatican astronomer was great in Bill Maher’s Religulous too.

Little Green Footballs - Pope Benedict Meets Stephen Hawking, Sans Creationists

Pope Benedict met Stephen Hawking at a Vatican-sponsored conference on evolution yesterday, and the pseudo-scientific shills of the Discovery Institute were not invited.

Be Careful Hanging Decorations In Space

Sun, 26 Oct 2008 14:19:00 -0700

This is amazing. X-rays from ordinary adhesive tape. The cool thing is they expect to be able to come up with a way to make an inexpensive, low-power x-ray machine for use in poor areas or areas without reliable power. This would be an interesting project for Seattle University’s Engineers Without Borders program

X-rays emitted from ordinary Scotch tape - Innovation- msnbc.com

It turns out that if you peel the popular adhesive tape off its roll in a vacuum chamber, it emits X-rays. The researchers even made an X-ray image of one of their fingers.

Who knew? Actually, more than 50 years ago, some Russian scientists reported evidence of X-rays from peeling sticky tape off glass. But the new work demonstrates that you can get a lot of X-rays, a study co-author says.

Experience Education And Judgment

Sat, 25 Oct 2008 17:05:00 -0700

This is a very stark comparison. I am sickened by the Dumbfuckistan residents of this country who wear lack of education and lack of reliance on sound data for decisions as a badge of honor.

We need smart people, who know smart people for their cabinet, who will have the smarts and creativity to get us out of these messes we are in. For all the talk of “experience” as the #1 factor for a president or VP, what about _not being a dumbass like Sarah Palin_? Doesn’t that count for something? And further, wouldn’t you say that pretty much any Harvard law grad would be a reasonable choice for President – especially one toward the top of his class??

Pharyngula: Elitism is not a four-letter word

Educational Background:

Barack Obama:

Columbia University - B.A. Political Science with a Specialization in International Relations.

Harvard - Juris Doctor (J.D.) Magna Cum Laude

Joseph Biden:

University of Delaware - B.A. in History and B.A. in Political Science.

Syracuse University College of Law - Juris Doctor (J.D.)

vs.

John McCain:

United States Naval Academy - Class rank: 894 of 899

Sarah Palin:

Hawaii Pacific University - 1 semester

North Idaho College - 2 semesters - general study

University of Idaho - 2 semesters - journalism

Matanuska-Susitna College - 1 semester

University of Idaho - 3 semesters - B.A. in Journalism

My Newfound Links To Fame

Sat, 25 Oct 2008 16:41:00 -0700

So, I was on myspace inviting other members of my mentoring group to our myspace group when I noticed a posting by Death Cab For Cutie,

Death Cab for Cutie posted new blog entries: Chris Walla featured in Myspace.com’s “Front To Back” and Chris Walla campaigning for Obama

I thought, “Wait a minute. There can’t be more than one Chris Walla.” Well, there may be, but I know this one. I googled him to find a photo and more information – sure enough, he’s a friend of mine from Bothell High School that I used to play guitar with in a couple bands. And now, he is the producer and guitarist for Death Cab For Cutie. How did I not know this? His Wikipedia entry also mentions his stint with a band, The Wallflowers (no, not the famous one of the same name). I was in that band myself for a short time. It was in the days before I had truly discovered Indie rock though so was not a good fit at the time. He has also done lots of work with another favorite band of mine, The Decemberists, from Portland, OR. Insane!

I also found out that he’s still in touch with another High School friend, Nathan Goode, who was one of the best drummers I had ever seen. Chris, Nate, my friend Mike, Jerod and I used to all play together at Nate’s house or in my backyard shed – it was a lot of fun.

Crazy! Well, maybe there is still hope of quitting my job and being a rockstar after all…

Social Security privatization would have been disastrous.

Sun, 19 Oct 2008 08:45:00 -0700

And when most 401ks have dropped 20-30% of late. Yet at the same time Social Security just announce the largest cost-of-living benefit increase ever, of 5.8%. Don’t buy the hype about Social Security being in trouble!

Open Thread | Crooks and Liars

TSA stupidity: Peanut Butter is now a liquid/Gel

Sun, 19 Oct 2008 04:05:00 -0700

My sister (who is pregnant) just found out what is seemingly nonintuitive to anyone – Peanut Butter is a controlled substance (by the TSA). You can bring it on board, but it can only be in a 3 oz container or smaller. What??? This kind of insanity has to stop.

TSA: What To Know Before You Go

Canned or jarred goods such as soup, sauces, peanut butter, fruits, vegetables and jellies Yes - 3 oz. or smaller container

Bruce Schneier wrote recently about how this kind of thing (no consequences for trying and failing to bring such contraband on board) is actually harmful to the stated goals of airport security.

Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful

Bank Implode O Meter Death Watch For Financial Institutions

Sat, 18 Oct 2008 11:38:00 -0700

If I only had known about this site in the days before the FDIC/OTS seizure… Great stuff.

The Bank Implode-O-Meter - Your play-by-play for the end game of modern banking.

Make A Difference Become A Mentor-

Fri, 17 Oct 2008 15:43:00 -0700

ntor-

I am now a third-year mentor with Community For Youth (CFY), a wonderful non-profit organization that works with youth in the three lowest-performing Seattle public high schools: Chief Sealth, Rainier Beach, and Cleveland. The program “transforms high school students who are struggling - with school, with family, with their direction in life - into young adults who have confidence, determination and self-awareness.”

It has been one of the most rewarding things that I have ever done. I love the energy of the kids; the creativity; the possibilities.

The most important quality of a mentor is that you be dedicated – to the youth, to the program, to the community. As we say, “Put on the program!” If you have that, the skills and the rest will fall into place as you go along. Many of these kids have been abandoned by everyone else. Sometimes all it takes is for that life-line to just be there.

I also think about my life in high school and how great it would have been to have someone there just for me – someone who may be in a position in life that I would like to be in one day (or maybe one beyond my capability to imagine at the time). Serendipitously, I made it on my own, but many of these kids just need to get a little boost in the right direction (or help figuring out what that direction is).

“Nothing you do for children is ever wasted. They seem not to notice us, hovering, averting our eyes, and they seldom offer thanks, but what we do for them is never wasted” – Garrison Keillor

Why CFY as an organization is more deserving of your time than other volunteer organizations:
There is a structure and a program to guide you through the year. Other programs may just throw you together with a kid and you’re left to your own devices.
You get mentor training. You are certainly not expected to know how to interact with youth or how to help them with their goals. You get on the job training!
You have and entire community of staff, volunteers, other volunteer mentors and of course the kids themselves to help you. That’s what the Community in Community For Youth is all about. Nobody should have to go it alone.
A little bit about what it means to be a mentor:
Being a “Relentless Commitment” to a youth. Others may leave them, but you will stick by them.
Providing encouragement, coaching and supporting them; being an advocate for them to get what they want out of life
Being their friend; having fun!
Help guide them away from trouble or get them help if they are ever in danger or at risk
Being a mentor, changes your life. I didn’t know what that could possibly mean at the time, but I was intrigued to find out. And it is absolutely true. You may actually gain so much more than the students.
Mentors truly look forward to their nights with their students, the community, their family groups. Three hours a week is all it takes to make a difference. But once you’re involved, you find yourself wanting to give even more.
The other mentors are such great, quality people. And you get to meet them, support each other, and have fun too.
You get the opportunity to do something new that will take you out of your comfort zone and help you grow as a person
Oh, and did I mention – you get to go to camp!

Contact me with any questions! But go to their website and sign up for an orientation! Only two left for 2008/2009:

October 29, 2008 @ 5:30pm

November 3, 2008 @ 5:30pm

The Obamica

Tue, 14 Oct 2008 15:14:00 -0700

We saw two guys at Home Depot wearing similar Yarmulkes emblazoned with Obama’s logo. They call these the Obamica (I thought it would be called the Obamlke though)

Obamica, the Barack Obama Kippah

Acdc Pulls The Plug On Their New Album Being Sold On Itunes

Mon, 13 Oct 2008 10:58:00 -0700

Well, after talking with many kids who rarely buy albums, I can see their point. But eventually they will come to an end. AC/DC is delaying the inevitable.

AC/DC refuses to sell album through iTunes | NEWS.com.au

FOR those about to rock, AC/DC salutes you — unless, that is, you want to buy the heavy metal group’s newest album Black Ice on iTunes.

“Maybe I’m just being old-fashioned, but this iTunes, God bless ’em, it’s going to kill music if they’re not careful,” said lead singer Brian Johnson, 61.

AC/DC, formed by brothers Angus and Malcolm Young in 1973, is among only a handful of bands to refuse to put their music on the popular download service.

Johnson said the decision was a bid to protect the album format from the internet’s emphasis on buying and selling single tracks.

Cq Exposes Ayers Allegations Quot Pants On Fire Quot Wrong

Mon, 13 Oct 2008 07:11:00 -0700

CQ Politics | Fact-Checking the Ayers Allegations: So Wrong, It’s “Pants on Fire” Wrong

Why does disagreement have to lead to hatred and divisiveness?

Mon, 13 Oct 2008 06:28:00 -0700

It is very disturbing to me – and embarrassing to be an American – to see all of the hatred being sown and reaped by the supporters of McCain and Palin. This whole “you’re with me or against me” line of reasoning is leading to excessively hateful division and smears.

I can’t understand why people cannot be content to just say “you know, that guy has weighed the facts and has come to different conclusions on the issues than I have.” and have it be alright to disagree on values or policy issues. But instead, there is this fervor to take it to an insane level and actually demonize those who disagree with you as if they were the worst person in the world. Seriously? People should check their hatred and save it for people who truly deserve it, not those who just happen to hold different positions than you do.

The Palin-McCain Mob | Crooks and Liars Watch these videos to see the kinds of unabashed hatred that is being stirred up at these rallies.

Here is a list of some of the best quotes – from conservatives – about the lines of discourse and how harmful they. My friend Pete had a great list as well that some of these are from.

McCain’s Supposed Adviser John Lewis Calls Him Out | Crooks and Liars

“As one who was a victim of violence and hate during the height of the Civil Rights Movement, I am deeply disturbed by the negative tone of the McCain-Palin campaign. Sen. McCain and Gov. Palin are sowing the seeds of hatred and division, and there is no need for this hostility in our political discourse.

During another period, in the not too distant past, there was a governor of the state of Alabama named George Wallace who also became a presidential candidate. George Wallace never threw a bomb. He never fired a gun, but he created the climate and the conditions that encouraged vicious attacks against innocent Americans who were simply trying to exercise their constitutional rights. Because of this atmosphere of hate, four little girls were killed on Sunday morning when a church was bombed in Birmingham, Alabama.

As public figures with the power to influence and persuade, Sen. McCain and Gov. Palin are playing with fire, and if they are not careful, that fire will consume us all. They are playing a very dangerous game that disregards the value of the political process and cheapens our entire democracy. We can do better. The American people deserve better.” – John Lewis

“We conservatives are sending a powerful, inadvertent message with this negative campaign against Barack Obama’s associations and former associations: that we lack a positive agenda of our own and that we don’t care about the economic issues that are worrying American voters.” – David Frum, National Review

“Under the pressure of the financial crisis, one presidential candidate is behaving like a flustered rookie playing in a league too high. It is not Barack Obama…. Conservatives who insist that electing McCain is crucial usually start, and increasingly end, by saying he would make excellent judicial selections. But the more one sees of his impulsive, intensely personal reactions to people and events, the less confidence one has that he would select judges by calm reflection and clear principles, having neither patience nor aptitude for either.” – George Will

“This is my concern: I think this hate and fear that comes out of the crowd isn’t necessarily something that the McCain people have consciously tried to put out there, but that’s all that McCain has left. You know, that the wing nuts are the only people left to come to these rallies. In fact some colleagues of mine went out into the crowd today and I can tell you after covering McCain for a year and a half, usually there are *some* crazy people – there are always crazy people at rallies. That’s what they do, right? They go to rallies. But you’d only find a few of them. And today every single person that I talked to, and the majority of people that my friends and colleagues in the press talked to, were of the belief that, you know, Barack Obama is a muslim, Barack Obama is not American.” — Ana Maria Cox, Time Magazine

… the negative tone of these rallies is “incendiary” and could lead to violence.

“There is this free floating sort of whipping around anger that could really lead to some violence. I think we’re not far from that,” he said. “I think it’s really imperative that the candidates try to calm people down.” – David Gergen, advisor to Nixon and Reagan

“He is not the McCain I endorsed,” said Milliken, reached at his Traverse City home Thursday. “He keeps saying, ‘Who is Barack Obama?’ I would ask the question, ‘Who is John McCain?’ because his campaign has become rather disappointing to me.

“I’m disappointed in the tenor and the personal attacks on the part of the McCain campaign, when he ought to be talking about the issues.” – former Republican Gov. William Milliken

McCain’s attacks fuel dangerous hatred – baltimoresun.com

John McCain, you’re walking a perilous line. If you do not stand up for all that is good in America and declare that Senator Obama is a patriot, fit for office, and denounce your hate-filled supporters when they scream out “Terrorist” or “Kill him,” history will hold you responsible for all that follows.

John McCain and Sarah Palin, you are playing with fire, and you know it. You are unleashing the monster of American hatred and prejudice, to the peril of all of us. You are doing this in wartime. You are doing this as our economy collapses. You are doing this in a country with a history of assassinations. – Frank Schaeffer (lifelong Republican)

David Brooks: Sarah Palin “Represents A Fatal Cancer To The Republican Party”

And the other thing that does separate Obama from just a pure intellectual: he has tremendous powers of social perception. And this is why he’s a politician, not an academic. A couple of years ago, I was writing columns attacking the Republican congress for spending too much money. And I throw in a few sentences attacking the Democrats to make myself feel better. And one morning I get an email from Obama saying, ‘David, if you wanna attack us, fine, but you’re only throwing in those sentences to make yourself feel better.’ And it was a perfect description of what was going through my mind. And everybody who knows Obama all have these stories to tell about his capacity for social perception. – David Brooks

How John McCain lost me - Politico.com Print View

McCain’s recent conduct of his campaign – his willingness to lie repeatedly (including in his acceptance speech) and to play Russian roulette with the vice-presidency, in order to fulfill his long-held ambition – has reinforced my earlier, and growing, sense that John McCain is not a principled man. In fact, it’s not clear who he is. – Elizabeth Drew

Panic attacks: Voters unload at GOP rallies - Jonathan Martin - Politico.com

“People need to understand, for moral reasons and the protection of our civil society, the differences with Sen. Obama are ideological, based on clear differences on policy and a lack of experience compared to Sen. McCain,” Weaver said. “And from a purely practical political vantage point, please find me a swing voter, an undecided independent, or a torn female voter that finds an angry mob mentality attractive.”

“Sen. Obama is a classic liberal with an outdated economic agenda. We should take that agenda on in a robust manner. As a party we should not and must not stand by as the small amount of haters in our society question whether he is as American as the rest of us. Shame on them and shame on us if we allow this to take hold.” – John Weaver, McCain’s former top strategist

WBBM 780 - Chicago’s #1 source for local news, traffic and weather - LaHood: Palin Should Stop It

“Look it. This doesn’t befit the office that she’s running for. And frankly, people don’t like it.”

Congressman LaHood says it could backfire on the Republican ticket.

He says the names that Obama is being called, “Certainly don’t reflect the character of the man.” – Ray LaHood, congressman R-IL

The Raw Story | GOP insiders predicting Obama victory

“They have send this young, naive – very confident, perhaps in Alaska – young woman out with the most incendiary talking points, the most dangerous racist talking points and I think they should be ashamed of themselves,” – Michelle Laxalt, Republican consultant

Permitting Same Sex Marriage Is More Moral Than Prohibiting It

Mon, 13 Oct 2008 05:38:00 -0700

ng-it

I think it is immoral to deny people who love each other the rights and privileges that come with marriage (as a civil, contractual union – a license granted by the State, not in a religious context). Changing a state or federal constitution to ban same-sex marriage is, in fact, writing bigotry and hatred into those documents. Substitute “black” or “african american” or “mixed-race marriage” into any rationale for banning same-sex marriage and you will see how bigoted such claims really are.

There is no reason to prohibit this activity other than hatred and bigotry. I still have yet to hear evidence of how they will be or have been harmed by other people engaging in relationships that have nothing to do with you. Scriptural rationales are ridiculous on their face because that just shows that the intent is to entice the government to endorse one particular religious viewpoint over others (in violation of the US Constitution).

You would think that if the institution of marriage was so sacred, that the people fighting same-sex marriage would spend at least as much energy into banning divorce as a way to uphold the sanctity of marriage.

This essay puts a finer point on this than I could:

Atheist Ethicist: The Immorality of Homosexual Marriage

Yet, none of that is relevant to the point of this essay – that a society that permits homosexual marriage is more moral than a society that does not.

It is a mistake not to put it in these terms, and to allow those who like morality to religion or to scripture to make their assertions unchallenged. In this sense, silence implies consent. In this case, refusing to challenge claims that link morality to scripture means that most people only hear that they are linked. If that is all they hear, then that is what they will believe, which will perpetuate the myth, much to our disadvantage.

…

I would like to hear the fact that reported that those who wish to prohibit homosexual marriage and who defend it through scripture are no different in principle than those who wrote into the U.S. Constitution that black slavery was permissible and defended it with references to scripture.

Some reasoned answers to the common illogical rationales: Americans United: The Federal Marriage Amendment: Some Questions and Answers

And for those who seek to ban same-sex marriage, here is a list of several things that same-sex couples are not granted _by the State_ that heterosexual couples benefit from. Therefore, it is immoral to deny these rights, especially without justification.

HRC | Questions about Same-Sex Marriage

Hospital visitation. Married couples have the automatic right to visit each other in the hospital and make medical decisions. Same-sex couples can be denied the right to visit a sick or injured loved one in the hospital.

Social Security benefits. Married people receive Social Security payments upon the death of a spouse. Despite paying payroll taxes, gay and lesbian workers receive no Social Security survivor benefits – resulting in an average annual income loss of $5,528 upon the death of a partner.

Health insurance. Many public and private employers provide medical coverage to the spouses of their employees, but most employers do not provide coverage to the life partners of gay and lesbian employees. Gay employees who do receive health coverage for their partners must pay federal income taxes on the value of the insurance.

Estate taxes. A married person automatically inherits all the property of his or her deceased spouse without paying estate taxes. A gay or lesbian taxpayer is forced to pay estate taxes on property inherited from a deceased partner.

Retirement savings. While a married person can roll a deceased spouse’s 401(k) funds into an IRA without paying taxes, a gay or lesbian American who inherits a 401(k) can end up paying up to 70 percent of it in taxes and penalties.

Family leave. Married workers are legally entitled to unpaid leave from their jobs to care for an ill spouse. Gay and lesbian workers are not entitled to family leave to care for their partners.

Immigration rights. Bi-national families are commonly broken up or forced to leave the country to stay together. The reason: U.S. immigration law does not permit American citizens to petition for their same-sex partners to immigrate.

Nursing homes. Married couples have a legal right to live together in nursing homes. Because they are not legal spouses, elderly gay or lesbian couples do not have the right to spend their last days living together in nursing homes.

Home protection. Laws protect married seniors from being forced to sell their homes to pay high nursing home bills; gay and lesbian seniors have no such protection.

Pensions. After the death of a worker, most pension plans pay survivor benefits only to a legal spouse of the participant. Gay and lesbian partners are excluded from such pension benefits.

This site also has a very succinct treatment of why civil unions are not equivalent to marriage.

What I think should happen is that marriage licenses should all be renamed as civil union licenses. So that the word “marriage” is taken out of the debate. Marriage can continue to be a religious ceremony and commitment. Then, there would be no difference between same-sex unions from heterosexual unions. And it would be made apparent that any attempt to make these dissimilar benefits would be without merit.

Open Letter The Guilt By Association Game Okay Mccain Let'S Play

Mon, 13 Oct 2008 03:49:00 -0700

This is an edited response to the desperate hate-mongering and lies and guilt-by-association game that McCain/Palin are trying to gin-up. I wanted to have a nice list of McCain/Palin’s associations. Of course, Guilt by association isn’t. So I am not arguing that their associations make them guilty – just that there are lots of associations to go around if you want to play that game. But if you’re going to play, you’ve got to show your cards as well.

Guilt by association isn’t (guilt). I want you to consider – just consider – that Obama is not really the anti-christ. If you are interested in how this can be so – how he can actually be a good guy, I can help you understand why I think he’s a great man. But if you want to cling to your belief that he is some corrupt horrible individual, then I can’t help you. Again, you can rightly disagree with him on value and policy issues, but it’s another thing altogether to demonize him as a man – and unfairly.

And to consider that while you are busy criticizing Obama, you are not applying the same scrutiny to your own guy’s character. Seriously, have you looked at your guy McCain and Palin?

Have you not noticed the hate-filled campaign of McCain? How does that show “character”? “This past week, by ginning up an anger and resentment on the campaign trail that should leave all with a cold chill running through their bodies, McCain has shown neither presidential temperament nor character. "
How does this show character? “McCain-Palin supporters screaming inflammatory words at the very mention of Obama’s name. Words like “terrorist” and “Kill him!” and “treason.” And at no point has McCain or Palin called on those folks and others who would imitate them to stop.”
How about Palin being shown guilty of abusing her power in Alaska and violating the Open Records Act: [https://lnmc.crooksandliars.com/jamie/sarah-palins-email-crime-used-expose-crime https://www.news.com.au/heraldsun/story/0,21985,24479770-661,00.html

](https://lnmc.crooksandliars.com/jamie/sarah-palins-email-crime-used-expose-crime)
How about McCain’s ties to G. Gordon Liddy, the convicted Watergate burglar? Se https://voices.washingtonpost.com/postpartisan/2008/10/mccains_chilling_dance_with_th.html and also https://mediamatters.org/items/200810040004
How about McCain’s role in the Keating Savings & Loan disaster (he was one of the Keating 5). Watch the new video on this (fact-checked by CNN): https://www.keatingeconomics.com/ McCain associated _directly_ with Charles Keating (convicted) and of the other Keating 5, “had the closest personal friendship with Charles Keating”. John McCain was cleared of any criminal impropriety, but the Senate Ethics committee criticized him for poor judgment for when he met with regulators on behalf of Charles Keating. In 2002, John McCain said these two meetings were “the worst mistake of my life.”
How about McCain’s pastor Hagee: “Pastor hagee-on african americans-“Hagee, pastor of the 16,000-member Cornerstone Church, last week had announced a ’slave sale’ to raise funds for high school seniors in his church bulletin, ‘The Cluster.’ Hagee, pastor of the 16,000-member Cornerstone Church, last week had announced a ’slave sale’ to raise funds for high school seniors in his church bulletin, ‘The Cluster.’ “The item was introduced with the sentence ‘Slavery in America is returning to Cornerstone” and ended with “Make plans to come and go home with a slave.” https://mediamatters.org/items/200802280018
How about Palin’s husband being a member of the Alaskan Independence Party (AIP)? A party started by a guy named Joe Vogler who said, " The fires of hell are frozen glaciers compared to my hatred for the American government…and I won’t be buried under their damn flag… I’m an Alaskan, not an American. I’ve got no use for America or her damned institutions.” This party wants to secede from the united states. Palin spoke at their conference _earlier this year_. There is video on the Internet: https://www.youtube.com/watch?v=ZwvPNXYrIyI Palin said at this speech, " Keep up the good work, and God bless you." Hmm.
How about McCain’s own advisers and campaign staffers being former lobbyists, especially a former Fannie/Freddie lobbyist: https://www.motherjones.com/mojoblog/archives/2008/09/9663_mccain_fannie_freddie.html

The Ayers stuff is really stretching the bounds of credulity. Here’s what Obama said on the matter:

“This is a guy who lives in my neighborhood, who is a professor of English in Chicago, who I know, and who I have not received some official endorsement from. He is not someone I exchange ideas (with) on a regular basis.”

Obama went on to say Ayers “engaged in despicable acts 40 years ago when I was 8 years old,” and to suggest that “that reflects on me and my values doesn’t make much sense.” https://www.npr.org/templates/story/story.php?storyId=95442902, also look at this debunking of the lie and distortion in McCain’s advertisement: https://www.politifact.com/truth-o-meter/statements/790/

You better learn to love Obama because by all projections he is going to be our next president. He is close to winning a landslide of electoral votes too (351, with 375 as a landslide). https://www.fivethirtyeight.com/

Mccain Fact Check From Last Debate Planetarium Projector Overhead Projector

Sun, 12 Oct 2008 15:51:00 -0700

Note to McCain: Overhead projector is not a planetarium projector - Boing Boing

My friends, during last night’s presidential debate, McCain took That One to task for approving funding for an “overhead projector.” Howard Covitz, who used to work at Chicago’s Adler Planetarium, prepared this helpful graphic for McCain to show the difference between an overhead projector and a planetarium projector.

Warning: This email has been known to cause stupidity by the State of California

Sun, 12 Oct 2008 13:36:00 -0700

I feel it is my moral duty to not let emails full of lies, mischaracterizations, and known misleading or untrue information go by without pointing this out.

When 61% of the country believes in the Noah’s Ark flood story _literally_, between 45% and 70% believe that Saddam Hussein was behind the 9-11 attacks, and 12% of Americans still think that Barack Obama is a muslim, it is clear that when things get written down and repeated over and over again, it has an effect of changing people’s minds so that they believe things that never happened or are clearly or demonstrably untrue.

I have recently become rather frustrated with people who insist on sending out these kinds of propaganda and lies – even without fact-checking or providing some kind of warning if they know that some, or all, of it is untrue or suspect. And I have been searching for a less time-consuming, more clear and humorous and less crass way (other than doing all of their fact-checking for them – which takes quite a long time and I don’t think they read it anyway) of getting the message out that the email is worth about as much as the stuff I scrape off of my shoe.

My solution? A warning message. Feel free to copy and use with your next fallacious, vile, malicious, lying, hate-filled, widely-debunked, email that comes your way.

** WARNING!! This email contains information that is known to be fallacious, demonstrably false, misleading, lies, slanted propaganda, or a mixture of these. It should never have been sent out in its current state without this warning to the unsuspecting recipients. While it may contain some factual information, any redeeming value it may have had is poisoned by its proximity to such noxious information.

Continuing to propagate this information is contributing to the precipitous decline of the level of civil discourse and of our entire modern civilization.

Everyone on the recipient list is now likely dumber for having read it. Consider yourself warned.**

More Evidence Against Data Mining As An Anti Terrorist Tool

Sun, 12 Oct 2008 11:19:00 -0700

There have been a number of studies saying the same thing (search Bruce Schneier’s blog for plenty of other examples)

It’s kind of like trying to determine if someone is going to rob a bank by looking at their phone calls, etc. How do you know _beforehand_ what kinds of “patterns” and “data” are indicative of a bank robbery? And even if you see one bank robbery, not all are created equally, so why would you be able to infer that you could predict the next one based on previous data?

Scientists question terrorist-hunting techniques - CNN.com

The 352-page report by the National Research Council, an arm of the National Academy of Sciences, does not evaluate the TSA or any other specific government program. Instead, it explores issues related to data mining and behavior detection techniques and attempts to advise lawmakers how to appropriately balance security with privacy.

The report recommends the government be required to systematically evaluate the effectiveness and lawfulness of data-mining and behavior-detection programs before implementing them, and at regular intervals thereafter.

The programs also should be subjected to robust, independent oversight, the group recommends.

Election Hi Jinx Begins 'Osama' On Ny Ballot

Sun, 12 Oct 2008 05:39:00 -0700

Yeah, “Oops”. “Honest mistake”

ELECTION MIX-UP: ‘OSAMA’ ON THE BALLOT - New York Post

TROY, N.Y. - Who is running for president? In an upstate New York county, hundreds of voters have been sent absentee ballots in which they could vote for “Barack Osama.”

The absentee ballots sent to voters in Rensselaer County identified the two presidential candidates as “Barack Osama” and “John McCain.” In the United States, the best-known person named Osama is Osama bin Laden, leader of the al-Qaida terrorist group.

Commissioners for the Rensselaer County Board of Elections say they regret the error but do not acknowledge in a statement exactly what the error is.

The botched ballots were first reported by the Times-Union of Albany.

Sam Harris On Palin

Sun, 05 Oct 2008 15:33:00 -0700

This is one of my favorite parts of this article for Newsweek. The scary thing is that you could see her answering a question just like this.

Sam Harris on Sarah Palin and Elitism | Newsweek Politics: Campaign 2008 | Newsweek.com

What is so unnerving about the candidacy of Sarah Palin is the degree to which she represents—and her supporters celebrate—the joyful marriage of confidence and ignorance. Watching her deny to Gibson that she had ever harbored the slightest doubt about her readiness to take command of the world’s only superpower, one got the feeling that Palin would gladly assume any responsibility on earth:

“Governor Palin, are you ready at this moment to perform surgery on this child’s brain?”

“Of course, Charlie. I have several boys of my own, and I’m an avid hunter.”

“But governor, this is neurosurgery, and you have no training as a surgeon of any kind.”

“That’s just the point, Charlie. The American people want change in how we make medical decisions in this country. And when faced with a challenge, you cannot blink.”

Link O Rama

Sun, 05 Oct 2008 05:20:00 -0700

A couple of cool sites that I’ve come across recently

- Science Facts, science trivia, science info

Science news and loads of interesting facts, like this one:

Each King in a deck of playing cards represents a great king from history. Spades - King David; Clubs - Alexander the Great; Hearts - Charlemagne; and Diamonds - Julius Caesar.

Wordle - Beautiful Word Clouds

Wordle is a toy for generating “word clouds” from text that you provide. The clouds give greater prominence to words that appear more frequently in the source text. You can tweak your clouds with different fonts, layouts, and color schemes. The images you create with Wordle are yours to use however you like. You can print them out, or save them to the Wordle gallery to share with your friends.

Very interesting tool to create word clouds. I may throw resumes through this to see what kinds of patterns emerge about the person. I saw this used to compare the VP debate transcripts for each candidate.

Annoyance Tv Football Graphics Without Persistent Down And Yardage

Sun, 05 Oct 2008 05:16:00 -0700

I can’t believe that I would be the only one to notice this, but I find it so annoying that it seems universal across College and NFL football coverage and universal on every network I’ve seen that the statistics that are persistent on the screen throughout the game only consist of:

Network, current score (plus possession), time remaining, period, (blank space for down and yards) and other scores.

I find the most interesting information at any given moment though is what the Down and Yards to go are. Why are they not always listed? They are only displayed _when they change_, and then they are hidden. Why, oh why? What reason could there be for not showing this during the play?

Police Don'T Have To Pay For Damage During Raidsin Washington

Sun, 05 Oct 2008 05:10:00 -0700

I often think of this when I watch CSI and see them busting down doors, cutting people’s carpet, etc. to obtain evidence or apprehend suspects.

This is a terrible ruling. I can’t believe that this couldn’t be considered negligence for a mistake that they would need to pay for.

WA: Police don’t have to pay for damage during raids » Rational Review

“In a split decision Thursday, the state Supreme Court rejected a plea by a Kent property owner seeking compensation for damage done during a drug raid. Affirming lower court decisions, five of the court’s nine justices found the city of Kent was not required to pay $5,000 for damage to buildings owned by Leo Brutsche during a failed 2004 anti-methamphetamine operation. During the raid, narcotics officers used battering rams to knock down doors in buildings owned by Brutsche while searching for a meth lab they believed Brutsche’s son to be operating on the property, according to court records. No drugs were found, and Brutsche contends he offered officers keys to the doors before they began knocking them down.” (10/02/08)

New Research Lack Of Control Increases Seeing Patterns Where None Exist

Sun, 05 Oct 2008 05:07:00 -0700

This is very interesting research. May explain why people turn to religion in those instances too.

See a Pattern on Wall Street? - TierneyLab Blog - NYTimes.com

These questions are not unrelated, according to a report in the new issue of Science by Jennifer Whitson and Adam Galinsky. The researchers found that when people were primed to feel out of control, they were more likely to see patterns where none exist. They would spot an object in each of the images above, even though only the image on the right contains one (the outline of Saturn and its rings). If you thought you saw something in the image on the left, don’t be too hard on yourself — your feeling may be perfectly understandable given the chaos on Wall Street.

The researchers say that their experiments, which also tested people’s tendency to detect conspiracies and see superstitious lessons in stories, help explain why conspiracy theories and superstitions flourish when people are feeling out of control. Previous researchers have reported, for instance, that first-year business-school students are more prone to imagine conspiracies than are second-year students, and that deep-sea fishermen have more elaborate rituals and superstitions than ones who fish in more predictable conditions near shore.

WaMu failure editorial

Sat, 27 Sep 2008 05:46:00 -0700

A salient quote.

And Alan Fishman seems to be the most overpaid, underwhelming executive to come along since…Kerry Killinger. Nice going board and Fishman. Nice.

Editorials & Opinion | WaMu: Seattle’s big bank bites the dust | Seattle Times Newspaper

How many of Washington Mutual’s 43,200 employees should be deemed personally responsible for this? Very few. The directors, to be sure. A more useless board of directors would be difficult to find. Former CEO Kerry Killinger, absolutely. A few others.

Don'T Believe The Polls

Thu, 25 Sep 2008 07:58:00 -0700

Hot off the presses. The nonpartisan Pew Research Center finds that the previous assumptions that cell phone users thought similarly to landline phone users who are able to be polled are likely not valid. In fact, 62% of young cell phone-only users preferred democrats and Obama specifically.

Therefore, any polls that are head-to-head national and do not include cell phone users are very, very suspect.

The Associated Press: Study: Omitting cell phone users may affect polls

Earlier studies — including a joint Pew-AP report two years ago — concluded that cell and landline users had similar enough views that not calling cell users had no major impact on poll findings. The new report concludes that “this assumption is increasingly questionable,” especially for young people, who use cells heavily.

Combining polls it conducted in August and September, Pew found that of people under age 30 with only cell phones, 62 percent were Democrats and 28 percent Republicans. Among landline users the same age that gap was narrower: 54 percent Democrats, 36 percent GOP.

Similarly, young cell users preferred Democratic presidential candidate Barack Obama over Republican nominee John McCain by 35 percentage points. For young landline users, it was a smaller 13-point Obama edge.

Bush Amp Paulson Just Making Sht Up

Wed, 24 Sep 2008 15:20:00 -0700

ht-up

Hat tip to Chuck Schumer who asked a real question of Paulson earlier this week about why $700 billion, and why all the money now? Why not $150 billion and come ask for more so we can see whether it is working?

Think Progress » Treasury explains how it came up with $700 billion: We just wanted ‘a really large number.’

In fact, some of the most basic details, including the $700 billion figure Treasury would use to buy up bad debt, are fuzzy.

“It’s not based on any particular data point,” a Treasury spokeswoman told Forbes.com Tuesday. “We just wanted to choose a really large number.”

Insiders Steal Data From Countrywide

Sat, 20 Sep 2008 07:19:00 -0700

I got my letter this week that my data appeared to be affected. They are taking serious measures though and offered 2 years of free credit monitoring services to those affected.

Although I can’t help but think about how phishy it looks when I was directed to go to not experian.com, but consumerinfo.com/countrywide. And I’m supposed to know that consumerinfo.com is Experian??

Insider arrested in relation to Countrywide data theft - security

Sex for oil scandal

Wed, 10 Sep 2008 11:55:00 -0700

Sheesh. Everyone knows you should be using water-based lubes for that.

Think Progress » Bush administration officials exchanged sex for oil.

The Interior Department’s inspector general revealed today that 13 government officials “handling billions of dollars in oil royalties improperly engaged in sex with employees of energy companies they were dealing with and received numerous gifts from them.” As the AP reports, the investigation revealed a “culture of substance abuse and promiscuity“:

Evidence That Democratic Adminnistrations Bring More Economic Prosperity To America

Tue, 09 Sep 2008 16:32:00 -0700

https://www.nytimes.com/2008/08/31/business/31view.html?_r=1&em&oref=slogin

“The stark contrast between the whiz-bang Clinton years and the dreary Bush years is familiar because it is so recent. But while it is extreme, it is not atypical. Data for the whole period from 1948 to 2007, during which Republicans occupied the White House for 34 years and Democrats for 26, show average annual growth of real gross national product of 1.64 percent per capita under Republican presidents versus 2.78 percent under Democrats.

That 1.14-point difference, if maintained for eight years, would yield 9.33 percent more income per person, which is a lot more than almost anyone can expect from a tax cut.

Such a large historical gap in economic performance between the two parties is rather surprising, because presidents have limited leverage over the nation’s economy. Most economists will tell you that Federal Reserve policy and oil prices, to name just two influences, are far more powerful than fiscal policy. Furthermore, as those mutual fund prospectuses constantly warn us, past results are no guarantee of future performance. But statistical regularities, like facts, are stubborn things. You bet against them at your peril.”

Open Letter Response To Quot Dear Mr Obama Quot Video

Tue, 09 Sep 2008 16:23:00 -0700

I was surprised to find recently that these kinds of propaganda videos/emails seem to stay almost entirely within right-wing circles of discussion. I have googled and either nobody who is a progressive or skeptic is examining the claims or having a balanced discussion about these or they are so drowned out by the same kinds of passive-aggressive postings with little to no added value. Even the right-wing sites that are discussing this are not discussing any salient ideas. It seems like the ultimate “bumper sticker” mentality – i.e. bumper stickers aren’t going to change anyone’s mind and really only serve as membership cards in a particular mindset.

So, I figured that this would be a good response to make open to add to the fray and maybe open up some lines of communication about the premises of these kinds of thoughts.

YouTube - Dear Mr. Obama

Anecdote is not plural for data. This, of course, is an anecdote. There are certainly many more military personnel who do not believe as this gentleman does: Take this Zogby poll as some actual data. https://www.zogby.com/news/readnews.dbm?id=1075 Here’s a choice example:

Le Moyne College/Zogby Poll shows just one in five troops want to heed Bush call to stay “as long as they are needed”
While 58% say mission is clear, 42% say U.S. role is hazy
Plurality believes Iraqi insurgents are mostly homegrown
Almost 90% think war is retaliation for Saddam’s role in 9/11, most don’t blame Iraqi public for insurgent attacks

The wide-ranging poll also shows that 58% of those serving in country say the U.S. mission in Iraq is clear in their minds, while 42% said it is either somewhat or very unclear to them, that they have no understanding of it at all, or are unsure. While 85% said the U.S. mission is mainly “to retaliate for Saddam’s role in the 9-11 attacks,” 77% said they also believe the main or a major reason for the war was “to stop Saddam from protecting al Qaeda in Iraq.”

“Ninety-three percent said that removing weapons of mass destruction is not a reason for U.S. troops being there,” said Pollster John Zogby, President and CEO of Zogby International. “Instead, that initial rationale went by the wayside and, in the minds of 68% of the troops, the real mission became to remove Saddam Hussein.” Just 24% said that “establishing a democracy that can be a model for the Arab World" was the main or a major reason for the war. Only small percentages see the mission there as securing oil supplies (11%) or to provide long-term bases for US troops in the region (6%).

This shows that many in the military are actually a) not very clear on the whole as to our mission (not surprising since the rationale was based on lies and has morphed many times as the previous reasons turned out to be bunk or lies) b)

But, I think it’s more likely that he is like many Americans who look at some outcomes of our involvement in the war and conclude that the end justifies the means. Additionally, none of these people seem to be looking at the cost, and the opportunity cost, of the resources we have expended in Iraq. I’m not saying that Sadaam was not a bad guy, but is it worth the estimated $3 Trillion dollars it will cost? I find it hard to believe that there wasn’t something better for our grandchildren to spend that money on than a war of convenience that was sold to us by a bunch of lies. We were never in Iraq to “spread freedom”. The original intent was (as the lies go) because we _knew_ that Iraq had WMDs and that they would not hesitate to use them on us. Oh, and then sprinkle in 9-11 over and over until even our troops think that we were going in there because of some link to 9-11. The troops were lied to (probably still are) just as the American people were so it is not surprising to see some make these claims based on their experiences on the ground.

Here is some more data – from actually asking Iraqis if they feel they are better off. This one from 2007. 90% think they were better off under Sadaam. https://www.angus-reid.com/polls/view/14282 It’s no wonder since many go without electricity, water, etc. for hours or days at a time. They’ve been force from their houses. It is very dangerous in many parts still.

The following two statements were made by the gentleman in the video:

“Iraq was not a mistake” and “Those sacrifices were not mistakes” “When you call the Iraqi war a mistake, you disrespect the service of everyone who has died promoting freedom.”

As to the first, the gentleman appears to be making this claim primarily because of the freedom we have given the Iraqis. Although that was a noble outcome, the price in human life to do this and the $3 Trillion dollar pricetag that we are _borrowing_ to pay for, as well as the fact that we diverted our attention and resources away from Afghanistan and Al Qaeda (the _real_ people who attacked us on 9-11) are all evidence that it was a mistake of Vietnam proportions. In addition, we were not prepared for the aftermath of the war and didn’t understand the region and the issues so that it was not even the right time for doing this even if it were the best use of our resources.

As to the second, that is just not true. It is often put out there that any criticism of the mission is “bad” and “disrespectful” to the troops. But this seems to be based on a fallacy that if the war was a mistake, then those who died are no longer respected which is absolutely not the case and a non sequitur. This is a corollary to the “Love it or leave it” fallacy. There are other alternatives, such as the more correct understanding that the sanity of the mission is a completely distinct cognitive and emotional issue from our respect for those who have served the mission. I don’t know anyone (and I doubt that people holding this belief could even point me to one person) who believes otherwise and impugns the military for the mission. Everyone knows that they did not make the mission or decide to do it– that was the “decider”. I believe that it is the ultimate support of our troops to criticize them being put in harm’s way for purposes that are really not necessary for our national security (a war of convenience like Iraq). And for them to be put on stop-loss to do it is even more abhorrent to me.

-Jason

Redacted wrote:

From: Sender redacted To: Undisclosed-Recipient:; Sent: 9/7/2008 7:48:18 P.M. Eastern Daylight Time Subj: Fw: must see…

**

Every American should see this,,,pass it on,,,,,,,,,, *****************************************************

‘This commercial was done by a local kid. You have to watch the whole thing.. When he finishes talking and walks away, you get a sense of how this could be the commercial of the campaign season.

Bob Cook and I were on the Lake County Republican Central Committee together. His son Joe returned from Iraq last year and I was at the celebration to welcome him home.’

Hi, My son Joe just did a commercial for John McCain. Please pass this on.

https://www.youtube.com/watch?v=TG4fe9GlWS8

**

Excessive Sql Logging In Zogby Website

Tue, 09 Sep 2008 15:44:00 -0700

Zogby website backed by…MS Access…yuk.

Got this gem of an error message this evening trying to bring up a link from google. It’s not a good idea to expose this kind of information to the Internet as it makes it easier for someone to attack your application, perhaps with SQL injection.

Error Diagnostic Information

ODBC Error Code = S1001 (Memory allocation error)

[Microsoft][ODBC Microsoft Access Driver] Not enough space on temporary disk.

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (7:1) to (7:43).

Date/Time: 09/10/08 01:42:35 Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1 Remote Address: 216.39.144.193 HTTP Referer: https://www.google.com/search?hl=en&q=survey+troops+iraq&btnG=Search Template: c:\inetpub\wwwroot\news\readnews.dbm Query String: id=1075

Nvidia Driver Breaks Remode Desktop On Windows Xp Solution

Sun, 07 Sep 2008 09:21:00 -0700

Gotta love Google.

I added this key, rebooted and now I’m back in business!

NVIDIA Forums -> WHQL 175.16 - remote desktop fails

This problem is not specific to any one graphics company. It can probably happen with printer drivers too.

The root of the problem is that the session image space is too small and it can’t load any more drivers into it. The session image space is shared for the display driver drivers and printer drivers. rdpdd = remote desktop protocol display driver.

You can fix this bug by increasing the size of the session image space via a registry key. Add the following key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

“SessionImageSize”=dword:00000020

0x20 == 32 MB works on my system anyway.

Security and Politics: Spoofing Obama VP TXT messages

Sun, 24 Aug 2008 06:27:00 -0700

Reports are that people are getting fake TXT messages claiming to announce Obama’s VP pick. I’ve certainly gotten lots of spam claiming that Hillary is the VP pick for example.

But to bring in the security angle, Verizon’s website makes it easy to spoof the return address of text addresses to perpetrate these messages.

Wonkette: The D.C. Gossip » Blog Archive » Freak Out Your Friends With Fake Obama VP TXT

Preaching To The Choir Fake News Viewers More Informed Than Mainstream News Viewers

Sun, 24 Aug 2008 06:22:00 -0700

A recent Pew research study shows that viewers of The Daily Show and The Colbert Report are more informed about current events than “average consumers of NBC, ABC, Fox News, CNN, C-SPAN and daily newspapers.” Pathetic.

e.g.

“Thirty percent of Daily Show and 34 percent of Colbert viewers correctly identified Secretary of State Condoleezza Rice, British Prime Minister Gordon Brown and the majority party in the U.S. House of Representatives”

Think Progress » Colbert, Stewart viewers more well-informed than those watching O’Reilly, Dobbs.

Sad Cynical Reaction From Yglesias About Op Eds

Sun, 24 Aug 2008 06:15:00 -0700

Again, nothing annoys me more than unadulterated lies and distortions that go out unchallenged. More evidence that we cannot rely on the mainstream media for fair and accurate reporting. It’s a shame.

Matthew Yglesias (July 27, 2008) - Facts Are Hard (Media)

Of course if being accurate were a requirement for op-ed pieces, then more than one national newspaper columnist might be out of a job. So given the current economic downturn, I think it’s important to keep letting people make stuff up.

Mccain Cites Urban Legend As Evidence Of Al Qaeda Evil

Sun, 24 Aug 2008 06:12:00 -0700

Nothing annoys me more than someone using debunked, false, misleading, distorted information to support a position. And who decides to do this with a straight face, but John McCain. You know, we really should require our officials to not only be honest but to be well-informed on what they are talking about. McCain just falls down again with this gaffe showing how he is not only out of touch on the economy, but also on foreign policy – a supposed strong point of his.

I was reminded of a great quote recently from Daniel Patrick Moynihan, “Everyone is entitled to their own opinion, but not their own facts.”

Ben Smith’s Blog: McCain cites questionable story on ’evil’ - Politico.com

“Not long ago in Baghdad, Al Qaeda took two young women who were mentally disabled and put suicide vests on them, sent them into a marketplace, and by remote control, detonated those suicide vests,” McCain told Rick Warren. “If that isn’t evil, you have to tell me what is.”

The horrifying story that terrorists used two women with Down Syndrome to carry bombs was a sensation in February, but The New York Times later suggested it hadn’t happened that way:

Carbs Attack Appetite Suppressing Cells Over Time

Sun, 24 Aug 2008 06:07:00 -0700

Fascinating that we now know that the very mechanism of how our brain determines that we are full (satiety) relies on free radicals, but it is these same free radicals that actually negatively affect our very ability to detect satiety long-term! But carbs are soooo good.

Killer Carbs: Scientist Finds Key To Overeating As We Age

Dr Andrews found that appetite-suppressing cells are attacked by free radicals after eating and said the degeneration is more significant following meals rich in carbohydrates and sugars.

“The more carbs and sugars you eat, the more your appetite-control cells are damaged, and potentially you consume more,” Dr Andrews said.

Dr Andrews said the attack on appetite suppressing cells creates a cellular imbalance between our need to eat and the message to the brain to stop eating.

“People in the age group of 25 to 50 are most at risk. The neurons that tell people in the crucial age range not to over-eat are being killed-off.

“When the stomach is empty, it triggers the ghrelin hormone that notifies the brain that we are hungry. When we are full, a set of neurons known as POMC’s kick in.

“However, free radicals created naturally in the body attack the POMC neurons. This process causes the neurons to degenerate overtime, affecting our judgement as to when our hunger is satisfied,” Dr Andrews said.

News From Seattle Former Police Chief Is Anti Drug Prohibition

Sun, 24 Aug 2008 06:04:00 -0700

Kudos to Norm Stamper for the courage to speak his mind and use his experiences to go against the grain. Sounds like an interesting book as well.

I can’t help but think of how much resources are wasted on the war on drugs as I watch episodes of “The Wire”. All that would go away. And the hypocrisy of alcohol being legal while marijuana is not is asinine.

Former Seattle Police Chief on the high costs of the drug war - Boing Boing

Stamper is the author of the Breaking Rank: A Top Cop’s Exposé of the Dark Side of American Policing (2005) and now works with Law Enforcement Against Prohibition (LEAP), a nonprofit created by former cops to “reduce the multitude of unintended harmful consequences resulting from fighting the war on drugs and to lessen the incidence of death, disease, crime, and addiction by ultimately ending drug prohibition.”

Taxpayers making up for corporations shirking responsibilities

Sun, 24 Aug 2008 06:01:00 -0700

This is enough to make you vomit in your mouth. Yes, we are all having to pay more _individual_ taxes to make up for US corporations that use kickbacks and loopholes to avoid paying federal taxes. This should make the anti-tax people irate, especially since we live in a world where corporations are equivalent to individuals from a legal standpoint. How anyone can claim that they pay their fair share is beyond me.

Crooks and Liars » GAO Study: Most US corporations avoid income tax

The Government Accountability Office said 72 percent of all foreign corporations and about 57 percent of U.S. companies doing business in the United States paid no federal income taxes for at least one year between 1998 and 2005.

Tips for buying a new car video

Sun, 24 Aug 2008 05:58:00 -0700

This is an entertaining 6 minute video (out of Seattle no less) I documented many of the salient points here.

Plan. Give at least 2 weekends
Get financing _before_ you go to your dealership so you know how much you can afford in advance.
Don’t sell your car to the dealership. Sell it on craigslist
Get down to top 3 cars you are interested in.
Test drive them. Don’t buy it then. Choose all of your options
Don’t use the invoice as a guide for price. You want the competitive bid. Call 8-10 dealerships.
Get the “drive it off the lot” price
Come back a second time. Stick to your guns. Walk out when the deal changes.
Don’t sign until you are done with everything and all is in writing.
Don’t buy any of the add-on stuff (high-margin stuff). Akin to stocking up on candy “at the movie theater” to bring home.

How to buy a new car and not get screwed - Boing Boing

Flying Without Id

Sun, 24 Aug 2008 05:06:00 -0700

Legally, there is no requirement that you must have an ID to fly in the US. However, you may encounter lots of resistance. That’s why I, as a security professional, have not yet attempted to do so. My wife would probably not be as interested as I am in the answer…

Seems as if the TSA may even have different procedures for those who _forget_ their IDs than for those who _refuse to show_ ID. Funny. It is also noted that if they write SSSS on your boarding pass for “special screening”, if you were to have another copy of your boarding pass without the SSSS you may be able to bypass the extra screening.

philosecurity » Blog Archive » Flying Without a Wallet

I was curious to learn more about the TSA’s new practices for ID-less travelers. As a security professional, I decided to research TSA’s latest security screening procedures.

Medeco Hacked At Defcon 2008

Sun, 24 Aug 2008 05:01:00 -0700

Ahh, the holy grail. Basically, if anyone gets to photograph your medeco keys, any hacker can whittle a blank from that photo and bypass these “high security” locks.

Add “Obtain photograph of building keys” as a node in your physical security threat models ;-)

Working Medeco high-security keys can be whittled out of plastic - Boing Boing

Researchers at DefCon in Vegas have demonstrated that they can make “high security” Medeco key-blanks out of the plastic used in credit-cards, and then whittle them into working keys by referring to low-resolution photos of original keys.

Terrorist watch list false positives have real consequences to real people

Sat, 23 Aug 2008 05:27:00 -0700

Really? An honorably-discharged American soldier is on the Terrorist watch list? Seems like there is definitely some cruft in the list of 400,000 - 1MM names. Here is a personal story of how this kind of system has consequences somewhat as bad as what the terrorists could hope to accomplish themselves–loss of freedom and unjust treatment.

Name on government watch list threatens pilot’s career - CNN.com

In April, Colgan informed Scherfen that he was on a government list and would be suspended from his job. He was told he faced termination on September 1 unless he was able to clear his name.

But Scherfen, of Schuylkill Haven, Pennsylvania, has been unable to do so and said he fears that it could mean he has no future as a pilot.

“My entire career depends on me getting off this list,” he said. “I probably won’t be able to get a job anywhere else in the world having this mark that I’m on this list.”

Witold Walczak, an American Civil Liberties Union attorney representing Scherfen and his wife in a lawsuit, calls the government actions “unfair” and “unjust.”

Bruce Schneier recently pointed out how absurd this list is, especially when it is publically known how many times the _actual_ people on the list were encountered – but nothing happened to them. If they are so dangerous, why were they not detained?

Schneier on Security: Congratulations to our Millionth Terrorist!

Screening and law enforcement agencies encountered the actual people on the watch list (not false matches) more than 53,000 times from December 2003 to May 2007, according to a Government Accountability Office report last fall.

Okay, so I have a question. How many of those 53,000 were arrested? Of those who were not, why not? How many have we taken off the list after we’ve investigated them?

Weekly spam files

Sat, 23 Aug 2008 04:48:00 -0700

I got some seriously choice spam messages this week. Here are some of the outstanding ones. The first one was hilarious – but even more hilarious that it decided to include the TV show “The View” in the list of the “earth’s ills” for a double punch line.

Former Astronaut Dr. Edgar Mitchell - a veteran of the Apollo 14 mission - claims aliens are gay and that they are responsible for many of the earth’s ills including global warming, war, disease and The View.

The House of Representatives ethics committee has passed a new set of Republican backed rules which reduce the Ten Commandments down to nine “suggestions”.

Paris Hilton Gives Birth To Twins…Aliens

Paris Hilton Becomes Mormon – Marries Paparazzi

Diebold Admits Coding But That Causes Vote Loss

Fri, 22 Aug 2008 11:33:00 -0700

Diebold originally blamed a glitch that lost votes on anti-virus software but it turns out it was due to a flaw causing votes to not be recorded to memory when uploading votes from the external cards. It’s a wonder how something as simple as counting votes could have so many bugs in core functionality…

Note to US Bank customers: Diebold makes many of their ATMs! Let’s hope the accounting is better there.

Premier (f/k/a Diebold) Confesses Error - TalkLeft: The Politics Of Crime

Slashdot | Diebold Admits Ohio Machines May Lose Votes

Anonymous Company Ratings Reviews And Salaries Online

Sun, 17 Aug 2008 09:07:00 -0700

Wow, what a cool site. They even have ratings of CEOs but this can be an invaluable site when negotiating salary for a job, or deciding which field you want to get into.

Glassdoor.com - Company Ratings, Reviews, and Salaries.

Insider At Wamu Embezzles 16mm

Sun, 17 Aug 2008 08:55:00 -0700

And who thinks businesses don’t need to worry about insiders? Harden your soft-chewy center. The most puzzling thing is that she was let out on $100k bail, yet she is from Mexico and that’s where she wired the dinero…

SignOnSanDiego.com > News > Metro – Bank teller arrested in $1.6 million theft

SOUTH COUNTY: A 22-year-old bank teller was arrested Tuesday on suspicion of embezzling more than $1.6 million from Washington Mutual Bank and wiring the money to a bank in Mexico, a sheriff’s investigator said.

Some assistance for your 2008 WA primary voting

Sun, 17 Aug 2008 08:36:00 -0700

A couple of great resources to help out with your last-minute voting.

Show My Elections | 2008 Primary

Fuse Primary Voter’s Guide (great summaries of endorsements for judges, which can be difficult at times to know who’s better)

And, the voter’s guides are online: https://www.vote.wa.gov

Security holes can get you into trouble

Sun, 17 Aug 2008 08:28:00 -0700

Oops. Remember kids, disable directory indexing on your porn server! Or better yet, don’t mix shared data with stuff you wouldn’t want people to find on accident.

Judge Alex Kozinski’s porn stash - Boing Boing

Kozinski had sent a link to a file (unrelated to the stuff being reported about) that was stored on a file server maintained by Kozinski’s son, Yale. From that link (and a mistake in how the server was configured), it was possible to determine the directory structure for the server. From that directory structure, it was possible to see likely interesting places to peer. The disgruntled sort did that, and shopped some of what he found to the news sources that are now spreading it…

His son set up a server to make it easy for friends and family to share stuff – family pictures, documents he wanted to share, videos, etc.

Washington's Top 2 primary system: death knell for the major parties?

Sun, 17 Aug 2008 08:11:00 -0700

This is a great article, with some choice quotes from some of the folks on the ballot for this country’s first top-2 primary system. I have long hated the 2-party system, especially as gerrymandering has allowed the parties to artificially remain entrenched in government. And especially as the issues are more and more complex yet the parties try to divide the country evenly into two camps. I think the rise of independent and “swing” voters has shown that our views can’t be so easily divided along party lines. Although there are many of the “swing” voters who just seem to be lazy or noncommittal (as I saw during the caucuses when many had not even researched the candidates. No wonder they couldn’t decide! They wanted others to do the deciding/persuading for them).

I pride myself on being a truly independent voter. Although I often prefer candidates of a progressive democratic nature since many of my values match theirs in general, I can’t stand party-line votes just for the sake of voting party line. I would prefer to have a parliamentary system as that would allow for more shifting coalitions rather than just two giant parties trying to please everyone but pleasing no-one (is it any wonder the congressional ratings are worse than GW Bush?).

I just cast my ballot for the top-2 primary and am excited to think that Oregon and other states could follow our lead.

Lights out for parties? Tuesday’s top two primary could signal a new political era for Washington state- Columbian.com, Clark County, Washington, Vancouver, Breaking News, U.S., World, Entertainment, Video, Weather, Sports

I did laugh when I read Clarence Thomas’ quote from this article but I at least agree with him on principle; not sure where that sentiment falls in relation to the constitution though.

Panoramic Aerial Photography Using A Kite

Tue, 12 Aug 2008 14:56:00 -0700

-kite

Got this link courtesy of Credo Mobile. Very cool. I was intrigued by the San Francisco shots since I just got back from there, but they are photos from nearby, not of the city.

Kite Aerial Photography by Scott Haefner | 360° Panoramas

Skinny dipper "sting" in Germany

Mon, 04 Aug 2008 15:12:00 -0700

This is especially funny in light of the revelations that it is becoming popular, especially in the UK, to use Google Maps to locate swimming pools to crash like this. I guess they better survey the area to make sure there aren’t any nettles first.

Germany:Skinny dippers fall for sting » Rational Review

Fairy Amp Human Relations

Mon, 28 Jul 2008 15:26:00 -0700

I was sad that when I was near Winthrop, WA this past weekend I was not able to break away to check out the Fairy & Human Relations Congress 2008 that was going on. I’m glad I remembered the website address so I could read more about it.

The notion that Fairies are not Human, such that they need to find ways of relating to us humans was strange. “The humans are vastly outnumbered at the Congress by the fairies, devas and other Light beings who are in attendance.” I wasn’t sure from the advertisement I saw if they were for real or not but I think they are. Of course you need to bring your crystals and items for the fairy altar.

And practice on using the word “realm” as much as you can.

I think their mission to increase peace is a good one, although I’m not sure which “realm” they are hoping to accomplish this in…

Some photos of what I missed:

Flickr: Fairy & Human Relations Congress 2008

Tell Barack Obama what you think of his FISA vote

Mon, 14 Jul 2008 15:19:00 -0700

Hat tip to Moveon.org

https://my.barackobama.com/page/s/contact2

My thoughts on the response below are that it is full of bunk to put it bluntly. “FISA and existing criminal wiretap statutes as the exclusive means to conduct surveillance” was already embodied in FISA. I can see some definite pandering to the “we’re tough on terrorists” bunk – as if caving on this was necessary to stop terrorism. That only lends credence to the administration’s claims that what they were doing illegally was necessary to fight terrorism. Oh well. My Open letter:

(soon to be) Mr. President,

I was deeply, deeply saddened by your decision to vote to approve the
horrible FISA bill. I think the best indication of how bad a decision
that was came when still-president Bush hailed the bill after it was
passed. And how could you have sanctioned the precedent, let alone the
specific case, of granting immunity for law breaking (no matter how
altruistic the rationale \_might\_ be) -- especially when you, nor I, really
know the extent or scope of their actions.

I'm torn because I am interested in replacing every Democrat who sided
with the Republicans on this bill in future elections, yet I do support
you as our best hope for a better America. Let's say the glean is a bit
tarnished by this though.

Additionally, I don't really understand even what your rationale was so I
think you need to do a better job at openly communicating this kind of
information to your constituency.

I do hope that you will hold these, and the other known lawbreakers from
this administration, accountable once you obtain office and will uphold
the rule of law.

Regards,

-Jason

Official response email:

Dear Friend,

Thank you for contacting us and sharing your strong feelings about this important issue. Please find a statement from Senator Obama below.

We appreciate hearing from you.

Sincerely,

Obama for America,

---
Given the grave threats that we face, our national security agencies must have the capability to gather intelligence and track down terrorists before they strike, while respecting the rule of law and the privacy and civil liberties of the American people. There is also little doubt that the Bush Administration, with the cooperation of major telecommunications companies, has abused that authority and undermined the Constitution by intercepting the communications of innocent Americans without their knowledge or the required court orders.

That is why last year I opposed the so-called Protect America Act, which expanded the surveillance powers of the government without sufficient independent oversight to protect the privacy and civil liberties of innocent Americans. I have also opposed the granting of retroactive immunity to those who were allegedly complicit in acts of illegal spying in the past.

After months of negotiation, the House passed a compromise that, while far from perfect, is a marked improvement over last year's Protect America Act. Under this compromise legislation, an important tool in the fight against terrorism will continue, but the President's illegal program of warrantless surveillance will be over. It restores FISA and existing criminal wiretap statutes as the exclusive means to conduct surveillance - making it clear that the President cannot circumvent the law and disregard the civil liberties of the American people. It also firmly re-establishes basic judicial oversight over all domestic surveillance in the future. 

It does, however, grant retroactive immunity, and I voted in the Senate three times to remove this provision so that we could seek full accountability for past offenses. Unfortunately, these attempts were unsuccessful. But this compromise guarantees a thorough review by the Inspectors General of our national security agencies to determine what took place in the past, and ensures that there will be accountability going forward. By demanding oversight and accountability, a grassroots movement of Americans has helped yield a bill that is far better than the Protect America Act. 

It is not all that I would want. But given the legitimate threats we face, providing effective intelligence collection tools with appropriate safeguards is too important to delay. So I support the compromise, but do so with a firm pledge that as President, I will carefully monitor the program, review the report by the Inspectors General, and work with the Congress to take any additional steps I deem necessary to protect the lives - and the liberty - of the American people.

Questions For Democratic Wankers Who Support Fisa

Sat, 05 Jul 2008 10:32:00 -0700

It is infuriating me that the spineless Democrats are not taking a stand on FISA and are actually putting their own political spin on how it’s a “compromise” (read: “capitulation”, as noted elsewhere in the blogosphere) and a good thing. Here are several key questions I had been thinking myself, but not in such clear terms:

Daily Kos: Betting it all on criminal wiretapping prosecutions.

1. Why, if you believe there are or may be grounds for criminal prosecution, would you immunize against civil liability? What sense does that make, exactly? Why make life easier for people you’re telling us should be or could be subject to criminal liability?

2. Going the path in #1 says, “Don’t press your rights by yourselves, Mr. or Ms. Citizen. Let the government that just finished stripping you of them take care of that for you. Maybe.

3. Who are these Congressmen commiting the Barack Obama administration to a major criminal investigation spanning eight years of the Bush White House’s most secretive and most deeply shrouded abuses as its first official act, and have any of them asked Obama where he stands on this commitment?

4. The people promising you criminal prosecutions after ‘08 if you’ll just shut up and trust them to read the law and take care of things after the election are the same people who promised you effective “subpoena power” after ‘06 if you’d just shut up and trust them to read the law and take care of things after the election.

Open Note To Obama On The Fisa Immunity Provisions

Thu, 03 Jul 2008 11:10:00 -0700

In response to a moveon.org phone campaign, this is the message that I communicated to Obama’s campaign staff.

“The FISA bill is something that I am very concerned about. I know that Barack has said that he is not fond of the immunity provisions in the FISA bill. I wanted to call to encourage Barack to take a stand unlike many of the other Democrats who have voted for this bill in the past and also take a stand for the rule of law. We know this is something that the current administration cannot be counted on to do and we are looking for Obama to change that.”

You can also join in and communicate your desires via his own website: https://my.barackobama.com/page/group/SenatorObama-PleaseVoteAgainstFISA

Electoral Projections Blog

Sun, 29 Jun 2008 16:04:00 -0700

Got this link via a colleague and it has some of the most detailed, up-to-date data and analysis on the polling data and cruft coming from the punditrocracy about who’s going to win what and how they can win it. One to keep an eye on this election season. These will be some long months ahead! Right now it shows that Obama has an 88.6% chance of winning the election if it were held today.

FiveThirtyEight.com: Electoral Projections Done Right

Ncis Can'T Hold A Candle To Csi

Sun, 29 Jun 2008 15:44:00 -0700

I had watched one episode of NCIS early on in its life and just thought that the writing was _horrible_. I knew then that I didn’t need to watch any more episodes.

Well, someone I know was recently raving about NCIS so I decided to give it another shot–maybe they had gotten new writers? It was still _horrible_ writing. The writers tended to make most every line “cutesy”, “syrupy”, not like real people would talk at all. And the cast of characters are all their own caricatures. They fill the show with loads of dialogue that just detracts from the show. It seemed strained, like the writers are trying _way_ too hard to be funny. It wasn’t.

There were a lot of cut-shots where they would cut to someone else’s face to get their reaction. Why don’t they just insert their own laugh track while they’re at it?

I’ll stick with CSI and CSI New York. The writing is intelligent, the characters are all very intricate and interesting. The humorous lines are just enough. The only thing that I can’t stand on CSI are the guest writer episodes where they try something totally different – like making it a dark comedy. Those are terrible. Stick to the regular characters and format. Oh, and the thing I can’t stand on CSI New York is how overtly in-love with technology the writers are. It makes me sick how they try to shove as many techno-anythings into every episode. Once I saw the Cisco product placements I knew what was up. Now I know where Bill Gates sold his remaining tablet PCs…

Batch Transcoding Flv Audio To Oggvorbis Using Vlc

Sun, 15 Jun 2008 15:11:00 -0700

Here’s a handy bash script that I use to quickly batch transcode flash audio-only files into ogg/vorbis for playing on my Cowon D2:

for file in *.flv; do /cygdrive/c/Program\ Files/VideoLAN/VLC/vlc.exe -vvv $file –sout="#transcode{acodec=vorb,ab=192,channels=2}:standard{mux=ogg,dst=$file.ogg}" vlc:quit; done

Coolest Social Network Music Site

Sun, 15 Jun 2008 14:34:00 -0700

IMEEM - what’s on your playlist?

I stumbled across this site googling for samples of some songs on albums I was considering buying. They have postings of high-quality videos and clips of songs, with charts. Excellent for trying to find that song on the radio you never knew the name of but enjoyed.

Democratic Leaders Need A Spine Say No To Fisa Compromises

Sat, 14 Jun 2008 04:57:00 -0700

This points out how the Democrats aren’t capitalizing on this issue which is working against the Republicans. Show how the Democratic party is about freedom and the Republicans are about unitary executive and a police state.

Daily Kos: State of the Nation: McCain’s FISA Flip-Flops Still in the News

Now, take some action and tell your congresscritters to take a stand on our rights. Thanks to CREDO Mobile!

Say No to Senator Bond’s FISA Capitulation

For over 30 years, the Foreign Intelligence Surveillance Act (FISA) has dictated necessary and appropriate ways for the U.S. government to collect intelligence on its own citizens for the sake of national security. Two key provisions of this law are that:

* The government must obtain a warrant from the Foreign Intelligence Surveillance Court (FISC) before spying on a citizen. * Citizens have the right to sue if they believe they were spied upon illegally.

FISA provided broad leeway for every President from Carter to Clinton to conduct extensive intelligence-gathering operations. However, President Bush has decided that he is above warrants and judicial review, and major newspapers have reported that he has been using big telecoms like AT&T to spy on Americans without warrants for years.

From The So Dumb It'S Hilarious Department

Sun, 08 Jun 2008 15:52:00 -0700

A running family joke, but I laugh every time I hear this.

YouTube - Kitty Cat Dance

YouTube - cat i’m a kitty cat

ViewStateUserKey not entirely effective against CSRF

Sat, 07 Jun 2008 13:45:00 -0700

Oh, how timely! Just a few days ago, a blog post about the limitations of ViewStateUserKey as a means to prevent CSRF in ASP.Net applications. The bottom line:

developers can disable ViewState entirely, so it lacks central control (kind of like ripping out your firewalls and hoping everyone has an up-to-date and securely configured desktop firewall instead)
There are some issues with the mechanism working over load-balanced connections or across IIS app pools where session IDs are likely not shared.
Most importantly, the ViewState MAC is only checked on POSTback, so if you have apps that don’t use POSTbacks, you are still vulnerable.

The article also suggests that a CSRF Guard for .Net is needed. Well, they are in luck because it is: https://www.owasp.org/index.php/.Net_CSRF_Guard

ViewStateUserKey Doesn’t Prevent Cross-Site Request Forgery - KeepItLocked.net

Owasp Net Csrfguard

Thu, 05 Jun 2008 10:37:00 -0700

At the OWASP conference in San Jose last year, the Java OWASP CSRFGuard was presented and I met Eric Sheridan, its author. I noted that there was not an analogue for .Net so I started coding right then.

Well, it’s been a hobby project for some time. Eric and I have gone back and forth with design/feature ideas and are working toward feature-equivalent solutions for each language, albeit implemented within the appropriate language paradigms.

I have been coding away for the past several weeks, whittling down my TODO list, and am ready to release an alpha version soon. I need to figure out some logistical issues and get the assembly a strong name so it can be installed in the GAC. So, check it out and watch this space for the release announcement.

I also have lots of work to do to flesh out the full documentation on the wiki page.

.Net CSRF Guard - OWASP

Catholic Church Again Being Heavy Handed About Pro Life Supporters

Wed, 04 Jun 2008 11:20:00 -0700

This is really stupid. To single out only certain members of the church? I agree with Steve,

“I think it’s a mistake to deny Communion to public officials who, in their official capacity as policy makers, stray from the church’s doctrines. But this is adding insult to injury — targeting Catholic congregants based on their votes, rather than their beliefs and conduct.

In other words, at least in the abstract, John Kerry should be blocked from receiving Communion and Catholic voters who supported him should receive the same treatment.”

And why just pro-life stances? Isn’t the catholic doctrine that we are all sinners? In fact, you say before communion “I am not worthy to receive you [Jesus, via transubstantiation in the body & blood, aka bread & wine] but only say the word and I shall be healed”. You would think that this would be the _last_ thing they would want to deny to anyone. But I guess they have to keep up appearances…

Crooks and Liars » Communion need not be a political weapon

Christian Group Whining About Starbucks Quot New Quot Logo

Sat, 31 May 2008 16:11:00 -0700

Starbucks is switching back to their original logo, which Howard Schultz described as “bare-breasted and Rubenesque; [it] was supposed to be as seductive as coffee itself”. So, of course, the crazies who equate sex with the devil are going…crazy…over it. Can’t we send them back to the 16th century? they said “The company might as well call themselves Slutbucks.”

But this makes for quite a fun thought: You could get a Starbucks coffee and take it with you while you ride the South Lake Union Trolley (aka S.L.U.T.) It could be more fun than the Duck tour for tourists. It could even have a stopover at the Lusty Lady.

Another example where some Christian group is trying to push their version of “morals” on others. I’m fine if they want to boycott Starbucks. Maybe the lines will be shorter.

BBC NEWS | Business | Anger at ‘slutty’ Starbucks logo

There was not a unanimous consensus that Iraq had WMDs

Sat, 31 May 2008 04:27:00 -0700

It’s sickening that this easily-debunked story line is being trotted out in the media without being challenged. This posting lists several agencies who were not convinced.

Think Progress » McCain Reacts To McClellan: ‘Every Intelligence Agency In The World And Every Assessment’ Said Iraq Had WMD

The Bush administration did set up its own intelligence shops to disseminate faulty intelligence about Iraq’s alleged WMD. But “every” agency in the “world” did not buy the spin — several U.S. agencies were highly skeptical

O'Donnell Schools Buchanan

Sat, 31 May 2008 04:21:00 -0700

Oh, this is rich! Lawrence O’Donnell calls Pat Buchanan out for criticizing Scott McClellan for the very same thing he did under Nixon: not saying anything or opposing or resigning in the face of wrongdoing.

Crooks and Liars » Lawrence O’Donnell Humiliates Pat Buchanan

Why are self Respecting women still Catholic?

Sat, 31 May 2008 04:15:00 -0700

Can you say “Catholics hate women”? How many Catholics “turn the other cheek” at these anti-women policies their church “holy” officials are still supporting with extreme consequences for disobeying? Seriously! Isn’t it at the point where doing nothing to challenge the Vatican on these ancient misogynistic practices and beliefs means that you are complicit in perpetuating them (i.e. just as guilty)?

Vatican says will excommunicate women priests » Rational Review

“The Vatican issued its most explicit decree so far against the ordination of women priests on Thursday, punishing them and the bishops who try to ordain them with automatic excommunication. The decree was written by the Vatican’s Congregation for the Doctrine of the Faith and published in the Vatican newspaper L’Osservatore Romano, giving it immediate effect. A Vatican spokesman said the decree made the Church’s existing ban on women priests more explicit by clarifying that excommunication would follow all such ordinations. Excommunication forbids those affected from receiving the sacraments or sharing in acts of public worship. Rev. Tom Reese, a senior fellow at the Woodstock Theological Center at Georgetown University, said he thought the decree was meant to send a warning to the growing number of Catholics who favor admitting women to the priesthood.”

Ron Paul Grabs 24 Of Votes In Id Primary

Sat, 31 May 2008 04:10:00 -0700

Ouch. Even after winning the nomination McCain still can only get 70% of his own party’s votes–which is not unlike other state totals. And to have Ron Paul continue to get double-digits is very intriguing.

Paul has best showing yet, in Idaho - 2008 Presidential Campaign Blog - Political Intelligence - Boston.com

John McCain has the Republican nomination wrapped up, but Ron Paul isn’t going anywhere.

In fact, in Tuesday’s little-noticed Republican primary in Idaho, the iconoclastic Texas congressman had his best showing so far, grabbing 24 percent of the vote, nearly 30,000 votes in all.

Mainstream Media Defensiveness Indicates More Of Same Is Likely In Future

Fri, 30 May 2008 20:20:00 -0700

Media Matters - “Media Matters”; By Jamison Foser

Does anybody who isn’t employed by or related to George Bush still deny that the administration wasn’t truthful about Iraq? Or that the news media could have done a better job in the months preceding the war?

This was a rhetorical question in the article, but the answer is “yes”, unfortunately. Who are these who think the media did just a fine job of covering the run-up to the war? Well, the media themselves. I watched David Gregory defend himself with disgust on Hardball. Read this article Nieman Watchdog > Commentary > A refresher on how the press failed the people for more examples, but also some examples where the press rightly criticized itself. Given that even many journalists and media outlets have actually admitted some level of failing, it is even more baffling how many still claim that everything was as good as it could have been. This article is also notable in that it has larger excerpts from McClellan’s book criticizing the press than have been covered elsewhere.

It is too bad that someone hasn’t trotted out the names of the media executives who were quashing critical stories. I’d like to see some of them in the spotlight and hear their response to the charges.

The bottom line of course is that those media correspondents who are being so defensive indicate that they don’t think they needed to do anything differently so we’ll probably continue to see the same kinds of shoddy journalism and amplification of talking points that overemphasize distortions or lies.

The press amplifies the talking points of one or both parties in its coverage, thereby spreading distortions, half-truths, and occasionally outright lies in an effort to seize the limelight and have something or someone to pick on. And by overemphasizing conflict and controversy and by reducing complex and important issues to convenient, black-and-white story lines and seven-second sound bites the media exacerbate the problem, thereby making it incredibly hard even for well-intentioned leaders to clarify and correct the misunderstandings and oversimplifications that dominate the political conversation.

Exactly. Too bad it had to come so late Scott.

California Marrying Same Sex Couplesjust Like Gassing The Jews-

Thu, 29 May 2008 12:15:00 -0700

jews-

Um, yeah. Godwin’s law in full effect. Disgraceful!

‘Gas the jews’ vs. ‘Marry the gays’: ‘SaveCalifornia’ get cold feet - Good As You:: Gay and Lesbian Activism With a Sense of Humor

But it is also good to see New York State move to recognize same-sex marriages as well.

How can people compartmentalize so that they don’t see how “Separate but Equal” is the same argument as “Civil unions but not “marriage””? “Separate but equal is a set phrase denoting the system of segregation that justifies giving different groups of people separate facilities or services with the declaration that the quality of each group’s public facilities remain equal.” Hello? If that is illegal and immoral, then why not these laws? It’s the same thing and I predict eventually they will either be repealed or ruled unconstitutional. In fact, it violates the Fourteenth Amendment (Equal Protection Clause)

Economic Stimulus Act Of 2008 Notice Divulges The Last Four Of Your Ssn

Tue, 20 May 2008 10:52:00 -0700

I just got my second notice about my pending economic stimulus act rebate and saw to my dismay that it divulges the last 4 of my SSN. They mask out all the least-secret parts but leave the last 4 digits. Lame! Look for this format on the right-hand-side of the letter inside the very conspicuous envelope: XXX-XX-1234

So, be sure to shred these notices!

Debugging Nunit Tests In Visual Studio Express

Mon, 19 May 2008 15:09:00 -0700

One of the annoying things about VS Express (other than it for some reason not saving my user preferences) is that there is not an easy way to debug nunit tests from within the UI. There is also no way to attach to a process to debug, which is going to limit asp.net development utility. Maybe VS 2008 Express is improved in this regard? I’ll download and see.

Here are two great ways to debug nunit tests. I opted for the simpler option of creating a .csproj.user file and adding the section to each of the <PropertyGroup> sets like so:

 ...<br /> <StartAction>Program</StartAction><br /> <StartProgram>C:\\Program Files\\TestDriven.NET 2.0\\NUnit\\2.4\\nunit.exe</StartProgram><br /> </PropertyGroup><br />

Stu’s Blog: Debugging NUnit in Visual Studio Express

Michelle Malkin Video Draws Mysoginistic Feedback On Youtube

Sun, 18 May 2008 10:54:00 -0700

I am really getting tired of seeing the male response to crap like this stupid video that Michelle Malkin created involve sexual domination rhetoric against women. It debases the speaker and taints the debate and opponents of Malkin by proxy.

Unbelievable. I think the responses to the video are far, far, far worse than the video.

YouTube - VENT The Defeatocrats’ Cheer

Video cameras do not increase conviction rates

Wed, 07 May 2008 15:04:00 -0700

I’ll predict right now that Bruce Schneier will also blog about this.

So, you get much less safety/privacy, waste billions that could have been spent actually doing things that reduce crime, and no real benefit.

UK: CCTV boom has failed to slash crime, say police » Rational Review

“Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.The warning comes from the head of the Visual Images, Identifications and Detections Office (Viido) at New Scotland Yard as the force launches a series of initiatives to try to boost conviction rates using CCTV evidence” (05/06/08)

Open Letter Flagrant Rantings Of An Anonymous Interneter

Mon, 05 May 2008 14:57:00 -0700

I had to turn this into an open letter response. I saw several of these messages being posted to blogs without any response. Most likely because it is so inflammatory and haphazard.

But, it was so tiring that I had to stop part way though. Maybe someone else can post other replies to finish this out…if you can make it that far.

-Jason

-—-Inline Message Follows—–

I did not write this…. But?????????????

Food For Thought…

We’re not sure anyone really likes any of the choices for President, but**_

this guy makes some good points. a few naughty words spoken, but_**

whoever this guy is, he seems to be on target.

“We’re not sure”? Who is “we”. There are a ton of people who are passionately in support of Barack Obama and I have seen this first-hand at precinct Caucuses. And there is a similar fervor among the Hillary supporters.

_ After long and serious thought, I have decided to endorse Senator_**_

John McCain for President. I have always voted for the person and have not

voted for anyone because some political party was telling me who I should

vote for._**

So? This type of paragraph in chain emails is one that tries to trick you into thinking the person is non-partisan when you can tell right from the tone of the discussion and the lack of facts that this author is highly partisan. Don’t fall for this trick.

**_ We all know the choices by now and, that said, I do believe that the

process of selecting a chief executive is deeply flawed. The words “money”

and “special interests” come to mind, among many others._**

Again, so? Are you implying that somehow McCain is not subject to these same influences when the dems are?

**_Here’s the way I see it:

Barack Obama, you are a fine public speaker. You are also an

extremely liberal Senator_**

As if being “liberal” is a bad thing. But, contrary to popular propaganda, Obama is not the most liberal senator. By the most objective measure around, he has several colleagues more “liberal” than he is. Again, not that there is, or should be, anything wrong with that. See voteview: https://voteview.com/

**_from the State of Illinois, which has a long and

rich history of political corruption of the first magnitude.** You are indeed**

a child of that system._**

So, you are implying without saying or providing any EVIDENCE that Obama is “corrupt”? Hogwash. In fact, Obama has a higher ranking than Clinton on transparency and ethics: https://thinkonthesethings.wordpress.com/2007/11/05/barack-obama-vs-hillary-clinton-records-on-transparency-lobbyists-and-ethics/

You have finally insulted my intelligence far beyond my capacity to**_

tolerate your insults.****** It has nothing at all to do with your skin color._****

Does anyone think this makes any sense at all? Does anyone actually think this is a coherent, logical thought progression? I’m beginning to think this whole thing is a long string of non-sequiturs (not surprisingly)

As**_

a matter of fact, it would be so COOL to finally have an African-American

for President. What a great statement that would be to the entire world that

we are indeed the greatest country on earth!_**

But, unfortunately,

**_General Colin Powell is not running, and YOU are

NOT the man for this job !_**

Where did this come from? Not even a shred of rationale? “If we had a black president, it should be Colin Powell, not Barack”

Barack baby, you want me

**_to believe that you have never heard the

sermons of your own pastor, the Right Reverend “God Damn America” Jeremiah

Wright. It is a matter of record that this has been your church for over 20

years. It is a matter of record that you were married there by this very

pastor, and that your children were baptized there._**

So what? There is no point here. Barack never said he “never heard the sermons”.

**_ The good Reverend saw fit to visit Khadafy in Libya with you and to

give a lifetime achievement award to Louis Farrakhan, of all people._**

In the words of a good friend of mine, this is “horseshit”. The author is trying to say that Obama went _with Wright_ to visit Farrakhan? There is no evidence of that. In fact, Wright went with Farrakhan to visit Kadafy. This author doesn’t even have facts, let alone have them in the right order.

We have all now seen

**_excerpts of his sermons all over the airwaves

by now. And you have publicly stated that this man IS your “spiritual

mentor”._**

I defy you to find a quote of this. The press has referred to him in this way, but Obama has denied this:

“He was never my “spiritual mentor.” He was – he was my pastor. And so to some extent, how, you know, the – the press characterized in the past that relationship, I think, wasn’t accurate.”

BUT, your pastor is NOT

the reason I am NOT voting for you.

Okay, let me guess. You’re not voting for Obama but you’re not going to tell us why. You’re just going to continue with more non-sequiturs.

****His ****

**_ words were disturbing enough, but it is your own HUGE church congregation,

seen jumping, hooting and howling to his words in the background that

disturb me the most. And please don’t tell me you attended church there and

never once heard a “discouraging word” in the 20 years you attended there.

Don’t tell me, that in addition to the good reverend, that you are now not

having anything to do with all those other people seen hooting and howling

out in the audience in the background of his fiery tirades._**

Oh, it is the congregation! Seriously?! Guilt by association? Surely Wright has said some strange things but lots of what he has said rings true. I bet this guy hasn’t heard more than a soundbite though.

But what about the kinds of hateful, judgemental, crazy things that white pastors are saying, such as Hagee,

“I believe that New Orleans had a level of sin that was offensive to God, and they were recipients of the judgment of God for that.” “military confrontation with Iran is foretold in the Bible as a necessary precondition for the Second Coming.”

“Hagee, pastor of the 16,000-member Cornerstone Church, last week had announced a “slave sale” to raise funds for high school seniors in his church bulletin, “The Cluster.” The item was introduced with the sentence “Slavery in America is returning to Cornerstone” and ended with “Make plans to come and go home with a slave.””

“Do you know the difference between a woman with PMS and a snarling Doberman pinscher? The answer is lipstick. Do you know the difference between a terrorist and a woman with PMS? You can negotiate with a terrorist.”

He is even alleged to have made some very anti-Catholic statements, although I have yet to see an original in-context quote of Hagee making these statements. I don’t believe Bill Donohoe as a credible quoter, since I think he’s afraid of being out-crazied (Donohoe said, ““Hollywood is controlled by secular Jews who hate Christianity in general and Catholicism in particular. It’s not a secret, OK? And I’m not afraid to say it”)

Oh, and yet this anonymous author is fine with McCain who said, ““all I can tell you is that I am very proud to have Pastor John Hagee’s support.” Hypocrite!

Even Oprah Winfrey got

**_disgusted and walked out. I am no Oprah fan,

but still she did the right thing._**

I could not find anything about Oprah getting “disgusted” and “walk[ing] out”. She did leave the church due to Wright eventually.

Now YOU look me in the

**_eye and ask me to believe that you never

heard such language in all the years you attended there ! This is like me

telling you that I attended dozens of Klan rallys and never once heard the

“N” word. Yep. And Bill Clinton “did not inhale”._**

Just because he heard it, doesn’t mean he believes it. And I don’t see any particular quotes you think we should be outraged about. Again, I don’t think you’ve heard/read more than soundbites.

Yes, Mr. Obama, we all

**_have friends who have said stupid things that

embarrassed us, but NOW you have asked me to believe something that is so

incredibly stupid that you are telling me that I am just stupid enough to

believe you. THAT is the main reason that I will never vote for you._**

But, you’ll believe all the stupid crap peddled by McCain? Really?

****I am ****

**_ deeply sorry, that in a county teeming with enormously talented African

Americans who would make a good President, that the political system has

chosen YOU._**

You haven’t shown any reason why. Just ranted…

You

are a pathetic and plastic excuse for an American, who will**_

not even salute the Flag during the Pledge of Allegiance. God forbid you

ever get near the Oval Office._**

OMFG! This guy is pulling out all the stops! This is such a load of propagandic BS that has been totally debunked. Obama is a model of the American dream, building himself up from adversity. The author here is an idiot.

Now, did I mention Bill

**_Clinton ?

AH YES ! This brings us to MRS. WILLIAM JEFFERSON CLINTON, who this

candidate really is, in spite of all the other names she may care to call

herself._**

What? Does that make sense to anyone?

This “feminist” piece

**_of work of course would like to be referred

to as MS. and we all know who wears the pant suit in that family._**

Oh, so now she’s a feminist (in quotes, whatever that means)? Any empowered woman is a feminist? What evidence/rationale? Oh yeah, there isn’t any provided. Moving along…

MS. Clinton, (sugar), it

**_is just as depressing to realize that there

are dozens of women who would also make great Presidents. But, fortunately,

the horrible state of the selection process has selected YOU._**

What is this guy talking about? I’m no big Hillary fan but this is just stupid.

Ms.

Clinton,**_

I’m sorry, but you could not tell the truth if we waterboarded your

worthless ass !_**

You might have something there about her not being forthright, although bringing in the “waterboarding” aka “water torture” is a nice right-wing touch, don’t you think?

Still you play the role

**_of the “embarrassed but dignified noble

wife”._**

Why all the quotes? What are you trying to say with this statement?

What utter malarky !

On what basis? Oh yeah, he doesn’t need to give one.

**_I am not voting for you for a world of reasons,

but the main one is the same as my not voting for Senator Obama._**

You still have not made a coherent argument describing what this position is and further, how McCain does not.

**_You

persistently insult my intelligence._**

Well, judging by this insane rant, it should be insulted.

**_It COULD be conceivably possible that

you did not know about Monica Lewinsky, extremely remote, but possible if we

stretch our imaginations a bit. But you turn around and then ask me to

believe that you also did not know about Paula Jones and the legion of other

women who were chewed up and spit out by your lecherous excuse for a

husband. Puleese turn off this broken record !!!_**

What is the broken record? Bill Clinton? So, your point is that her husband was a bastard and you are going to presume that you know what she did/did not know (there is no evidence provided where she claims to not have known nor that she has “ask[ed] [you] to believe” this). Plus, I don’t believe that Paula Jones was proven.

But let’s set aside your hubby’s flagrant pecadillos.

Yes, let’s not impugn her by criticizing someone who is not her, Bill Clinton. Moving along…

**_The real

reason I will never vote for you is that I don’t think the country can

survive EIGHT MORE YEARS of Whitewater, Travelgate, Filegate, Sandy Berger

stuffing his socks with classified intelligence, Janet Reno’s goon squad,

and the myriad other corruptions that seem to stick to you like your ugly

face._**

There wasn’t any there-there with those “scandals”. Who do you think was responsible for the flood of false accusations? And, again, nothing about Hillary specifically mentioned. Don’t you find that odd?

**_So our former President can’t keep his dick in his pants. The REAL

issue is that he committed perjury under oath when he lied about it and the

pathetically-attempted cover-up that followed._**

I guess the author couldn’t “keep [it] in his pants” long enough to avoid going back to impugning Hillary by criticizing Bill. Not even a whole paragraph could he wait!

**_Like you, he is totally incapable of telling the truth. He could not

do it if you tortured him, and in voting for you, we would get the BOTH of

you, all over again._**

Enough with the Bill talk. What about Hillary!?

**_The same folks who could have taken out Osama Bin Laden

over 3,000 dead Americans ago !_**

OMFG! I’ll refer you to the PDB that Bush and company IGNORED entitled, “Bin Laden Determined To Strike in US”. BUSH did NOTHING about Bin Laden or Al Quaeda. Clinton, and Richard Clarke, were doing something about it. See anything about what Richard Clarke has said.

**_And please stop telling me that you have “8 years of experience” to

lead us. You were the freakin' first lady already, not the Commander in

Chief. Jeez ! The sum of your “experience” is that of the most worrisome and

incompetent meddling in the history of the White House._**

There is some truth to the first part, but the last part is just ad-hominem. Where is the evidence?

You even cursed your**_

pitiful staff and the Secret Service agents who were and still are

unfortunately charged with risking their lives to protect your worthless,

thieving hide, and all at the expense of other people who have to work for a

living._**

When did she do this? I find no evidence of this. I can’t take anymore of this. Over & out.

**_Your single pathetic platform is to finance the illegal drugs,

alcoholism and bad habits of the very lowest and most irresponsible

freeloaders in America and to then “garnish the wages” (your own words) of

every law-abiding and hard-working American to pay for it. This disaster you

refer to as “Universal Health Care”. Where have you been the last 30 years ?

Did you not see that socialism is a failure wherever it has been tried ? Did

you not notice that the Soviet Union has collapsed since it gave no reward

to those who worked the hardest for the fruits of their own labors to pay

for those who will not ??

It is interesting to see all the dead bodies that you and your hubby

have left in your wake. Suicides, mysterious deaths, cover-ups that make

Richard Nixon look like a rank amateur. The utter contempt and unbelievable

arrogance of some of your strongest supporters, most notably the recently

resigned and disgraced Governor Eliot Spitzer, the epitome of hypocritical

and malevolent arrogance gone wild, one of your most ardent, wealthy and

powerful political supporters. A man the news media refuses to admit IS a

“super delegate” in your own political machine, a fine example of your own

“adopted” state of New York. No wonder you moved there to run for Senator !

The environment there is perfect for the likes of you !

Yes, I would vote for a woman, but I will NOT vote for YOU !

Which leaves us with Senator John McCain.

John, you are a flawed man. You are a bit old, a bit looney, and you

have a notoriously bad temper. This perfectly qualifies you, in my humble

opinion, to lead us for the next eight years. I WANT your trembling hand on

the nuclear button.

Think about it.

We have Kim Jong IL, Chavez and Ahmadenijad all running around like

lunatics, threatening America and threatening to plunge the world into

nuclear Armageddon. We have Putin and the Chinese blustering and rattling

their sabres at us. I want John McCain in the Oval Office and I want him to

be really pissed off at all these other nut jobs around the planet.

John, once you are elected, I want you to go into the Oval Office and throw

one of your perfect FITS. Jump up and down and throw something through a

plate glass window. Rip the drapes down and foam at the mouth a bit. And I

want the whole thing on camera so that Ahmadinejad can see it. I want ALL of

these “world leaders” to lay awake at night and to break out in a cold sweat

every time they think of messing with the United States of America.

_**

Lieberman Website Was Not Hacked It Crashed

Tue, 29 Apr 2008 11:19:00 -0700

Lieberman is a wanker for many other reasons than this. But people do love to blame the faceless, nameless hacker before they exhaust their own likely culpability for an incident so whether it is purely political or the IT blame-game, it’s typical.

Media Matters - Media that reported Lieberman’s hacking charge against Lamont supporters have yet to report FBI found “no evidence of (an) attack”

Summary: Despite having reported the allegation by Sen. Joe Lieberman’s campaign that supporters of Ned Lamont had “hacked” Lieberman’s campaign website, ABC, CNN, and CBS have yet to report that an FBI investigation reportedly found “no evidence of (an) attack.” The Advocate of Stamford, Connecticut, reported on April 9 that an October 2006 FBI email indicated that the FBI had found Lieberman’s website “crashed because Lieberman officials continually exceeded a configured limit of 100 e-mails per hour the night before the primary.”

More Opportunity To Take Progressive Action

Fri, 18 Apr 2008 04:25:00 -0700

Moveon.org has a petition to media outlets to avoid a repeat of the recent ABC “news” “debate” which involved spending most of the time on inane “gotcha” kinds of topics and nothing on substantive issues. It was a horrid debate and was resoundly chided by most all critics.

“Debate moderators abuse the public trust every time they ask trivial questions about gaffes and ‘gotchas’ that only political insiders care about. Enough with the distractions–ABC and other networks must focus on issues that affect people’s daily lives.”

sign the petition to ABC and other media outlets and pass it on to friends who are also fed up

Also, John Conyers has a petition that you can use to notify your representatives in the senate to urge them to support the House version of the FISA bill that does not have immunity provisions for telecoms in it:

Last month, the U.S. House of Representatives passed a strong and balanced FISA bill, legislation that protects America’s national security while defending civil liberties – without granting retroactive immunity to phone companies. Retroactive immunity would abet the Bush-Cheney Administration’s efforts to avoid accountability for its actions.

Urge the Senate to support the House’s strong and balanced FISA bill – forward an email to your Senators now!

Progressive Democratic Outrage

Thu, 17 Apr 2008 10:33:00 -0700

I was incensed when the democratic senate passed the horrid FISA bill. It’s good that congress is actually standing up for what is good though and holding a tough line. I just wish the senate would get on board and at least do something, even if it will be vetoed.

And this frustration can be seen in what I wrote for the democratic petition to impeach Bush and Cheney for torture:

Progressives like me around the country are tired of the do-nothing democratic congress continuing to let these atrocities go unchallenged and unpunished. What does an administration have to do these days to be held accountable? Torture? I guess they get a pass on that. Spying on Americans? Guess not that either. Holding citizens and others without Habeas Corpus protections or any due process? Nope on that account as well. We can only hope that Bush will get caught in some prostitution or sex scandal so that he might have some chance of being impeached I guess.

Get it together Democrats! Take a stand to protect what this country stands for–as embodied in our constitution. Stop being the party of the spineless trash-talkers and do something active protect the constitution and our freedoms before they are gone forever.

Join me and sign the petition. Reminds me of a funny but sad bumper sticker I saw that said, “Will somebody blow this guy so we can impeach him?” with a picture of George W. Bush.

Climate Denier High School Textbook Clumsily Defended By Publisher Houghton Mifflin

Sun, 13 Apr 2008 12:10:00 -0700

Think Progress » Blog Archive » Houghton Mifflin offers misleading defense for climate-denier high school textbook.

Houghton Mifflin issued this statement in response to the growing controversy:

The authors do not provide a history of global warming; rather they use the issue to illustrate “entrepreneurial politics.” As part of this illustration, the book cites a wide range of sources, from the Intergovernmental Panel on Climate Change to Nobel Prize Winner Al Gore. Late last year, we released the 11th edition of “American Government,” which included some revisions to the “entrepreneurial politics” section. These revisions reflect current developments in environmental policy research.

Also, follow the link for a point-by-point debunking of the Houghton statement. Ugly anti-science. These guys are pitting climate change “skeptics” (aka deniers) on par with the consensus of scientific opinion on the matter. Typical ploy where a denier tries to make equivalent a small sect of skeptical voices against the tide of a scientific consensus on an issue as if there is equal weight.

Bill Kristol Consistently Wrong

Sun, 13 Apr 2008 11:45:00 -0700

This is a great quote that sums up Kristol:

William “The Bloody” Kristol who apparently thinks that enthusiastic consistency makes up for being 100% wrong on about everything he says.

And two other favorites are:

“Oh, Bill Kristol, are you ever right? – John Stewart

“the first to be wrong about WMD in Iraq in 1997” – John Stewart

Crooks and Liars » FOXNews Sunday: Bill Kristol Says Iraq is “Good” for McCain; Williams Says Kristol “Strains Credibility”

10 Home Security Tips

Tue, 08 Apr 2008 17:23:00 -0700

A pretty good list to keep in mind for securing your house.

I would also avoid keeping curtains open with a direct view into what kind of expensive stuff you have waiting inside. I’ve seen many a house these days with nice LCD or plasma TVs in the living room visible from the front door…

One of the best home security tips is to get to know your neighbors so you can watch out for each other.

10 Quick Security Tips @ Burglary Prevention Council

2008 Issa Northwest Regional Security Conference April 23rd

Mon, 07 Apr 2008 03:52:00 -0700

Sign up for the cheap and excellent 2008 ISSA Northwest Regional Security Conference. It is going to be on April 23rd in the same location, the Olympia Red Lion hotel. You don’t have to be an ISSA member to attend – you just have to pay a tiny bit more. And did I mention there will be a hosted social hour afterward where you can get your mingle & drink on?

There will be an exciting and interesting keynote. Details will be published within the next 24 hours.

This is my 4th year on the conference planning committee, but my 1st year actually participating in the conference itself. I don’t know if the website has been updated yet, but I’ll be on the panel discussion “Aligning Security with Business Strategy”, which should be interesting. The other participants are consultants and one government CIO so there should be some diverse opinions. I’m going to be writing up my thoughts shortly.

I will also be publishing my criteria for how to select the most optimal speakers for a conference in case anyone else is planning to take part in a similar endeavor.

Hope to see you down at the conference!

Dangers Of Publishing Too Much Information About You Online

Sun, 06 Apr 2008 06:10:00 -0700

I am often surprised at how much information bloggers put about their daily activities online. I myself prefer to publish information about what I’ve done _after_ I get back to avoid blabbing to the world when I will be gone. And, I don’t have my calendar publically-available either. Do you? How much do you leak out about yourself online?

Death by Google Calendar: How I Identified you to rob you

Copy Protection Sucks

Sat, 05 Apr 2008 17:49:00 -0700

Okay, I’ve got an Xbox Media Center setup and have found that some new DVDs, namely Rendition (2007), simply will not play in my XBMC. And, it causes VLC to crash. Windows media player hangs after the previews.

But, it will play just fine in Cowon’s excellent JetAudio software.

Turns out it’s because of some ill-conceived new copy protection that appears designed to thwart software-based DVD players (and presumably rippers).

However, the company is only ironically _forcing_ people to rip the DVD just to play it because the copy protection won’t allow software-based players (and possibly many hardware-based ones as well) to play the DVD at all.

DVDFab Decryptor + DVDShrink + Auto Gordian Knot to the rescue.

Comparing Obama Vs Clinton

Sat, 05 Apr 2008 00:43:00 -0700

There are significant differences. Here are some key ones that made me a supporter (and precinct delegate) of Obama:

On civil liberties. I was incensed that Clinton not only missed the vote on the FISA reauthorization bill that passed the senate, but that she made no attempt to lead against it at all beforehand. Obama, OTOH, did not vote but spoke out against it.

LCV ranks Obama higher on the environment I do wish that he would be more aggressive in some positions, such as pushing for doubling fuel economy standards far sooner than within 18 years as he has pledged. But I know this has been a big issue for the big auto lobbyists, which is why fuel standards haven’t changed since the 90s so this is probably a starting point at least for negotiations.

Barack Obama vs. Hillary Clinton Records on Transparency, Lobbyists, and Ethics For every item considered, Obama either Ties Clinton or comes out on top. Some highlights:

Released his tax returns. Clinton has not.
Released the names of all campaign contribution bundlers – regardless of funding level
Disclosed congressional earmarks
Co-sponsored campaign finance reform legislation
Takes no washington lobbyist contributions

Obama’s healthcare plan will likely end up insuring more people, even though Clinton’s takes a heavy-handed approach of mandatory participation (which I only support if it is a single-payer system). Also see Jonathan Alter’s excellent and compelling piece on how Obama’s plan is the right one for the times.

Obama on foreign policy. He has made clear that he would meet without preconditions with foreign leaders because he believes, as I do, that talking to your friends and adversaries is how you resolve conflict. Shunning foreign powers or holding out for our conditions, as with North Korea, didn’t even last as an approach in the Bush Administration. And for good reason. It’s not good policy but that’s what Clinton will continue.

Clinton also voted for the Iran amendment that categorized the Iranian guard as a terrorist organization, which also goes against the notion of diplomacy. This vote was opposed by Obama and others.

Clinton voted for the Iraq war and has never apologized for it, although in a later debate came close by admitting it was a mistake.

Obama on technology innovation. Clinton didn’t even seem to know that Obama had actually already gotten legislation passed that enabled searching online congressional records when she talked about how great that would be in a speech. And Obama is explicitly pro-net-neutrality. I wish he had put forth a more aggressive (than his pledged $15 billion/year) Manhattan-project-like initiative for alternative energy / energy independence but he is a big supporter of this.

Obama is also explicitly against consolidation of media ownership, which has corrupted the news and information available to Americans.

Other vote differences: Clinton-Obama differences clear in senate votes Great blog entry comparing each on various positions

Campaign tactics: Obama has run a very smart campaign. He has not made the mistakes of John Kerry and immediately and strongly addresses false information and false criticisms from the media and opponents. Clinton must have some really poor advisors since she has resorted to some tactics that are hurting the Democratic party by bolstering the Republican candidate’s resume over Obama’s.

Crazy Religious Person Of The Moment

Sun, 30 Mar 2008 15:23:00 -0700

Man found with woman’s body packed in dry ice in his hotel room

Airborne Settles Class Action Lawsuit

Tue, 25 Mar 2008 14:20:00 -0700

Airborne Agrees to Pay $23.3 Million to Settle Lawsuit Over False Advertising of its “Miracle Cold Buster” ~ Newsroom ~ News from CSPI

Lying scum.

If you are taking Airborne, try Obecalp instead. It works a lot better.

And if you take three per day, as suggested on the box, you are in danger of overdosing on Vitamin A.

Bush Is Overtly Pro Torture

Sat, 08 Mar 2008 15:18:00 -0800

What an ignorant, evil, imbecile bastard.

Crooks and Liars » Bush Vetos Anti-Torture Bill, Says Torture One Of “The Most Important Tools In The War On Terror”

1917 Bare Breasted Lady Liberty Coin Shunned By Puritanical Americans

Tue, 04 Mar 2008 01:06:00 -0800

Recently learned about this on History Detectives. More evidence of the kind of crap we have to deal with because of the mixing of religion and politics and our puritanical heritage…

The 1916 Lady Liberty coin featured a design of Lady Liberty exposing one breast. There was outrage of this being “obscene” and in 1917 the breast was covered in a coat of mail. I wonder if John Ashcroft’s relatives were involved with this controversy?

The 1916-1917 Standing Liberty Quarters - Lady Liberty Exposed - The Bare-Breasted Liberty Coin - Standing Liberty Naked Coin

Crackpot Science Emf Crank Dr George Carlo

Mon, 03 Mar 2008 14:02:00 -0800

I couldn’t believe what I was hearing on the radio when I heard this. I took a voice note that I’m now transcribing for your blogreading pleasure. Here is a transcription of my notes:

5:44pm sat oct 20th 2007

On am1090 radio, some guy claiming that "information carrying" radio waves (which we have never seen or experienced before
(in nature) as humans) actually cause cells to treat the waves as a foreign invader (in blood or
elsewhere). He said that they actually close down the cell membrane so the cells don't get nutrients.

His name is Dr. George Carlo

He was in one of the cell phone safety studies from 1993.

As someone with an Electrical Engineering undergrad degree and a very skeptical mindset, I was floored to hear something as ridiculous as the claim that “information carrying” radio waves are somehow more dangerous than those naturally-occurring radio waves before humans. The information is encoded on the radio waves as a modulation of frequency, phase, amplitude or some already-existent property of the radio waves. It would not make a radio wave go from being benign to dangerous.

And to claim that they actually close down the cell membranes?? Ludicrous!

But Dr. Carlo came across as really knowledgeable and spouting out “facts” so he would probably be a difficult debate target.

Of course a search for Dr. George Carlo turns up loads of credulous cruft (as is typical with pseudoscience and fringe claims on the Internet)

Dr. Steven Novella from the Skeptic’s Guide to the Universe podcast has a posting on his Neurologica Blog about Wireless Technology and Autism where he discusses some “research” done by Dr. Carlo that was published in an obscure journal – not a mainstream journal. This guy seems to be poking at the fringes of science to push his agenda.

One critical review is a rebuttal to a supposed email from Dr. Carlo on a skeptical blog: Dr George Carlo responds to Andrew Goldacre via Bad Science blog.

Email Factcheckorg With Dubious Political Claims

Mon, 03 Mar 2008 13:45:00 -0800

Very timely after my Obama open letter…

 Dear Subscriber:

We want your help.

 In the weeks to come, many of you may be receiving dubious political
mailers, chain e-mails, phone calls or other political communications
attacking or supporting a presidential candidate.

 Please consider forwarding these "under the radar" political messages
to us for evaluation.

 Please be alert for anything like the false e-mail attack on Obama
that we debunked Jan. 10, or the misleading postcard attacking Romney
that we took on Jan. 15.

 We would also be interested to get recordings of any dubious claims
made in phone calls or left on answering machines, whether they come
from live callers working from scripts, or are automated "robo-calls."
These might be in the form of phony public-opinion polls in which the
caller asks something like, "Would you change your vote if you learned
that Candidate X didn't pay her income taxes last year?"

 These kinds of messages are often aimed at voters in specific
geographic areas, or at specific demographic groups, and FactCheck.org
is seldom on the list. But with your help we will do our best to keep
distortions and falsehoods from spreading by these means.

 -Brooks Jackson

 If you can scan hard copies into your computer, or make digital audio
files, please e-mail to:
 [Editor@FactCheck.org](mailto:Editor@FactCheck.org)
Make the subject: Attn: Brooks Jackson

Otherwise, please send hard copies or physical recordings to:
Brooks Jackson
FactCheck.org
320 National Press Building
Washington DC 20045

Notable Quote On Change

Mon, 03 Mar 2008 13:42:00 -0800

"The chief cause of problems is solutions." Eric Sevareid, 1970

Global Warming Deniers Rebuttal

Mon, 03 Mar 2008 13:30:00 -0800

This is an excellent post to the SGU forum you can hand to any global warming denier.

The Skeptics’ Guide to the Universe Forum :: View topic - Global Warming & CO2 cause or effect?

Aclu Fisa Fact Check

Mon, 03 Mar 2008 13:27:00 -0800

Good to check out what kind of wool the Bush administration is trying to pull over your eyes on FISA. And the weanie democrats in the House seem to be following in the (lack of lead) of the Senate democrats and seem likely to give the telecoms retroactive immunity _even though nobody (not even the senators voting) knows what exactly they have done or for how long or under what circumstances_

You’d think they would want to find out what they are granting immunity for first, right?

American Civil Liberties Union : FISA Fact Check: Setting the Record Straight on the White House

More People Quot Unaffiliated Quot With Religion In The Us

Mon, 03 Mar 2008 13:25:00 -0800

A completely unscientific mashup of survey data from a couple different surveys for comparison.

1990

2001

2008

Percent Christian

86%

77%

78.4%

Follow no organized religion

14.1%

16.1%

4.7% believe in “other faiths”. That means that 20.8% of Americans (about 47 million Americans) have either no faith or a non-Christian faith.

In 2001, Washington State had 25% in the “unaffiliated” with religion category. Surprisingly, our state is much less religious. Funny how many freaking churches there are everywhere though.

4% of the 16.1% say they are atheist or agnostic. So, I’m definitely in the minority. But the overall “unaffiliated” minority is still growing. And, it seems to be growing more among the next generation, which is a good sign “one-in-four [18-29] say they are not currently affiliated with a particular religion.”

Survey data from 35000 Americans: https://pewforum.org/news/rss.php?NewsID=15041 https://www.biblicalrecorder.org/content/news/2008/02_25_2008/ne25022008study.shtml (this link has images of the full survey results) https://www.religioustolerance.org/chr_prac2.htm

Open Letter Response Racist Obama Email Circulating

Mon, 03 Mar 2008 13:05:00 -0800

I had to respond to this email.; It made me so angry that such lies and racist remarks get passed around so carelessly. People don’t think that forwarding a simple email could possibly be harmful. Well, these falsehoods are making their way to other people and they are changing people’s voting plans.

This is just _one example_ of where people have believed this Internet filth: https://www.huffingtonpost.com/2008/03/02/ohio-voter-on-60-minutes_n_89476.html

There is _real harm_ from forwarding falsehoods on the Internet. Stop them before they destroy anyone else’s life or reputation.

And for Allah’s sake, do some freaking research before forwarding crap!!!

= My response:

This is one of the most outrageous, racist (against Obama and blacks) and patently false emails I have seen in a while. It is roundly debunked on every level. And it only takes a couple seconds to check Snopes and even Google!

Refuse to be part of any swiftboat-style smear campaign based on lies and racist propaganda such as this.

https://www.snopes.com/politics/obama/church.asp https://www.snopes.com/politics/obama/muslim.asp https://urbanlegends.about.com/library/bl_barack_obama_muslim.htm

“no evidence supports a claim that Obama is currently, or ever has been, a Muslim (radical or otherwise)”

-Jason

ORIGINAL, DESPICABLE, UNTRUE CHAIN EMAIL:

Obama mentioned his church during his appearance with Oprah. It’s the Trinity Church of Christ. I found this interesting.

Ob********ama’s church:

Please read and go to this church’s website and read what is written there. I checked the church website and what I found is very alarming.

Barack Obama is a member of this church and is running for President of the U.S. If you look at the first page of their website, you will learn that this congregation has a non-negotiable commitment to Africa****. No where is**** AMERICA even mentioned. Notice too, what color you will need to be if you should want to join Obama’s church… !!! Doesn’t look like his choice of religion has improved much over his (former?) Muslim upbringing. Are you aware that Obama’s middle name is Hussein? Strip away his nice looks, the big smile and smooth talk and what do you get? Certainly a racist, as plainly defined by the stated position of his church! And possibly a covert worshiper of the Muslim faith, even today. This guy desires to rule over********America while his loyalty is totally vested in a Black Africa****! I cannot believe this has not been all over the TV and newspapers. This is why it is so important to pass this message along to all of our family & friends. To think that Obama has even the slightest chance in the run for the presidency, is really scary.****

2008 Washington State Democratic Caucus

Sun, 10 Feb 2008 16:00:00 -0800

I participated in my first caucus this weekend. First, I have to say “Go Fightin’ 34th!”

My wife and I had to park several blocks away because there were so many people attending!

We were told that in 2004, there were _maybe_ 15 people attending for my precinct (one of 10 or more in my district). This time there were at least 60! Can’t wait to see the official tally.

Most of the people there were older (35+ I’d guess). Not that many young people. But I’m not surprised since my district and precinct don’t necessarily include a lot of affordable housing for young people. It’s an older area.

On the initial voting, there were 4 delegates for Obama, 2 for Hillary, and 1 for undecided. There were maybe 8-10 people who were undecided so it was fun to have the debate and try to rally people to your side. We were asking the undecideds what they had questions about and mostly it was too close to call for them or they didn’t understand enough about the details of the candidates to make a decision and wanted to be persuaded

We ended up swaying enough from the other camps to take that undecided delegate into the Obama camp so the final was 5 Obama, 2 Hillary. I’m one of the 5 delegates that will be at the larger conventions on the 5th and 19th (we had a hard time finding people who were in-town able to make it).

Fortunately, we were in a school and each precinct got to find an open classroom so we weren’t all jammed into the auditorium. So, it was easy to hear the points during the debate.

We had one person who was a conservative Independent and Iraq war vet who spoke passionately and emotionally about why he is for Obama. He is in the camp of “we broke it, we need to fix it” with Iraq so was not for the hawkishness of the other candidates.

Most had good reasons for supporting their candidate, although I wish there could have been more substantive talk on the issues. I need to come more prepared next time. It was pretty energizing to see so many more people out there. When I went door-to-door in 2004, it didn’t feel like I made much of a difference (no wonder Bush won again!)

Looks like the final results for my 34th precinct are in:

Obama: 736 delegates (70%) Clinton: 293 delegates (28%) Uncommitted: 15

Money raised for dues and contributions to the 34th: $29,000.

FYI, the upcoming caucus schedule is:

Caucus Schedule

• Saturday, February 9th: Precinct Caucuses (see below)

• Saturday, April 5th: 34th Legislative District Caucus

• Sunday, April 13th: King County Democrats Convention

• May: Congressional District Caucuses (dates TBD)

• Saturday, June 14th: Washington State Democrats Convention

• August 25-28: National Democratic Convention, Denver

See you on the 5th!

Palm Sized Linux Computers

Sun, 10 Feb 2008 15:50:00 -0800

Very cool, and reasonably-priced, tiny linux computers. Even with bluetooth!

gumstix - dream, design, deliver

Bobbear Information On Money Laundering Fraud

Tue, 01 Jan 2008 08:40:00 -0800

I’m going to be digging into this site. Hat tip to the F-Secure blog for this site.

Money Laundering Fraud

Pci Pa Dss Draft Does Away With Requirement For Persisting Credit Card Data

Tue, 01 Jan 2008 08:39:00 -0800

One of my biggest beefs with the security technology industry and even with auditors and legislators has been to mindlessly push encryption as the solution to data theft problems.

To quote Bruce Schneier again:

The ultimate solution. Well, the payment application vendors, supposedly prodded by the likes of Visa and Mastercard, have been recording varying levels of details about payment transactions for 18 months. Thus, the credit card companies have been part of the problem here and with this requirement change, they can become part of the solution for once. They have a great racket…

I did a very detailed decision tree previously that I’ll have to get out there for helping design systems with privacy in mind decide what they should store and if they do store it, how long to store it and how to protect it. The flow starts with the question: Do you really need to store this data? If yes, the next question would be: For how long? If you start with encryption, you miss out on even asking these questions which could result in _more security by design_ and _lower risk_.

It all depends on your threat model whether encryption solves your problem or not. If the data theft is due to an application or business logic flaw, then encryption is unlikely to do anything for you (e.g. an XSS attack can reveal encrypted data just fine…)

Group drafts rules to nix credit-card storage

URI vs. URL

Tue, 01 Jan 2008 08:36:00 -0800

I’ve wanted a good operational definition for when you should use URI or URL and so here’s my attempt:

Summary:

URI refers to a resource. e.g. urn:isbn:0-395-36341-1 for a book by ISBN

A URL is a type of a URI that provides additional information that URIs don’t necessarily provide (but they can):

URLs tell WHERE you can obtain a particular representation of a resource – hence the “Locator” in the name.
e.g., you use HTTP or FTP to access this server at this address and this specific resource (GIF file, PHP page, etc.)

A resource with a given URI could have multiple different URLs. The same ISBN URI above can be found at Amazon or many other online URLs, for example.

Ajaxian » URI vs. URL: What’s the difference?

Uniform Resource Identifier - Wikipedia, the free encyclopedia

Caja Capability Model For Javascript

Tue, 01 Jan 2008 08:31:00 -0800

This could be one of the coolest things to come along in a while. I heard it mentioned at OWASP and then just found an article on Financial Cryptography about it as well.

FYI, wikipedia article on Capability-based security

Links » Caja: Capability Javascript

…rather than modify Javascript, we restrict it to a large subset. This means that a Caja program will run without modification on a standard Javascript interpreter - though it won’t be secure, of course! When it is compiled then, like CaPerl, the result is standard Javascript that enforces capability security. What does this mean? It means that Web apps can embed untrusted third party code without concern that it might compromise either the application’s or the user’s security.

Computer Failure Causes Closure Of Seattle Downtown Transit Tunnel

Tue, 01 Jan 2008 08:29:00 -0800

This one boggles the mind. I had to send it for publication in Risks.

The Risks Digest Volume 24: Issue 93

Computer Failure Causes Closure of Seattle Downtown Transit Tunnel

The tunnel was opened, and then closed again the next day due to continued problems:

Bus tunnel closure continues

Technicians from Sound Transit, Metro and General Electric Transportation, which was contracted to install the electrical and computer systems, were trying Wednesday evening to figure out what caused a connection between the tunnel and the control center to fail Monday, work Tuesday, and then fail again.

The tunnel’s electrical systems, which control the lights and ventilation, are working, Sound Transit spokesman Bruce Gray said. But the disruption prevented Metro’s control center from remotely running the systems. For safety, Sound Transit and Metro decided to keep the tunnel closed.

It is supposedly open again:

RPIN - View News Release ** Downtown Seattle Transit Tunnel open Thursday morning (Dec 27th)**

Avoiding Uri Comparison Security Bugs In Windows Apis

Tue, 01 Jan 2008 08:23:00 -0800

-apis

This post is directly related to some work I’m going to be doing so I was happy to stumble across it in my feed reader.

Bottom line: Use IUri::IsEqual.

Future extra credit: use Reflector to find out what .Net methods for URI comparison there are and if they marshal to the good or bad methods mentioned here…

IEBlog : URI Comparison Functions

Investigating URI parsing related issues in various products, I’ve run across many instances of code erroneously attempting to compare two URIs for equality. In some cases the author writes their own comparison and seems to be unaware of URI semantics and in other cases the author delegates to a Windows provided function that doesn’t quite work for the author’s scenario. In this blog post I’ll describe some of the unmanaged URI comparison functions available to Win32 developers, and a few common mistakes to avoid.

Beware Of 5 Star Software Ratings

Tue, 01 Jan 2008 08:06:00 -0800

There are so many sites that allow downloading and rating software; you have to find the few that you can trust and use those. And use multiple sources of information to validate the ratings.

Beware of Five-Star Vaporware - security Fix

U.K. computer programmer Andy Brice was proud of the awards and accolades his software had won from his peers online. That is, until he noticed that pretty much everyone else’s software received the same “5-star” rating and high praise from various software directories and download sites.

Curious about just how thorough the sites are at reviewing software, Brice submitted a fake program that did absolutely nothing.

On The Horrible New Wiretapping Law

Tue, 01 Jan 2008 08:03:00 -0800

Susan Landau - A Gateway for Hackers - washingtonpost.com

Current administration policy is replete with examples of quickly enacted efforts whose consequences led to the opposite effect. (Beware of what you wish for . . . .) With Congress caving last week, the National Security Agency no longer needs a Foreign Intelligence Surveillance Act (FISA) warrant to wiretap if one party is believed to be outside the United States. This change looks reasonable at first, but it could create huge long-term security risks for the United States.

California Limits Use Of E Voting Systems But Does Not Go Far Enough

Tue, 01 Jan 2008 08:02:00 -0800

It was unclear from my cursory read of the materials whether machines will require voter verifiable paper audit trails. At least the Sequoia and Diebold machines must have their ballots hand-counted so it does sound like all-electronic voting is dead for those machines at least.

The full details are available here: https://www.sos.ca.gov/elections/elections_vsr.htm

Read Rebecca Mercuri’s comments in Risks on this announcment: California Voting System Hacking Report

My favorite gem:

…let’s just throw more money atadditional security mechanisms and training while we all pretend that we’reconducting legitimate elections. Good job, guys, thanks for letting the CASoS off the hook.

Here’s a novel thought: why not just throw this crap in the junk heap whereit belongs, vote on paper, and let the citizens do the counting? Maybe foranother $1.8M some State can get a team of PhDs to validate that conclusion.

California Puts Limits on Use of E-voting Systems

California Secretary of State Debra Bowen has mandated tough new security standards for the state’s e-voting systems and curtailed their planned use after an independent review of the technology.

“Citizens do not have confidence that elections have been fairly decided, because they don’t have faith in the integrity of the tools,” Bowen said during a teleconference on Aug. 3.

The state will allow e-voting machines made by Diebold Election Systems Inc. and Sequoia Voting Systems Inc. to be used only under strict conditions. Polling stations won’t be able to have more than one of those systems in place, and county registrars will have to take steps such as reinstalling the software and firmware for the devices and resetting their encryption keys.

Bowen mandated similar security measures for Hart InterCivic Inc.’s e-voting systems, but without the single-machine limitation. She decertified products from Election Systems & Software Inc. after it was late in providing researchers with access to them. The ES&S systems are being evaluated now and could be approved for use in next year’s presidential primary, she said.

E-voting systems were used by one quarter to one-third of California voters in last November’s election, Bowen said.

But during a state-sponsored review of the machines and their source code, a team of penetration testers found 15 security problems, including the ability to exploit flaws in Windows.

The team reported that it was also able to overwrite firmware, bypass system locks, forge voter cards and install a wireless device on the back of a Diebold server.

Dspam Cvs Binaries And Patches Available For Debianubuntu

Tue, 01 Jan 2008 07:47:00 -0800

I finally have my patches and binaries for the latest version of dspam cvs available at my oz.net page for download. There have been upwards of 30 patches applied to dspam 3.8.0 in the cvs version that fix all kinds of bugs so it is nice to be able to run the latest and greatest. It is likely to be more stable than the 3.8.0 binaries out there even for bleeding edge… Lots of memory leaks fixed as well in this version.

You can follow similar instructions from my previous post:

Postfix + DSPAM 3.8.0 + Ubuntu if you want to build this from scratch.

Open Letter Response To Chain Email Regarding Anti Muslim Sentiments And Opposition To Usps Eid Stamp

Thu, 27 Dec 2007 06:26:00 -0800

An earlier response.

Oh, brother. There is nothing wrong with this country except that we need a do-something congress and to way 468 days for a new president. We live in a pluralistic society. We do NOT live in a Christian nation, although there are those in the American Taliban who would love a theocracy as much as the Islamic extremists.

There are millions of MUSLIMS who are also AMERICANS. The two are not mutually-exclusive.

The atrocities described below were the result of EXTREMISM; the acts are generally known to be incompatible with traditional ISLAM teachings so they are not condoned by most MUSLIMS–only a radical extreme group. And let us not ignore how the below comes off as CHRISTIAN EXTREMISM EQUALLY AS ABHORRENT AS MUSLIM EXTREMISM (death to the infidels and all that. The below reads as if it could have simply said “death to the muslims”).

The swath below uses anecdotes to try to make it seem as if MUSLIMS are somehow not worthy of any dignity or respect. A similar list could be written about CHRISTIANS, but that doesn’t mean that we shouldn’t have Christmas stamps, does it? For example:

The Christian Crusades from 1095-1272 resulted in the deaths of 1 million people

The Spanish inquisition from 16th-18th century resulted in the deaths of 350,000 people. Many were also tortured by some of the most hideous methods ever devised and carried out by the clergy.

The Witch Hunts from the 15th-17th century resulted in the deaths of about 100,000 people

The Irish Republican Army (IRA) bombed and killed many in the disputes between Protestants and Catholics.

Abortion clinics have been bombed and doctors shot dead by religious extremists.

…all in the name of religion. And this email wants to keep the Crusades going I guess.

Or, maybe we can look inward before we “cast the first stone” at those of other faiths and ethnicities

Remember the AMERICAN bombing of Oklahoma City? Remember the AMERICAN UNABOMBER attacks? Remember the AMERICAN and CHRISTIAN Olympic Park Bombings? Remember the AMERICAN KKK lynchings and other domestic terrorist attacks?

This kind of us vs. them mentality and religious intolerance, xenophobia, hatred, and ignorance is exactly what drives the extremists all religions. I’ll bet there’s a version of this substituting CHRISTIAN below circulating around Al-Qaeda training camps.

I ask: when can we all at least act like Christians and “love thy neighbor”?

-Jason

Neil wrote:

> 
> 
> 
> 
> Note: forwarded message attached. 
> 
> 
> 
> ![](04.gif) ...Neil 
> 
> 
> * * *
> 
> 
> 
> 
> * * *
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Subject:
> 
> 
> Fw: Subject: What The Hell is The Matter with this Country??
> 
> 
> 
> From: redacted@example.com
> 
> [](mailto:jbudzak@comcast.net)
> 
> Date:
> 
> 
> Mon, 08 Oct 2007 21:54:53 +0000
> 
> To:redacted@example.com
> 
> 
> 
> \-------------- 
> 
> > Forwarded Message: -------------- 
> >   
> > 
> > \----- Original Message ----- 
> > 
> > **Subject:** Subject: What The Hell is The Matter with this 
> > Country??
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > **Subject:** What The Hell is 
> > The Matter with this Country?? 
> > 
> > 
> > **_ 
> > USPS  New Stamp 
> > 
> > _****_ 
> > This  one is impossible to believe. Scroll down for the text. 
> > 
> > _** 
> > 
> > <!-- ![](stamp.jpg) -->
> > 
> > **_ 
> > 
> > If  there is only one thing you forward today.....let it be  this! 
> > 
> > _**  ** 
> > 
> > REMEMBER the MUSLIM bombing of Pan Am Flight  103! 
> > REMEMBER the MUSLIM bombing of the World Trade Center  in 1993! 
> > REMEMBER the MUSLIM bombing of the Marine  Barracks in Lebanon! 
> > REMEMBER the MUSLIM bombing of the  military Barracks in Saudi Arabia! 
> > REMEMBER the MUSLIM  bombing of the American Embassies in Africa! 
> > REMEMBER the  MUSLIM bombing of the USS COLE! 
> > REMEMBER the MUSLIM attack  on 9/11/2001!**
> > 
> > **REMEMBER all the AMERICAN lives that were  lost in those vicious MUSLIM attacks! 
> > 
> > **** 
> > 
> > 
> > 
> > 
> > 
> > Now  the United States Postal Service REMEMBERS and HONORS the EID 
> >  MUSLIM holiday season with a commemorative first class 
> > 
> > _Holiday postage stamp. Bull! 
> > 
> > _ 
> > 
> > REMEMBER  to adamantly and vocally BOYCOTT this stamp 
> > 
> > _When purchasing your stamps at the  post office. To use this 
> > stamp would be a slap in the face to all  those AMERICANS who died at 
> > the hands of those whom this stamp  honors. 
> > 
> > _ 
> > 
> > REMEMBER  to pass this along to every patriotic AMERICAN you  know!!!** 
> > 
> > 
> > 
> > 
> > 
> > 
> > * * *
> > 
> > 
> 
>

Open Letter Response To Theodore Roosevelt'S Opinions On Immigrants

Thu, 27 Dec 2007 06:18:00 -0800

Another installment. A light response; was getting warmed up. I’m interested in rational discourse instead of everyone assuming that everyone believes in what they do; maybe get people to think critically about their own opinions a bit more.

This makes me curious about a couple of questions of the recipients:

1. Which specific points that the president made below do you agree with? 2. Do you think that the fact that a former president said this makes it more compelling? If so, how do you reconcile this with the founding fathers who were slaveowners or believed that women shouldn’t be allowed to vote, etc.? 3. How do you reconcile the president’s statements below, “the person’s becoming in every facet an American, and nothing but an American” and “Any man who says he is an American, but something else also [i.e. Polish, Irish, etc.], isn’t an American at all. We have room for but one flag, the American flag” with pride of origin that we as Pollocks might want to celebrate? Or is there a disconnect where it’s okay for us but not for others? Where do you draw the line and why?

I thought it would be more interesting and enlightening if maybe we can get a dialogue started than simply passing these kinds of emails around without knowing just where people stand on these things. Especially if the intent of these emails is to try and change people’s minds; the emails serve only to preach to the choir who already buy into the sentiments unless there is something else compelling about them.

Cheers and Happy Holidays!

-Jason

redacted@example.com wrote:

> 
> 
> bob
> 
> \----- Original Message ----- 
> 
> **From:** redacted@example.com
> 
> **Sent:** Tuesday, December 18, 2007 7:38 AM
> 
> **Subject:** A MUST read.....
> 
> 
> 
> 
> 
> > _**A great history and genealogy lesson.  **_
> > 
> > The year is 1907, one hundred years ago..... READ PRINT UNDER PICTURE
> > 
> > ![](file://c:%5c/ATT0000111.jpg)
> > 
> > 
> > 
> > Theodore Roosevelt's ideas on Immigrants and being an AMERICAN in 1907. 
> > "In the first place, we should insist that if the immigrant who comes here in good faith becomes an American and assimilates himself to us, he shall be treated on an exact equality with everyone else, for it is an outrage to discriminate against any such man because of creed, or birthplace, or origin. But this is predicated upon the person's becoming in every facet an American, and nothing but an American...There can be no divided allegiance here. Any man who says he is an American, but something else also, isn't an American at all. We have room for but one flag, the American flag... We have room for but one language here, and that is the English langua ge... and we have room for but one sole loyalty and that is a loyalty to the American people." 
> > Theodore Roosevelt 1907 
> > Every American citizen needs to read this! 
> > KEEP THIS MOVING 
> > ![](file://c:%5c/ATT0000222.gif)
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 
> * * *
> 
> 
> 
> 
> 
> 
> * * *
> 
>

Open Letter Response To Chain Email Supposedly From Ben Stein About Christmas

Thu, 27 Dec 2007 06:13:00 -0800

Here is another open letter installment. I have had several in the hopper recently…

-Jason

I would be interested more in which of the specific points below people actually believe in. I can’t imagine you believe in all of them, but maybe you do. I’d be interested in the rationale.

I’ll offer my point-by-point commentary below.

BTW, Ben Stein is surprisingly kind of a nut-job. He’s got a new documentary coming out that is full of crackpot conspiracy theories about Intelligent Design (which is NOT science) is somehow being suppressed by the scientific establishment. Intelligent Design is the new name for Creationism. It is also the banner for those on the religious right who simply want to criticize evolution, one of the most well-tested and fundamental scientific theories of our time.

I’ll pose some very succinct questions here as well to hone in on what people who believe some or all of the below actually believe:

1. How do you think our society would fare any differently from the other theocracies? e.g. most people loved the Taliban in Afghanastan but their society suppressed other beliefs and oppressed women and others under the auspices. 2. How do you think that our Government can guarantee religious freedom and tolerance for ALL beliefs if it is actively promoting the Christian beliefs and agenda? How can you guarantee that competing beliefs will not be drowned out by the “tyranny of the majority”? 3. There are over 20,000 Christian denominations in the United States. Which one should be the foundation for a Christian American nation? A bonus question: which version of Christian salvation is correct: a) All you have to do is Believe and you are saved. b) You have to be a good person and can be saved even if you don’t believe? Christian religions cannot even agree on such a basic dogmatic tenet! 4. If another religion or belief system became the dominant religion in America, should we change and have our Government promote that religion? e.g. Judaism or Mormonism or Islam or even atheism (although it is not a religion)? 5. What do you think about the author of this email (not necessarily who sent it – the original author, and not Ben Stein) being dishonest and violating one of the 10 commandments by misattributing text below to Ben Stein that he never said in an attempt to get more people to believe it? Is that Christian?

But be sure to read the below before you answer these.

-Jason

Vincent wrote:

> 
> 
> 
> 
> 
> > * * *
> > 
> > Date: Tue, 11 Dec 2007 10:41:03 -0800 
> > From: [redacted@example.com](https://www.blogger.com/blogger.g?blogID=7617793329353943789) 
> > Subject: Fwd: FW: Ben Stein 
> > To: [redacted@example.com](mailto:stalvord@yahoo.com)[](https://www.blogger.com/blogger.g?blogID=7617793329353943789) 
> > 
> > 
> > 
> > Note: forwarded message attached. 
> > 
> > ![](https://us.i1.yimg.com/us.yimg.com/i/mesg/tsmileys2/04.gif) ....Neil 
> > 
> > * * *
> > 
> > [ 
> > ](https://us.rd.yahoo.com/evt=51733/*https://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ) 
> > 
> > > \--Forwarded Message Attachment-- 
> > > From: redacted@example.com[](https://www.blogger.com/blogger.g?blogID=7617793329353943789) 
> > > To: [redacted@example.com](https://www.blogger.com/blogger.g?blogID=7617793329353943789)[](mailto:nagruchalla@yahoo.com) 
> > > Subject: FW: Ben Stein 
> > > Date: Tue, 11 Dec 2007 09:43:30 -0800 
> > > 
> > > 
> > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > _ If they know of him at all, many folks think Ben Stein is just a 
> > > > > quirky actor/comedian who talks in a monotone. He's also a very intelligent 
> > > > > attorney who knows how to put ideas and words together in such a way as to sway 
> > > > > juries and make people think clearly. 
> > > > > _

\[Jason\] Being intelligent and an attorney are supposed to somehow convince people to believe \_opinions\_ below about various subjects more than otherwise?  Those are irrelevant characteristics, especially when the topic has nothing to do with the law or intelligence.  Maybe if he were giving his legal opinion that might hold some sway, but the statements have to stand on their own regardless of one's credentials. 

> > > > > _ 
> > > > > The following 
> > > > > was written by Ben Stein and recited by him on CBS Sunday Morning Commentary. 
> > > > > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~__   
> > > > > I am a Jew, and every single one of my ancestors was Jewish. And it does not 
> > > > > bother me even a little bit when people call those beautiful lit up, bejeweled 
> > > > > trees Christmas trees. I don't feel threatened. I don't feel discriminated 
> > > > > against. That's what they are: Christmas trees. 
> > > > > _

\[Jason\] Well, christmas trees weren't always associated with Christmas.  As with many Christian symbols, the Christmas tree was formerly a Pagan tradition.  Note that Ben Stein was not reputed as a historical scholar so I guess his error can be understood.  See [https://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/25/MNV6U3MJI.DTL](https://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2007/12/25/MNV6U3MJI.DTL) for more info. 

> > > > > _ 
> > > > >  It doesn't bother me a bit when people say, 'Merry Christmas' to me. I don't think_
> > > > > 
> > > > > > > _they are slighting me or getting ready to put me in a ghetto. 
> > > > > > > In fact, I kind of like it. It shows that we are all brothers and sisters celebrating_
> > > > > > > 
> > > > > > > _this happy time of year. It doesn't bother me at all that there is a manger scene on display at a key 
> > > > > > > intersection near my beach house in Malibu. If people want a creche, it's just as 
> > > > > > > fine with me as is the Menorah a few hundred yards away.. 
> > > > > > > _

\[Jason\] So long as these are not on public lands supported by the Government in any way, then nobody should feel threatened.  But if they are, everyone should be a bit concerned when the Government starts taking sides in religious matters.  I've said it before and I will say it again:  Keeping the Government out of religious matters entirely is key to even you maintaining your ability to practice your brand of faith in the future.  The minute the Government starts taking sides, they threaten \_your freedom\_ as well.  Recall the revolutionary war that we won over England in 1776 that was in large part over religious freedom from the oppression of the Church of England over other denominations... 

> > > > > > > _ 
> > > > > > >     
> > > > > > >  I don't like getting pushed around for being a Jew, and I don't think 
> > > > > > > Christians like getting pushed around for being Christians. I think people who_
> > > > > > > 
> > > > > > > _believe in God are sick and tired of getting pushed around, 
> > > > > > > period._

\[Jason\] Who is pushing who around?  He does not cite any examples.  He seems to be speaking in general about those who (rightly) want to keep Religion out of the Government.  Again, this is a Good Thing.  And it should not be perceived as threatening to religious people.  Keeping the government out of religious matters ensures religious freedom for ALL people.  Lack of religion in government does not imply lack of morals for society!! (I think we can see that government does just fine in the immorality department with or without religion...but that's another topic).  They are obviously mutually-exclusive.  
 

> > > > > > > _I have no idea where the concept came from that America 
> > > > > > > is an explicitly atheist country? I can't find it in the Constitution, and I 
> > > > > > > don't like it being shoved down my throat. 
> > > > > > > _

\[Jason\] What in the hell is he talking about?  This came out of left field!  Who is he claiming has the "concept" that America is an "atheist" country?  Nobody says that.  This is called a "straw man" argument.  Our founding fathers believed that our government must be a Secular institution, but that does not mean "atheist".  What does he think "atheist" would mean in this context?  It seems that he is conflating "atheist" with "anti-theists".  Atheists are not necessary ANTI-religion.  Atheism just means a lack of belief, which at its root is not a whole lot different than being secular, which as I mentioned already is a Good Thing for government.  Secular government ensures religious freedom for ALL people.  Imagine trying to be a Christian in Iraq or some other place under Sharia law?  Bad things have always happened in history when religion joined with governmental power. 

> > > > > > > _ 
> > > > > > > Or maybe I can put it another way: where did the idea come from that 
> > > > > > > we should worship Nick and Jessica and we aren't allowed to worship God as we 
> > > > > > > understand Him? I guess that's a sign that I'm getting old, too. 
> > > > > > > _

\[Jason\] Again, what the hell is he talking about?  Certainly, I would agree with his suggestion that the public at large is overly obsessed with celebrity and celebrities.  But again, who is he saying actually claims that "\[we\] aren't allowed to worship God as we understand Him?".  Nobody says that.  This is another straw-man argument.  As espoused in our Constitution, everyone has the right to believe in their religion but the government has to stay out of it ("Congress shall make no law respecting an establishment of religion...or prohibiting the free exercise thereof" from the very first amendment to the US Constitution) 
 
Article 11 of the Treaty with Tripoli in 1797 (just years after the revolutionary war ended) declared that "the government of the United States is not in any sense founded on the Christian religion..."  This treaty was ratified by all of Congress and the first two presidents of our country. 
 
Here is a lot more info on what our founding fathers actually intended (and many of them were actually Deists (not Christians!) and believed in god, but they knew the government needed to stay out of it).  [https://www.infidels.org/library/modern/farrell\_till/myth.html](https://www.infidels.org/library/modern/farrell_till/myth.html) 

> > > > > > > _ 
> > > > > > > But there are a lot of us who are wondering where Nick and Jessica came from_
> > > > > > > 
> > > > > > > _and where the America we knew went to. 
> > > > > > > _

 
\[Jason\] **Just so you know, this is where Ben Stein's comments end.  The rest were tacked on later and dishonestly attributed to Ben Stein.**  Source:  [https://www.snopes.com/politics/soapbox/benstein2.asp](https://www.snopes.com/politics/soapbox/benstein2.asp) 

> > > > > > > _ 
> > > > > > > In light of the many jokes we send to one another for a laugh, this is a little_
> > > > > > > 
> > > > > > > _different: This is not intended to be a joke; it's not funny, it's intended to get you thinking.. 
> > > > > > > _

 
\[Jason\] I'm really interested if anyone actually shares any of the opinions below, and what they believe about it.  Because there are a whole pile of different things here. 

> > > > > > > _ 
> > > > > > >   
> > > > > > > Billy Graham's daughter was interviewed on the Early Show and Jane Clayson asked her 'How could God 
> > > > > > > let something like this Happen?' (regarding Katrina) 
> > > > > > > _

\[Jason\] A very good question.  How is it that a loving God who cares about us and is all-knowing could let something so horrific happen to thousands of innocent people?  This is called "The Problem of Evil" -- as in, how can one reconcile the existence of so much evil in the world with a loving all-powerful God?  There have been many who try to answer this, but none satisfactorily yet. 

> > > > > > > _Anne Graham gave an extremely profound and insightful response. 
> > > > > > > She said, 'I believe God is deeply saddened by this, just as we are, but for years 
> > > > > > > we've been telling God to get out of our schools, to get out of our government 
> > > > > > > and to get out of our lives. And being the gentleman He is, I believe He has calmly backed out. How can we expect 
> > > > > > > God to give us His blessing and His protection_ if we demand He leave us alone?' _(She said the same thing 
> > > > > > > when interviewed after 9-11)_.

\[Jason\] I don't think I would use the words "profound" or "insightful" to describe this.  Here is what she said (paraphrasing): 

> "God turns his back on everyone and does not protect us from any bad things because many (rightly) insist that the Government stay out of Religious matters."

What an petulant, indiscriminate baby that God is!  He'll show you by punishing _**innocent people**_ instead of the ones he really should be mad at!  Wow, sounds just like one of those lovely old testament stories about the vengeful God that were supposed to be over after the "New testament/covenant"...  And he is supposed to love us?  Ouch.  Watch your babies 'cause this God may start killing some first-borns again... 

> > > > > > > 
> > > > > > > 
> > > > > > > _In light of recent events...terrorists attack, school shootings, etc. I think it started when Madeleine_
> > > > > > > 
> > > > > > > _Murray_ _O'Hare (she was murdered, her body found recently) complained she didn't want prayer_
> > > > > > > 
> > > > > > > _in our schools, and we said OK. Then someone said you better not read the Bible 
> > > > > > > in school. The Bible says thou shalt not kill, thou shalt not steal, and love your neighbor as yourself. And we said OK. 
> > > > > > > _

\[Jason\] I think "it" (our secular government) started when our country was founded on the principle of Religious Freedom (which includes the freedom to \_not\_ believe as well) as embodied in the Very First Amendment to our constitution.  Every society regardless of religion tends to believe in the killing and stealing are bad parts (well, there have been notable exceptions, such as the inquisition, the crusades, and 9-11).  But that doesn't mean the rest of it is widely believed or should be promoted.  For example, those same religions also do not condemn slavery.  They actually say that disobedient children should be stoned to death.  Oh, and women who marry but are not virgins deserve to be stoned to death.  Adulterers:  They should be put to death.  If you don't believe me, I can show you where to look in the Bible. 
 
And for those of you who are pro-public-displays-of-the-ten-commandments, most of the 10 commandments have nothing to do with the law.  In fact, the very first is "Do not have any other gods before Me."  How can you reconcile putting that in a public square--it is overtly anti-any-other-non-christian-religion!  Oh, and surprisingly there are two sets of 10 commandments in the Bible but people only seem to be interested in the one set of 10 and not the other...  You should check out [https://en.wikipedia.org/wiki/Ten\_Commandments#Text\_of\_the\_Ten\_Commandments](https://en.wikipedia.org/wiki/Ten_Commandments#Text_of_the_Ten_Commandments) for more details on how even different denominations divide up the commandments differently.  How many of you honor this commandment from the second set (often known as the Ritual Decalogue):  "Sacrifice firstborn male animals to Yahweh. The firstborn of a donkey may be redeemed; redeem firstborn sons."?   

> > > > > > > _ 
> > > > > > > Then Dr. Benjamin Spock said we shouldn't spank our children when they misbehave because 
> > > > > > > their little personalities would be warped and we might damage their self-esteem 
> > > > > > > (Dr. Spock's son committed suicide). We said an expert should know what he's 
> > > > > > > talking about. And we said OK. 
> > > > > > > _

\[Jason\] Okay, they are going off the deep-end here.  How many people think that weaving in hitting kids here makes sense?  Oh, they must believe those parts about stoning to death disobedient children. 

> > > > > > > _ 
> > > > > > > Now we're asking ourselves why our children have no conscience, why they don't know right_
> > > > > > > 
> > > > > > > _from wrong, and why it doesn't bother them to kill strangers, their classmates, and themselves. 
> > > > > > > 
> > > > > > > Probably, if we think about it long and hard enough, we can figure it out. I think it has a great deal_
> > > > > > > 
> > > > > > > _to do with 'WE REAP WHAT WE SOW.'_
> > > > > > > 
> > > > > > > _Funny how simple it is for people to trash God and then wonder why the world's going to hell._

\[Jason\] Yes, their God is such a baby he is going to destroy everyone for the few who may not believe (but certainly not those few--that would be too easy).  I don't know what they are talking about by saying "trash God".  Nothing here mentioned any evidence that people are "trashing" God.  Keeping religion out of Government is NOT "trashing" God.  Typical straw-man argument again. 

> > > > > > > 
> > > > > > > 
> > > > > > > _Funny how we believe what the newspapers say, but question what the Bible says. 
> > > > > > > _

\[Jason\] Well, most of the time, Newspapers report facts, and the Bible has stories that people have been arguing about the meanings of for centuries.  And there are so many conflicting accounts in the Bible that you \_have\_ to question it.  They must be running out of straw by now.... 

> > > > > > > _ 
> > > > > > > Funny how you can send 'jokes' through e-mail and they spread like wildfire but when you start sending messages 
> > > > > > > regarding the Lord, people think twice about sharing. 
> > > > > > > _

\[Jason\] Which people?  That's just paranoid crazy talk!  Of course, not everyone believes as you do so you would be right to think twice before sharing just as you probably would.  Again, more straw-men. 

> > > > > > > _ 
> > > > > > > Funny how lewd, crude, vulgar and obscene articles pass freely through cyberspace, but public 
> > > > > > > discussion of God is suppressed in the school and workplace. 
> > > > > > > _

\[Jason\] Seems as if plenty of God-ladened articles pass through cyberspace.  This statement is a non-sequitur.  Religion and God are personal matters.  Only in America do people seem to think they should be public.  Take a trip to any other western country and you'll find far less of this. 

> > > > > > > _ 
> > > > > > >   
> > > > > > > Are you laughing? 
> > > > > > > 
> > > > > > > Funny how when you forward this message, you will not send it to many on your address list because 
> > > > > > > you're not sure what they believe, or what they will think of you for sending it. 
> > > > > > > _

\[Jason\] That's probably a good thing to be considerate of other's feelings.  Not sure what your religion says about that, but "do unto others as you would have done unto you", right?  I'll send along some excerpts from Book of Mormon for you if you think it's okay to not care whether someone believes something or not...  There's this guy who was shown a golden plate by angels and he translated it using magical glasses and a seer stone... 

> > > > > > > _ 
> > > > > > > Funny how we can be more worried about what other people think of us than what God thinks of us. 
> > > > > > > _

\[Jason\] Being considerate of others is not the same thing as being "worried about what other people think of us".  And this is a non-sequitur.  Even if we cared what others thought of us, how does that imply we therefore care \_more\_ about this than what god thinks of us?  

> > > > > > > _ 
> > > > > > > Pass it on if you think it has merit. If not t hen just discard it... no one will know you did._

\[Jason\] For the record, I'm not passing this on because it has merit.  I think the broader questions it raises and the hope that it will inspire some dialogue have merit. 

> > > > > > > _But, if_
> > > > > > > 
> > > > > > > _you discard this thought process, don't sit back and complain about what bad shape the world is in._

\[Jason\] Oh brother.  If someone thinks this is crap, they have no right to complain about the world?  Nice childish debating tactic:  agree with me or you don't have any right to complain. 

> > > > > > > 
> > > > > > > 
> > > > > > > _My Best Regards. honestly and respectfully, 
> > > > > > > 
> > > > > > > Ben 
> > > > > > > Stein_

\[Jason\] Again, Ben Stein did NOT write this last part.  This is a dishonest fraud typical of these kinds of chain emails designed to use someone's celebrity or authority to bolster a viewpoint that they don't necessarily share...  Isn't there something in the Bible about bearing false witness?  I guess they don't believe in \_that\_ part of the Bible and 10 commandments... 

> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > > > * * *
> > > > > > > 
> > > > > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > * * *
> > > > 
> > > > 
> > > > [](https://www.windowslive.com/?ocid=TXT_TAGLM_Wave2_powerofwindows_112007)

Open-letter-response-to-chain-email-about-senators-supposedly-voting-against-english-as-the-official-language

Thu, 27 Dec 2007 06:08:00 -0800

I have thought for a while about publically posting my responses to these kinds of emails that come my way and are often filled with lots of misinformation, vitriol, and seriously lacking in facts or any sense of a cogent argument or position.

Occasionally, one comes along that I just can’t sit by and let idly fly by. They are usually forwarded along without any additional comments and the presumption is I guess that the one forwarding believes the general sentiments. But I think it’s more interesting to know which parts people believe in or not, and why. Certainly they tend to pack in a lot of crap in one email that I find it hard to believe everyone believes everything about them.

Also, when I go look up information about these to fact-check them, I often find credulous people posting them (from the “me too” crowd) and nobody other than snopes and some other sites seem to come back with any commentary or dissection.

So, here is the first in a series of open letter responses to these emails that I have already forwarded back to the few family/friends who have been subjected to these already. Enjoy. Oh, and if you came here from Google, welcome.

-Jason

I would love to actually hear which parts of the below email people actually believe in. I’ll try to summarize them into yes/no questions for easy replying to see where people stand:

1. English should be the official language of the United States (yes/no)? 2. Those in our country whether citizens or not who don’t know how to speak English should be put on boats and (fill in your banishment ideas here: _______) (yes/no)? 3. Only “illegal aliens” do not speak English. The “legal ones” are fine whether they speak English or not (yes/no)? 4. You agree with these sentiments and punishments from below for voting against a piece of legislation: “Your vote reflects betrayal, political surrender, violates your pledge of allegiance, dishonors historical principle, rejects patriotism, borders on traitorous action and, in my opinion, makes you unfit to serve as a United States Senator… impeachment, recall, or other appropriate action is warranted. " (yes/no)? 5. Anyone who has a disagreement with _your_ political opinion is “unfit to serve” and is not “patriotic” or “traitorous” (yes/no)? 6. You agree with the implied sentiments and suggested punishments for casting a vote from below, “willfully take actions during wartime that damage morale, and undermine the military are saboteurs and should be arrested, exiled or hanged.” (yes/no)?

By the way, the text below is a retread from a year prior it seems: https://www.snopes.com/politics/immigration/englishvote.asp And it is not even correct in stating that it was voting against “English as the official language”. It had to do with whether the government would provide access to services in languages other than English. https://www.truthorfiction.com/rumors/e/english-official.htm

Some extra credit questions:

1. What is the worst fear that you have if English is not declared the official US language? 2. What would change (or would you hope would change) if we were to have English as the official US language? 3. If you agree about those who don’t vote on a language bill as being “unpatriotic”, etc., then what is your basis/rationale for believing this? i.e. what about the vote or belief is unpatriotic (where patriotism means: " Love of and devotion to one’s country.”) or worse “traitorous”?

Cheers,

-Jason

Neil wrote:

> 
> 
> Note: forwarded message attached. 
> 
> ![](04.gif) ...Neil
> 
> * * *
> 
> * * *
> 
> 
> 
> Subject:
> 
> Fwd: Is your senator listed here?
> 
> From:redacted@example.com
> 
> [](mailto:jbudzak@comcast.net)
> 
> Date:
> 
> Sat, 08 Dec 2007 21:28:07 +0000
> 
> To:redacted@example.com
> 
> ,
> 
> 
> 
> > \-------------- Forwarded Message: -------------- 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > * * *
> > 
> > Check out AOL Money & Finance's list of the [hottest products](https://money.aol.com/special/hot-products-2007?NCID=aoltop00030000000001 "https://money.aol.com/special/hot-products-2007?NCID=aoltop00030000000001") and [top money wasters](https://money.aol.com/top5/general/ways-you-are-wasting-money?NCID=aoltop00030000000002 "https://money.aol.com/top5/general/ways-you-are-wasting-money?NCID=aoltop00030000000002") of 2007.
> 
> !DSPAM:4,475ee5da32571006577316! 
> 
> * * *
> 
> 
> 
> Subject:
> 
> Fwd: Is your senator listed here?
> 
> From:redacted@example.com
> 
> [](mailto:Jfobes@aol.com)
> 
> Date:
> 
> Sat, 8 Dec 2007 03:52:33 +0000
> 
> To:
> 
> 
> 
> 
> * * *
> 
> 
> 
> Subject:
> 
> Is your senator listed here?
> 
> From:redacted@example.com
> 
> Date:
> 
> Fri, 7 Dec 2007 18:06:58 EST
> 
> To:
> 
> To:
> 
> 
> 
> 
> 
> 
> 
> 
> **I agree, and don't care what religion, political choice or anything else anyone has, this is r****eally a disgrace!  Illegal is Illegal and I don't understand why we as Americans can tolerate** **this stuff.  Just how do these people get where they are?  Must be us not caring or doing** **the right thing.  Please let everyone see this.**
> 
> 
> 
> 
> 
> _**_33 Senators Voted Against English as_**_ _**_America 's Official Language June 6, 2007_**_**___On Wed, 6 Jun 2007 23:35:23 -0500, "Colonel Harry Riley___** _**_USA ret" wrote:_**_**___Senators,__ 
> 
> __Your vote against an amendment to the Immigration Bill 1348, to make English___** _**_America 's official language is astounding.. On D-Day no less when we honor those that sacrificed in order to secure the bedrock character and principles of America ._**_
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _**_    I can only surmise your vote reflects a loyalty to illegal aliens. _**_**_ 
> 
> __    I don't much care where you come from, what your religion is, whether you're black, white or some other color, male or female, democrat, republican or independent, but I do care when you're a United States Senator, representing citizens of America and vote against English as the official language of the United States __ 
> 
> __        Your vote reflects betrayal, political surrender, violates your pledge of allegiance, dishonors historical principle, rejects patriotism, borders on traitorous action and, in my opinion, makes you unfit to serve as a United States Senator... impeachment, recall, or other__ 
> __appropriate action is warranted. ___**
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _**_Worse, 4 of you voting against English as_**_ _**_America 's official language are presidential candidates: Senator Biden, Senator Clinton, Senator Dodd, and Senator Obama._**_**___    Those 4 Senators vying to lead America but won't or don't have the courage to cast a vote in favor of English as America's official language when 91% of American citizens want English officially designated as our language.  __ 
> 
> __    This is the second time in the last several months this list of Senators have disgraced themselves as political hacks... unworthy as Senators and certainly unqualifed to serve as President of the United States. __ 
> 
> __    If America is as angry as I am, you will realize a back-lash so stunning it will literally rock you out of your panties... and preferably, totally out of the United States Senate.__ 
> 
> __The entire immigration bill is a farce... your action only confirms this really isn't about___** _**_America ; it's aboutself-serving politics...despicable at best._**_
> 
> 
> 
> 
> 
> _**_    "Never argue with an idiot; they'll drag you down to their level and beat you with experience." ~ anonymous_**_
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _**_The following senators voted against making English the official language of_**_ _**_America :_**_**_ 
> 
> __Akaka (D-HI) __ 
> __Bayh (D-IN) __ 
> __Biden (D-DE) Wants to be President?__ 
> __Bingaman (D-NM) __ 
> __Boxer (D-CA) __ 
> __Cantwell (D-WA) __ 
> _**_**_Clinton (D-NY) Wants to be President?_**__**_Dayton (D-MN)_**_**_ 
> __Dodd (D-CT) Wants to be President?__ 
> __Domenici (R-NM) Coward, protecting his Senate seat...__ 
> __Durbin (D-IL) __ 
> __Feingold (D-WI) Not unusual for him__ 
> __Feinstein (D-CA) __ 
> __Harkin (D-IA) __ 
> __Inouye (D-HI) __ 
> __Jeffords (I-VT) __ 
> __Kennedy (D-MA) __ 
> __Kerry (D-MA) Wanted to be President__ 
> __Kohl (D-WI) __ 
> __Lautenberg (D-NJ) __ 
> __Leahy (D-VT) __ 
> __Levin (D-MI) __ 
> __Lieberman (D-CT) Disappointment here....__ 
> __Menendez (D-NJ) __ 
> __Mikulski (D-MD) __ 
> _**_**_Murray (D-WA)_**_**_ 
> __Obama (D-IL) Wants to be President?__ 
> __Reed (D-RI ) __ 
> __Reid (D-NV) Senate Majority Leader__ 
> __Salazar (D-CO) __ 
> __Sarbanes (D-MD) __ 
> __Schumer (D-NY) __ 
> __Stabenow (D-M)___**
> 
> 
> 
> 
> 
> _**_"Congressmen who willfully take actions during wartime that damage morale, and undermine the military are saboteurs and should be arrested, exiled or hanged." _**_**_ 
> __    ~ President Abraham Lincoln  "   Amen  "__ 
> 
> __Please forward to as many people as you know. WE NEED THIS INFORMATION__ __PASSED ON TO EVERY RED-BLOODED AMERICAN!!!!!!___**
> 
> 
> 
> 
> 
> 
> 
> * * *
> 
>

Bush A Little Reading Can Be Dangerous

Thu, 27 Dec 2007 05:52:00 -0800

Oy vey. Bush should learn what a slippery slope argument is. That’s what he used to convince himself that allowing _any_ stem cell research could lead to eugenics ala Brave New World. And I thought Jesus told him it was evil… Well, now we know why he isn’t opposing In Vitro fertilzation since it apparently is not related to anti-abortion kind of sentiments (every embryo is sacred, every embryo is good).

Think Progress » Aldous Huxley’s ‘Brave New World’ Convinced Bush To Ban Embryonic Stem Cell Research

In a new piece in Commentary magazine, Jay Lefkowitz — who advised Bush on stem cells — reveals how the President formulated his 2001 policy. While Bush heard from a variety of groups on both sides of the issue, the turning point appeared to come when Lefkowitz read from Aldous Huxley’s fictional novel, Brave New World, and scared Bush

How To Practice Safe Computing

Thu, 29 Nov 2007 16:21:00 -0800

For the home user out there without an IT department or computer science degree it is unfortunate that the software industry has put such a buggy, generally insecure, high-maintenance headache of a machine on the market they call a computer.

But, you can’t do much about that (except lobby for liabilty for software security). And it’s the holiday season when the spammers and scammers come out of the woodwork. I’ve already seen a huge spike in spam activity. Here’s what you should do to protect yourself.

[Note that I have written these as positive statements of what you _should_ do because research has shown that when you try to tell people about a myth or anything, they often remember the words of the bad examples but forget that the example was incorrect so they end up being trained to believe a falsehood on accident. So, staying all positive should help your brain help you to remember how to practice safe computing.]

General security practices:

Know that You are a target! Yes, there are people who want to break into your computer for all kinds of reasons. They may not care about stealing your high-school term paper, but they would love to either steal your passwords, credit card numbers, or even just add your computer to their network of others that are used to send spam, host malicious websites, and attack other systems on the Internet. Your CPU cycles are valuable on the black market!
Run Windows Update and install patches regularly! New patches come out about every first Tuesday of the month for Windows so make sure you keep up!
Upgrade your browser! Internet Explorer 7 or Firefox 2.x are much, much, much more secure than the old Explorer was. You can avoid lots of attacks with this simple change and get better active protection while surfing the Internet.
Do not surf the Internet on a Windows XP or Windows 2000 computer as an Administrator! This makes it way too easy for bad software to be installed that can ruin your day. Create yourself an Administrator account that you can use for installing software, printers/hardware, and patches. For everything else day-to-day, use an account that is only in the Users group. Ask a geek for help setting this up! It is simple but can really tighten your security.
Also, when you have friends come over to use your computer, create a separate account for MyGuests that is only a lowly User so you don’t let them screw up your computer or infect it with viruses. Who knows what they will change or install (or whether they even know what they did…)
Make sure all the rest of the software you have installed is also patched. Run the update managers included in each package, such as iTunes, Firefox, and Acrobat Reader. A ton of security holes are in these programs so keep them patched to – Microsoft sure won’t patch them for you! A good program to use for this is the free Secunia Personal Software Inspector (PSI)
Run a decent anti-virus, anti-spyware, and firewall program. Oh, and be sure that your virus signatures are up-to-date!!
I recommend AVG Freeware for the budget-conscious or Kaspersky or F-Secure for those wishing to purchase solid vendor packages. I wouldn’t let my worst enemy use McAfee and Norton is oft a resource hog.
Do use different passwords for financial and shopping sites than you might use for your email, myspace, recipe site, etc.
If someone steals your email password, you don’t want them to also be able to get into your Quicken or online banking site!
Use a free and secure password manager program such as KeePass to keep track of your passwords and other sensitive data and help you fill in online forms!
You have no excuse for using bad passwords because these programs can help you use stronger passwords that you don’t need to remember – or even type in yourself!
Be very careful when accessing financial sites or shopping sites from computers at a hotel, library, school – and especially at your relatives or friend’s houses. If you can, wait until you can use a trusted computer. You wouldn’t drink an unmarked cup of mystery liquid you just found next to a stop sign, and you should reserve similar caution when using an unmarked computer you just don’t know is secure or not.
If you must do something risky from a public computer (like at an Internet cafe in France…) then change your password right away when you return home!
Check your credit reports from all three credit bureaus every year For Free! But only use this site Annualcreditreport.com since it is the official one organized by the FTC to get you your reports that you are guaranteed by US law.

Shopping tips:

Use reputable websites if at all possible when making online purchases. Deal with the amazons and bestbuys of the Internet and be wary of some vendor you’ve never heard of. When in doubt, ask someone to help you check an offer or website out for you!! If it sounds too good to be true, it probably is.
Check your credit card and bank account statements often, especially during the holiday season. Use the power of online websites to stay up-to-the-minute and catch unauthorized charges early to minimize your losses. Federal law allows banks to not cover fraudulent charges if you don’t report them in a timely manner! You are normally only liable for $50 maximum if you report it promptly. Although these days, I recommend getting a $0 liability credit card and then you don’t have to worry at all. But you don’t really need to fret so much anyhow since you aren’t really liable for much. And the risks of using checks these days far outweigh many other online risks.
I recommend against using Debit cards online just because the laws protecting consumers are VERY different for those and your banks DO NOT have to honor any maximum liability caps (though most do). You should only use them if you could handle the worst case event of all of your money in your checking (and if you have overdraft–your savings) being siphoned out and want to deal with the hassle of dealing with some shmo in the fraud/risk department of your bank begging to get provisional credit back so you can buy groceries or beanie-babies or what-have-you. I’ve had my debit card stolen and it can be a real P.I.T.A. It would be much nicer if it was someone else’s money that got stolen…like your bank’s.

Email tips:

Spammers and scammers love it when you forward chain emails because they know they can trick you into doing their dirty work for them and spread their lies and filth. Stop these dead in their tracks and just delete them when you receive them. Do not forward them, even though your friend Susie sent it to you. You don’t need to send that chain email around “just in case” you might get bad luck from not continuing the chain. You may be giving your friends bad luck if you happen to send something malicious…
If you must send something out to a large swath of people, check the veracity of the claims at Snopes before doing so. It only takes a second. And Snopes should be easy to remember. There is so much misinformation on the Internet and you are part of the problem if you keep sending it around.
Ignore any email claiming to be from a (Bank, paypal, ebay, amazon, etc.) and needing you to “verify your identity” or similar. Those are all scams. All of them. I’m serious. And the ones that aren’t are from companies that you absolutely should not be doing business with anyway because they obviously do not know or care how to protect your security.

For the Advanced Placement members of the class:

Use the excellent secure-deletion program Eraser to shred files securely from your computer. The basic Trash can does not remove all traces of your data, just like throwing it in the trash is not as good as in a cross-cut shredder.
Question sites that require you to provide personal information to get something, even software downloads. Often there is nothing preventing you from putting in bogus information. You can also try the website BugMeNot for lots of free logins and passwords to sites that require you to register so you can avoid proliferating your name, address, etc..
Opt-out of junk mail at home, and opt-out of telemarketing. Also call 1-888-5-OPTOUT (888-567-8688) to tell all three credit bureaus to not sell your info for pre-approved credit applications. It works. You will get tons less junk mail that you have to shred.

Other resources:

SONY compromised?

Mon, 26 Nov 2007 14:50:00 -0800

I noticed that one of the throw-away email addresses I registered years ago for sony style product registration and accessories is now receiving spam. Was sony compromised or did they have an insider sell their addresses? Who knows… I know that I didn’t give it out to anyone…

Postfix Dspam 380 Ubuntu

Sun, 25 Nov 2007 13:13:00 -0800

I have been wrestling with my dspam configuration on Ubuntu for quite some time and think I finally got it set up the optimal way. It took building a custom modern dspam package myself, with the help of a kind soul who built a custom package for Debian etch.

I get tens of thousands of spam messages to my personal accounts each month. And there are many more going to other users at my domain. It has been getting worse recently. This primarily caused me to take more drastic action and implement realtime blackhole lists to block spam from even entering my mail system. It is absolutely stunning to see how much spam gets blocked vs. how much gets in now. I haven’t calculated the stats but on a cursory look at my logs, it is well over 70% that is being dropped on the floor now.

I was having a really bad issue with dspam 3.6.8 that comes with Ubuntu. Turns out this is a very old version of dspam. 3.8.0 has been out for well before the current 7.10 release yet it is only now being looked at for inclusion in 8.04 in April 2008. Ugh. Part of the problem is that upstream Debian hasn’t upgraded yet in any of their repositories – even unstable. Reference: https://bugs.launchpad.net/ubuntu/ source/dspam/ bug/160139

Alas, I set about building my own. I found a great resource at https://packages.kirya.net/debian/pool/main/d/dspam/ that had binary builds for debian etch and the source packages. Rather than wrestle with redoing the work of applying 3.6.8 patches to 3.8.0, I started with this and it actually builds everything cleanly on Ubuntu 7.04 just fine.

First thing is to make sure you have all of the prerequisites for building packages and building dspam. dspam requires at least mysql, postgres, ldap, zlib and other libraries to build, as well as automake and other build tools.

sudo apt-get install build-essential 
sudo apt-get build-dep dspam 

```Obtain the source code and debian patch:```
wget https://packages.kirya.net/debian/pool/main/d/dspam/dspam\_3.8.0-1.1etch1.diff.gz 
wget https://packages.kirya.net/debian/pool/main/d/dspam/dspam\_3.8.0.orig.tar.gz 

```Unpack everything and apply the patch```
tar xvzf dspam\_3.8.0.orig.tar.gz 
gunzip dspam\_3.8.0-1.1etch1.diff.gz 
cd dspam-3.8.0 
patch -p1 < ../dspam\_3.8.0-1.1etch1.diff 

```Now, build everything, including the .deb packages to install. You can skip this and do debian/rules install (as root) if you want to install without packages after compiling.```
chmod 755 debian/rules 
fakeroot debian/rules binary 

```Now, install the new packages. Note there is a new dependency on a base libdspam7 package for any of the driver packages. I use mysql by the way.```
cd .. 
sudo dpkg -i libdspam7-drv-mysql\_3.8.0-1.1etch1\_i386.deb \\ 
libdspam7\_3.8.0-1.1etch1\_i386.deb \\ 
dspam\_3.8.0-1.1etch1\_i386.deb \\ 
dspam-webfrontend\_3.8.0-1.1etch1\_all.deb \\ 
dspam-doc\_3.8.0-1.1etch1\_all.deb 

```There were some changes in the config file from 3.6.8 to 3.8.0 so I would suggest starting with the new config file and integrating your customizations. This worked the best for me, although I did forget a few settings here and there so diff is your friend. That's all it took to get upgraded. My final working DSPAM postfix configuration went through some modifications as well. I originally had DSPAM integrated as a content\_filter, but that runs dspam for all incoming \_and outgoing\_ messages. I didn't think this would be a problem at first, but after seeing it in action it became confusing for end users. What can happen in this configuration is dspam can tag the message subject with your SPAM tag when \_the recipient\_ (which is often a mailing list) has dspam run on it, but then dspam is run again for each individual recipient upon delivery so can end up deciding that the message is not spam, but the subject is left alone. Thus, users receive a message tagged as spam that isn't, according to their dspam decision. I instead set up using this general guideline, which is excellent: [https://gentoo-wiki.com/HOWTO\_Spam\_Filtering\_with\_DSPAM\_and\_Postfix](https://gentoo-wiki.com/HOWTO_Spam_Filtering_with_DSPAM_and_Postfix) I don't use ClamAV though so that's the major difference. I've seen so many security notices sent to Bugtraq that I'm not sure the cure is better than the disease... I wanted system-wide spam and notspam retraining aliases though, so I included another transport filter in my configuration to handle those special users first before dspam got to them:```
smtpd\_recipient\_restrictions = 
 check\_recipient\_access hash:/etc/postfix/dspam\_retrain\_aliases, 
 permit\_mynetworks, 
 reject\_unauth\_destination, 
 check\_recipient\_access pcre:/etc/postfix/dspam\_incoming\_filter, 
 .... 
 permit 

```Then, in the dspam\_retrain\_aliases file I have:```
dspam-fp@dspam-fp.example.com FILTER dspam-fp:innocent 
dspam-add@dspam-add.example.com FILTER dspam-add:spam 

```These trigger the following filters in /etc/postfix/master.cf. Note: you need to set up these subdomains in DNS first! You could probably do something like this without subdomains but that's how I and others have gotten it to work.```
\# only allow local network to post to these entries 
dspam-add unix - n n - - pipe 
 flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user dspam-add@dspam-add.example.com --class=spam --source=error 
 -o smtpd\_recipient\_restrictions=permit\_mynetworks,reject 
 -o mynetworks=192.168.1.0/24 
 
\# only allow local network to post to these entries 
dspam-fp unix - n n - - pipe 
 flags=Rhq user=dspam argv=/usr/bin/dspam --mode=toe --user dspam-fp@dspam-fp.example.com --class=innocent --source=error 
 -o smtpd\_recipient\_restrictions=permit\_mynetworks,reject 
 -o mynetworks=192.168.1.0/24 

```I also added in some header\_checks to reject emails with foreign character sets in them to block additional spams. I've been getting a ton of greek spam and other mid-east charsets it seems.```
\# Using this to block lots of non-US character set emails 
header\_checks = regexp:/etc/postfix/header\_checks 

```And I combined several regexes from various Internet sources in there:```
/^Subject:.\*=\\?big5\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*big5/ REJECT No foreign character sets, please. 
/^Subject:.\*=\\?euc-kr\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*euc-kr/ REJECT No foreign character sets, please. 
/^Subject:.\*=\\?gb2312\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*gb2312/ REJECT No foreign character sets, please. 
/^Subject:.\*=\\?iso-.\*-jp\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*iso-.\*-jp/ REJECT No foreign character sets, please. 
/^Subject:.\*=\\?koi8\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*koi8-r/ REJECT No foreign character sets, please. 
/^Subject:.\*=\\?ks\_c\_5601-1987\\?/ REJECT No foreign character sets, please. 
/^Content-Type:.\*charset=.\*ks\_c\_5601-1987/ REJECT No foreign character sets, please. 
\# headers with 8 special characters... spam 
/\[^\[:print:\]\]{8}/ REJECT Special chars in header a no-no. 

```Hope this summary helps someone... 
 
Update: Fixed the build-dep installation command above. Copy/paste error...

Coolest New Find Wifimugorg

Mon, 19 Nov 2007 05:17:00 -0800

What a great find! “A Guide to Seattle’s Free Wireless Coffee Shops” They even have them categorized by neighborhood and even ones that are open late (it is annoying how much stuff in Seattle seems to close early…)

The beauty of wikis keeps popping up all over the place. I was just marvelling at how much data there is on the OWASP wiki and how easy it was to share new information. Now, if there was only a PC interface to your brain so you could actually consume all that data being generated…

Home Page: Coffee and Wireless in Seattle

Seattle is rich in good, independent coffee shops that offer free, or mostly free wireless access. This wiki is intended to be a guide to the best places in the city to huddle over a table with your laptop, a cup of something hot, maybe a pastry, and get online.

smbfs is deprecated

Sat, 10 Nov 2007 12:39:00 -0800

Wow, I haven’t been paying close enough attention. Fortunately the problems with smbfs were bothersome enough for me to do some research and find that it is no longer maintained and that cifs is much more stable. Most of the arguments are directly mappable between the two so migrating is a cinch.

If you are getting any of these kinds of errors, especially after hitting the file share really hard – even with reads – then consider switching.

 
\[167285.988223\] smb\_lookup: find //.Trash-core failed, error=-5 
\[167296.124968\] smb\_add\_request: request \[ea3c5100, mid=53572\] timed out! 
\[167315.978636\] smb\_add\_request: request \[ea3c5200, mid=53573\] timed out!

Joey Stanford :: Resolution to Mounting Samba Shares - Don’t use smbfs

Redaction Cat Is Out Of The Bag For Wells Fargo

Sat, 20 Oct 2007 09:18:00 -0700

From Risks Digest 24.82

This is just like when Starbucks used to redact all but the last 5 digits of your credit card number on receipts. So anyone with a Starbucks receipt + any other receipt could piece together the whole card number. D’oh!

From the juxtaposition wayback machine: https://juxtaposition.axley.net/archives/2006/06/visa_prohibits.html



> Date: Mon, 3 Sep 2007 14:12:06 -0700 (PDT) 
> From: Tom Watson 
> Subject: Redacted account numbers 
> 
> My bank (Wells Fargo) in its infinite wisdom has decided to change the way 
> it attempts to redact account numbers. In looking over the transactions for 
> an infrequently used account (I only have it because my ex-wife is a signer, 
> and who knows when I'll need to cash a check with her name on it!) I noticed 
> that the method had changed from the July to August automatic transfers I 
> have to keep the account active. In July, the account number is listed with 
> THE LAST 3 digits as 'X'. In August, the method is now all 'X' EXCEPT FOR 
> THE LAST 4 digits. I just looked and said to myself "what is wrong with 
> this picture?". The risk: when you change methods of redacting, change ALL 
> occurrences, not just the new ones. You may just totally unredact what you 
> were attempting to hide. 
> 
> Fortunately in my case, I know the account number anyway, so TO ME it is no 
> big deal (unless I print out something), but I'm aware, which is the the 
> thing to be. 
> 
> I sent the bank a note as well. I don't hold out much hope for anything 
> constructive in return, but we will see. 
> 
> \[It seems pretty stupid to make such a change that completely exposes the 
> account number to anyone with records before and after sanitization. PGN\]

Security Tools and Browser Extensions

Sat, 20 Oct 2007 09:16:00 -0700

This site has a huge list of Firefox Extensions (Add-Ons) that are security tools.

https://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,232.html

And then there’s always this great list of general tools.

Top 100 Network Security Tools

After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don’t know where to start”.

Gartner Chides Pci Ssc

Sat, 20 Oct 2007 09:12:00 -0700

i-ssc

Governance is an important part. If the PCI SSC member companies want to ward off Government regulation, they need to be more transparent certainly. How is it that they could end up with such milquetoast controls as simply “encryption” or “web application firewalls” being equivalent to “source code security review” is a testimony to what happens in the smoke-filled rooms there.

Gartner analyst chides PCI Security Standards Council - IT Security News - SC Magazine US

The Payment Card Industry Security Standards Council (PCI SSC) has taken two steps forward and one back by the creation of a new Board of Advisors, according to Gartner analyst Avivah Litan.

Av Fightclub

Sat, 20 Oct 2007 09:09:00 -0700

You get to talk about this Fightclub. Kaspersky wins again.

I would be somewhat wary of ClamAV though since it seems to suffer from loads of security holes: https://secunia.com/product/2538/?task=statistics_2007 versus the Kaspersky results: https://secunia.com/product/10470/?task=statistics_2007

Also, refer back to the previous posting Juxtaposition: Antivirus bakeoff public results for another source of AV comparisons.

untangling the future… » Blog Archive » AntiVirus Fightclub Results!

Only three (Clam, Kaspersky, Norton) call all of these. Three others (F-Prot, Sophos, Mcafee) missed a few ranging from an 80-90% catch rate - not very good considering these are all really common viruses, but certainly better than others. GlobalHauri and the gateway appliances (Sonicwall, Fortinet, Watchguard) all performed poorly - catching about 60% and less of these common viruses. Watchguard would only catch one virus (the eicar test virus), which is odd because I thought they used the ClamAV engine.

Get Mitnick'S Quot Business Quot Card Complete With Lockpick Tools

Sat, 20 Oct 2007 09:01:00 -0700

This is really cool. I’ve got to send in for mine. Which password should I send…

On a related note, I was running a table for the ISSA Puget Sound and we had a raffle where we asked for business cards or alternatively, a piece of paper with your name and contact information. As a joke, we asked people for their email password and/or their Social Security Number. There were actually some people willing to give them up.

Mitnick Security Consulting, LLC

Send a self-addressed stamped envelope, your IP address and password to:

2245 N. Green Valley Parkway Suite 411 Henderson, NV 89014

Top 10 Craziest Conspiracy Theories

Sat, 20 Oct 2007 08:58:00 -0700

Hard to believe that people believe this stuff. But in a country where 61% of people believe the story of Noah’s Ark literally, I can believe it I guess.

Hakspace.net - Top 10 Wackiest Conspiracy Theories

Physical Security Lacks Physical Security

Sat, 20 Oct 2007 08:57:00 -0700

I can’t believe that these systems have such a horrible design!

Basically, these guys showed how you can inject a tiny device that can record the data that the scanner reads in such that you can create devices to replay it later.

2 Screws, 1 Plastic Cover, How Many Airports Infiltrated?

besides a meat cleaver or, in the case of your eyeballs, a soup spoon, these systems are all laughably easy to bypass, thanks to a primitive protocol called Wiegand that just about all ACSes (access control systems) have inherited.

At the Defcon hackers conference here on Aug. 4, Zac Franken laid out on a table the components typical of a physical proximity card system, the essential elements of which, at least when you’re talking about the way the ACS decides whether or not to let you in, are the same as a biometrics system. (Franken manages an IT company in London. Like many Defcon presenters, he asked for restricted identification.)

And then Franken proceeded to demonstrate how $10 worth of hardware will enable you to stick a quick connect microprocessor on a spliced wire, and flip the switch on whether the ACS thinks you’ve got access rights. The quick connect device contains a small, programmable microcontroller called a PIC chip. In a nutshell, pop the plastic cover, pull the wire, snip, snip, snap on your quick connect, seal it up, pass your proximity card, green blink, and—bzzzzt—you’re in.

Run Linux From Flash Drive Under Windows Using Qemu

Sat, 20 Oct 2007 08:56:00 -0700

-qemu

Very cool. I need to try this on my flash drive.

Using Ubuntu Linux on a flash drive and run it under Windows

The following article is going to tell you everything you need to know in order to make a USB flash drive with Ubuntu Linux installed, similar to the ones we sell here at PenLinux.com

Commerce Bank Database Hacked

Thu, 18 Oct 2007 01:47:00 -0700

Another article said that they thwarted the attack by “shut[ting] it (the database) down”.

I wonder how they were able to have such poor security that someone could compromise their database yet they could respond in seconds to limit the unauthorized access to 20 out of 3000 records. Something doesn’t seem to add up to me, unless perhaps they detected a breach and were monitoring what the attackers were doing and only when they got into the database did they pull the plug on them.

Commerce Bank Thwarts a Major Database Hack

Commerce Bank NA, which operates in Missouri, Kansas, Illinois, Oklahoma and Colorado, last week said a hacker had breached a database with about 3,000 customer records and accessed 20 of them.

Bank Of India'S Website Compromised

Tue, 16 Oct 2007 08:13:00 -0700

Courtesy the F-Secure blog they show a case where the Bank of India website was compromised to include malicious iframes, one of which

“…contains an obfuscated JavaScript that uses exploits to download and run a file called loader.exe. This file is a small downloader which downloads additional files that are different password stealing trojans, additional downloaders, et cetera.”

The stupid thing about this is that if the attackers had quietly compromised this site and done some intelligent money transfers, or web-based password capture, this may have gone unnoticed for some time. But they took their compromise and used it to hammer user’s PCs with known malware that I’m sure got Antivirus programs alarming. Not too subtle.

Good case for SSL-encrypted pages and not clicking “okay” to the “allow unencrypted content to load in encrypted pages?” dialog boxes in the browser… Also good case for using a browser other than IE6.

Bank of India’s Website Compromised - F-Secure Weblog : News from the Lab

Summaries of State Breach Disclosure Laws

Mon, 08 Oct 2007 04:01:00 -0700

It is truly a fallacy the people putting forth the talking point that the differences in state breach notification laws need to be “fixed” with a federal law that usurps all state laws. If you look at the two page chart, it really is not that difficult to know what to do. You end up just taking the “expedient common denominator”. These are handy reference charts for your cube at work.

Emergent Chaos: Breach Laws Charts

Best Science Images Of'07

Sun, 07 Oct 2007 16:06:00 -0700

Too bad they don’t have larger high-res versions. These would make very cool desktop backgrounds.

National Geographic News Photo Gallery: Best Science Images of 2007 Honored

Filtering Out Press Release Spam

Sun, 07 Oct 2007 15:55:00 -0700

This may become useful. I’ve actually gotten so annoyed at organizations that insist on sending at least one marketing email per day that I had to unsubscribe from all of their mailings to get some peace of mind. Restoration Hardware, America’s Test Kitchen, Costco are three of the big offenders that drive me crazy.

How to filter out press releases from your email - Boing Boing

If you get too many press releases emailed to you, try Merlin Mann’s trick of creating a filter that diverts or deletes emails containing the string “For Immediate Release.” I just found 11,000 messages in my mail with that string in it.

James Randi Is Taking On The Audiophiles

Sun, 07 Oct 2007 15:39:00 -0700

This is hilarious. I feel sorry for people who either really have such extraordinary hearing that they can’t use ordinary $19.99 cables in their home theater setup, or have deluded themselves into thinking that they can really tell the difference.

James Randi shows how ridiculous it is to spend $860 a foot for cables.

James Randi Calls Out Audiophile: I’m Sure the Crickets Will Sound Fantastic - Boing Boing Gadgets

James Randi’s Swift - October 5, 2007

Appendix Mystery Solved

Sat, 06 Oct 2007 09:50:00 -0700

Well, I had mine taken out two years ago so I hope I’m not at a disadvantage after the next GI bug.

Function of the appendix found? A good bacteria safehouse. - Boing Boing

“Immunologists from Duke University believe they’ve found the function of the supposedly useless and often dangerous appendix: It’s a reserve store of good germs to ‘reboot’ your digestive system in case another bug wipes out the germs necessary for human survival.”

Internet Discount Shopping Sites

Mon, 24 Sep 2007 13:56:00 -0700

I know people who use fatwallet.com and techbargains.com quite a bit. I wasn’t aware of the others, many of which have coupon codes. I always wondered where people got those codes, aside from direct email marketing.

Our Favorite Internet Discount Shopping Sites

One reason we use the internet is to buy merchandise at a discount to retail. Do you know how to find the lowest prices? Did you know that internet coupons, rebates, and codes are available that will make your purchases even less expensive?

I have assembled my favorite sites on one page to make your discount internet shopping easier.

Marijuana Arrests At All Time Quot High Quot-

Mon, 24 Sep 2007 12:02:00 -0700

“A pot-smoker is arrested every 38 seconds in America”.

God damn it’s time to decriminalize this. We have real police work that could be done instead of wasting police, jail, and court time on this crap. I can only imagine what it was like during alcohol prohibition. Sheesh.

Marijuana Arrests at All-Time High - TalkLeft: The Politics Of Crime

Lucky I'M Not A Kid These Days

Wed, 22 Aug 2007 16:54:00 -0700

…I would likely be arrested, expelled, or something. This is insane that drawings of what even “looked like a gun” are treated as “a threat”. We drew all kinds of war pictures and other lurid things in grade school and high school that would probably get us painted as even worse by today’s “standards”.

Zero tolerance policies are actually Zero thought policies. They allow schools to make one-size-does-not-fit-all decisions without any reprieve or mitigating circumstances. Imagine if the justice system worked that way.

AZ: School suspends boy for drawing gun » Rational Review

School officials suspended a 13-year-old boy for sketching what looked like a gun, saying the action posed a threat to his classmates.

Intuit Quicken Backdoor Encryption Key Cracked

Wed, 22 Aug 2007 16:47:00 -0700

Turns out there is a 512-bit master encryption key used in all versions of Quicken since 2003 that allows for Intuit to decrypt your data (or potentially allow the Government to do so, as the conspiracy theorists are theorizing)

Pforzheimer acknowledged that there is a way to access encrypted Quicken files without a password, but that the ability is hardly secret. “It’s for Quicken users who have forgotten their passwords - and only done when they call customer service or support.”

Wonder how good their controls are for authenticating the owner of the files sent to them that they happily decrypt for $10? Or how good their controls are on who has access to the decryption key? At least they should have disclosed to customers that they had this capability.

I have not found any technical details on the backdoor as it is likely proprietary info that Elcomsoft will use to make money with.

Russian security software firm Elcomsoft announced on Friday that the company’s researchers had cracked the master password that secures encrypted Quicken files and which allows the software’s developer, Intuit, to retrieve lost passwords.

Elcomsoft cracks Quicken “backdoor”

Iphone Insecurity Hype

Wed, 22 Aug 2007 16:38:00 -0700

Leave it to a new technology for chicken-little “analysts” to begin crying that the sky is falling.

What are the “problems” these analysts cite?

“no thought to enterprise security”
“may allow hackers to pilfer private data stored on or sent from iPhones”
“iPhones are unlikely to have a remote “lock and wipe” function that erases the device’s data in the event that it’s lost”
“iPhone’s “closed” operating system makes it impossible to install protection software” (like antivirus)

So, iPhone is not a Blackberry. And Blackberries, with the BES server, have some great enterprise class features. But does the lack of some of those features mean the iPhone is a “security nightmare”? That is just rhetorical hyperbole IMO.

And then there’s Gartner:

“We’re telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise,” Gartner analyst Ken Dulaney says. “This is basically a cellular iPod with some other capabilities and it’s important that it be recognized as such.”

Sage advice from an IT support standpoint. But do we all need to start battling with executives over them using iPhones as the next network security scourge? Probably not. Most iPhones are likely to be used to synchronize data to a PC. Assuming you have adequate protection on your desktops and network from viruses, the risk is no different from iPods or any other device someone decides to plug into their laptop and sync data (contacts or calendar). So, this is not a new risk.

There are certainly going to be some data loss risks with the iPhone, but those are not necessarily new to the iPhone. There are many other devices people can hook up that perform similar functions and can hold enterprise data that also don’t support centralized control. You should design your security controls with that reality in mind so you don’t have to say the sky is falling with every new device out there. There are solutions to lock down USB ports with policy if you so choose, for example. Analysts: iPhone Has Neither Security nor Relevance

Onsecurity Podcast Taking Issue With Pci Dss Web Application Firewall Requirements

Wed, 22 Aug 2007 16:00:00 -0700

I already have noted that equating a web app firewall to a security source-code-reviewed and threat-modeled application is ridiculous. Dinis Cruz will remind you that the most devastating web application flaws are business logic flaws that none of these devices will find. Even web application scanners are ineffective for most things beyond low hanging fruit.

Holes in the Firewall?

Holes in the Firewall? Are there shortcomings in the application layer firewall requirements set by the PCI Security Standards Council? Paul Henry, vice president of technology and evangelism at Secure Computing Corp., thinks so, and explains to Lisa Vaas in the OnSecurity podcast.

Linksys Unofficial Firmware Dd Wrt

Wed, 22 Aug 2007 15:52:00 -0700

I may want to check into this as a nicer alternative for my WAP54G instead of HyperWRT, which is no longer maintained. There is a compact version for devices with limited memory. Wonder if it still has the samba driver in it…

DD-WRT

DD-WRT is simply a project which was originally based on the official GPL Sources of Sveasoft Alchemy. but turned later to a OpenWRT Kernel vase firmware variant. Due the nature of GPL based projects, this firmware will be also release under this license. Initially i wrote this modification to make it possible, to use the Linksys WRT54G/GS inside our Wireless Lan network as cheap replacement for our professional Lancom and Orinocco access points. so what was missing? first, we are using radius authentication with a central account management inside our network for user authentication. There is already a radius application available for OpenWRT, but openwrt was no choice since it is not user friendly for a non computer professional without any linux knowledge. so i just integrated it with some small enhancements in the alchemy software. my wrt-radauth modifications:

Secure Programming with Static Analysis

Wed, 22 Aug 2007 15:40:00 -0700

I will definitely be checking this book out.

From: Brian Chess brian@fortifysoftware.com Subject: Secure Programming with Static Analysis Jacob West and I are proud to announce that our book, Secure Programming with Static Analysis, is now available. https://www.amazon.com/dp/0321424778 The book covers a lot of ground. * It explains why static source code analysis is a critical part of a secure development process. * It shows how static analysis tools work, what makes one tool better than another, and how to integrate static analysis into the SDLC. * It details a tremendous number of vulnerability categories, using real-world examples from programs such as Sendmail, Tomcat, Adobe Acrobat, Mac OSX, and dozens of others.

Sign up for Google Technical Talks in Seattle

Wed, 22 Aug 2007 15:38:00 -0700

Technically, they are in the Kirkland office. Sign up and get notified of upcoming talks. I attended one by Vint Cerf that was very elucidating.

Join us for Technical Talks in Seattle

Ext2 Driver For Windows

Wed, 22 Aug 2007 15:34:00 -0700

I had previously used ext2fsd, but that was quite a pain to set up. This has a nice installer and lets you map your Linux drive right to a drive letter in Windows because it is a full kernel-mode file system driver (Installable File System driver). It supports read/write too. Doesn’t support any security on the drive so caveat emptor.

It doesn’t support any partitions using volume management either (not a surprise).

Ext2 IFS For Windows

provides Windows NT4.0/2000/XP/2003 with full access to Linux Ext2 volumes (read access and write access). This may be useful if you have installed both Windows and Linux as a dual boot environment on your computer.

Quot I Ain'T Afraid Quot-

Wed, 22 Aug 2007 15:19:00 -0700

Heard a snippet of this great song by Holly Near that I heard on a podcast. You can get the song on her website for free.

Some choice lyrics:

I ain’t afraid of your Yahweh I ain’t afraid of your Allah I ain’t afraid of your Jesus I’m afraid of what you do in the name of your God

Free MP3 Download

Free MP3 Download “I Ain’t Afraid” 5.4 MB This is one of the great songs from the CD Edge Copyright 2000 Hereford Music

Google Goes Quot Offline Quot With Gears

Sat, 11 Aug 2007 12:44:00 -0700

This is a great development. The main thing I used GreatNews for was its ability to sync and view postings offline (although many RSS feeds are lame and truncate the stories…) Of course, GreatNews doesn’t work on Linux so Google Reader can now be my main feed reader. It’s great for podcasts too if you want to listen on the PC.

Of course, Google’s delivery of the firefox extension is from a non-SSL link… See slight paranoia: A Remote Vulnerability in Firefox Extensions for why this can be hazardous to your computer’s health.

Official Google Reader Blog: Oh Sam I Am, can I read it on the tram?

Google Gears, a browser plugin that enables offline web applications. Once you’ve installed Google Gears, you can download your latest 2,000 items so they’re available even when you don’t have an internet connection. To get started, simply click the “Offline” link in the top right of Google Reader.

Linux Usb Bugs

Sat, 11 Aug 2007 12:41:00 -0700

Seems as if many devices don’t like Linux’s USB device autosuspend feature. Many will stop functioning and will need to be disconnected and reconnected to function again. I’ve got a multi-card reader that will hang and get these errors. It was a problem on my old computer and is still plaguing me on my new one. Glad to see that it’s going to be fixed. Newer kernels >= 2.6.22 have a feature that lets you turn autosuspend off without having to recompile the kernel:

sudo echo -1 > /sys/module/usbcore/parameters/autosuspend

[linux-usb-devel] usb-storage autosuspend bug?

Bug #85488 - Comment #363

Bug #85488 in linux-source-2.6.20 (Ubuntu): “some usb_devices fault if usb_suspend enabled”

Googling From Seattle

Sat, 11 Aug 2007 12:34:00 -0700

The rumours are true. Google is officially both on the Eastside and Westside now. Now they could make me an offer I couldn’t refuse… I wouldn’t prefer to work in Kirkland but even Fremont would be a jaunt more than Downtown.

Business & Technology | Google takes space in Fremont for expansion | Seattle Times Newspaper

Google, based in Mountain View, Calif., plans to sublease about 60,000 square feet from Getty Images at the Waterside Building on North 34th Street.

That amount of space would accommodate about 240 workers, according to commercial real-estate brokers.

Google now has an engineering center in Kirkland and sales offices at another building on North 34th Street in Fremont. The new space will be used for additional R&D engineers, said Sunny Gettinger, a Google spokeswoman. She declined to say how many people Google plans to add in Fremont.

“Seattle is just very rich in engineering talent, We’re running out of space in our other offices there, and we’re continuing to grow,” Gettinger said.

I 35w Bridge Collapse Photos

Sat, 11 Aug 2007 12:31:00 -0700

These are pretty amazing and tragic to look at. I hope Seattle gets going on replacing the Alaskan Way Viaduct that I travel on every day to work…

Collapse

By some estimates, it would only take about 9 billion dollars a year for 20 years to clear the backlog across the country of our crumbling infrastructure. It took lots of Federal monies to build it; it’s going to take Federal money to fix it. Instead, we’re spending close to a Trillion dollars on the Iraq war. Politicians: look around you. The enemy is you for not funding the proper priorities. It’s us for not demanding it and holding you accountable.

I’ve also heard about some deficiencies in the procedures followed for reviewing bridge safety that need to be fixed. Typically, bridges are reviewed on a 2 year cycle and estimates are made about their longevity and safety for 5-10 years into the future. However, given that it may take at least 5-10 years to get a repair/replacement project passed, funded, and completed, it may be too late even then.

If you are interested in how things like this can happen, check out Why Buildings Fall Down: How Structures Fall

Micro Generator Turns Environmental Vibes Into Electricity

Sun, 22 Jul 2007 15:36:00 -0700

This is so cool.

Micro-generator feeds on good vibrations - tech - 04 July 2007 - New Scientist Tech

A sugar-cube-sized electric generator that feeds on environmental vibrations has been developed. It could power swarms of wireless sensors or even medical implants, researchers claim. The new micro-generator harvests power electromagnetically, exploiting the wobbling of several magnets attached to a millimetre-sized cantilever. It measures just 7.0 millimetres by 7.0 mm by 8.5 mm, and the team behind it say it is the most efficient micro-generator yet developed. The generator converts 30% of environmental kinetic energy into electrical power, and could keep all sorts of low-power devices running without batteries – particularly when alternatives like solar power are not an option.

Ubuntu 6.10 > 7.04 upgrade: Apache 2.2 ldap changes

Sun, 22 Jul 2007 15:34:00 -0700

Just suffered through some lame apache module syntax changes on Ubuntu after upgrading to 7.0.4. This is why I don’t skip major versions…

Here is my functioning template on Ubuntu 7.04 Feisty:

 
AuthBasicProvider ldap 
AuthName "Secret Website" 
AuthType Basic 
AuthzLDAPAuthoritative on # prevent other mods from authenticating this user on failure 
\# protocol://server:port/base?attribute?scope?filter 
AuthLDAPURL ldap://localhost:389/blah 
AuthLDAPBindDN blah 
AuthLDAPBindPassword "secret" 
\# require membership in LDAP group for access 
require ldap-group cn=mygroup,ou=Groups,dc=example,dc=com 

```There were several major changes that kept my site from working after the upgrade: 
 
Deprecated directives: 
 
AuthLDAPAuthoritative (now AuthzLDAPAuthoritative) 
AuthLDAPEnabled 
 
New directive required: 
 
AuthBasicProvider ldap 
 
This tells the mod\_auth\_basic module to defer to the mod\_authnz\_ldap module for authentication instead of handling it on its own.  If you don't specify it, you get this lovely cryptic error in your server error log:  

> ```
> \[error\] Internal error: pcfg\_openfile() called with NULL filename
> ```

require group now only is used for local UNIX groups.  For LDAP, you have to use require ldap-group.

Washington teen caught by FBI using spyware

Sun, 22 Jul 2007 15:24:00 -0700

The FBI is becoming clever with technology – and the local bureau at that. Very nice work.

FBI’s Secret Spyware Tracks Down Teen Who Made Bomb Threats

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

…

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

Cool Biology News Building Life And A Brain

Sun, 22 Jul 2007 14:50:00 -0700

Very cool developments in biology.

Interesting that the first article involves changing cells from one species to another. Wonder what the Intelligent Design folks would say about that (they often argue that we have never observed one species becoming another)

Daily Kos: Science Friday: The Legos of Life

The team at the J. Craig Venter Institute took all of the genes from one species of bacteria, Mycoplasma mycoides, and transferred them into another, Mycoplasma capricolum. The result: The genes from the mycoides took over, changing the cells from one species to another simply by moving around DNA.

ABC News: Scientist Build a ‘Brain’ From Rat Cells

The Combination of Biology and Technology Can Be Trained to Fly a Flight Simulator

Happy Hour Guides

Sun, 22 Jul 2007 14:29:00 -0700

I just found out about Unthirsty, but even that site now has competition from MappyHour – a Google mashup site with links to happy hour reviews.

But this site is still a great staple: Seattle Travel’s Seattle Happy Hour Guide. It has happy hours listed by neighborhood.

Scooter Limbo

Fri, 06 Jul 2007 16:36:00 -0700

This is ridiculousness on top of unbelievable ridiculousness and makes me even more pissed about the Bush Administration.

They commute Scooter’s sentence before he serves any prison time, then assume he will instead get probation, except you have to serve some time to be eligible for a judge to do that. So, Scooter may not get anything other than the $250k fine. Wankers.

Crooks and Liars » John Dean: Bush’s Commutation Conflicts With His Own DoJ Guidelines

White House Counsel Fred Fielding either did a very shabby or very sneaky job of handling the details of Libby’s commutation, as it is hard to believe that someone as experienced as Fielding wouldn’t anticipate the confusion we see now. I guess it really doesn’t matter to them in the long run, their buddy Scooter will do zero prison time for his part in treasonous crimes against his country while Paris Hilton spent nearly a month in jail for a parole violation. They must be proud…

Local Call To Bring Troops Home

Fri, 06 Jul 2007 16:33:00 -0700

Olympia, WA – my state capitol – makes the “pages” of Daily Kos.

Daily Kos: Bring them home.

How many more Americans will forfeit their lives on the battlefield between now and then? How many more tax dollars will be spent to stall America’s inevitable departure?

It’s time to end the American bloodshed. It’s time to bring the troops home.

That darned right Winged media

Fri, 22 Jun 2007 16:47:00 -0700

This is causing all kinds of swirl in the right-wing punditry circles. It’s nothing that we didn’t already suspect but the imbalance is staggering, especially when the majority of Americans support positions which are not in line with the majority of the right wing punditocracy. Read the linked summary to see just how imbalanced it is (e.g. 91% conservative vs 9% progressive programming)

Think Progress » REPORT: The Right Wing Domination Of Talk Radio And How To End It

The Center for American Progress and Free Press today released the first-of-its-kind statistical analysis of the political make-up of talk radio in the United States. It confirms that talk radio, one of the most widely used media formats in America, is dominated almost exclusively by conservatives.

The new report — entitled “The Structural Imbalance of Political Talk Radio” — raises serious questions about whether the companies licensed to broadcast over the public radio airwaves are serving the listening needs of all Americans.

And Ed Schultz (one of my favorite talk radio show hosts) provides some hard facts that are hard to deny that provide rationale for the criticism:

Think Progress » Ed Schultz: ‘How Many Markets Do I Have To Beat Hannity In Before I Get 200 Or 300 Stations?’

Schultz — the host of the most popular progressive radio show in the country — debunked the right-wing myth that conservatives dominate simply because they are winning in a “free market.” Schultz explained that the market is being controlled by a few ownership groups that are forcing conservative talk shows into local markets:

Appeals Court Affirmed Ruling Stored Communications Act Violates 4th Amendment

Fri, 22 Jun 2007 16:43:00 -0700

More good news in restoring constitutional governance to this country.

SANS Institute - SANS NewsBites

A US federal appeals court upheld a lower court ruling that said law enforcement agents need warrants to seize web-based email. The Sixth Circuit Court of Appeals said webmail users have a “reasonable expectation of privacy” regarding the content of messages stored on a remote host. The original 2006 ruling, unsuccessfully appealed by the US government, said the Stored Communications Act (SCA) violates the Fourth Amendment. The SCA had been used for 20 years to access stored email without a warrant.

Tony Snow: wanker of the week

Fri, 22 Jun 2007 16:29:00 -0700

He actually said this:

Think Progress » Snow On Stem Cell Veto: ‘This Is The President Putting Science Before Ideology’

“…critics quite often who make those complaints are, whether deliberately or not, misstating the nature of the president’s commitment to stem cell research and paying little or no heed or giving no credit to the president’s unique and unprecedented role in supporting stem cell research.”

And he even completely lied about previous statements he made. Do they not know this sh*t is taped? And why doesn’t the mainstream media call them on this crap?

Crooks and Liars » The Daily Show catches Tony Snow Lying

“No, that is something — we have never said that.”

Mr Wizard Rip

Tue, 12 Jun 2007 13:47:00 -0700

Wow. I loved his show when I was younger. Sorry to see him go. Hopefully Bill Nye the Science Guy is filling his shoes sufficiently.

Boing Boing: Mr. Wizard (1917-2007)

There is some justice left in the US

Mon, 11 Jun 2007 16:12:00 -0700

And some damning language about the Administration’s position and tactics. Of course Gonzo provided the legal opinions to back up the bankrupt positions of the administration in these regards. For shame on all of them.

Crooks and Liars » Court Overrules Bush’s ‘Enemy Combatant’ Policy

The Bush administration cannot legally detain an immigrant it believes is an al-Qaida sleeper agent without charging him, a divided federal appeals court ruled Monday.

Think Progress » BREAKING: Bush Administration Loses Major Terror Detention Case

“To sanction such presidential authority to order the military to seize and indefinitely detain civilians, even if the President calls them ‘enemy combatants,’ would have disastrous consequences for the constitution — and the country,” the court panel said.

Let The Impeachment Begin

Mon, 11 Jun 2007 16:04:00 -0700

The “they” is the Democrats. We know we can’t count on the Republican wankers to do the right thing, only what’s right for their base. But can we count on the Democrats? So far, it doesn’t look good.

I’d be down for an independent ticket for 2008, so long as it doesn’t put another Republican in the white house like Nader helped with last time. However, it is looking like the Dems have a good set of candidates to choose from thus far. But who of them can _lead_? We’ll see.

Daily Kos: Gonzo No Confidence Vote Fails

If they are serious in having no confidence in Gonzales (and who couldn’t be, outside of Bush?) then it’s time to begin the process for the next step: impeachment.

Gop Throwing Off The Stupidity Curve

Mon, 11 Jun 2007 15:54:00 -0700

The majority of the 68% of Republicans who believe the genesis story (higher than the 53% of all Americans) literally must include that 36% of Americans who also still stand behind the president…

And these beliefs have a special protection under the law because???

Crooks and Liars » Evolution confusion a partisan problem

The problem isn’t just that Americans in general are confused, but rather that the GOP is throwing off the curve.

Proving You Are Humanto A Computer

Mon, 11 Jun 2007 15:47:00 -0700

There have been some sites where I’ve suffered the same fate. Do they want me to match case? What the heck does the captcha say?

From the NYTimes article a great quote:

“You can make a captcha absolutely undefeatable by computers, but at some point, you are turning this from a human reading test into an intelligence test and an acuity test,” said Michael Barrett, the chief information security officer at PayPal, a division of eBay. “We are clearly at the point where captchas have hit diminishing returns.”

Talking Points Memo: by Joshua Micah Marshall June 11, 2007 10:54 PM

Of late, I’ve had several captcha fill-ins I was asked to type in where I actually had a difficult time figuring out what the letters were. And I’m human. Really.

To make matters worse, researchers (university ones, not independent hackers) are devising ever-clever ways of beating the tools.

It all depends on your threat model just how obscure you need your captchas to counter the threat but beware captcha’s days are likely numbered.

7 Senators Vote Against Habeas Corpus

Sat, 09 Jun 2007 10:23:00 -0700

Senator Brownback (US Presidential Candidate) and 6 other Republican Senators voted against the Restoration of Habeas Corpus act. Un-freaking-believable.

Crooks and Liars » Jonathan Turley Slams Bush, Republicans On Habeas Corpus

Great Photo Of Paris Hilton

Sat, 09 Jun 2007 10:19:00 -0700

I hate to add to the excessive frenzy over Paris going to jail, but there are some choice photos of her hysterical. And the fact that she is heading back to jail is a good thing for equal justice in the eyes of the law.

The Sydney Morning Herald: national, world, business, entertainment, sport and technology news from Australia’s leading newspaper.

Hilton’s release for an undisclosed medical condition - and the decision to allow her to serve the time at her luxurious home - caused outrage among civil rights leaders and many Americans, who argued it could be interpreted as affording the socialite favours not available to other, less famous, inmates.

Scientists Store Data In Live Neurons

Sat, 09 Jun 2007 09:52:00 -0700

This is a remarkable development. We are learning more and more about the brain all the time… I can’t wait to get my Matrix-like Jiu-Jitsu and Kung Fu chips so that I can be an Ultimate Fighting champion.

Data stored in live neurons - tech - 08 June 2007 - New Scientist Tech

Information has been stored in live neurons for the first time, bringing closer the creation of “cyborg” computer chips that combine electronic circuits with human cells.

8 Trax Shows In July

Sat, 09 Jun 2007 09:48:00 -0700

Some good friends of mine have a for-fun cover band they call the 8 Trax. They are playing two shows July 13 and 14 at Jimmy Jack’s. They are big 60s/70s music fans so prepare for Freebird, lots of Zeppelin, AC/DC, and more. It’s always a fun time and looking at the location, there should be some fun people-watching as well.
https://www.jimmyjacks.com/schedule.html

Meebo Web 20 Im Client

Sat, 09 Jun 2007 09:42:00 -0700

Meebo is one of the most beautiful web applications I have ever seen. I can’t wait to see what other kinds of rich web interfaces come to everyday applications after seeing what they have been able to do with this IM client.

I have a colleague who has abandoned proprietary IM clients and uses meebo instead.

House Joins Senate In Approving Stem Cell Research Expansion

Sat, 09 Jun 2007 09:28:00 -0700

This is a good sign. Although Bush is likely to veto this even though a majority of the US public does not agree with his position.

Everything that I have heard about regarding Stem Cell Research says that it is a long shot, but has so much potential benefit that, like SETI, is worth investing resources in studying. Regardless of the benefits, the government should not be putting restrictions on what kind of basic research scientists can engage in.

RichardDawkins.net - The Official Richard Dawkins Website

The House gave final Congressional approval on Thursday to legislation aimed at easing restrictions on federal financing of embryonic stem cell research, but Democratic leaders in both chambers conceded they were short of the votes needed to override a veto threatened by President Bush.

On a vote of 247 to 176, the House overwhelmingly passed the bill, with more than three dozen Republicans joining a Democratic-led effort to authorize federal support for research using stem cells from spare embryos that fertility clinics would otherwise discard. The Senate approved the legislation in April.

“Science is a gift of God to all of us and science has taken us to a place that is biblical in its power to cure,” said Speaker Nancy Pelosi, Democrat of California, arguing for the bill’s passage. “And that is the embryonic stem cell research.”

New Book And Blog Rule The Web

Sat, 09 Jun 2007 09:20:00 -0700

Both sound pretty cool. I’ll add to my RSS reader and look out for any new and unique sites.

Rule the Web

Welcome! My name is Mark Frauenfelder, and this is my new blog about a book I wrote called Rule the Web: How To Do Anything and Everything on the Internet – Better, Faster, Easier. It’s be a guide to cool ways to use the Internet to make your life better. It’s not a comprehensive list of every website out there — instead, it shows you how to enhance different areas of your life — your creativity, work, education, travel, health, leisure, and so on.

Sam Harris On The Feasibility And Superiority Of Secular Morality

Sat, 09 Jun 2007 09:15:00 -0700

I think it is one of the weakest arguments that Religious people make when they claim that people need religion as a necessary condition to have a moral compass. Especially when you actually read the crap that passes off as “moral guidance” in the bible.

The worst outcome of the religious-based morality is that they do not follow a system that intends to minimize suffering and increase love. There are such divisive aspects of religious-based morality that result in the exact opposite (e.g. “God Hates Fags”, anti-birth-control policies that result in teen pregnancy that ruins lives, etc.). And then there are the passive fundamentalists who believe that all they need to do is believe in Jesus as their personal saviour and they will go to heaven without having to account for _anything_ moral in this life. These folks offer up some of the most vile, divisive policies such as the late Jerry Falwell did during his life.

This is my favorite section of the article that nicely summarizes some very damning criticism of the bible as a moral compass:

RichardDawkins.net - The Official Richard Dawkins Website

If a book like the Bible were the only reliable blueprint for human decency that we had, it would be impossible (both practically and logically) to criticize it in moral terms. But it is extraordinarily easy to criticize the morality one finds in the Bible, as most of it is simply odious and incompatible with a civil society.

The notion that the Bible is a perfect guide to morality is really quite amazing, given the contents of the book. Human sacrifice, genocide, slaveholding, and misogyny are consistently celebrated. Of course, God’s counsel to parents is refreshingly straightforward: whenever children get out of line, we should beat them with a rod (Proverbs 13:24, 20:30, and 23:13–14). If they are shameless enough to talk back to us, we should kill them (Exodus 21:15, Leviticus 20:9, Deuteronomy 21:18–21, Mark 7:9–13, and Matthew 15:4–7). We must also stone people to death for heresy, adultery, homosexuality, working on the Sabbath, worshiping graven images, practicing sorcery, and a wide variety of other imaginary crimes.

Most Christians imagine that Jesus did away with all this barbarism and delivered a doctrine of pure love and toleration. He didn’t.

Should you buy the "Forever stamp"?

Sun, 03 Jun 2007 17:06:00 -0700

It may seem enticing to buy the “Forever stamps” that will always be accepted no matter if the cost of 1st class postage jumps to $1.00. But, if you actually look at the trends in a) postage increases and b) 1st class mail decline it is not a good economic argument.

Imagine today in 2007 you bought 100 “Forever stamps” for $0.42 each ($42.00 in stamps). Due to inflation of 3%, those stamps would be worth $75.86 in 2027 dollars. However, given that stamps increase a max of 10 cents per decade, those stamps would likely only _really_ be worth $62.00 (~$16 less than you could buy stamps for in 2027 dollars).

Furthermore, if you just invested the $42.00 at 5% interest (there are many great online savings offers to choose from now that will pay that with a liquid account), that $42.00 would have grown to $111.44 in 2027, an increase of almost three times your initial principal. You could buy the $62.00 worth of stamps in 2027 and still have about $60 in your pocket.

So, save your money ;-)

Rising cost of U.S. Postage Stamps

Every decade since the 1970s has seen around eight to ten cents increase in the cost of a stamp.

Exploiting Security Procedures

Sun, 03 Jun 2007 16:54:00 -0700

I need to post a photo of the sign in my building that actually tells you that the locked stairwell doors will be unlocked if the fire alarm is tripped. Hmm, so to break in all I have to do is…

Schneier on Security: Attackers Exploiting Security Procedures

TJX sued by banks for not disclosing security breach

Sun, 03 Jun 2007 16:52:00 -0700

TJX sat for months knowing full well they had been breached but didn’t notify anyone. The downstream impacts for issuers alone are potentially huge. What do you do knowing that you have a list of customers whose cards you know were breached? Do you replace them all as a precaution? Who pays for that cost? Or do you monitor and hope for the best? Who pays for the cost of the added monitoring?

Schneier on Security: Lawsuit for Not Disclosing a Security Breach

The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In last month’s SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.

TEMPEST in a Laptop

Sun, 03 Jun 2007 16:46:00 -0700

TEMPEST risks extended from CRTs to LCDs. This is really cool stuff.

New Scientist Technology Blog: Seeing through walls

A radio antenna and radio receiver - equipment totalling less than £1000 - is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

How To Use Google To Find Breach Disclosures

Sun, 03 Jun 2007 16:31:00 -0700

Adam Shostack provides some useful information on companies who have publicly disclosed data breaches and how to find more later on. Gotta love the Internet.

Emergent Chaos: Breaches in SEC Reports

this Google search against the edgar-online site works well:

(“disclosure of personal information”|“security breach”) (“10-K”|“10K”|“10-Q”|“10Q”) site:edgar-online.com

I Missed Toorcon Seattle

Sun, 03 Jun 2007 16:24:00 -0700

‘Twas May 11-13th. I need to keep up on my security blogs and news more… I’ll be looking for it next year though.

Speaking of Seattle security groups, I need to find out what’s up with SeaSec. Seems to have gone stagnant. I’ve emailed and not gotten responses. I organize a periodic get together of security folks from my company; perhaps I should expand it to outside entities? It serves much the same purpose, although more laser-focused for my employer.

ToorCon Seattle (Beta)

We just wanted to thank everyone for coming and participating this year. It is definitely one of the best and most fun events that we’ve thrown

Anecdotal List Of Phishing Impacted Institutions

Sun, 03 Jun 2007 16:18:00 -0700

I get at least 400 spam emails every day. Until I get my new filter setup better trained, I’ve had to manually review my spam folder more than I’ve had to with my older system. It is illuminating seeing many of the patterns that show up, but in the past month, these are the most frequently seen institutions:

BB&T (Branch Banking & Trust Company)
PayPal
National City bank
Regions Bank
Aegis Capital Group

I’m also getting tons of spam referring to the recipient as Rickie Peters. Who the hell is this and why would this be a good tactic for the spammers. That isn’t me, BTW.

Security experts are people and people are bad at evaluating risk

Sun, 03 Jun 2007 16:05:00 -0700

This is another great essay from Bruce in Wired magazine about how people miscalculate risks. This subject really fascinates me, which is at the heart of many superstitions and beliefs that people can’t seem to shake, even though they use their iPods and HDTVs and seem to believe in science as a way to knowledge of the world. Schneier on Security: Rare Risk and Overreactions

Novelty plus dread equals overreaction.

And, on a related note, Ian Grigg discusses how us security people are just as bad at calculating risks and dealing with relative risks – in general. There comes a time in your security career when you have to realize that the goal is never to _eliminate_ risk. A good security person knows how to evaluate risks (read: threat model) and to come up with viable solutions to move forward and _reduce risk to a manageable level_. This is especially true in the business world. Being in business is risky and comes about by people at all levels taking risks. Security risks are just one class of risks that a company needs to weigh as part of the economic equation. If you can get to the level of a solution provider, you will find it more rewarding than trying to play adversarial whack-a-mole with business people and every little potential risk that comes up. Vulnerabilities != risk, necessarily. Repeat that until it sinks in.

Although I don’t believe the answer involves trying to come up with crazy ways to “quantify” risk. That has been a holy grail and likely will continue to be. The more I read about quantum mechanics though, the more I’m seeing a potential for a probabilistic model for security. However, the lack of quality data about incidents to base statistics on still leaves such a huge margin of error that getting any model to be more precise than the typical Low - Medium - High - Critical scale is a stretch.

Financial Cryptography: The Myth of the Superuser, and other frauds by the security community

…experts in the field of computer crime and computer security are seemingly uninterested in probabilities. Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk.

Free The Spectrum Therefore Free The Network

Sun, 03 Jun 2007 15:50:00 -0700

This is a great point. The wireless carriers get rich by using the public airwaves; why should they be able to do what AT&T and other companies did and block access to their network? The Internet is a great success story in how much innovation in such a short period of time can come about from open access to myriad devices. I also see wireless LANs as a success story as well with innovation with unlicensed spectrum, that may reveal how in the digital age, keeping the public from using their spectrum is not necessarily even technically required any longer and may be harming development of newer applications. But the lawyers, such as those at AT&T Wireless where I used to work, who fought to control the spectrum and make it illegal for the public to use (since the mobile network lacked actual network security at the time), didn’t think of such repercussions.

Boing Boing: How the right to attach can keep spectrum free

From the article:

…any winner of the auction respect a rule that gives consumers the right to attach any safe device (meaning it does no harm) to the wireless network that uses that spectrum. It’s called the Cellular Carterfone rule, after a 1968 decision by the FCC in a case brought by a company called Carter Electronics that wanted to attach a shortwave radio to AT&T’s network. That decision resulted in the creation of the standard phone jack.

Bad Religion Linkfest

Sun, 03 Jun 2007 15:41:00 -0700

A series of links that all came up about religion recently that evince the darker side of religion.

BBC NEWS | Programmes | Panorama | Row over Scientology video: BBC’s Panorama: Scientology and Me Scientology has tried, unsuccessfully, to block this documentary showing the innards of its religion/cult. I found out recently that this playbook for silencing critics was written by founder L. Ron Hubbard. Nice.

“Fair Game” was introduced by Hubbard, and incites Scientologists to use criminal behavior, deception and exploitation of the legal system to resist “Suppressive Persons”, i.e. people or groups that “actively seeks to suppress or damage Scientology or a Scientologist by Suppressive Acts”. He defined it “Fair Game” as: ENEMY — SP Order. Fair game. May be deprived of property or injured by any means by any Scientologist without any discipline of the Scientologist. May be tricked, sued or lied to or destroyed.

And, sickening (literally) attempts to block a breakthrough vaccine that can stem suffering and disease for so many. US conservatives block cancer vaccine for girls - 14 May 2007 - New Scientist

Plans to vaccinate young girls against the sexually-transmitted virus that causes cervical cancer have been blocked in several US states by conservative groups, who say that doing so would encourage promiscuity.

Advocates of the vaccine point out that the jabs work against human papillomavirus (HPV) - which causes virtually all cases of cervical cancer - and are safe.

The latest data from a large clinical trial of Merck’s cervical cancer vaccine, Gardasil, found it offered 100% protection against cervical, vulval and vaginal diseases, caused by HPV (types 6, 11, 16 and 18) and 98% protection against advanced pre-cancers caused by HPV types 16 and 18 (New England Journal of Medicine: vol 356, p1915).

And you thought veteran’s healthcare couldn’t get worse than rat and cockroach - infested facilities? Crooks and Liars » How About A Little Dose of Fundamentalism To Make The Medicine Go Down?

Navy veteran David Miller said that when he checked into the Veterans Affairs Medical Center in Iowa City, he didn’t realize he would get a hard sell for Christian fundamentalism along with treatment for his kidney stones.

In Indiana, a fight over ‘In God We Trust’ license plates - Los Angeles Times Short version: Indiana exempts the plates with this slogan from extra charges applied to similar sloganized plates. State-sponsorship of a religious belief system?

YouTube - Bill Maher interviews Christoper Hitchens Mr. Hitchens is in the class of “abrasive atheists” but he is always entertaining and this interview is a true gem.

Senator Brownback tries to backpedal from his freedom of speech moment at the first Republican debate where he joined two other Republicans in professing to not believe in evolution. Of course, his position is a tired one that many evolution-deniers take in that they create a straw man argument about what “evolutionists” believe. It is not part of the theory that “there is no divine causality”. Perhaps it was Darwin’s title “The Origin of Species” that throws believers off. He wasn’t saying that there emphatically was not a divine origin of life. What I Think About Evolution - New York Times

The most passionate advocates of evolutionary theory offer a vision of man as a kind of historical accident. That being the case, many believers — myself included — reject arguments for evolution that dismiss the possibility of divine causality.

Georgia was already on my list of states I’d never want to live in, let alone educate my kids in. Ga. judge: Keep Potter books in school | Chron.com - Houston Chronicle

The adventures of boy wizard Harry Potter can stay in Gwinnett County school libraries, despite a mother’s objections, a judge ruled Tuesday. Laura Mallory, who argued the popular fiction series is an attempt to indoctrinate children in witchcraft, said she still wants the best-selling books removed and may take her case to federal court.

A report by Media Matters reveals how extremist religious figures in America are often spoken of as if they speak for a majority of Americans. Media Matters - Left Behind: The Skewed Representation of Religion in Major News Media

this study documents, coverage of religion not only overrepresents some voices and underrepresents others, it does so in a way that is consistently advantageous to conservatives.

This is what I find more disturbing, however, and the O’Reilly’s of the world perpetuate this distortion:

Religion is often depicted in the news media as a politically divisive force, with two sides roughly paralleling the broader political divide: On one side are cultural conservatives who ground their political values in religious beliefs; and on the other side are secular liberals, who have opted out of debates that center on religion-based values. The truth, however is far different: close to 90 percent of Americans today self-identify as religious, while only 22 percent belong to traditionalist sects.

Ahh, the war on reason and science continues. recordonline.com - Science museum serves those with no use for science

To the embarrassment of thoughtful believers, the Creation Museum has been built for people who were born yesterday, or more or less yesterday, because they don’t believe in the great geologic periods that spoilsport science insists upon.

Well, if he can use scripture to justify bigotry against gays, how about scripture to justify slavery or beating your wife or many other vile things in that book. Romney cites Scripture in defending opposition to gay marriage - Boston.com

Romney, seeking to become the first Mormon president, also tries to allay any concerns about his religion.

Dhs Hires More People With Head In Clouds

Sun, 03 Jun 2007 09:20:00 -0700

This is rich. Just what the DHS needs, more people not grounded in reality.

Schneier on Security: DHS Uses Actual Science-Fiction Writers to Help Develop Movie-Plot Threats

Which is all the more rich since DHS is not focused on terrorism. More and more I’m with Ron Paul when he said that the DHS should be abolished.

Google Street View You Have No Privacy

Sun, 03 Jun 2007 09:01:00 -0700

This new feature is a little eerie to me. You can clearly read license plate numbers on cars, see people dining at street cafes. The photo on this link even shows a woman showing a little too much on the thong-side.

Boing Boing: Google Street View: would it be more/less evil if it were CIA or NSA?

Would we feel differently about street-level image mapping if it were done by a government agency? The FBI? CIA? NSA? DHS? Not implying that it should be, and this isn’t “backlash.” Just asking aloud.

Here is how they are gathering these images. A company drives up and down the streets with a camera that takes images in all directions. Cool stuff, but like I said, eerie.

Google Street View technology

Democrats Giving In Emboldens Our Enemies And Endangers Our Troops

Sun, 03 Jun 2007 08:52:00 -0700

That’s right spineless Democrats. By giving Bush the extra funding supplemental for the Iraq war, you’ve sent a message to our enemies that we’re not leaving any time soon, which is likely to make us and the troops _less safe_. Why can’t you people get the message out that extending the war “emboldens our enemies” to counter the falsehood that it’s the timetables that do this? Sheesh. And you wonder why they can barely win even in an environment like this.

Iraq Veterans Demand White House Recant Endorsement of Endless War in Iraq - AMERICAblog: A great nation deserves the truth

Iraq Veterans Demand White House Recant Endorsement of Endless War in Iraq

VoteVets.org says ‘The bulls-eye on the back of our troops just got a whole lot bigger, and the president is to blame’

Matt Blaze Solves Randis Million Dollar Challenge For Remote Viewing

Tue, 29 May 2007 15:14:00 -0700

Well, he remote viewed the answer, but only used his superhuman crypto skills; nothing paranormal. Bit commitment schemes are pretty useful in cryptography. But, you have to do them correctly.

...one of James Randi's "million dollar
paranormal challenges" is protected by a surprisingly weak (dictionary-
based) commitment scheme that is easily reversed and that suffers from
collisions. For details, see my blog entry about it: [](https://www.crypto.com/blog/psychic_cryptanalysis/)[Matt Blaze: James Randi owes me a million dollars](https://www.crypto.com/blog/psychic_cryptanalysis/)

Matt made a great observation in his message about this that goes along with my recent post about Crypto Maxims I can say that many of the crypto APIs I have seen are either too complicated to get right unless you are an expert, or they allow easy access to crypto primitives such that programmers are often compelled to make mistakes by oversimplifying a complex solution and not knowing what they are missing. Getting more of this information out of academic papers and into the hands of practitioners and API / framework designers would be a big win for the security field.

It occurs to me that the lack of secure, practical crypto primitives and
protocols that are intuitively clear to ordinary people may be why
cryptography has had so little impact on an even more important problem
than psychic debunking, namely electronic voting. I think "intuitive
cryptography" is a very important open problem for our field.

Holograms Feel Good Security

Tue, 29 May 2007 14:42:00 -0700

I always wondered how something that obviously does not add much additional cost to low-cost items could offer any real protection. Turns out they don’t.

A great quote below too.

Fake Holograms a 3-D Crime Wave

It turns out, they’re aren’t as secure as they are sparkly.

Groupthink And The Inertia Of Ideas

Tue, 29 May 2007 14:36:00 -0700

This was posted to the cryptography mailing list as an example of how long it can take for experts to believe evidence. Ulcers for years were thought of to be caused by stress (and many people still think so to this day) but are now known to be caused by bacteria Helicobacter pylori. I just read about how if 40 years ago someone had even suggested that a condition such as ulcers was caused by an infection it would have been heresy. However, they are finding even now that HPV is linked to cervical cancer and there could be other links between viruses/bacteria and other conditions.

History of Ulcer Diagnosis and Treatment | CDC Ulcer

History of Ulcer Diagnosis and Treatment

I Bet You Thought Wep Couldn'T Get Any Worse

Tue, 29 May 2007 14:24:00 -0700

WEP has been cracked _again_ and read the description–it is a devastating break. Crypto by committee, especially when not done by expert cryptographers with a well-defined threat model, is really, really bad. This page also summarizes some of the previous weaknesses of WEP.

I hope you have switched to WPA or an alternative by now if you care about wireless privacy and keeping people off of your network.

If this isn’t enough to run a VPN like OpenVPN or IPSec (although I don’t favor IPSec anymore for many reasons; that’s another crypto by committee with its own problems).

aircrack-ptw

We were able to extend Klein’s attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good condition. The actual computation takes about 3 seconds and 3 MB main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too with an even higher success probability.

Aacs Crack Overview

Tue, 29 May 2007 14:14:00 -0700

Excellent high-level description of what went into the AACS crack. This arms race is even funnier now that the replacement key has been [cracked \_before\_ it has been released](https://arstechnica.com/news.ars/post/20070517-latest-aacs-revision-defeated-a-week-before-release.html). Media industry: you lost the battle against your customers before it was started. 
 
\-Jason

-—-Original Message—– From: owner-cryptography@metzdowd.com [mailto:owner-cryptography@metzdowd.com] On Behalf Of “Hal Finney” Sent: Saturday, May 05, 2007 11:25 AM To: cryptography@metzdowd.com; sidney@sidney.com Subject: Re: Yet a deeper crack in the AACS

\> Article "AACS cracks cannot be revoked, says hacker" 
\> 
\> [https://arstechnica.com/news.ars/post/20070415-aacs-cracks-cannot-be-revoked-says-hacker.html](https://arstechnica.com/news.ars/post/20070415-aacs-cracks-cannot-be-revoked-says-hacker.html) 
\> 
\> Excerpt: "The latest attack vector bypasses the encryption performed 
\> by the Device Keys -- the same keys that were revoked by the WinDVD 
\> update -- and the so-called 'Host Private Key,' which as yet has not 
\> been found. This was accomplished by de-soldering the HD DVD drive's 
\> firmware chip, reading its contents, and then patching it. Once that 
\> was done, the firmware was soldered back onto the drive."

This article was not too accurate, and further progress has been made. At this point it is possible to remotely patch the firmware of a particular kind of HD-DVD drive so that it will provide certain information without the usually required authentication. This makes it easy to retrieve the per-disk “Volume ID”, which must be combined with the widely-published Processing Key to generate the media keys that can decrypt content. If this Processing Key is invalidated on future releases, this hack will not be useful until new keys are discovered. It provides only part of the picture.

The hack was a real accomplishment because firmware updates had to be authenticated with what was apparently something like an AES-based CBC-MAC. The hackers had to figure this out without much background in cryptography and working only with dumps of the firmware that used a somewhat obscure embedded CPU. They had to figure out what CPU was being used, find a disassembler for it, and examine assembly language dumps to deduce that crypto was involved, recognize AES, and see how to create their own checksums that would make their firmware updates succeed. Just goes to show the motivation and hard work that hackers bring to these efforts, largely for the love of the challenge.

It’s possible that the ability to modify firmware will lead to more successes for the hackers in the future, perhaps helping them to break into future versions of software players to extract their embedded keys. I peruse the doom9.org forums from time to time, where this work took place right out in the open, before the public eye. Definitely some smart people involved there.

Hal Finney

-——————————————————————– The Cryptography Mailing List Unsubscribe by sending “unsubscribe cryptography” to majordomo@metzdowd.com

Cryptomaxims For Crypto Applications

Tue, 29 May 2007 14:08:00 -0700

This is a great idea. A member of the cryptography mailing list started a wiki to develop a list of Maxims for Cryptography. I often see security practitioners criticize others for not knowing about some obscure “don’t do this” from the scientific literature; but nobody ever maintains a running list of the state-of-the-art knowledge of “dos and don’ts” to help people avoid future mistakes.

Although there is something to be said for people who don’t keep up with the latest in a security field of study from practicing it – and for us to be wary of those who do so.

CryptoMaxims - security Wiki

This page is about proper use of cryptography.

Dnssec Explained And Criticized

Tue, 29 May 2007 14:02:00 -0700

Ouch.

Matasano Chargen » A Case Against DNSSEC, Count 2: Too Complicated To Deploy

dnssec is the worst design-by-committee effort i’ve ever seen, both in terms of how late it is, how fuzzy the goals have been, how often the goals have changed, and how complicated and heavy it is now that it is trying to be all-things-to-all-people. (Paul Vixie)

Untrusted apt repositories may be harmful

Tue, 29 May 2007 13:59:00 -0700

Something to keep in mind the next time you take a shortcut and add a new repository to get the latest & greatest software for your linux distro. Sometimes it is better to apt-get source and run run debian rules binary to get your own packages. Of course, that’s not quite working for me with Thunderbird 2 right now…

[Ubuntu Untrusted Repository “gift” on Flickr - Photo Sharing!](https://www.flickr.com/photos/trevi55/296804891/ “Ubuntu Untrusted Repository “gift” on Flickr - Photo Sharing!”)

Antivirus Bakeoff Public Results

Tue, 29 May 2007 13:52:00 -0700

This site does comparitive testing of a host of leading Antivirus software and publishes the results online. AVG did fairly poorly in the latest polymorphic tests from Feb 2007 compared to others and in DOS viruses.
https://www.av-comparatives.org/

7 Habits Of Highly Effective It People

Tue, 29 May 2007 13:49:00 -0700

His original intent was specifically to discuss program management skills (at Microsoft), but I think this general framework is a good one for any effective IT person. I employ several of these in my security work and of course any of them can always be improved.

J.D. Meier’s Blog: 7 Habits of Highly Effective Program Managers

* Habit 1, Frame problems and solutions. * Habit 2, Sell visions. * Habit 3, Deliver incremental value. * Habit 4, Manage communication. * Habit 5, Connect with customers. * Habit 6, Execute. * Habit 7, Leverage the system.

Notable Security Quote On The Advice Of Experts

Tue, 29 May 2007 13:43:00 -0700

If you’re sick and you go to a doctor, do you tell the doctor “you’d better come up with some very clear arguments if you want me to follow your advice”? Do you tell your doctor “you’d better build a strong case before I will listen to you”? I would hope not. That would be silly. Doctors are medical professionals with a great deal of training and expertise in the subject. They can speak with authority when it comes to your health. So why do people with no training in security think that they can freely ignore the advice of security professionals without any negative consequences?

-- David Wagner April 22, 2007, cryptography mailing list

Hmmm. I’ve _never_ had this happen to me in my security career…

More Notable Security Quotes

Tue, 29 May 2007 13:41:00 -0700

Great list of quotes on another security blog to add to the periodic quotes I come across.

Musings on Information Security :: Quotable security quotes

Right Wing Quot Judicial Activism Quot-

Tue, 29 May 2007 09:13:00 -0700

I’m sure the “liberal media” is not going to cry foul that the high court is engaging in “judicial activism”. Justice Ginsburg pretty much calls them on it though:

People For the American Way - Latest 5-4 Ruling Further Proof of the Alito Effect

“In her dissent, Justice Ruth Bader Ginsburg accused the majority of straying far ‘from interpretation of Title VII with fidelity to the Act’s core purpose.’

Cheney Proves He Can Be Even More Shortsighted And Evil

Tue, 29 May 2007 09:08:00 -0700

Crooks and Liars » Cheney Criticizes Geneva Convention in Commencement Address

I’d say that’s perfectly emblematic of this administration: In the context of moral and ethical circumstances, dismiss as irrelevant the standards held by the entire rest of the world.

I think that C & L misses the most disturbing aspects of Cheney’s remarks:

It’s not that the sentiments go against what the rest of the world believes; they go against what _our founding fathers_ believed. The rule of law; presumption of innocence. But, the administration sees nothing wrong with presuming that just because we captured “them”, “they” are “killers”. What about all of those FBI and CIA stings that netted…nothing…but violated civil liberties. What about those imprisioned and released months or years later without any charges? Were they “killers”? If not, why deny them legal protections?
And the most disturbing thing (and what truly shows how evil Cheney and his ilk are) is that they see nothing wrong with depriving violaters of the law of any due process or human rights. And they justify it with a childish “well, they did it first!” or “they wouldn’t do that for you”. That’s the point! If we are going to profess to have the moral high ground, then we can’t debase ourselves to their supposed level on a whim. That’s relativistic morality. And is what is going to be putting our troops and captives in danger even more so in the future.

I would love to see a realistic episode of 24 where Jack Bauer tortures a “terrorist” suspect only to find that the person was innocent. There was a situation this season where a CTU worker was somewhat tortured and turned out to be innocent but they did not dwell on it enough to make the point about the dangers.

Gonzales Grilled By Fellow Classmates In Wapo Open Letter

Thu, 17 May 2007 11:24:00 -0700

Ouch. Several of the signatories are from Seattle. Cheers for saying what needs to be said.

Alberto’s Harvard Class (’82) Places Ad in Washington Post.

As lawyers, and as a matter of principle, we can no longer be silent about this Administration’s consistent disdain for the liberties we hold dear. Your failure to stand for the rule of law, particularly when faced with a President who makes the aggrandized claim of being a unitary executive, takes this country down a dangerous path.

Your country and your President are in dire need of an attorney who will do the tough job of providing independent counsel, especially when the advice runs counter to political expediency. Now more than ever, our country needs a President, and an Attorney General, who remember the apt observation attributed to Benjamin Franklin: “Those who would give up essential Liberty to purchase a little temporary Safety, deserve neither Liberty nor Safety.” We call on you and the President to relent from this reckless path, and begin to resto

Falwell Controversy Timeline

Tue, 15 May 2007 11:12:00 -0700

Ahh. Wonder who will take his place to continue the divisive self-righteous condemnations? What will we all do…

There is a short timeline of many of the controversial public incidents with Falwell at The Carpetbagger Report.

The Carpetbagger Report » Blog Archive » Jerry Falwell dies at age 73

Seattle City Light Billing Scam Warning

Mon, 14 May 2007 15:04:00 -0700

This kind of thing was going on long before “phishing” was coined. It’s the same thing in a different technology medium.

FOR IMMEDIATE RELEASE CONTACT: Scott Thomsen April 25, 2007 phone: 206/615-0978 pager: 206/386-4233

BILL COLLECTION SCAM TARGETS WEST SEATTLE Customers Urged to Protect Credit Card Information from Con Artists

SEATTLE - Seattle City Light is urging its customers to be on guard against telephone con artists posing as utility bill collectors who appear to be targeting customers with Asian surnames in the West Seattle area.

In the past few days, several customers reported they received phone calls from people claiming to be City Light employees. One customer’s account was fraudulently tapped for more than $3,000.

In the scam, the callers claim there is a problem with payment of the customer’s bill by check and demand credit card information to resolve the matter. This is similar to incidents reported to City Light in January and earlier this month.

Carol Dickinson, director of customer relations and account services, said City Light wants to help its customers protect themselves from such scams.

“We do not make outbound calls to customers asking for money to pay their bill or to ask for credit card payments or personal account information as part of our daily work,” Dickinson said. “We respect customer privacy and take security of customer account and payment information seriously. We take many proactive steps to ensure that customer information is kept safe.”

City Light sends at least two written warnings to customers who are about to have their power turned off, asking them to contact the utility directly to make a payment.

City Light also would like to remind customers:

Seattle City Light never asks customers over the telephone for credit card information to pay their bills.

Seattle City Light does not call customers on weekends.

Seattle City Light employees carry identification with the City Light logo and will always display it when asked.

All City Light customers are advised to take down the name and telephone number of anyone who calls and represents themselves as a City Light employee. Also, before customers provide any credit information, they should call City Light at 684-3000 to verify that the request is legitimate. If a customer believes he or she has been contacted by a con artist, they are urged to contact the Seattle Police Department at (206) 625-5011 to report the incident.

Hitchens And Hannity On The Hot Seat

Mon, 14 May 2007 12:55:00 -0700

This is pretty funny, to Hannity: “You seem to have never read any of the arguments against your viewpoint”. Hannity’s immediate response was, “Yes I have. I’ve read them all.” Oh brother.

Crooks and Liars » Hitchens vs. Hannity on Religion and God

The ACLU defends YOUR rights too

Mon, 14 May 2007 12:48:00 -0700

This is also one that puzzles me. I think it is primarily that some people dislike some of the causes that the ACLU has taken up (e.g. against ridiculous religious wackos trying to instill their brand of religion or morality as the law of the land) and so they discard the whole organization out of pocket. But their slogan, “Freedom can’t defend itself” speaks to exactly what they are here for: to defend The Bill of Rights. You know, the Bill of Rights is what gives the religious people their freedom to practice religion. Too bad they don’t see that the ACLU is also fighting for their rights too.

Card-carrying genuine patriotism at Pandagon

In terms of venerable institutions that are the target of right wing rage, the one that always puzzled me the most is the ACLU. I mean, I don’t doubt why it’s the target of so much hatred—wingnuts are well-known for thinking the word “freedom” looks good on a bumper sticker but shoudn’t actually be practiced as a matter of policy—but I’m shocked that even mainstream Republican politicians indulge in blatant disdain for an institution that defends the most fundamental principles of our democracy. The facade that Republicans care about individual liberty completely falls apart when Bush Sr. use the term “card-carrying member of the ACLU” as an insult.

By the way, our founding fathers were primarily Deists; we are not a Christian nation.

Founding Fathers were primarily Deists, Holmes says | University Relations

The predominant theology of the early Colonial period was Deism, the idea that God created the world but then had no further role in its functioning, Holmes explained to the audience.

“It’s wrong to see [Washington] as other than a Christian,” Holmes said. He added that the best description of Jefferson’s religion was Unitarian while noting the author of the Declaration of Independence called the concept of the Trinity “Greek arithmetic.”

Another Nail In Quot Abstinence Only Education Quot Coffin

Sat, 14 Apr 2007 02:40:00 -0700

Abstinence Education Does Not Impact Sexual Beahvior

A recent study of four abstinence education programs finds that the programs had no effect on the sexual abstinence of youth. But it also finds that youth in these programs were no more likely to have unprotected sex, a concern that has been raised by some critics of these programs. The study found that youth in the four evaluated programs were no more likely than youth not in the programs to have abstained from sex in the four to six years after they began participating in the study. Youth in both groups who reported having had sex also had similar numbers of sexual partners and had initiated sex at the same average age.

When will the religious nuts give up on “abstinence only” education?! It is hurting the youth they think they are protecting. There have been other studies in the past that confirm this result as well. Enough already!

Craigslist Hoax Lures People To Destroy Woman'S House

Tue, 10 Apr 2007 12:17:00 -0700

Boing Boing: Craigslist hoax ad leads to destroyed home

This happened in Washington. I couldn’t believe it when I heard about it and now it’s made it to Boing Boing. Scary.

The Pagan Origins of Easter

Sat, 07 Apr 2007 17:36:00 -0700

The next time some religious person tries to say that there is some secular conspiracy around religious holidays and that the common secular symbols, such as the Easter bunny, Santa Claus, etc. are taking away from the significance of their holiday, remind them that their religion is primarily responsible. Easter is a perfect example. Most of the supposed “secular” symbols were actually Pagan symbols that were co-opted by early christians in an attempt to make their religion more palatable to the Pagans and make it easier to convert them.

The Pagan origins of the Easter Bunny talks about how Eggs, the word Easter, and the Bunny were Pagan symbols from Vernal celebrations co-opted by christians.

The Pagan origins of Easter conflicts somewhat with the aforementioned site but still shows how many of the symbols existed long before Jesus supposedly came on the scene.

More important is to remember how many of the core symbols of the christian Easter story were actually co-opted from previous religions, including Pagan. The crucifixion, resurrection, drinking blood and eating his body, etc. are all symbols from Pagans. Most of them are parallels to the Egyptian god Horus.

The Religious Tolerance website has tons and tons of other quotes, discussions, references about bible and religious teachings that are very interesting.

Phrases Sayings And Idioms

Sun, 11 Mar 2007 15:16:00 -0700

1200 phrases and sayings and their origins! They also have fun categories, like fallacies (misattributed quotes, etc.)

Sayings and Phrases - meanings and origins

Of course, I have 3 books on the subject I haven’t read yet:

101 American English Proverbs Random House Dictionary Of America’s Popular Proverbs and Sayings Rawson’s Dictionary of Euphemisms and other Doubletalk

In Other Sysadmin News

Sun, 11 Mar 2007 14:58:00 -0700

-news

I also finally started using the excellent PromoteThis plugin to create the nice links to digg.

Also, I had to install the MTStripControlChars plugin, but an updated one from an entry at the VOIP and Gadgets Blog to keep Windows 1252 encoded characters (mostly quotes and double-quotes) from creeping into postings. It happens a lot with pasted in text from websites. Ugh.

You know, it’s kind of irritating that the MTAmazon and MTBlogroll plugins aren’t XHTML compliant yet. I may just contribute some fixes to do proper URL entity encoding. I had a ton of HTML cruft from migrating from various template versions and bad Sidebars I didn’t test. Fortunately, the browsers didn’t seem to mind. All of the HTML I could clean up should be cleaned up now, save for some possible issues from Performancing-edited posts. Can’t wait for the revival of Performancing…

New Wider Stylesheet For Juxtaposition

Sun, 11 Mar 2007 14:41:00 -0700

I just finally fixed my modified Vixburg style for Movable Type so that it makes use of wider browsers. Many times, quotes or pictures or preformatted text get chopped by the small center column. I tried for hours to get a decent 3 column layout where the center column will be fluid and take up as much available space as is there, to no avail. Best I could do was set 65% as the width and that does most of what I hoped for, at least for a 1280x1024. The true holy grail is at this site, but would require me building a whole new style to match kind of what I have using this as the base https://www.glish.com/css/7.asp The right column does not flitter away underneath the content as happens with mine when the page is sized smaller. *sigh*

Anyhow, take a look at my css for my tweaks at the bottom and I hope this makes things more readable.

New Life For Old Books With Bookmooch

Sat, 10 Mar 2007 15:44:00 -0800

BookMooch: a community for exchanging used books (book swap and book exchange and book trade)

I am loving Bookmooch. I’ve mailed out several books so far that were sitting in my basement and am going to hopefully get some good ones in return. This was a great idea that my friend Mike and I actually had in college after the annoyance of paying $60 for a book that the bookstore on campus would only buy back for a pittance; only to turn around and sell it for $60 again. I’m glad someone else coded it. Maybe I’ll actually get something for those books I chose to keep rather than get loose change for. Check out my mooch link on the left nav bar: my Bookmooch list

1 Billion Mazes Served

Sat, 10 Mar 2007 15:37:00 -0800

Exactly One Billion Mazes to Solve

This site contains one billion mazes in high-quality printable PDF format. You may view, print and solve these mazes… and yes, there are exactly one billion mazes!

Borrowing Against Your 401k Why You Should Think Twice

Sat, 10 Mar 2007 15:31:00 -0800

There are several reasons you may want to think twice before borrowing against your 401k:

If you leave your job that provides your 401k, you often are required to pay back any loans in full. If you can’t, it is treated as a withdrawl from the plan, requiring paying income tax on the amount and a 10% penalty if you are not of retirement age yet.
While you have the loan, you have less money in your retirement account. This means, you are not earning interest on the loan amount and you will therefore end up with less money at retirement.
People at your company may be able to know that you have taken the loan out.
You may shift your mindset from an investor taking an active interest in the rest of your plan’s success to a debtor, so your investment might suffer.

You can – but shouldn’t – borrow against your 401(k) plan

Notable Security Quote Does Your Company Suffer From Employee Infallability Syndrome

Sat, 10 Mar 2007 15:15:00 -0800

I will say that any government (or other) program which assumes the honesty of employees and contractors is fundamentally flawed, and any associated risk analysis is either incompetent, or in failing to identify risk to travellers, seriously incomplete.

-- Ian Farquhar on the Cryptography mailing list 2/27/2007

Notable Security Quote Insane Probabilities

Sat, 10 Mar 2007 15:06:00 -0800

Yes, of course an infinite number of texts hash to the same value; that’s the way the function works. But the odds of it happening naturally are less than the odds of all the air molecules bunching up in the corner of the room and suffocating you, and you can’t force it to happen, either.

--Bruce Schneier

Clearwire Secure Clear As Mud In Their Own Words

Sun, 18 Feb 2007 08:36:00 -0800

I got an advertisement for Clearwire wireless broadband to my house that had a terrible Q & A about security:

Q: How secure is the connection? Is it more secure than Wi-Fi? A: Your Clearwire connection is very secure. That’s because Clearwire wireless technology uses OFDM transmission protocol, featuring a design standard that includes secure wireless data transmission.

Well, it starts off not too bad. Very high-level and milquetoast of a response. But unfortunately, they continue:

Wi-Fi operates on unlicensed 2.4GHz frequencies, making it vulnerable to scanning and packet interception. Clearwire operates at licensed 2.5GHz frequencies. Licensed frequencies and OFDM make for a very secure connection.

Yes. Take your security soma. Don’t worry. Where others might have SEcurity, we’re leaders in OBscurity.

Washington Defense of Marriage Alliance

Mon, 12 Feb 2007 11:00:00 -0800

This is so rich. A group is trying an argument from absurdity tactic to show how ridiculous the claim that Washington State’s Andersen v. King County decision is that declared a “legitimate state interest” for the state to restrict same-sex couples from legal marriage.

Washington Defense of Marriage Alliance

If passed by Washington voters, the Defense of Marriage Initiative would:

* add the phrase, “who are capable of having children with one another” to the legal definition of marriage; * require that couples married in Washington file proof of procreation within three years of the date of marriage or have their marriage automatically annulled; * require that couples married out of state file proof of procreation within three years of the date of marriage or have their marriage classed as “unrecognized;” * establish a process for filing proof of procreation; and * make it a criminal act for people in an unrecognized marriage to receive marriage benefits.

Patents Now Open For Dispute

Tue, 16 Jan 2007 09:10:00 -0800

Patent litigation could explode in the wake of the Supreme Court’s ruling Tuesday in a closely watched dispute over patent validity between two biotechnology firms.

The Court, by an 8-1 vote, reinstated a lawsuit by MedImmune challenging a Genentech patent related to Synagis, a popular drug for treatment of respiratory disease in children. The opinion in MedImmune v. Genentech, written by Justice Antonin Scalia, says patent licensees no longer have to breach the license in order to have standing to challenge the patent that they dispute. Patent lawyers say the ruling could lead to a flurry of challenges to existing patents.

This is great news! I hope to see a lot more bogus patents being challenged.

High Court Ruling Could Spark Surge in Patent Challenges

Seattle Public Library Catalog Toast

Fri, 15 Dec 2006 14:42:00 -0800

Ouch. Clever page title though: “There goes our five nines…”

Sexual Consent: Hilarious

Sun, 03 Dec 2006 14:37:00 -0800

07:00

This video is hilarious! Probably not suitable for work if the audio is on.

glumbert.com | Sexual Consent

Slashdot | First Person Account of

Sat, 02 Dec 2006 16:03:00 -0800

Slashdot | First-Person Account of a Social Engineering Attack

Slashdot | Possible Serious Security

Sat, 02 Dec 2006 16:00:00 -0800

Slashdot | Possible Serious Security Flaw In ATMs

TECH.BLORGE.com » Blog Archive »

Sat, 02 Dec 2006 16:00:00 -0800

TECH.BLORGE.com » Blog Archive » Definitive guide: Windows Vista and XP head to head

Nist Blasts Paperless Electronic Voting

Sat, 02 Dec 2006 15:58:00 -0800

The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable. I’ll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It’s amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

Slashdot | NIST Condemns Paperless Electronic Voting

Dangerous Plastic Packaging

Sat, 02 Dec 2006 15:54:00 -0800

I’ve been wondering this and noting that more and more products are coming wrapped in this stuff. I use a tchochke that I got from Tripwire that has a tiny corner of a razor blade on it to open these packages, but even then, the cut plastic package is sharper than the razor. I’ve cut myself on several occasions. The unusual shapes of the packages doesn’t make it very easy to cleanly open either.

Slashdot | Plastic Packages Cause Injuries, Revolt

Of Course This Happened In Florida

Sat, 02 Dec 2006 15:51:00 -0800

This might get the award for best article title too.

The Seattle Times: Nation & World: He was naked, on crack and in alligator’s mouth

“A gator’s got me,” Apgar replied, his voice faint in the background.

Mayid’s call shortly after 4 a.m. sent four Polk County, Fla., deputies racing to the 2,150-acre lake just outside Lakeland, Fla., where they jumped into the water and wrenched Apgar’s arm from the gator’s mouth. The 45-year-old victim, who told authorities he’d passed out nude on the shore after smoking crack cocaine, was rushed to a hospital in critical condition.

Later Wednesday, state wildlife authorities trapped and killed a nearly 12-foot-long alligator thought to be the one that attacked Apgar. ….. Sheriff’s officials have said Apgar, 45, suffered a broken right arm. His left arm was nearly severed, and he had bites to his buttocks and leg. He underwent surgery Wednesday afternoon at Lakeland Regional Medical Center

Free Music Archive

Wed, 29 Nov 2006 15:50:00 -0800

Free Public Domain Music - Welcome to Musopen.com

Legal Standards For Expert Witnesses

Mon, 27 Nov 2006 06:11:00 -0800

Daubert Standard - Wikipedia, the free encyclopedia

Installing An Uncrippled Ffmpeg On Ubuntu

Sun, 26 Nov 2006 16:52:00 -0800

I’m trying this right now on Edgy Eft:

po-ru.com: Fixing ffmpeg on Ubuntu

It seems one can set DEB_BUILD_OPTIONS=risky to enable the missing codecs rather than editing debian/rules and building the package manually.

sudo apt-get build-dep ffmpeg

sudo apt-get install liblame-dev libfaad2-dev libfaac-dev libxvidcore4-dev checkinstall fakeroot

DEB_BUILD_OPTIONS=risky fakeroot apt-get source ffmpeg –compile

sudo dpkg -i ffmpeg-blah.dpkg

Cia Kryptos Sculpture Has A Typo

Fri, 24 Nov 2006 17:00:00 -0800

It's not really a typo but an intentionally left-out X separator for 
aesthetics on the sculpture that was intended to result in gibberish 
when decrypted that would clue in the decryptors to reinsert a separator 
and try again, except it ended up spelling something intelligible 
instead of garbage so they thought they had decrypted it properly!
```[A Break for Code Breakers on a C.I.A. Mystery - New York Times](https://www.nytimes.com/2006/04/22/us/22puzzle.html?ex=1164603600&en=52cd0484e7cbb98b&ei=5070) 

> For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.

Upgrade IE ASAP

Fri, 24 Nov 2006 16:53:00 -0800

A study from a year ago but just as valid today. Actually, over the past year, IE got much worse. There were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update) You can also switch to Firefox or Opera to get better security but please don’t use IE 6.x or older anymore!

Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7. So, it will force Windows 2000 users to upgrade to XP first. That is probably also a good thing for security though.

Schneier on Security: Internet Explorer Sucks

Washington State exercising new Anti Spyware law

Fri, 24 Nov 2006 16:44:00 -0800

Rob McKenna is a good friend of the Security community here in Washington. Go get ’em!

–Washington AG Alleges Spyware Act Violations (16 & 14 August 2006) Washington State Attorney General Rob McKenna has filed a lawsuit against Movieland.com parent company Digital Enterprises alleging violations of the state’s Computer Spyware and Consumer Protection Acts.

People sign up for a free, three-day trial of the company’s software that allows them to download movie clips. After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent.

The pop-ups, which appear hourly or even more frequently, read “Click ‘Continue’ to purchase your license and stop these reminders.” The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.

https://www.theregister.co.uk/2006/08/16/washington_movie_spyware_lawsuit/print.html https://www.networkworld.com/news/2006/081406-washington-sues-movie-download-service.html

Department Of Homeland Pork

Fri, 24 Nov 2006 16:41:00 -0800

Get this: The list of top terrorist targets from the Department of Homeland Security is seriously braindead. It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory 3,650 sites total. What’s going on? Pork-barrel politics is what’s going on. We’re never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn’t even try to hide the pork-barreling by making the inclusions and omissions clear and blatant. Oy. I reluctantly file this in the security category…

The Seattle Times: Local News: Dept. of Homeland Lunacy

When it comes to homeland security, I give up.

I’ve tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I’ve critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I’ve resorted to that columnist stock-in-trade: mocking and satirizing.

But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.

How To Break A Common Master Combination Lock

Fri, 24 Nov 2006 16:38:00 -0800

Here’s a description of how to open a common Master brand lock in about 10 minutes. The design makes the 40^3 possible combinations collapse to 121. It’s a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock that I forgot the combo to that this will definitely come in handy for…if I can only find the lock…

Airport Security Oversights From The Onion

Fri, 24 Nov 2006 16:35:00 -0800

This was the most troubling one:

Airport Security Oversights | The Onion - America’s Finest News Source

Sept. 3, London to New York: A few Muslim people may have slipped through with their dignity

Encrypted Government Announcements

Fri, 24 Nov 2006 16:33:00 -0800

U.S. Cryptographers: ‘FrpX-K5jE-Oc4n-e5Dn’ | The Onion - America’s Finest News Source

WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that “FrpX-K5jE-Oc4n-e5Dn” if “Ha4d-87gH-uiH3-gB5r-g8Bh” late Monday.

Fashion Advice For Geeks

Fri, 24 Nov 2006 16:30:00 -0800

So, there happen to be these unwritten rules of style that change all the time that nobody seems to tell you about and it’s hard to ask and for many, harder to know you should ask. And there are people in the work world that do judge you by your appearance, for better or worse, consciously and unconsciously. Here is some advice that I have culled from significant others, from experience and observation in the workplace, from the advice in Esquire, and even from What Not to Wear on TLC.

No pleated pants Get rid of your pleated pants in favor of flat-front pants. Flat-front pants are simpler, more modern looking, make you look slimmer, and not like an old man.
Clothes should look new and fresh If your sweaters are pilled and your pants have wallet or knee wear marks, or the cuffs are frayed, it’s time to get some new clothes. Buy something new and donate the old.
Get pants with the proper length If you don’t know your length, get measured or fitted in a store sometime. Your pants should “break” at the ankle and continue down slightly over your shoe. If you can see your socks when standing, your pants are too short!
Appropriate sock color White socks are generally not going to work with any business casual attire, unless is Miami Vice white suit day, but even then you probably would be better going without socks…but I digress. The general rule with socks is they should not be noticeable! If your socks stand out, they are wrong for your outfit. I mostly wear neutral socks that match my pants to not draw attention to them. If you are wearing athletic socks with slacks you need to go to Costco and get some Gold Toe dress socks and save the nike socks for the gym.
Your shoes tell all They say you can tell a man by his shoes–they make or break an outfit. You can be totally put together elsewhere but if your shoes are crap, it’s game over. What do your shoes say about you? Are they tired, scuffed, worn and dirty or new, sleek, stylish and shiny? It sucks but you really should have several pairs of shoes so that you can rotate them. Avoid wearing one pair day-in and day-out so that they will last longer and look fresh when you do wear them. I’ve even bought two of the same less expensive pairs of shoes that I liked to keep them looking nicer longer. Oh, and invest in a shoe brush and some instant shine pads. Esquire recommends using black polish–even with brown shoes.
Wear the right size shirt This is another one of those things you’re never taught: how to know you have the right size shirt. Here’s the best way to know: Where the sleeves attach to the main body of the shirt, it makes a line. That line should roughly be even with the very edge of your shoulder blade. More than a 1/4 inch past that and your shirt is probably too big. I often see this with people who wear golf shirts (even PGA pros are bad offenders. Tiger Woods does it right though). Another way to tell if your short-sleeve shirt is too big is if your sleeves extend far past your elbow. They should probably end short of your elbow if it is sized correctly. Having the right size shirt means a sharper, put-together look. Oversized shirts tend to look sloppy or overly-casual.
Dress for the position you want, not the one you have. Hey, I’ve been there where I loved being able to wear jeans and a T shirt because, hey, nobody sees me in the server room. But, if you have higher aspirations or if you interface with business folks who tend to dress nicer than you, then your clothes can be a distraction from you and your message. If anything, your clothes should be neutral or enhance your message. Beware of some managers who get nervous if their underlings dress nicer than they do, but that isn’t really your problem–it’s theirs for not dressing to their level in the organization!
Skip ironing – use the cleaners! Nothing says sloppy like a button-down shirt that has not been ironed or is poorly ironed. The difference I found with people who truly look sharp is not just tailoring but well-maintained clothing. It is so cheap to have someone else iron your shirts and it looks 1000 times better than if you try to do it that it is well worth the investment. And you can usually get a couple of wears out of each shirt before it needs to be sent back for cleaning and ironing. I pay $0.99 / shirt. If you have nice pants, you can usually get away with ironing them yourself but professional pressing also looks a lot better and holds longer than home ironing.

Rfidiots Mandating Insecure Rfid Passports

Fri, 24 Nov 2006 15:39:00 -0800

Nice proof of concept code that can read passport data posted to BUGTRAQ. The “key” is comprised of data on the passport itself so you can remotely decrypt someone’s data only if you know this information, or can brute-force it since it is a small keyspace:

The Passport number

The Date Of Birth of the holder

The Expiry Date of the Passport

The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called ‘mrpkey.py’.

This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.

Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you’re a Canadian in foreign countries?

Also see this news story.

Patents Are Bad For Society

Fri, 24 Nov 2006 15:33:00 -0800

James A. Donald had a great rant to the Anti-Fraud mailing list about how patents just don’t work, at least for their intended purpose of furthering public knowledge.

The theoretical justification for patents has seldom worked in practice. Most patents are flagrantly bogus, always have been. Of the few legitimate patents, the vast majority merely obstruct the development and application of the technology, without in fact making money for the inventor. The normal outcome of patenting a genuine innovation is that people construct second rate workarounds, as Microsoft just did. The destructive effect of patents is merely most visible in those fields that are advancing most rapidly - cryptography being such a field.

These are the fatal flaws of patents–that they are often used these days to stifle competition or to patent ludicrous things like 1-click shopping or automatically launching active content in a webpage. The whole system needs to be revamped.

Competitive Information For Picking An Antivirus Solution

Fri, 24 Nov 2006 15:21:00 -0800

This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks. They also show the data from the previous year.

I personally recommend F-Secure’s product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee…) I’ve heard from others who enjoy Kapersky as well, so either of those would be good choices and happen to both top this list.

I also personally got rid of McAfee products after a multitude of issues:

1. The product is seriously bloated and the Security Center product seems geard toward selling other products by McAfee than providing normal users with value. 2. Many of the products in the suite are not well integrated. They often had their own installers and were a real pain to uninstall. 3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so). 4. Their website security is horrendous. My wife forgot her password to their site so she used their “forgot my password” feature. Guess what? They emailed her, not a new random password, but her _actual password__ This from a security company!_ They either store passwords without encryption or store them with reversible encryption–both of which are seriously bad ideas and McAfee should know better.5. Their suite product line is very expensive and the price seems to go up every year. They have since reworked their product line and it seems to be better now. 6. I read the F-Secure blog and can tell those guys really get security. 7. McAfee was the company with the poor QA that removed critical Office files to “protect” you and also mislabeled a legitmate ISP software program 8. McAfee products, like Symantec, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows. The cure is worse than the disease?

Ranking Response Times for Anti-Virus Programs - security Fix

Four Challenges For Computer Security Research

Fri, 24 Nov 2006 14:47:00 -0800

I would add a 5th item:

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard. That’s why you see so many tools and vendors hawking tools but not as much work. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far. It’s an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It’s a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don’t care who is connected to the wireless network because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?

As for item #3, I don’t think that I believe that there can be “quantitative” security risk management. The biggest problem is that there is not enough good data to base future risk upon (try this: how do you quantify risk of brand damage due to event X?).

Item #4 is very important and speaks to ensuring security systems are usable.

CRA (Computing Research Association) Grand Research Challenges

Four Grand Challenges in Trustworthy Computing:

1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years; 2. Develop tools and principles that allow construction of large-scale systems for important societal applications – such as medical records systems – that are highly trustworthy despite being attractive targets; 3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade; 4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.

Security Usability: Not much progress since 1883 or 1975

Fri, 24 Nov 2006 14:33:00 -0800

This is a great article by Peter Gutmann and Ian Grigg on security usability that lists the six principles for a secure communications system put down by Auguste Kirchoffs ca. 1883. Even he understood the need for usability back then:

Given the circumstances that command its application, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

Psychological Acceptability has been defined as a critical aspect of secure systems for over 30 years by Saltzer and Schroeder (1975): The Protection of Information in Computer Systems

It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.

Dmca Still Stands But Now With Some Exemptions

Fri, 24 Nov 2006 14:19:00 -0800

It’s still a shitty law though. Something else I will happily ignore to avoid my fair use rights being infringed. Again, how could I watch DVDs (legally rented/owned) on my Linux box without doing so?

Boing Boing: Copyright Office creates 6 DMCA exemptions

the office refused to grant exemptions that would benefit the general public – space- and format-shifting, backing up your DVDs – and they took back an earlier exemption that let people reverse-engineer the blacklists maintained by censorware companies to bring some transparency to their process.

YouTube shutting down ability to download videos from YouTube

Fri, 24 Nov 2006 14:17:00 -0800

07:00

Hey, I’m on a Linux computer and because they insist on requiring Flash to play the videos, the only way I can view them is to download them and watch them with Xine. I plan on violating their terms of service…to continue to access their service…

Lawrence Lessig: When Web 2.0 meets Lawyers 1.0

Blog Popularity Inversely Proportional To Amount Of Quot Linking Quot-

Fri, 24 Nov 2006 11:03:00 -0800

quot-

Summary: people link to bloggers that provide more original content than who just provide links to other places that do so.

Funny because I was just thinking about this regarding this blog. I think it’s cool when people enjoy what I provide on this blog, but I really don’t care if people read it or not. This is where I keep track of stories and topics that interest me, instead of saved emails or bookmarks that I never look at again. I can always go back and find what I found interesting and what I wrote about it. Pretty cool in my book.

My blog doesn’t really have many that link to it and probably the fact that I post many links without a lot of commentary a lot of the time is a good reason why. But I disagree that nobody links to linkers. I personally like blogs because they act as filters or lenses that focus news and interesting content. There are tons of blogs but I like the ones whose mix of topics coincides most with what I’m interested in. Even if they just link to other places, that’s fine with me. It’s the filtering service that is the value-add, not necessarily original content.

That said, I have anecdotal evidence that my blog only gets noticed when I post original content. My recent entry about SOA security is a perfect example. I also was thinking about how I like the SANS newsbites because they actually summarize the stories they link to, not just provide links (on a related note, the links in Crypto-Gram require me to go read every story that sounds interesting so I generally read fewer of them).

No-one links to the linkers at Andrew Garrett’s Mutation

Richard Dawkins Mania In Silicon Valley

Fri, 24 Nov 2006 10:48:00 -0800

I was bummed that he didn’t come to Seattle on his tour, but I’ll enjoy listening to the mp3 of his appearance in Silicon Valley.

Who Has Time For This?: Silicon Valley Loves Richard Dawkins

Verizon settles class Action suit about deceptive practices regarding crippled phones

Fri, 24 Nov 2006 07:48:00 -0800

This is great news. They did the same with other phones, including the e815 that I have. Fortunately, there are ways around this to re-enable the crippled features, but they are out of reach to most consumers. I had to buy a data cable and software on eBay to uncripple my phone.

[infowarrior] - Verizon Slapped for Crippling Bluetooth

Verizon has been getting weasely with some of its customers in California who bought its Motorola v710 Bluetooth-³capable² phone on or before January 31, 2005. Preliminary approval of the settlement was granted in a California court for a class-action suit against the company because it didn¹t accurately tell prospective customers that its Bluetooth features weren¹t what they appeared to be. Verizon said the phone ³works with a PC² but left out that part about how you can¹t wirelessly sync photos or contacts or any other files using Bluetooth.

Ballot Design Not Dre Issues At Play In Fl Undervote Anomalies

Fri, 24 Nov 2006 06:52:00 -0800

It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording them. But user interface designs can certainly be abused maliciously, or likely unintentionally, to create these situations. How ironic is it that the DREs that were touted to Help America Vote are actually helping them to undervote, due to poor design/implementation of the ballots?

Proper UI is just as important as sound underlying technology in ensuring proper understanding and usability of a system. Recall Why Can’t Johnny Encrypt? A Usability Evaluation of PGP 5.0 and the more recent Why Johnny Still Can’t Encrypt: Evaluating the Usability of Email Encryption Software for how even known secure software can result in insecure and unintended actions by the user. The infamous Butterfly ballots were not DRE-based but certainly were flawed UI that caused voting errors in previous elections so this is not a new issue to software or to voting by far.

This is a perfect example though of how using DREs to generate human-and-machine-readable reciepts (voter verifiable) could allow for voters to detect their undervotes before they drop them into the ballot box. There could even be very blatant warnings to the user on the receipt and on the screen that they didn’t vote in X of the races to help prevent unintentional undervotes. Did these companies do any focus group testing of DREs?

FL-13: More Evidence of Ballot Design Issues - TalkLeft: The Politics Of Crime

…Bev Harris and the Jennings campaign want you to think otherwise. They want to point away from their mistakes. But the real problem was the design…

Scans From 1962 Fallout Shelter Handbook

Wed, 22 Nov 2006 15:51:00 -0800

The Ward-O-Matic: Fallout Shelter Handbook 1962

I’ve been working on emergency preparedness for my neighborhood lately so this is very apropos.

BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don’t forget supplies for your pets too!

Apostrophe Abuse Is Cruel

Wed, 22 Nov 2006 15:48:00 -0800

Boing Boing: Atrocious apostrophe’s and “quotation” “mark” “abuse” photo galleries

Two Flikr galleries dedicated to photo’s of apostrophe and quotation mark abuse. I can’t believe my previous post on Common writing mistakes didn’t touch on this pet peeve of mine.

2006 Gift Card Landscape

Wed, 22 Nov 2006 15:13:00 -0800

Good news about gift cards. I was just thinking the other day about these practices and it looks like, just in time for the holiday season, you can find out which ones have done away with those pesky expiration dates (are you listening Amazon?) and fees.

And a hint for the upcoming holiday: Gift cards make great gifts…

2006 Gift Card Study (Page 1 of 4)

If you want a gift card you can use anywhere, you’ll pay for the privilege, while gift cards from individual retailers are less costly and sprouting more options.

Those are the major findings of the third annual Bankrate.com Gift Card Study.

Retail store gift cards continue to be a consumer-friendly credit product, with fees and expiration dates the exception rather than the rule. The retailers can make a profit from the merchandise users buy.

Gift cards from the major credit card issuers, though, still carry an assortment of fees. All continue to charge monthly “maintenance” or “dormancy” fees, ranging from $2 per month to $3, if the gift card isn’t used within a certain period of time. All but American Express have expiration dates.

Bankrate surveyed the top 25 retailers, as identified by the National Retail Federation, about the costs, terms and conditions of the gift cards they offer, both plastic and electronic. We also surveyed the four largest credit card companies: American Express, Discover Card, MasterCard and Visa.

The Official God FAQ

Wed, 22 Nov 2006 14:43:00 -0800

07:00

There is only one question and the answer is not 42.

The Official God FAQ

On The Performance Of Ssl Vs Ws Security

Mon, 20 Nov 2006 15:11:00 -0800

I’ve been meaning to rant about this for a while.

I’m sick and tired of hearing about the false dichotomy of WS-Security versus SSL and why its performance is somehow going to be so much better than SSL transport encryption of SOAP-based web services. Pundits often point out that SSL has to encrypt the _whole payload_ while WS-Security can be used to digitally sign and/or encrypt only those attributes that absolutely need encrypting or signing.

This kind of reasoning is preposterous and is nowhere near being based on any facts or data, yet these talking points are ever-popular with the “SOA: the Armageddon is near” or WS-NotJustForBreakfastAnymore crowd.

For these people, I have one simple question for you about the assertion that WS-Security is always going to perform better in software than simply using SSL intelligently for the entire transport:

**How is it that you can claim that WS-Security digital signature or encryption (with one _or more_ asymmetric plus 1 _or more_ symmetric crypto operation per request PLUS base64 encoding bloating the request PLUS extra SOAP XML tag hierarchies wrapping the encrypted/signed data section that need to be transferred over the network) is going to be faster in general than SSL (with one asymmetric crypto operation at session initiation, and henceforth 1 symmetric crypto operation per packet)?

**It has often been vendors of XML firewalls and Microsoft web services evangelists that are the worst offenders. I’d love to hear some answers you get to this question. I haven’t gotten a sensible one yet. Asymmetric crypto operations are roughly 1000 times slower than symmetric crypto operations. I would love to see actual hard data based on a valid underlying test scenario proving that WS-Security is faster than SSL even in the face of this reality. But nobody who makes these claims has it and I can’t see it just based on the orders of magnitude difference between the computing time required for the crypto. That is even before you factor in the additional latency for transmitting the extra bytes for the WS-Security payload and the extra parsing time and the likely need to have to encrypt and decrypt multiple separate data elements individually.

Yes, in the purported SOAP-router kind of network where SOAP is treated as if it were a wire-level protocol there are problems with SSL since it is not end-to-end, but that is a red herring when we are debunking the claims of enhanced performance. Stop changing the subject! There can be a place for WS-Security in some advanced SOA scenarios, but strictly on performance, I can’t see there being any comparison. And most people aren’t implementing anything like the SOAP architects envisioned anyway (but don’t let that stop the vendors from beating that drum). Most people are still using SOAP for point-to-point services which often replace other wire-transports or technologies (e.g. DCOM, CORBA, proprietary XML services, etc.)

Performance issues with SSL have generally nothing to do with the fact that you are encrypting an entire payload instead of just subsets of the data. For small messages that typical SOAP calls are, this is perhaps a few clock cycles per request. I can say from lots of experience with lots of development teams that at least 90% of the performance problems with SSL in general are due to seriously flawed implementations. The other 10% is generally actual performance impact because the systems on which it is running are vastly undersized because the system was not designed to be secure (but rather designed on the omission or hope that they wouldn’t have to size it to handle the required security).

If you implement SSL to intelligently minimize the asymmetric crypto operations to the absolute minimum by pooling connections and pinning them up and using keepalives, then you are barely going to notice its impact, especially on properly-sized hardware or if you use hardware crypto accelerators. But if it is done incorrectly, or not accounted for in sizing, SSL will remain the whipping boy of many an environment.

Oh, and I have data showing how SSL can actually _speed up_ connections under certain conditions.

Some Good News on the McCain Front: Attacking NOAA for delays in global warming report

Mon, 20 Nov 2006 14:43:00 -0800

Ugh.

TPMmuckraker November 17, 2006 01:35 PM

“You know,” McCain said a few moments later, “you are really one of the more astonishing witnesses that I have [faced] – in the 19 years I’ve been a member of this [Senate Commerce, Science and Transportation] Committee.”

Lautenberger explained that his staff was working on “pieces” of the report, and conceded the November 2004 deadline had been a “difficult requirement to meet.”

More Mccain Flip Floppery Now On Abortion

Mon, 20 Nov 2006 14:38:00 -0800

Think Progress: McCain Flip-Flops, Supports Immediate Reversal of Roe v. Wade

Great Moments In Sarcasm

Mon, 20 Nov 2006 14:36:00 -0800

Eschaton

In the early 1990s I built a workable time machine. All it lacked was the flux capacitor and 1.21 gigawatts of electricity.

Club Heaven

Mon, 20 Nov 2006 14:34:00 -0800

75% of Americans think they’ll get into Heaven? They must be Evangelicals whose sole criteria is “belief” and not “good deeds”… At least I’ll have lots of friends in hell.

ABC News: Poll: Elbow Room No Problem in Heaven

Who gets in is another matter. Among people who believe in heaven, one in four thinks access is limited to Christians. More than a third of Protestants feel that way, and this view peaks at 55 percent among Protestants who describe themselves as very religious.

Another Mccain Flip Flop

Sat, 18 Nov 2006 15:24:00 -0800

Crooks and Liars: St. McCain’s look of desperation

McCain once had words of praise for Senator Kerry, but he played the repugnican party line during the election and trashed him for his botched joke–acting as if he really believed Kerry, a decorated veteran, was actually disparaging the troops and not Bush. Politics is disgusting. McCain should take what Olbermann said about Rove and Bush to heart:

Crooks and Liars: Olbermann’s Special Comment : There is no line this President has not crossed — nor will not cross — to keep one political party, in power.

Mr. Bush and his minions responded [to Kerry’s gaffe], by appearing to be too stupid to realize that they had been called stupid.

Bank Of America Jails A Customer Causes Backlash Gt 50 Million

Sat, 18 Nov 2006 15:07:00 -0800

The This is Broken blog is a pretty cool idea too. There are so many processes, instructions, websites, etc. that just don’t work quite right. They get posted to this blog!

This Is Broken - Bank of America jailing a customer

Matthew Shinnick dropped by a Bank of America branch in San Francisco to make sure a check he was about to deposit wasn’t fraudulent. The teller found that the check was fraudulent and told the manager, who then had Shinnick thrown in jail. Are you getting this right? The customer who wanted to make sure he wasn’t about to draw on a fraudulent check, got thrown in jail by Bank of America.

In response, customers have withdrawn or removed at least $50 million (at last count) from B of A in protest. See also Clark Howard’s site, who gave this lots of attention in California on his radio show.

Searing Discount Of Liebermann Win

Wed, 08 Nov 2006 07:11:00 -0800

The Insignificance of Lieberman - TalkLeft: The Politics Of Crime

What Big Tent Democrat says.

Bad Monday

Mon, 06 Nov 2006 15:42:00 -0800

I had one of the worst mondays in a while.

I was not feeling well but went to work anyway (I thought of resting up one more day and probably should have stayed in bed).

It was the first day back to work after being sick with fever for 3 days.

On my way to the bus stop, after only a 1/2 block from my house, my pants were soaked and shoes soaked through. The rain and wind has been insufferable this fall! I reluctantly went back home frustrated and not knowing if there was a way to possibly get to work but not be soaking wet all day. I decided the strategy would be sacrificial clothing. I geared up in my Costa Rica Rain forest gear (all drip-dry) and packed a new dry outfit to change into at work, including new shoes.

Well, the sack that I put my shoes in got a hole worn in it on the way to and from the bus. One shoe fell out on the sidewalk coming into my work building. Fortunately, someone saw it right away and alerted me.

When I went to put my shoes on, one shoe got laces worn in half from dragging behind my wheeled laptop bag.

Turns out my laptop bag was not waterproof so my dry pants got wet.

Turns out my brand new building downtown Seattle has no hand dryers in the new bathrooms! So, I couldn’t quickly dry my new pants.

So, I was stuck with wearing my rain pants while I waited for my others to dry out.

But those pants were still damp enough that they got my chair wet. So I had to switch chairs for the day after putting my dry pants on to avoid getting those wet again.

Ugh.

Antennaweb Tv And Hdtv

Mon, 06 Nov 2006 10:43:00 -0800

-hdtv

AntennaWeb

Seattle HDTV antenna map mashup

Mon, 06 Nov 2006 10:32:00 -0800

HDTV Magazine - Broadcast HDTV Market : Seattle-Tacoma

Opml Sharing Site

Sun, 05 Nov 2006 08:01:00 -0800

-site

Share Your OPML: Top 100 Feeds

Bush Amp Reichert Get Issaquah Bus Driver Fired

Thu, 02 Nov 2006 05:03:00 -0800

The Royal Fingerer Can Dish it Out But Can’t Take it"

Bus driver allegedly flips off Bush so Bush and Reichert complain and the bus driver gets fired. Where is the compassion in that conservative again?

Good Info On Compact Fluorescent Lamps

Mon, 30 Oct 2006 13:17:00 -0800

Plus recommendations on where to, and where not to, use them, based on the best use of the technology for the money without excessive wear on the lamps.

What C.F. Lamps to Use Where

More Constitution Shredding By Bush Administration

Mon, 30 Oct 2006 11:52:00 -0800

Boing Boing: Bush legalizes martial law – what Constitution?

Foxtrot Comic On Electronic Voting Machines Quot Scary Quot-

Mon, 30 Oct 2006 11:48:00 -0800

Welcome to goComics Web Site featuring FoxTrot - Online Comics, Editorial Cartoons, Email Comics, Political Cartoons

10-29-2006 sunday comic in case the link breaks in the future.

Congressman Oops Results In Legal And Civil Liberties Violation Of Student

Mon, 30 Oct 2006 11:45:00 -0800

Something tells me that the government has too much power…

Boing Boing: Congressman on Boarding Pass Generator guy: Uh… oops?

Last Friday, Rep. Edward Markey (D-MA) called for the arrest of Christopher Soghoian, and the takedown of his “Boarding Pass Generator” website which illustrated an airline security hole documented on the web for several years. Hours after the congressman’s statement, Soghoian says FBI agents visited his home, then returned a second time after he’d left – in the middle of the night – with a search warrant signed at 2AM, and seized Soghoian’s computer(s) and other belongings.

Now, several days too late, Markey issues another pronouncement which backtracks on his earlier statement. It’s 250 words, but they boil down to one: “oops.”

Speed traps suck

Mon, 30 Oct 2006 11:40:00 -0800

Oh, you should boycott Newhalem, WA for the same reason. I’ll blog about that story someday.

saablog :: Stupid Utah. Stupid rental cars. - The rest of the story

Global Warming Report Pay Now Or Pay Lots More Later

Mon, 30 Oct 2006 11:33:00 -0800

Financial and ecological consequences by delaying the inevitable though.

Think Progress » GLOBAL WARMING REPORT: Right-Wing Fiction vs. Economic Reality

More Sad News In The War On Science And Reason

Mon, 30 Oct 2006 11:28:00 -0800

Think Progress » Senior Bush Appointee Rejected Scientists’ Recommendations In Favor Of Industry Positions

Julie MacDonald, Deputy Assistant Secretary for Fish and Wildlife and Parks, has consistently “rejected staff scientists’ recommendations to protect imperiled animals and plants under the Endangered Species Act.” A civil engineer with no training in biology, she has overruled and disparaged the findings of her staff, instead relying on the recommendations of political and industry groups.

Some Media outlets "forgetting" McCain's reversals

Mon, 30 Oct 2006 11:18:00 -0800

Especially heinous I think is the recent legislation McCain helped to broker that suspended habeus corpus for “enemy combatants”, and allows torture, among other dreadful things. I used to like McCain, but now he’s pimped himself out for too many political purposes I think.

Media Matters - Despite McCain’s many hedges, Borger asserted that “[n]o one would accuse McCain of equivocating on anything”

In her latest column, posted online on October 29 and that will appear in the November 6 edition of U.S. News & World Report, U.S. News contributing editor and CBS News national political correspondent Gloria Borger asserted that “[n]o one would accuse [Sen. John] McCain [R-AZ] of equivocating on anything.” Writing about the prospect of Sen. Barack Obama’s (D-IL) running for president in 2008, Borger contrasted him with McCain, asserting that Obama’s “penchant for wishy-washy is well documented.” Yet as Media Matters for America has repeatedly noted, despite an abundance of well-documented backtracks, flip-flops, and inconsistencies, the media continue to describe McCain with words such as “honest” and “authentic” and generally regard him as an unwavering purveyor of “straight talk.”

39-lucy-39-tour-coincides-with-quot-creation-museum-quot-

Mon, 30 Oct 2006 11:01:00 -0800

39-lucy-39-tour-coincides-with-quot-creation-museum-quot-

Oh brother. “allegedly 3.2-million” years old.

Biblical creationist blasts tour of ‘Lucy’ at Pandagon

The "ticking timebomb" argument is BS

Mon, 23 Oct 2006 15:02:00 -0700

Once Upon a Time…: Lies in the Service of Evil

I have written about the utterly fictitious “ticking bomb” scenario on several occasions. Because I do not want to engage in this exercise ever again, I have assembled here the major relevant arguments, so that they will all be in one place.

An excellent debunking of the “ticking timebomb” argument. Sorry Jack Bauer.

Windows Vista: SD^3 begets Popup Your Way To Security?

Wed, 18 Oct 2006 05:08:00 -0700

Usable Security: Blog Archive: Security in Windows Vista: to 2002 and Beyond!

Popup-your-way-to-security in vista. If this is the logical conclusion of having something secure-by-default (one of the SDs in SD^3), we may be in real trouble.

VirusTotal: Free site to check malware and AV solution efficacy

Thu, 12 Oct 2006 01:57:00 -0700

Aviv Raff On .NET - VML Exploit vs. AV/IPS/IDS signatures

Article showing how VirusTotal revealed how easy it can be to create “variants” that go undetected by most Anti Virus products. The VirustTotal website could be a valuable resource.

No Fly List

Tue, 10 Oct 2006 02:43:00 -0700

Schneier on Security: No-Fly List

What a piece of crap!

New Google Code Search

Tue, 10 Oct 2006 02:38:00 -0700

Google code search (kottke.org)

Find all sorts of interesting things in source code out there, or web sites running interesting code. There’s a great list to get you started “Google Code Hacking”.

Microsoft Bug Reporting Process Makes Me Cacl

Mon, 09 Oct 2006 13:28:00 -0700

The story of how Microsoft has ended up with so many unconnected and uncoordinated versions of command-line tools to manage setting and displaying ACL (Access Control List) entries is funny enough, but wait until you hear about my experience trying to report a bug in the tool. First, on the sordid history that has lead to three versions of the same tool, instead of one version that actually works correctly and handles all situations. There was first cacls.exe, which shipped with windows AFAIK. That was missing some key features so in all their wisdom, Microsoft released xcacls.exe in a resource kit that made up for the shortcomings in cacls.

So, I found a small bug in Microsoft’s

I called Microsoft to find out how I could report the bug in XCACLS.vbs and after voice jail and being put through the regular support cruft they said that the only way to report bugs is by US Mail! They don’t have any email address or way to report them via their support line. I told them to forget it. I’d just post something on my blog so that someone having the same problem can find it via google (and that then maybe Microsoft might google it someday so they can fix the problem).

Ing Direct'S Anti Phishing Measure Backfires

Mon, 09 Oct 2006 13:17:00 -0700

Another funny observation I had was about ING’s anti-phishing security mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can’t change it to an easily-rememberable one) which you can’t likely remember so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security from the obscurity.

However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often because although you have to type in more information, the usability is better because it is faster to do this than to look up what my login ID is. But, they have now created a great target for phishers that can undo all the benefits of the hidden login ID and the additional measures on the site because this feature is not protected with their RSA/Cyota eStamp as their login dialog is.

YouTube: Hours of entertainment

Mon, 09 Oct 2006 13:16:00 -0700

YouTube - White & Nerdy

This is hilarious.

And for other Halo fans (and lovers of the original skit from Monty Python) is this mashup:

YouTube - Monty Python Halo

Net Neutrality Issue For Dummies

Mon, 09 Oct 2006 13:12:00 -0700

Network Neutrality Threatened In Norway

A very clear description of the Net Neutrality issue and how the claims made by those against it are baseless.

Repeat After Me Quot Gay Quot And Quot Pedophile Quot Are Not Remotely Related Quot-

Sat, 07 Oct 2006 17:50:00 -0700

quot-

MotherJones.com | MoJo Blog - Social Issues and Political Commentary: Repeat After Me: “Gay” and “Pedophile” Are Not Remotely Related

I just heard Limbaugh today repeating the crap talking point about the Foley issue being about the existence of a “gay” republican. That is bullshit. This is about exploitation and preying on innocent children. Wanker.

Olbermann'S Blistering Retort Of Bush Vile Attacks On Democrats

Sat, 07 Oct 2006 17:31:00 -0700

Crooks and Liars: Olbermann’s Special Comment: It is not the Democrats whose inaction in the face of the enemy you fear

Incompetence To Breed More Incompetence In Bush Administration

Fri, 06 Oct 2006 16:19:00 -0700

Think Progress: Bush Asserts Constitutional Right To Hire Incompetent People At FEMA

More News Media Lameness Abuse Of The Question Mark

Fri, 06 Oct 2006 11:16:00 -0700

-mark

Crooks and Liars: Jon Stewart’s Hilarious Look at the Use of the Question Mark

Note to news media: Report the FACTS on the NEWS and lose the question mark.

Security and Privacy "Certifications" often mean the opposite

Fri, 06 Oct 2006 06:56:00 -0700

Certifications and Site Trustworthiness

An excellent paper summarizing many of the problems with certifiers such as TRUSTe as well as showing that sites that get these certifications to prove their trustworthiness are actually more likely to NOT be trustworthy!

I know companies who are simply concerned about wanting customers to _think_ that their site was secure that they worked on getting a certification instead of investing in actually _making_ their site secure. No corrective action was taken to align technology or processes to the spirit or letter of the “certification”. The same crummy procedures and mindsets that existed before the certification were there after the certification.

I have actually helped fill out the TRUST-e questionnaire the difficulty in answering their survey questions with 100% knowledge of everything that goes on in a company even though it tends to certify the site.

Online File Format Conversion Website

Thu, 05 Oct 2006 10:40:00 -0700

Media Convert - free and on line - convert and split sound, ringtones, images, docs - MP3 WMV 3GP AMR FLV SWF AMV MOV WMA AVI MPG MP4 DivX MPEG4 iPOD OGG WMA AAC MP4 MPC MMF QCP KAR MIDI REALAUDIO FLAC JPG PSD DOC PDF RTF TXT ODG ODP ODS ODT SXW WK1 MDB X

Would only be cooler if it removed DRM!

Right Wing Pundit Wankers More Good Use Of Free Speech

Tue, 03 Oct 2006 16:08:00 -0700

scootmandubious: GOP’s Revealing Response To Foley Scandal

Step right up! Join your fellow Right-wingers and go on record as a child predator apologist! Downplay the crime of statutory rape! Justify the coverup as necessary for political reasons!

White house withholding report linking Global Warming to Increase in Hurricanes

Wed, 27 Sep 2006 11:36:00 -0700

Crooks and Liars: White House Bars Hurricane Report

More in the front on the War on Science. Ugh.

43 Things Interesting User Driven Site

Wed, 27 Sep 2006 11:13:00 -0700

43 Things

“Discover what’s important, make it happen, share your progress. Find your 43 things.”

I just came across this site. Seems like a fun idea. You can add your own thing that “you want to do with your life” or see what other people said and use those ideas. You can track your progress. Larger fonts indicate more popular topics in the list. There are thousands of people from around the world on there. It also shows “People doing this are also doing these things”, which is interesting as well.

TSA Insecurity. An economists perspective

Mon, 25 Sep 2006 16:44:00 -0700

Freakonomics Blog: An airplane announcement I’ve been waiting for

if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?

Faux News Wishes No News Of Clinton Smackdown Of Wallace

Mon, 25 Sep 2006 16:30:00 -0700

Fox and the Clinton Interview: Hanlon’s Razor

This was a long-overdue smackdown by Clinton after being sandbagged on Fox. They forced YouTube to take down the video clip–trying to rewrite history. Stephanie Miller played the audio this morning–are they going to go after her too? Oh no, people will know that Fox is slanted to the right and giving people on the right a pass!

O'Reilly Peddling Lies Again

Sat, 23 Sep 2006 10:23:00 -0700

Media Matters - Bill O’Reilly’s enemies list, available in hardback for $26

Media Matters got an advance copy of O’Reilly’s new book and dissects the “errors, unsubstantiated claims, and baseless attacks that run through Culture Warrior”.

Upcoming debate on The Problem of Evil

Sat, 23 Sep 2006 09:53:00 -0700

Debunking Christianity: My Debate With David Wood on the Problem of Evil

October 7th but in Virginia. Transcript and video will be available afterward. I’ll be watching it…

Educate Yourself And Help Defend The Constitution

Mon, 18 Sep 2006 11:36:00 -0700

Atheist Ethicist: Defending the Constitution

take some time, come up with a couple of sharp arguments, and spread those arguments among the people. We can complain about how well or how poorly legislators defend the Constitution. However, ultimately, it is our job to defend the Constitution, and this is one of the greatest assaults the Constitution has ever been subjected to.

Do you care enough to help defend it?

It sickens me to hear people like Pat Robertson on McLaughlin group making these claims as if we know that the captured people are 100% guilty. We often don’t really know that, as evidenced by the many, many people we have captured, held, then let go free. We are considered innocent until proven guilty in this country to protect the innocent – and that is you and me – from unfounded abuse. Give that up and you or your family could be next. All it would take is for one of those in custody we are “coercively interrogating” (read: Jack Bauer tactics) to name you or your family. Then you could be sitting right next to them.

Quot God Doesn'T Do Well In The Free Market Quot-

Mon, 18 Sep 2006 11:20:00 -0700

The struggle to find the downside ended in failure at Pandagon

There are laws that prevent some businesses from being open on Sundays??? I thought it was “christian” pandering by businesses. It is really annoying that so many businesses are closed Sundays and if the government is the reason why, then that is appalling.

I like the quote about “God doesn’t do well in the free market.”

Iran Iraq Part 2

Mon, 18 Sep 2006 11:16:00 -0700

Crooks and Liars: IAEA calls US Report on Iran—a lie

Cooking the books to lead us into war with Iran now? Where have we seen this before…

Statistics show more stupidity of "terror alert levels"

Sun, 17 Sep 2006 14:35:00 -0700

Boing Boing: Flu, hernia, or police more to kill you than Al Qaeda

This is great. People tend to make decisions using the emotional, fear-driven parts of their brain. Even in the face of raw data about risks it is very hard for people to feel comfortable turning away from those hard-wired instincts for self-preservation and making decisions that conflict with those feelings. A look at this chart shows how irrational spending and decisions are in this country. And how trading security for a little perceived freedom is a bad tradeoff–especially when you are far more at risk from plenty of other factors. The incidence of government taking advantage of its citizenry is likely to be higher than terrorist attacks against America.

Unfortunately, politicians rely on the masses making poor choices on inaccurate or flawed data to keep them in power. Think about that when you vote this November. Those who want you to stay afraid are themselves afraid.

Diebold Voting Systems Hacked Again

Thu, 14 Sep 2006 15:31:00 -0700

The BRAD BLOG : HACKED: VIRUS IMPLANTED, SPREAD ON DIEBOLD TOUCH-SCREEN VOTING MACHINE!

Researchers at Princeton, including Ed Felton, have been able to implant malicious code on Diebold touch screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.

The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?

Bush Sets Record Straight Iraq Had 'Nothing' To Do With 911

Thu, 14 Sep 2006 10:51:00 -0700

Think Progress: Bush Now Says What He Wouldn’t Say Before War: Iraq Had ‘Nothing’ To Do With 9/11

I saw this first on The Daily Show. I can’t believe this hasn’t gotten more press despite the large percentage of the country who have been made to accept the opposite as true because of the lapdog press and liars in this administration.

The new 9/11

Thu, 14 Sep 2006 10:41:00 -0700

Legal Fiction: THE TWO 9/11s

the second 9/11 is the political prop — a mangled, grotesque doppelganger of the first one that has been whored out on the political street for over four years now. The second 9/11 is the source of policies that have made the world far worse, and have killed many times the number of people who died in the Towers. And so, what’s truly tragic about the second 9/11 is that it threatens to forever stain the legacy of the first 9/11

Indeed. How hard was it to find a radio/TV station that wasn’t pushing 9/11 in your face? Who wants to hear another fearmongering speech by W? Not I.

Abc'S Of Abc'S Hypocrisy

Sat, 09 Sep 2006 16:46:00 -0700

Media Matters - “Media Matters”; by Jamison Foser

ABC and Disney, for starters, still plan to broadcast an account of the events leading up to the September 11, 2001, terrorist attacks that they know to be false.

This despite Disney’s 2004 refusal to distribute Fahrenheit 9/11, which was highly critical of President Bush, even though it was produced by a Disney subsidiary, Miramax Films. Then-Disney CEO Michael Eisner explained that the company “did not want a film in the middle of the political process where we’re such a nonpartisan company and our guests, that participate in all of our attractions, do not look for us to take sides.”

Church And State Just Snuggled Closer

Sat, 09 Sep 2006 03:24:00 -0700

Americans United for the Separation of Church and State

Americans United Condemns House Committee Passage Of Bill Cutting Off Attorneys’ Fees In Church-State Cases Measure Is More Pandering To The Religious Right, Says AU’s Lynn

Democrats have to take the house back in November.

Exploding Heads At Tsa

Sat, 02 Sep 2006 13:49:00 -0700

t-tsa

Boing Boing: What would the TSA do about exploding ID?

More Geek Project Goodness

Sat, 02 Sep 2006 13:49:00 -0700

Boing Boing: HOWTO make a twin-engine solar rolling robot

Airline Insecurity Anew

Sun, 13 Aug 2006 13:24:00 -0700

Crooks and Liars � Aviation Critic Michael Boyd on our Airport Security

Opposition To Nominated Us Chief Privacy Officer

Thu, 10 Aug 2006 21:07:00 -0700

I’m so tired of seeing privacy officers and council members who are lawyers first. They may understand the law, but they often don’t understand privacy. And lawyers tend to not consider risks outside of the legal/liability context. I’ve experienced privacy lawyers say that it was okay to not encrypt data anywhere internally because we only said “via our website” in our privacy policy. That may be true in a strict legal sense, but from an overall customer privacy and privacy threat model perspective, it doesn’t adequately ensure either adequate protection for customer privacy (the intent of the policy and assurances to customers) nor does it ensure an adequate privacy environment or mindset in a company (which itself often leads to more lax treatment of sensitive information and therefore breaches).

EPIC Alert 13.16

Open letter to DHS secretary Michael Chertoff

Latest Airline Quot Security Quot Hysteria

Thu, 10 Aug 2006 20:08:00 -0700

Educated Guesswork: Threat modelling airplane explosive detection

A good analysis of why the threat model of materials in checked luggage may be sufficiently different than carry-on that would need to hold for the new security measures to make sense.

I’m not sure I agree with Bruce Schneier’s assessment that, “Given how little we know of the extent of the plot, these don’t seem like rediculous [sic] short-term measures.” I don’t agree with this because if it is too risky to bring these kinds of materials onboard today, then why would it ever be okay to allow them tomorrow? It’s kind of like the precautionary disconnect from the Internet, “Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don’t magically shrink just because you updated the antivirus package.” It doesn’t make much sense occassionally stop trusting liquids/gels on airplanes, They are either a threat (someone can always masquerade a bomb as benign liquid at anytime and can always disguise a detonator as anything–imagine if terrorists use cellphones instead of keyfobs for a detonaor–the public reaction to banning cellphones in carry-on would be huge) or they aren’t. I agree that there is a heightened threat right now, but that threat has been and will be nonzero, so when will it be “safe” to allow them back on board and what criteria would determine this?

The other danger of taking such drastic measures is that the terrorists could be counting on that. Terrorists can just change tactics while the TSA is busy keeping someone’s Frappuccino off the plane but allowing supposed breastmilk and liquid prescription drugs. As if the terrorists wouldn’t have anticipated that loophole.

I wish I wasn’t flying in a couple of days–not because I’m afraid of the possibility of a terrorist on board my plane, but because it’s going to be a nightmare to go through security. And now I have to rethink everything I was planning to bring on board.

Illogicacy

Tue, 08 Aug 2006 00:45:00 -0700

Atheist Ethicist: Well Founded Beliefs

Great treatise on how the inability for people to properly reason (I called it Illogicacy here after Innumeracy) leads them to make terrible mistakes that result in harm to others, often worse than those that society often feels harm society most.

This blog is really, really excellent, BTW. Really makes you think. Sometimes just think that you would have never come up with that or could never have expressed that so logically and eloquently.

Diy Raid 5 Nas

Tue, 01 Aug 2006 16:41:00 -0700

Build a Cheap and Fast RAID 5 NAS | Tom’s Networking

I’m going to need to get one of those cards and a bunch of drives to augment my data server with a terabyte of RAID-5 goodness. *yum*

Desalinate Water While Ascending Your Space Elevator

Tue, 01 Aug 2006 11:36:00 -0700

Technology Review: Cheap Drinking Water from the Ocean

A water desalination system using carbon nanotube-based membranes could significantly reduce the cost of purifying water from the ocean. The technology could potentially provide a solution to water shortages both in the United States, where populations are expected to soar in areas with few freshwater sources, and worldwide, where a lack of clean water is a major cause of disease.

Diebold A Danger To America

Mon, 31 Jul 2006 15:19:00 -0700

The Open Voting Foundation

“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

Makes you wonder how secure those ATMs made by Diebold are (USBank uses them I know).

Rfid No Good For Vehicle Security

Mon, 31 Jul 2006 15:16:00 -0700

Wired 14.08: Pinch My Ride

Alternate attack vectors mean that RFID is often not the part of the security system that gets broken (not unlike strong crypto). All of the supporting systems around it are easily broken.

Mccain List Of Reversals

Sat, 29 Jul 2006 18:50:00 -0700

The Carpetbagger Report : Blog Archive : Moving forward with McCain-Feingold — without McCain

You know, there was a time when I thought McCain was a straight-shooter. Now, he’s no different than any other politician it seems. Will someone in politics ever be able to maintain rational, principled stands on something?? They are few and far between.

Bypass Compulsory Registration

Sat, 29 Jul 2006 13:32:00 -0700

Bugmenot.com - login with these free web passwords to bypass compulsory registration

What a great idea.

Some of the best eCommerce sites

Sat, 29 Jul 2006 12:56:00 -0700

Wired News: The 10 Wackiest E-Commerce Sites

Myspace Infects Yourpc

Wed, 26 Jul 2006 10:45:00 -0700

Schneier on Security: Hacked MySpace Server Infects a Million Computers with Malware

Malicious banner ad exploits unpatched IE hole (there are many and more all the time). You have switched to Firefox, Opera, Konqueror or anything other than IE, right?

SeaSec security forum

Wed, 26 Jul 2006 10:42:00 -0700

07:00

SeaSec security forum

Just found out about an informal security group that meets in Seattle. I’ve often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I’m on the ISSA Puget Sound board). Where organizations don’t meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I’ll be able to attend these on Wednesdays.

Why

Agora and ISSA are too formal. This is just a chance to hang out with local security professionals and get to know each other.

Anti Science Inhofe Quot Gore Is Full Of Crap Quot-

Sun, 23 Jul 2006 16:07:00 -0700

Think Progress: Sen. Inhofe: ‘Gore Is Full of Crap,’ ‘All Recent Science…Confirms This Thing Is A Hoax’

Wanker.

Excellent Posts On The Stem Cell Veto

Sun, 23 Jul 2006 16:00:00 -0700

Legal Fiction: THE STEM CELL SILVER LINING

Atheist Ethicist: The Stem Cell Veto

Independent Online Edition: Stephen Hawking to EU on Stem Cell Research

“Europe should not follow the reactionary lead of President Bush, who recently vetoed a bill passed by Congress and supported by a majority of the American people that would have allowed federal funding for stem cell research,” he said in a statement to The Independent. “Stem cell research is the key to developing cures for degenerative conditions like Parkinson’s and motor neurone disease from which I and many others suffer,” he said.

And more idiot liars in the White House repeating the same non-reality-based crap:

Bolten Defends Rove’s False Claims on Stem Cells: Karl ‘Knows A Lot of Stuff’

Bushit Stem Cell Veto

Thu, 20 Jul 2006 10:44:00 -0700

Scott Rosenberg’s Links & Comment

Here is why Bush’s position is a joke: Thousands and thousands of embryos are destroyed every year in fertility clinics. They are created in petri dishes as part of fertility treatments like IVF; then they are discarded.

Exactly. It’s half-assed ridiculous pandering to anti-science, life-regardless-of-the-quality-of-life religious zealots.

Yet another way evangelical schools are destroying America

Thu, 20 Jul 2006 10:41:00 -0700

" href=“https://tbogg.blogspot.com/2006/07/2-2-jesus-rode-dinosaur-new-from-apple.html">2 + 2 = Jesus rode a dinosaur

This made me wonder if the bible mentions anything about dinosaurs. If it doesn’t, does that mean they never existed (for those inclined to believe that everything about the world can be derived from the bible)?

Ingdirect Deploying Rsa Cyota Estamp

Tue, 18 Jul 2006 04:38:00 -0700

Information about the change.

Keycode Coupons And Discount Codes From All Kinds Of Companies

Sun, 09 Jul 2006 15:27:00 -0700

KeyCode Coupons, Coupon Codes, Online Coupons, Discounts, Online Deals

US Election System Still Frought with Systemic Problems

Sun, 09 Jul 2006 10:46:00 -0700

USNews.com: The road to reform in election corrections has been slow going

That messy 2000 election was supposed to be the jolt America needed. After chronic flaws in the country’s voting process became painfully public, an ambitious reform effort was supposed to make hanging chads and butterfly ballots relics of election nightmares gone by.

But nearly six years later, it hasn’t turned out that way. In the state of Washington, the 2004 governor’s election took more than six months to resolve–again before a court. And some liberal activists still believe that vote tampering and dirty tricks handed Ohio to the GOP, enabling President Bush to win re-election. Now, heading into the midterm congressional elections, despite the expenditure of billions of dollars, a litany of problems remains.

Also, several good links via SANS NewsBites Vol. 8 Num. 53:

--Study Finds Popular eVoting Machines Susceptible to Fraud (27 June 2006) A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November. Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail. https://news.com.com/2102-7348_3-6088464.html?tag=st.util.print [Editor’s Note (Schultz): The fact that a verifiable paper trail is being proposed is in and of itself an extremely positive step forward as far as fairness in electronic voting goes. (Pescatore): I think we are past the point where any rational person believes that most current voting machines are safe enough. The first generation of ATM machines weren’t secure enough either - the real issue is making sure the current problems are bounded and managed, and that the next generation of voting machines make big leaps forward. (HONAN): The Irish Commission on Electronic Voting recently published their report highlighting serious concerns with the software used in the electronic voting machines purchased by the Irish Government. https://www.cev.ie/htm/report/download_second.htm https://www.unison.ie/irish_independent/stories.php3?ca=9&si=1646254&issue_id=14303 https://www.examiner.ie/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=7621-qqqx=1.asp]

Genographic Project

Sun, 09 Jul 2006 07:53:00 -0700

https://www3.nationalgeographic.com/genographic/index.html

and to participate go here – they send you a DNA swab kit that you mail back to them.

https://www3.nationalgeographic.com/genographic/participate.html

Link Mania

Sun, 09 Jul 2006 07:53:00 -0700

Gas prices in your area

This Site Rocks - FUNNY Videos & Pictures

Seed Magazine: on policy and social implications of science

FARK.com: (1837095) Pick the best photoshop image of 2005 used in a previous contest

Gone in 20 Minutes: using laptops to steal cars | Leftlane News - Car News For Enthusiasts Backdoors for locksmiths in electronic lock systems being used by car thieves. Who would have guessed that could happen?

Why SSL alone will not solve the phishing problem

Sun, 09 Jul 2006 07:44:00 -0700

SSL-authenticated login pages certainly doesn’t _solve_ the phishing problem since phishing is partly psychological/sociological and makes use of technology as a means of improving the odds of the hacking the human psyche. So, a purely technological fix is unlikely to, prima facia, address the root issues.

But, the SSL change can help in a couple of key ways:

Rather than give customers 0 tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site and therefore make an informed decision.
. Rather than continuing to train users to “trust page contents” (i.e. the lock image and our feeble assurances in the “Why this is secure” page), we can retrain them to use reliable measures that are not as subject to spoofing.

That is not to say that SSL does not have its problems:

Who made the trust decision to put the 50-100 CA certs in the browser? Why should the user trust those introducers? How do we know that those issuers won’t screw up (like Equifax/GeoTrust did recently by issuing a domain-verified cert automatically that was very similar to a real bank: https://jordy.gundy.org/?p=49)
The UI is horrible for security. The lock is too small, it is too easy for the “simon says” problem to bite you since you don’t notice when it isn’t there. Some changes, such as changing the browser toolbar color based on the encryption will help, but Firefox and IE7 use different color schemes for the same semantics…
There are usability issues with the UI. Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts. That kind of annoy-user-into-submission security fails the psychological acceptability test and it doesn’t work anyhow because you should generally protect the user where it counts, not warn and hope they do the right thing.
The phishing problem is one of Identity Continuity. It’s not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site. What you really should be protecting the users from is when a known relationship in the digital sense has a discontinuity. That signals a phishing attack. The analogy is SSH known_hosts. On the initial introduction, you choose to trust the server since the likelihood that you are being MITM attacked is infinitesimal. But, if you are MITM attacked, SSH will scream loudly and not let you connect. That is what the browsers should do, although clean up the UI a bit for the unwashed masses. The MITM issue is one of a discontinuity. So, SSL in the current sense solves the wrong problem because the browsers have no means of managing site continuity information. They should. Some schemes, such as trustbar and petnames, allow friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore if there is a problem. The user should actually be stopped from proceeding.

And so on. That’s just off the top of my head.

Cartoon The Revised Revised Story About Nsa Wiretapping

Sun, 09 Jul 2006 07:42:00 -0700

WorkingForChange-This Modern World: The revised revised story

God Is Angry But Not At Pat Robertson

Sun, 09 Jul 2006 07:40:00 -0700

The Seattle Times: Nation & World: God is warning of big storms, Robertson says

This must be true because Robertson obviously is Higher-powered (as reported by my colleauge Pete):

I don’t know about you, but I almost missed this. Pat Robertson’s amazing age-defying protein shakes have helped him to leg press 2,000 pounds! https://www.cbn.com/communitypublic/shake.asp

If that doesn’t sound impressive to you, note that it tops the all-time Florida State University leg press record by 665 lbs, set by a guy whose eye capillaries burst during the effort. https://www.sportsline.com/spin/story/9454343

Nsa'S Math Problem

Sun, 09 Jul 2006 07:36:00 -0700

https://www.liveammo.com Security News Blog

legal or not, this sort of spying program probably isn’t worth infringing our civil liberties for — because it’s very unlikely that the type of information one can glean from it will help us win the war on terrorism.

Interesting mathematical analysis of how effective the NSA domestic call-tracking spy program could possibly be.

In Accu Weather Forecast

Sun, 09 Jul 2006 07:34:00 -0700

Hat tip to my friend Kris who discovered this. I captured it for posterity:

In-Accu-Weather

Ajax Security Basics

Sun, 09 Jul 2006 07:30:00 -0700

AJAX security is no different than normal web application security, except that it can add lots of complexity to a site and make black-box auditing much more difficult.

-—-Original Message—– From: Andrew van der Stock [mailto:vanderaj@greebo.net] Sent: Tuesday, June 20, 2006 4:43 AM To: Webappsec ((((E-mail)))) Subject: Fwd: SF new article announcement: Ajax security basics

This was posted to SecurityFocus.com yesterday.

Their article is eerily similar to my Ajax presentation from February (particularly if you’ve seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - https://www.owasp.org/index.php/ Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.

If you haven’t had a chance to read up on Ajax security, their article is a start… as is my presentation (https://www.greebo.net/? page_id=329) and the draft chapter in the OWASP Guide 3.0 current.

thanks, Andrew

Begin forwarded message:

> > Ajax security basics > > By Jaswinder S. Hayre, and Jayasankar Kelath > > 2006-06-19 > > > > The purpose of this article is to introduce some of the security > > implications with modern Ajax web technologies. Though Ajax > > applications can be more difficult to test, security professionals > > already have most of relevant approaches and tools needed. > > > > https://www.securityfocus.com/infocus/1868

Php Security Top 5 From Owasp

Sun, 09 Jul 2006 07:29:00 -0700

OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world’s most popular web application framework.

In 2005, OWASP collaborated with SANS to research and write a completely new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.

OWASP PHP Top 5

https://www.owasp.org/index.php/PHP_Top_5

OWASP PHP Project

https://www.owasp.org/index.php/Category:OWASP_PHP_Project

Another Article On Musicians Being Screwed Out Of Profits Even With Digital Distribution Schemes

Sun, 09 Jul 2006 07:27:00 -0700

Business 2.0 - Magazine Article - The MP3 Economy

“The going rate for downloading songs from online music services like Apple’s (AAPL) iTunes Music Store, MusicNet, Pressplay, and Rhapsody is about $1 a pop. Yet the economics of recorded music sales haven’t changed much since the vinyl era – despite the fact that digital files cost very little to produce and distribute. So how much of your buck makes its way back to the artists? Not much, though it’s clearly a better deal than they get from piracy. "

Getting God Out Of Government

Sun, 09 Jul 2006 07:26:00 -0700

Several articles on the topic of the government pushing religion.

Drum-beating about the 9th circuit decision about “Under God” in the pledge:

AMERICAN ATHEISTS LEGAL UPDATE

Public prayer fanatics borrow page from enemy’s script

The Bush administration has been dealt a setback in its campaign to allow prayer in our public schools. The full 9th Circuit U.S. Court of Appeals has voted 15-9 to back the 2-1 vote by its earlier panel finding the Pledge of Allegiance unconstitutional because of the words ‘‘under God.’’

How did your senator vote on the pledge legislation (" S. Res. 71 As Amended; A resolution expressing the support for the Pledge of Allegiance.")? U.S. Senate: Legislation & Records Home > Votes > Roll Call Vote

The Sacramento Bee – sacbee.com – Diana Griego Erwin: Pledge debate recalls another tradition, another controversy The best quote is, “the Constitution wasn’t written to uphold majority opinion.” It was written to protect the minority from the tyranny of the majority.

The 9th Circuit seems to agree. Our Constitution protects the freedom of us all, Jew, Christian, atheist, Muslim, Buddhist or agnostic to pray or keep silent, worship or not, believe or disbelieve. Standing outside the classroom door to avoid participating is exclusionary, especially for children.

At my school in the 1960s, one student couldn’t pledge allegiance to the flag because her family was Jehovah’s Witness. Being children, we thought she was weird. She even seemed less American. She was just a little girl.

And finally, an article debunking the religious nut talking point that we are a “Christian nation”. The Nation | Article | Our Godless Constitution | Brooke Allen

Washington Supreme Court will decide if police need warrant for GPS 'tracking

Sun, 09 Jul 2006 07:12:00 -0700

Court will decide if police need warrant for GPS ’tracking’

But what if the same secret technology, called global positioning satellite tracking, could track anyone at any time?

The Washington Supreme Court will decide soon whether police agencies throughout the state may use the device freely – without a warrant. The Jackson case is the first in the state dealing with the issue.

Update: The court unanimously decided that a warrant is required:

OLYMPIA, WA - The American Civil Liberties Union of Washington today hailed a unanimous, first-in-the-nation ruling by the Washington Supreme Court that police must obtain a warrant in order to track an individual’s movements with Global Positioning Systems (GPS). The ruling agrees with arguments the ACLU submitted in a friend-of-the-court brief in the case.

“The ACLU applauds the court’s ruling in this landmark case. Tracking a person’s movements by GPS is highly intrusive. It is the equivalent of placing an invisible police officer in the back seat of a person’s car,” said ACLU of Washington Privacy Project Director Doug Klunder, who wrote the ACLU’s brief.

Airline Lt Strike Gt Security Lt Strike Gt-

Sun, 09 Jul 2006 07:09:00 -0700

A Dangerous Loophole in Airport Security - If Slate could discover it, the terrorists will too. By Andy Bowers

More security window-dressing… More reason that ID checks and the watch list are BS security.

The Phantom "Cyber" terrorism?

Sun, 09 Jul 2006 07:08:00 -0700

[IP] Govt Comp.News - Assessing “cyberterror” - couldn’t find any!

>I’ve been working on the issue of how to build secure public networks >for about 7 years. I started out as a military analyst and I wanted to >put the cyber terror/cyber war issue in a larger strategic context. >About a year ago, I started looking for examples of cyber-terrorism, >where hackers had shut down critical infrastuctures. I was surprised to >discover that I couldn’t find any, so I began to look more closely at >the hypothetical scenarios involving cyber war. Most of them turned out >to be implausible from a military or national security perspective. >Hence the report.

Michael Dell Calls Bs On Companies Using Threat Of War As A Scapegoat

Sun, 09 Jul 2006 07:05:00 -0700

Marketplace 4-Mar-2003, interview with Michael Dell

It’s the current fashion for companies to blame the threat of war in Iraq for business being bad. But one company that’s not using the war to explain its performance is Dell Computer. Marketplace host David Brancaccio talks with founder Michael Dell about how a company can succeed even in times of economic insecurity.

Michael talks about companies who are blaming poor results on the Iraq situation, etc. He says “Sadaam ate my homework” is not a good excuse. There will always be uncertainty in world events. Companies need to learn to succeed when times are good, but also when times are bad. Very sage advice indeed.

Faked Research Results On The Rise

Sun, 09 Jul 2006 06:58:00 -0700

Wired News: Faked Research Results on Rise?

Chris Pascal, director of the federal Office of Research Integrity, said its 28 staffers and $7 million annual budget haven’t kept pace with the allegations. The result: Only 23 cases were closed last year. Of those, eight individuals were found guilty of research misconduct. In the past 15 years, the office has confirmed about 185 cases of scientific misconduct.

A great recommended read is False Prophets: Fraud and Error in Science and Medicine which reviews several recorded cases of research fraud.

The Security of Checks and balances

Sun, 09 Jul 2006 06:55:00 -0700

Schneier on Security: The Security of Checks and Balances

Very apropos read a couple of years later.

Same Sex Marriage Is An Issue Of Civil Rights And Discrimination

Sun, 09 Jul 2006 06:51:00 -0700

Marriage Rights

Summary of benefits of marriage that same sex couples are being denied.

The typical talking point of the gay bigots is that “marriage” is a “sacred institution”. But those assholes are guilty of equivocating (i.e. a logical fallacy, not to mention dishonesty). There are two completely separate concepts involved: Religious definition of marriage (which is not at all within the domain of government and is in no way changed by what the state decides to allow or not) and the Legal/Stata/Contractual definition of marriage, which is entirely secular and pragmatic.

Security Career Guide at ISC^2: sponsored by Microsoft

Sun, 09 Jul 2006 06:43:00 -0700

[infowarrior] - Microsoft sponsors security career guide Richard Forno Fri, 08 Jul 2005 22:39:04 -0700

Microsoft sponsors security career guide https://news.com.com/2060-10789_3-0.html?tag=nefd.bl

A nonprofit organization with help from Microsoft has created a “career guide” to spark interest for the information security profession among high school and college students.

The guide was distributed last month to more than 3,500 school counselors, administrators and educators at education conferences and has been made available online, the International Information Systems Security Certification Consortium, or (ISC)2, said this week.

Microsoft sponsored the 35-page guide, which is titled “Decoding the Information Security Profession.” The booklet offers a description of information security, typical jobs, titles, industries and organizations, professional requirements, certification options, typical salaries, career outlook, and a listing of schools, education facilities, certification companies and other resources and associations.

The guide can be found at: https://www.isc2.org/careerguide/

Judge Prevents Divorce Due To Pregnancy

Sun, 09 Jul 2006 06:41:00 -0700

Seattle Post-Intelligencer: Judge won’t let woman divorce while she’s pregnant

In comments submitted to Bastine, Hughes said: “If this court vacates my divorce and requires me to stay married to a man I have no desire ever to have a relationship with and who has brought significant physical harm to me over the years, I would be emotionally devastated. If the court vacates my divorce and stays it until the birth of my child, it will prevent me from marrying the father of my child prior to her birth.”

That link is no longer accessible, but The Stranger had an article which is accessible: A Difficult Pregnancy

Just sick. But the issue may not necessariily be one of an “activist judge” but Spokane law:

Spokane County has a policy against children being born “in limbo.” A child’s paternity must be determined before a divorce can be granted. While one state law allows women to divorce at will, there is another law that prohibits the courts from leaving a child without a source of financial support.

However, there is other information claiming that the judge was really trying to prevent the child from being born “in limbo” or out of wedlock. So who knows.

80211n Wireless Not Living Up To Promises Yet

Sun, 09 Jul 2006 06:31:00 -0700

EETimes.com - 802.11n wireless gear falls short in testing

Early adopters are likely to suffer the same problems that plagued 802.11g when it first emerged.

Pki Considered Harmful

Sun, 09 Jul 2006 06:30:00 -0700

PKI considered harmful

Next time someone at your company says “we can’t do encryption until we get a PKI”, refer to this essay and collection of references.

I’ll need to put together a related one to address the “we can’t do ecnryption until we get a “key management” solution”.

SSH Filesystem

Sun, 09 Jul 2006 06:26:00 -0700

07:00

SSH Filesystem

This is a filesystem client based on the SSH File Transfer Protocol. Since most SSH servers already support this protocol it is very easy to set up: i.e. on the server side there’s nothing to do. On the client side mounting the filesystem is as easy as logging into the server with ssh.

Something to investigate…

More Firefox Plugin Goodness

Sun, 09 Jul 2006 06:25:00 -0700

foXpose/Tabnail plugins Two thumbnail-related plugins. One creates a single index page with thumbnails of all of your open tabs that you can use to navigate with. The other creates tiny thumbnails of the open pages in the tabs themselves. Both require firefox 1.5 or higher. It may be time to try the release candidate…

Also, since my previous post, I found several other useful and promising plugins:

Wizz RSS Newsreader DictionarySearch Dictionary Tooltip Fasterfox IE Tab Buggy, but can be convenient to change rendering engine on Windows. BetterSearch

Security and Web Development:

Leet Key Show IP Stealther Tamper Data Web Developer Live HTTP Headers DownThemAll! ColorZilla

Multimedia: VideoDownloader Download Embedded DownloadThemAll! I now use this instead of FlashGot.

Darwin Award Club Accidentally Burned Down By Brazen Owner

Sun, 09 Jul 2006 06:06:00 -0700

Ananova - Safety test burns club to ground

A strip club owner burned his club to the ground while trying to prove it was fire-proof to health and safety inspectors.

Worst Tech Moments of 2005; Predictions for 2006

Sun, 09 Jul 2006 06:04:00 -0700

07:00

Wired News: Worst Tech Moments 2005

Not sure I entirely agree with all of these. Looks like Bush will make the 2006 list several more times given the additional illegal spying uncovered so far. A summary of the list:

TiVo boxes betray their owners
Commerce Department blocks .xxx domain
PayPal blocks Katrina aid
Space shuttle Discovery
Bush corrupts the NSA

Here are some items that I predict for the 2006 list:

Senator Ted Stevens’: The Internet is a series of tubes
Senator Inhofe, Charman of the Environment and Public Works committee, global warming is the greatest hoax ever
Rewriting The Science, Scientist Says Politicians Edit Global Warming Research - CBS News
Bush Administration: Generally anti-science (ideology trumps science/facts)

I’m sure there are many others. These were off the top of my head.

Bush'S Economic Policy Failure

Sun, 09 Jul 2006 04:21:00 -0700

Think Progress: President Bush’s Job Record Since August 2003: Nothing To Brag About

What Judd says. Even on the economy Bush can’t claim any victory.

I believe it was Randi Rhodes who suggested that Bush should have been asked on Larry King something about how he was the first president to push for tax cuts during a “time of war”. How’s that working for ya?

Adam Corolla Hangs Up On Coultergeist

Sun, 09 Jul 2006 04:15:00 -0700

Jesus’ General: Insulting Mr. Coulter

This is hilarious. Adam Corolla is a god.

And I particularly love the graphic of the Psycho Sally stabbing doll to represent Coultergeist.

Asinine Terrorist Detection At Western Union

Sun, 09 Jul 2006 04:09:00 -0700

Western Union blocks Arab cash deliveries - Yahoo! News

DUBAI, United Arab Emirates - Money transfer agencies have delayed or blocked thousands of cash deliveries on suspicion of terrorist connections simply because senders or recipients have names like Mohammed or Ahmed, company officials said. ADVERTISEMENT

In one example, an Indian driver here said Western Union prevented him from sending $120 to a friend at home last month because the recipient’s name was Mohammed.

Hard to believe it could be possible, but this is more stupid than the TSA’s Secure Flight program (also a miserable failure).

Birth Canal Drive

Sun, 09 Jul 2006 04:05:00 -0700

the cool hunter - DRIVE THROUGH LUBRICATION AD

We need more creativity like this in the world.

Stephen Hawking News

Sun, 09 Jul 2006 03:59:00 -0700

07:00

Stephen Hawking asked a great question: Yahoo! Answers - How can the human race survive the next hundred years?

He also made the news recently after a speech in China where he mentioned that he liked Chinese women The Daily Show had lots of fun with that, especially the longing look he appears to be giving the woman standing next to him.

Work to Live; Don't Live to Work

Sun, 09 Jul 2006 03:58:00 -0700

Joe Robinson: “Vacation Advocate”

The title is my mantra. Coincidentally, I just saw The Devil Wears Prada which is about this very topic. The lesson there is to be true to yourself and do not forsake the things in life (career goals, family goals, relationships, etc.) that you really believe are important to you without making that the result of a conscious choice to do so. A corollary would be Habit 3: Put First Things First - Principles of Personal Management (i.e. “Schedule your priorities”) from the 7 Habits of HIghly Effective People.

It is definitely a fact that the only reason that American workers are more “productive” than other countries is because we work more hours. If we worked the same as the rest of the world, our productivity would fall by comparison. That means that we are less efficient. Joe argues that this is ironically because we don’t value leisure time as much as the rest of the world.

A simple litmus test to evaluate whether your current behaviours align with your life goals or what you would want to have accomplished by the end of your life is to check each activity with:

“I wish I would have ________ more in my life”

Would you have said, “work longer hours”? Would you have said, “spent time with family/spouse/kids”? May help you be true to your inner desires. It’s kind of like how it’s hard to know if you ended up in the right place at the end of your journey if you didn’t know where you were heading to begin with.

Sprint Wireless security SNAFU

Sun, 09 Jul 2006 03:48:00 -0700

cryocone: Identity leak with Sprint wireless

Someone in their infinite wisdom at Sprint set up an IVR that you can call (intended for internal care reps for identity verification) and get anyone’s CPNI/PII by simply keying in their sprint wireless phone number.

Really convenient for Sprint employees and the public – and really stupid on all counts.

At Amp T Usurps Customer Records

Sun, 09 Jul 2006 03:28:00 -0700

Time to switch your phone company. AT&T rewrote its privacy policy to basically say that your data is theirs and they will do what they please. Some legal manoevering to allow them to continue to sell those records to the NSA to spy on you. All Cingular customers should now be wary since AT&T will own them once the acquisition is complete.

But I guess, what do you expect when we live in a country that doesn’t explicitly grant privacy protections like the EU and where privacy is routinely tromped on by companies and the government for their own ends? And when the US public has been trained that this is okay?

https://www.networkingpipeline.com/showArticle.jhtml?articleID=189600470

The most disturbing revelation was one on June 30, 2006 when it was revealed that the NSA allegedly Sought U.S. Call Records 7 Months Before 9/11 This is a perfect example of the danger of unchecked governmental power and unrestrained trust in governement to not abuse power given them or taken (as in the Bush Administration).

Mccain Sells Out To The Religious Right

Sat, 08 Jul 2006 15:20:00 -0700

Daily Kos: McCain Embraces Falwell In All His Wingnut Glory

I thought that McCain was one of the good guys but when he can’t even be true to his own assertion that Falwell is one of the “agents of intolerance”, what kind of integrity does he really have? Disappointing. I’m glad that John Stewart pushed him about this on The Daily Show. The “real” news media certainly did not point this out.

Hitler V Coulter

Fri, 07 Jul 2006 15:04:00 -0700

Give Up Blog: The Hitler vs. Coulter Quiz

She is such a despicable human being.

Coulter The Plagiarist

Tue, 04 Jul 2006 05:47:00 -0700

‘NY Post’ Cites Evidence That Ann Coulter Plagiarized Parts of Book, Columns

Well, she has god on her side though so she must have gotten an okay.

It’s not news that she offers misleading references in her books either. I believe that Al Franken called her out on several items from her previous books in Lies and the Lying Liars Who Tell Them

New Study Shows American Dislike Of Atheists

Tue, 04 Jul 2006 05:17:00 -0700

The Carpetbagger Report: Blog Archive: The last taboo

I do not equate “not professing a particular affirmative belief” with “professing a non-affirmative belief” in god nor do I care enough to claim myself an “atheist” but I don’t think that the religious segment of this country makes any distinction between the various kinds of non-theists so it does not matter. They don’t care what you believe unless it isn’t what they believe. [I consider myself part of the general “non-theist” category and most aligned with Humanism]

The general distaste of atheists is not very surprising given the amount of so-called “christian” religions that make belief in Jesus a prerequisite for avoiding eternal damnation (not doing good deeds or anything–just simply being coerced into believing in Jesus is all you need).

This reminds me of the exchange in Carl Sagan’s excellent book Contact where Jodi Foster’s character, who was a scientist and a nontheist, was demonized by the religious segment as not being able to represent this country’s values. All the more troubling when nontheists often have less contradictory and more consistent and humanistic values than the religious stalwarts. Just because those values are not rooted in a belief in the supernatural they are cast aside as having less worth.

People still make brash generalizations about people through superficial categorizations rather than fully try to understand others. Not much different from any other prejudice. Ignorance reigns supreme.

The Tyranny of the Executive

Tue, 27 Jun 2006 14:19:00 -0700

Atheist Ethicist

My concern is that the Bush Administration may be spying only on suspected terrorists the way that it invades only countries supporting those who attacked the United States on 9/11. My concern is with the possibility that Bush Administration officials might have an agenda, with an ulterior motive, that would involve invading a country so they rationalize a way of thinking about this country that makes it seem to them to be worthy of attack.

Emphasis added. This is a perfect description of why these programs are so troubling. The whole article, in fact, is a look through a crystal ball of where this country is heading if we allow unfettered power in the hands of the Executive branch.

The American democratic “experiment” needs some adjustment to rebalance power. Congress as watchdog is more like a lapdog. They don’t wield their power over the purse strings: they hand out blank checks and don’t oversee what we are getting for that money.

Warren Buffett & Bill Gates: Serious Philanthropers

Sun, 25 Jun 2006 16:55:00 -0700

FORTUNE Magazine: Warren Buffett gives away his fortune - Jun. 25, 2006

I heard this on the radio this afternoon. It is really, really cool. I wonder how the world will look decades from now after these billions have done their good around the world? Hopefully, there won’t simply be more campus buildings and computer labs!

What's the catch?

Sun, 25 Jun 2006 16:52:00 -0700

Executive Order: Protecting the Property Rights of the American People

I think this is a very cool move. Too bad Congress couldn’t do something like this and too bad the courts had to side too much with corporations. This may restore some balance for the little guy against the Wal-Marts of the world…while it lasts.

But, what is the catch? Bush has been so pro-business I’m not seeing where this fits in…

Identity Theft Still The Victim'S Problem

Sun, 25 Jun 2006 16:32:00 -0700

NPR 12-5-2002, All things considered 4pm.

“businesses are so interested in extending credit…” they just write off the losses. ID theft has not hit businesses economically yet, since that cost is borne by the victims, so they don’t have incentive to do anything to fix these problems. And yet, the disclosure laws have given incentive to fix these problems but they seem to instead be incenting companies to water down the proposed federal legislation to neuter the positive effects they are having at creating a market economic incentive to fix the problems (though from the myriad reports still coming out every week about more data lost, you wonder what the heck some CISOs are doing).

Also, this story discusses a report that most ID theft is done by insiders. You do include insider attacks in your threat models, don’t you? Kill the fortress mentality!

The Iraq hoax that just won't die

Sun, 25 Jun 2006 16:22:00 -0700

SecurityFocus HOME Columnists: Iraqi Cyberwar: an Ageless Joke

This is an OLD story so I hope that it is dead by now. But perfect example of the lack of fact-checking that goes on so much in the media.

Quot If You Are Not Doing Anything Wrong Why Should You Worry About Big Brother Quot-

Sun, 25 Jun 2006 16:07:00 -0700

quot-

Schneier on Security: Police Cameras in Your Home

Great rationale for how the “fully trust the government” crowd does not understand the legitimate purpose of limits on governmental intrusion and power. I’ve seen several pundits cry that the end (catching terrorists) justifies the means even still.

Artists And Consumers Get Screwed By The Music Industry

Sun, 25 Jun 2006 16:06:00 -0700

Passionate condemnation of the music industry:

[IP] MUST READ Courtney Love does the math The controversial singertak

[IP] last on this topic – Does File Trading Fund Terrorism? Successful artists not seeing any profit.

[https://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00: 20:00.0&end=00:00:27:30.0](https://www.marketplace.org/play/audio.php?media=/2003/03/12_mpp&start=00:00: 20:00.0&end=00:00:27:30.0)

[IP] 2 more on Does File Trading Fund Terrorism?

And to round this out, a great interview with John Perry Barlow on the evils of Digital Restriction Management Wrapped up in Crypto Bottles

And to draw in a security angle to all of this:

Security Blog

Sony rootkit debacle highlights the failure of the security technology industry: The real story, as Bruce Schneier points out - why the hell didn’t any Antivirus software (or IDS for that matter), detect this software sooner? Is corporate malware going to continue to be default allow by these products? We are collectively paying these companies billions of dollars for what?

Man Stuck On Sticking To Toilet Seat

Sun, 25 Jun 2006 16:06:00 -0700

CNN.com - Man glued to toilet may have history - Nov 8, 2005

Juxtaposition Einstein Approved

Sun, 25 Jun 2006 16:02:00 -0700

This is so cool.

Einstein’s task list generator

Visa prohibits display of card numbers on receipts

Sun, 25 Jun 2006 15:57:00 -0700

[IP] I will start using my Visa card more

Wow this blog entry is old. But remember when every receipt had the full card number on it? And remember when Starbucks would mask out everything _except_ the last four digits so that you could get the full card number with just two receipts?

I still find that the business’ copy of the receipts often has the full card number on it, with only my copy being masked out. But, I don’t much care, except when it comes to my Debit card receipts since the US laws do not cover Debit cards as fully as credit cards.

National Missile Defense System Lame

Sun, 25 Jun 2006 15:52:00 -0700

National Missile Defense System Test Fails Again This story is over a year old but there hasn’t been much better news about this boondoggle since then.

Oh, we can only hope that we are attacked by drones and not real missles… Those have been the only things that have even partially been stopped by this technology (after much rigging). Very apropos since just on the McLaughlin group today there were those that actually thought we could possibly rely on this to knock a North Korean ICBM out of the sky before it hits the US west coast.

Real Life Gremlin Dies

Sun, 25 Jun 2006 15:41:00 -0700

CNN.com - ‘Ugly dog’ Sam dies at 14 - Nov 22, 2005

Was Ugly Dog a real-life Gremlin?

Tales from the RFID Hacking Underground

Sun, 25 Jun 2006 15:32:00 -0700

Wired 14.05: The RFID Hacking Underground

Follow-along to the article on building your own RFID skimmer

Man Swallowed By House Dies

Sun, 25 Jun 2006 15:31:00 -0700

CANOE – CNEWS - Weird News: Man dies after plummeting into large hole that opened beneath his home

This is bizarre!

Airborne Airheads The Sellers Or The Buyers

Sun, 25 Jun 2006 15:22:00 -0700

Who Has Time For This?: CREATED BY A SCHOOL TEACHER!!!!!

Perfect real-life case of a company using deceit and faulty arguments to convince the public. Too bad the FDA doesn’t take a more active role in investigating these kinds of products and claims. The placebo effect also makes people more apt to believe these products work.

[

](https://whohastimeforthis.blogspot.com/2006/04/created-by-school-teacher.html “Who Has Time For This?: CREATED BY A SCHOOL TEACHER!!!!!”)

More Black Marks For Dhs

Sun, 25 Jun 2006 15:18:00 -0700

Think Progress: Homeland Insecurity.

Verizon's hostile attitude toward its customers

Sun, 25 Jun 2006 15:18:00 -0700

07:00

Nuclear Elephant: The Motorola v710: Verizon’s New Crippled Phone

I have to say that I was really annoyed to find that my Motorola E815 couldn’t even share vCards between phones using Bluetooth, let alone that they disabled the advertised ability to use mp3s for ringtones, to get photos you snap onto your PC, to play mp3s, to play videos, etc.

Have You Taken Your Security Pills

Sun, 25 Jun 2006 15:02:00 -0700

The other day, I made what I think is a very apt analogy comparing the security product industry to the diet and herbal supplement industry.

Both operate with little to no oversight or regulation (though security at least has bloggers and scientists willing to call out some of the more egregious offenders)
Products often have little to no academic, scientific or factual basis for their designs or claims
Products tend toward the panacea/“silver bullet” realm and claim to solve all your ills

I’m sure that I am missing some more…

Incompetent Design Theory

Sun, 25 Jun 2006 14:54:00 -0700

Daily Kos: “Incompetent Design” theory

Take that and this Creationists and foes of science:

Evolution of ‘irreducible complexity’ explained

Iraq Withdrawl Timetable Is What America Wants

Sun, 25 Jun 2006 14:35:00 -0700

David Brooks: Completely out of touch

Look at the statistics from three separate polls on how many Americans want a timetable and a withdrawl/draw down soon from Iraq. It’s at least half if not a majority of Americans. Yet pundits like Brooks are misrepresenting them.

I also just heard on Air America this weekend in passing that 72% of US military wants a drawdown/timetable defined. So the Democrats have been on the right side of the issue as viewed by the American people. Oh, and even “Iraq’s national security advisor, Mowaffak Rubaie, has publicly embraced a similar timetable.” See https://www.latimes.com/news/printedition/asection/la-fg-withdrawal25jun25,1,4367170.story?coll=la-news-a_section

I can only hope that this comes back to hurt Republicans in the 2006 election.

Quot Values Quot Votes In The 2004 Election

Sun, 25 Jun 2006 14:23:00 -0700

Editor’s Cut: Stand and Fight

Catching up on ancient blog entries. This article was talking about the 2004 election upset and brought up the issues of why Republicans and the so-called religious right think that their divisive issues are the only “moral” issues at stake.

What about fighting poverty and affordable health care? What about the issues of quality of life instead of “life at any cost” (well, at least after overlooking the pro death penalty thing)? What about enjoying sexuality instead of repressing it as sinful? Why shouldn’t the FCC be regulating Violence on the airwaves instead of nipples? More nipples should be a core value! Spin the anti-nipple crowd as pro-violence on TV! What about honesty over deceit and lies? What about the character to admit you are wrong? What about a fair working wage for every American? What about not breaking the law to uphold the law? What about love and tolerance instead of hatred and intolerance?

Whose values will win out in 2006 and 2008 elections? I vote for mine.

Bush Considered Bombing Al Jazeera Hq

Sun, 25 Jun 2006 12:49:00 -0700

NPR : Report: Bush Considered Bombing Al Jazeera

I never would have thought I would say, “Thank heavens for Tony Blair”.

Making Port Forwarded Connections Accessible From The Intranet Lan

Sun, 25 Jun 2006 11:13:00 -0700

# Enabling many:one IP masquerading from the LAN to the Internet (i.e. out the $WAN interface) iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

# port forwarding $WAN_IP:25 to $SMTP_SVR_IP:25 iptables -t nat -A POSTROUTING -d $WAN_IP -p tcp –dport 25 -j DNAT –to $SMTP_SVR_IP iptables -A FORWARD -i $WAN -p tcp –dport 25 -d $SMTP_SVR_IP -j ACCEPT

# Making this cruft work from the intranet # i.e. DESK_IP -> WAN_IP:25

# Bad rule: iptables -t nat -A POSTROUTING -o $LAN -j SNAT –to-source $WAN_IP

# Good rule: iptables -t nat -A POSTROUTING -o $LAN -s 192.168.1.0/24 -j SNAT –to-source $WAN_IP

Cracking Java Byte Code Encryption

Sun, 25 Jun 2006 10:59:00 -0700

Cracking Java byte-code encryption

Why Java obfuscation schemes based on byte-code encryption won’t work.

Tech Tip Roundup

Sun, 25 Jun 2006 10:58:00 -0700

DIY external portable USB Hard drive: Just bought the Bytecc HD-201u2 enclosure. It is completely USB powered. Stick any laptop harddrive you want in there and go. Comes with a cable and a nice carry case (although the zipper is crap).

Preloading images on a page using only CSS

Grab a PDF copy of the Scriptaculous Cheat Sheet #1: Javascript effects Side note: someone really has the last name Fuchs? How cool is that?!

Windows, has a limit: a single PC can be controlled by a single “local” user (the “real” person on place), OR a single “remote” user. If someone logs into the computer from remote, the local user is disconnected. The following procedure deactivates this block and allows multiple persons to connect and to use a single computer from remote.

Ricky’s Web Review Blog Archive Windows XP Multiuser Remote Desktop Enabling up to 3 simultaneous remote desktops on Windows XP

Presentation Zen

Sun, 25 Jun 2006 10:56:00 -0700

Presentation Zen: What is good PowerPoint design?

A nice article showing several different ways of communicating the same message without overcomplicating your slides.

The blog also offers excellent insight into visual design appropriate for powerpoints or any visual marketing.

Knife Maintenance And Sharpening

Sun, 25 Jun 2006 10:53:00 -0700

eG Forums -> Knife Maintenance and Sharpening

A very helpful guide on how to properly sharpen knives. I seem to dull the crap out of them unless I use the method of holding the steel sharpener vertical. The hardest part is maintaining the 15 degree angle while following the curve of the blade. The article also lists some gadgets that actually do help with this process and some devices to avoid.

Help For Your Penis Anxiety

Sun, 25 Jun 2006 10:38:00 -0700

Entrez PubMed: Treatment of men complaining of short penis.

Men complaining of short penis could be treated using basic principles of sex education with objective methods of penile size evaluation. This combination can correct any previous sexual misconceptions…

I say they save their money and just call Loveline for some ridicule-therapy.

Nsa Surveillance Only The Tip Of The Iceberg

Sun, 25 Jun 2006 10:18:00 -0700

A gaggle of links about the illegal NSA domestic spying program. More apropos in light of even more spying by the Bush Administration – this time on international wire transfers

Think Progress: NSA Whistleblower To Expose More Unlawful Activity: ‘People…Are Going To Be Shocked’

Media Matters - Myths and falsehoods on the NSA domestic call-tracking program

Illegal NSA Data Mining Highlights Need for Congressional Oversight CDT legal analysis (Center for Democracy and Technology) of the NSA spying program

And some analysis of how this kind of program is ineffective (My favorite description is that finding a needle in a haystack is not made easier by increasing the size of the haystack)

Daily Kos: The NSA, the Database and YOU

Daily Kos: An Illusion of Privacy and Security

Fewest Number Of Coins To Make Any Exact Change

Sun, 25 Jun 2006 10:17:00 -0700

Boing Boing: Exact change wallet card

The answer is very cool (only 10 coins):

3 Quarters
1 dime
2 nickels
4 pennies

Good End User Information On Phishing From Paypal

Sat, 24 Jun 2006 15:28:00 -0700

PayPal - Identity Protection Resources

It was a very good touch that PayPal even uses HTTPS (SSL) for their pages providing this security information so that end users can authenticate the pages originate from PayPal and get used to ensuring that their interactions with PayPal are SSL-secured.

Fake Journalism Trumps Quot Real Quot Journalists Again

Sat, 24 Jun 2006 15:17:00 -0700

Boing Boing: Colbert White House video on DVD at CSPAN

This was the most scathing satirical commentary on the lapdog media and the president himself – and right in front of both subjects!

If you have not seen this, it is worth it. It’s about an hour into the correspondent’s dinner. I downloaded the whole show via bittorrent. I would be willing to reseed the 300+ meg show, or follow the links and you can get the segment with just Colbert’s piece from many sources.

Rumoured Huge Amd Price Drop July 24

Fri, 23 Jun 2006 15:14:00 -0700

DailyTech - Update: AMD Plans Major CPU Price Drops Day After “Conroe”

Guess I’ll have to wait to buy my new system! I’m thinking an AMD AM2 motherboard will have the best socket longevity and that is the socket platform that AMD is putting its lower power consumption options on. Comparable CPUs run 89W or less in the AM2 version versus the Socket 939 equivalents. And even lower power consumption models are on the way.

If the prices do drop this dramatically, I’m not sure if I would buy a better proc or take advantage of the cheap price/performance option. We’ll see.

Move Over Chroot Apparmor Is Here

Thu, 22 Jun 2006 03:55:00 -0700

-here

Plugging my own product, but what the hell, it is open source :)

AppArmor https://opensuse.org/Apparmor is an application security container technology for Linux. It lets you create application profiles (policies) that define the files that the application can read, write, and execute. It lets you do this per-application, so you actually could allow users to upload arbitrary C/binary programs and expect them to behave as you specified. It provides an inheritance model so that you can’t escape from this jail by exec’ing something fun: the child is controlled by policy too.

And for confining PHP (and PERL code run by mod_perl, and any other language interpreted in-place by Apache) AppArmor provides a change_hat API call and a mod_apparmor module for Apache, so that you can have AppArmor-style profiles wrapped around individual PHP pages and mod_perl scripts, even though they never appear in the process table.

If you find yourself between the rock of having to run some PHP or PERL code and a hard place of not trusting that code, try confining it with AppArmor, so that if/when the code screws up, it can only screw itself.

Crispin

-- Crispin Cowan, Ph.D. https://crispincowan.com/~crispin/ Director of Software Engineering, Novell https://novell.com

Big Quot No Crap Quot Garage Sale This Weekend

Wed, 21 Jun 2006 16:51:00 -0700

I’m going to be selling lots of good stuff this weekend at a Big alley sale. Come by and check out the goods!

https://seattle.craigslist.org/see/gms/174151604.html

Build Your Own Rfid Skimmer

Tue, 20 Jun 2006 16:32:00 -0700

How to Build a Low-Cost, Extended-Range RFID Skimmer

Oh, I’m definitely going to have to build one of these!!

Open Debate On Drm

Tue, 20 Jun 2006 13:47:00 -0700

WSJ.com - ‘DRM’ Protects Downloads, But Does It Stifle Innovation?

Remember, DRM = Digital Restriction Management.

This is an awesome debate getting to the heart of the matter. Courtesy of BoingBoing

More Proof For Danger Of Allowing Arbitrary Redirect

Tue, 20 Jun 2006 06:29:00 -0700

ZDNetAsia : Printer Friendly - Paypal fixes phishing hole

Ing Data Loss

Tue, 20 Jun 2006 06:27:00 -0700

(19 June 2006) Letters are being sent to 13,000 individuals whose personal data are held in a laptop computer stolen from the home of an ING US Financial Services agent. ING is instating a new security policy for laptop computers that includes encryption and password protection; the stolen computer had neither. The people affected by the data security breach are all District workers and retirees. (please note: this site requires free registration) https://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800716_pf.html [Editor’s Note ( Northcutt): ING’s slogan is Your Future. Made Easier. Try telling that to the 13,000 impacted individuals. This wave of data losses is starting to remind me of counties that don’t put traffic lights up until there is a motorist fatality. (Grefer): Invest around 30-40 dollars into a cable lock for your laptop computers and spare yourselves this embarrassment as well as lots of headaches for your customers. Further, even if you don’t want to spend the money for encryption software, at least use the EFS (Encrypted File System) functionality provided within Windows XP Professional to add a bit more security to the mix.]

Creating A 3 Column Layout In Movable Type

Mon, 19 Jun 2006 18:19:00 -0700

Learning Movable Type: Creating a 3-Column Layout in MT3.2

I used the information in this tutorial as a guide for creating my 3-column stylesheet that I recently implemented across all pages on juxtaposition. Also, the Web Developer firefox plugin was invaluable for tweaking the CSS with live-preview of the results.

Cleaning Deb Package House

Mon, 19 Jun 2006 18:17:00 -0700

Ubuntu Blog: Better Management of Packages while Uninstalling

HOWTO: Using debfoster in practice

The Unbalanced Mainsteam Media

Mon, 19 Jun 2006 18:07:00 -0700

Poynter Online - Forums: Coulter and Moore aren’t the same

Coulter is simply a brash, bigoted, bullheaded, insane, insensitive liar wack-job. There is no comparison to Moore.

Converting Text From Unicode To Ascii

Mon, 19 Jun 2006 09:11:00 -0700

Just had to convert some text files from Unicode to ASCII and used Vim to do it:

Open each file and notice that vim says [converted] at the bottom, indicating that it has transparently opened the unicode file to let you edit that file.

On each file, change the file encoding setting to latin1 (basic ASCII):

Then save the file and it will be converted:

FYI, The vim docs note that changing the “encoding” setting does not affect existing text so that won’t work.

A Fallacy By Any Other Name

Sat, 17 Jun 2006 17:24:00 -0700

But this here herring is so obviously red at Pandagon

I love the way they cut through the bullshit in this argument and reveal the naked fallacy underpinning it. It is a shame when proponents use the fact that society (wrongly) denigrates some activity (prostitution, homosexuality, gay marriage, being single, being a nontheist, etc.) that in itself has nothing to do with them and on its face is not “immoral” and has nothing to do with those who denigrate it and then writes off the fact that those engaging in the activity get victimized (wrongly) by saying that they knew the consequences ahead of time, so what’s the big deal? Really irritating tactics.

Bizarre Notepad Bug

Sat, 17 Jun 2006 17:09:00 -0700

27B Stroke 6

Bizarre notepad bug that really exists. If you type a phrase consisting of a 4 letter word, then two three letter words, then a 5 letter word, save it, then reopen it, the text will be corrupted and unreadable. There is a claim that not all words cause this to occur. See the linked story for examples of what does work.

There was a great quote:

If Microsoft can’t keep strange bugs out of Windows’ simplest application, we’d better get used to the monthly security patch cycle.

US Senate Bigot Roll Call

Thu, 08 Jun 2006 13:16:00 -0700

U.S. Senate: Legislation & Records Home > Votes > Roll Call Vote

From the results of the Gay Marriage Ban cloture vote (read: write discrimination into the constitution), we get a nice list of the bigots in the US Senate that should be defeated, especially the two Democrats who joined the 47 Republicans.

Alexander (R-TN) Allard (R-CO) Allen (R-VA) Bennett (R-UT) Bond (R-MO) Brownback (R-KS) Bunning (R-KY) Burns (R-MT) Burr (R-NC) Byrd (D-WV) Chambliss (R-GA) Coburn (R-OK) Cochran (R-MS) Coleman (R-MN) Cornyn (R-TX) Craig (R-ID) Crapo (R-ID) DeMint (R-SC) DeWine (R-OH) Dole (R-NC) Domenici (R-NM) Ensign (R-NV) Enzi (R-WY) Frist (R-TN) Graham (R-SC) Grassley (R-IA) Hatch (R-UT) Hutchison (R-TX) Inhofe (R-OK) Isakson (R-GA) Kyl (R-AZ) Lott (R-MS) Lugar (R-IN) Martinez (R-FL) McConnell (R-KY) Murkowski (R-AK) Nelson (D-NE) Roberts (R-KS) Santorum (R-PA) Sessions (R-AL) Shelby (R-AL) Smith (R-OR) Stevens (R-AK) Talent (R-MO) Thomas (R-WY) Thune (R-SD) Vitter (R-LA) Voinovich (R-OH) Warner (R-VA)

Death Tax Dead

Thu, 08 Jun 2006 13:05:00 -0700

U.S. Senate blocks permanent estate tax repeal|Reuters.com

This was a stunning setback: 57-41 against. Awesome. I’m not happy about the additional tax cuts but at least our federal coffers won’t be further depleted and the super-super rich won’t get another out, causing the lower classes to pick up the tax burden.

Olbermann Rips Coulter A New One

Thu, 08 Jun 2006 13:01:00 -0700

Olbermann slams Coulter: Shameless

Coulter’s hate and hypocrisy are f*ing sickening. Olbermann uses her own words and positions to destroy her and adds some choice ones of his own.

Ceos Have All The Luck

Sat, 20 May 2006 09:11:00 -0700

The Big Picture: CEO Options: Luck – or something else?

Great summary of a WSJ article showing surprising “coincidences” in CEO stock options being set at a very low point in the company’s stock price so that they end up maximizing their returns. I’m still pissed about my AT&T Wireless stock options being worthless when I left that place because they gave us options at a high point that it never recovered to. Yet all the execs continued to gather options that they exercised to make millions.

Although, one might argue that the best time to give options as incentive to turn things around would be when times are tough. So, is it luck, or a brilliantly engineered rouse?

Worst President EVER -- more proof

Fri, 12 May 2006 09:53:00 -0700

Daily Kos: 29 Percent

A new low for Bush, and this country.

Call Your Phone Company

Fri, 12 May 2006 09:52:00 -0700

Daily Kos: ACTION ALERT: Tell ATT, Verizon, Cingular, SBC NO NSA SPYING!

I called Verizon Wireless and they said that it was not them, but the parent Verizon, which is the subject and that VZW does not divulge this information (known in the biz as CPNI).

I urge you also to call your phone company if they, like Qwest, did _not_ provide your information and thank them. I also did that for Qwest.

Telco liability could be staggering

Fri, 12 May 2006 09:39:00 -0700

Think Progress: Telcos Could Be Liable For Tens of Billions of Dollars For Illegally Turning Over Phone Records

Court Calls Fcc Calea Ruling Quot Gobbledygook Utter Nonsense Quot-

Sun, 07 May 2006 05:23:00 -0700

EFF: DeepLinks

I love it when the justice system works.

Security time capsule opens up: SANS researcher emerges.

Tue, 25 Apr 2006 09:17:00 -0700

************************************************************************* SANS NewsBites April 25, 2006 Vol. 8, Num. 33 ************************************************************************* -- snip – --Researcher Warns Some Online Banking Sites Don’t Provide Adequate Authentication (20 April 2006) SANS Institute chief research officer Johannes Ullrich says many widely used online banking sites do not use authentication technology to assure that they are who they claim to be. Banks would be well advised to send users to an HTTP Secure (HTTPS) web page which uses the Secure Sockets layer (SSL) security protocol instead of merely encrypting login forms. Web pages that do not use HTTPS make themselves vulnerable to DNS spoofing in which attackers try to trick users into visiting phony web sites in an attempt to gather their account information. https://www.computerworld.com/printthis/2006/0,4814,110738,00.html Internet Storm Center: https://isc.sans.org/diary.php?storyid=1278 -- snip –

[Editor’s Note (Axley): This is pure silliness. Their “head researcher” only now has discovered that this has been going on? I certainly applaud their efforts to raise awareness of the issue and clarify it as an authentication issue, not an encryption one, albeit late to the game, and will likely contribute my list to their list of financial institutions not authenticating their login pages (which are often on their homepages) with SSL. I had to deal with this issue at AT&T Wireless with their homepage and also am dealing with it as we speak at my present employer so it is not new. Many companies seem content these past few years to be “cream of the crap” instead of “cream of the crop” – only striving to be “as good as” (read: “as bad as”) the next guy. My prediction is that it won’t stay this way since phishing is getting solidified as its own industry now. ]

Gas Price Quot Temperature Map Quot-

Mon, 24 Apr 2006 17:58:00 -0700

USA National Gas Temperature Map

This is freaking cool. But high gas prices SUCK!

Microsoft To End Support For Quot Outdated Quot Operating Systems

Fri, 21 Apr 2006 03:36:00 -0700

--Microsoft to End Support for “Outdated” Operating Systems (18 April 2006) Microsoft plans to retire support for Windows 98, Windows 98 SE and Windows ME on July 11, 2006; after that date, there will be no more security updates for these versions of the company’s operating systems. Microsoft calls these systems “outdated” and recommends that users upgrade to a more secure operating system, such as Windows XP. https://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1182527,00.html

Printing Human Organs In 3d

Fri, 14 Apr 2006 11:42:00 -0700

New Scientist News - Print me a heart and a set of arteries

This is so cool. Maybe we’re not too far from the Star Trek

Does Blockbuster Suck Worse Than Business Method Patents

Wed, 05 Apr 2006 11:25:00 -0700

Netflix sues Blockbuster to shut online service - U.S. Business - MSNBC.com

Yet another great busienss-method patent fight. Ugh.

Well, I can’t stand blockbuster, who, among other transgressions, got busted in a lawsuit for claiming in marketing, “No More Late Fees” but had a fee listed in the fine print for keeping videos longer than a week. But I can’t stand business method patents wielded as swords no matter who does it.

I couldn’t believe that Blockbuster had the cajones to advertise that it didn’t have late fees ’like those other guys". Just hypocritical since they were one of the biggest offenders of charging late fees (and misleading customers about their fee policy, which resulted in them being sued over that too)

Washington: Home of World's Largest Egg

Mon, 03 Apr 2006 15:24:00 -0700

World’s Largest Egg, Winlock, Washington

I didn’t even know there was a “Winlock” in Washington, let alone that they were world-renowned!

I feel deceived though because it’s not even a real egg.

Quot Put Any Object Or Thing That Produces Data Into The Network Quot-

Mon, 03 Apr 2006 14:52:00 -0700

Boing Boing: Julian Bleecker’s blobjects manifesto: “Why Things Matter”

This Xport device looks pretty cool. I wonder if I could meld it with my weather station to make a data logger…

Religion Meet Science Prayer Doesn'T Work

Mon, 03 Apr 2006 14:45:00 -0700

Boing Boing: Prayer won’t heal ya

A new scientific study shows that prayer didn’t seem to help patients who underwent bypass surgery. In fact, some of the people who were prayed for did worse. The results of the study of more than 1,800 patients were published in the American Heart Journal.

So all the sports teams should think twice about relying on prayer to get to the championship. And think twice about god miraculously saving you. Evidence that things may just “happen” without divine intervention.

In A Word Unbelievable

Wed, 29 Mar 2006 09:37:00 -0800

BBC NEWS | Entertainment | Panda painted onto single hair

Unbelievable.

Update on the right to fly without ID

Wed, 29 Mar 2006 09:36:00 -0800

Boing Boing: Gilmore responds to “TSA ID-checking security lax” story

This would have been my guess, that people will refer to a nebulous rule/law to justify the practice or simply say, well even though it’s not legally required, it is company policy. I’m interested in trying this myself.

One Word Says It All Teledildonics

Wed, 29 Mar 2006 09:34:00 -0800

curious_jp: Release: TranceFinger

Makes all those double-entendres about fingerd have new meaning. Too bad “Virtual Sex” was just trademarked.

Bathroom Mania

Fri, 24 Mar 2006 14:53:00 -0800

I don’t know about you, but I’d have a difficult time going #1 into one of these. Too reminiscient of Rolling Stones / Mick Jagger…

BTW, I had to rewrite to avoid at least four thematic unintentional puns. I guess Freud’s theories may still be alive and well after all.

Congress Trying To Soften Data Breach Notification Laws

Fri, 24 Mar 2006 14:43:00 -0800

https://thomas.loc.gov/cgi-bin/query/z?c109:H.R.3997:

Call your representatives now to get them to oppose this legislation. This is the bill that passed out of committee and would seriously weaken the gains that have been made over the past few years in data breach notification, as well as preventing people from preemptively “freezing” their credit file from being used to open new accounts–something that itself could curb much of the ID theft problems (and perhaps some consumer credit problems…)

It is such BS that Republicans are all about state’s rights…except in this case…and that case…and this other case… Hypocrites!

Wacky World Records

Wed, 22 Mar 2006 14:04:00 -0800

UniqueDaily.com - The Wackiest World Records You Will Ever See

Oh, and just to throw this in since it’s somewhat related: George W. Bush gets my vote for Worst President…Ever. He’s wacky.

Safedisc Drm Update For Windows Xp Reduces Online Gaming Risk

Sun, 19 Mar 2006 12:42:00 -0800

-risk

https://www.microsoft.com/downloads/details.aspx?familyid=eae20f0f-c41c-44fe-84ce-1df707d7a2e9&displaylang=en

This update starts the driver secdrv for SafeDisc from Macrovision at boot time to allow you to run games as a non-admin, lower-privilege user. Games that use SafeDisc otherwise require you to play the game as Administrator in order to have the rights to start the Manual service. Now, if only PunkBuster were to do the same…

Have I mentioned that DRM and copy protection sucks?

Zphone: Encrypt your VOIP

Sun, 19 Mar 2006 12:40:00 -0800

Boing Boing: Encrypted VOIP from PGP creator Zimmermann: Zfone

Encrypted VOIP from PGP creator Zimmermann: Zfone

Good reason to switch to VOIP instead of traditional phones to protect yourself from Big Brother Bush.

Jerry Falwell Issues Correction Jews Are All Going To Hell

Sun, 19 Mar 2006 12:35:00 -0800

-hell

Jerry Falwell issues correction, Jews ARE all going to hell

It must be nice to be in a religion where you can be a callous, holier-than-thou prick and still get into heaven. It also must be nice that all you have to do to get into heaven and avoid eternal damnation is to believe in some shit. The world is such an amazing place where you have free will, but if you process information about that world incorrectly and decide to not believe in Jesus as your saviour, you can suffer for all eternity. Nice. And they get out of having to be Jesus-like in this life in order to get into heaven. Do-gooders need not apply to heaven! Sounds more like the lazy, judgemental person’s religion.

Riaa Says Future Drm Might Quot Threaten Critical Infrastructure And Potentially Endanger Lives Quot-

Sun, 19 Mar 2006 12:26:00 -0800

Freedom to Tinker � Blog Archive � RIAA Says Future DRM Might “Threaten Critical Infrastructure and Potentially Endanger Lives”

Yet another reason DRM sucks. But unbelievably, the “BSA, RIAA, MPAA, and friends” actually are objecting to DRM exemptions for critical systems!

I was also reading recently about how much extra processor and battery life is sucked up when playing DRM files that have to constantly be checking for a valid license and other cruft.

Boggle On Web Weboggle

Sun, 19 Mar 2006 12:21:00 -0800

WEBoggle

This is a great use of AJAX and is also VERY addicting. You have been warned… I’m core24 if I’m playing. But I suck compared to the others. I think they are just monkeys typing random letters and waiting for the squares to light up.

Microsoft Is The Reason The Quot Little Guys Quot Cannot Play Drm Encumbered Files

Fri, 17 Mar 2006 12:29:00 -0800

Boing Boing: MSFT: Our DRM licensing is there to eliminate hobbyists and little guys

It has been freaking annoying that I can’t play DRM encumbered WMA files on my Neuros or even on Linux. Now we know why: Microsoft’s business practices.

Compiling A List Of All Of The Stupid Stuff Bush Has Done

Fri, 17 Mar 2006 10:41:00 -0800

-done

AMERICAblog: Because a great nation deserves the truth

“Let’s create a list of every idiotic thing George Bush has done in the past five years”

This is a great idea. I’ve wanted to at least put together a list of the biggest scandals.

Great timing for this kind of fun. On the heels of a new set of (dis)approval rating results that show that Bush’s popularity has fallen AGAIN, to its lowest level. So, I’ll add his claim that he was given a “mandate” to the list of stupid shit he has said or done.

The single word most frequently associated with George W. Bush today is “incompetent,“and close behind are two other increasingly mentioned descriptors: “idiot” and “liar.” All three are mentioned far more often today than a year ago.

Dhs Adds Another Quot F Quot To Chertoff'S Record

Fri, 17 Mar 2006 01:25:00 -0800

DHS Gets Another F in Computer Security

Is anyone surprised? They can’t even manage a disaster in the physical world (Katrina), what makes you think they can manage the disaster that DHS is? Another black mark for Chertoff and the Bush administration.

Why does the public still think that the Bush administration is strong on defending America?

Most federal agencies that play key roles in the war on terror are doing a dismal job of protecting their computers and information networks from hackers and viruses, according to portions of a report to be released by a key congressional oversight committee Thursday.

The Department of Homeland Security, which is charged with setting the government’s cyber security agenda, earned a grade of F for the third straight year from the House Government Reform Committee. Other agencies whose failing marks went unchanged from 2004 include the departments of Agriculture, Defense, Energy, State, Health and Human Services, Transportation, and Veterans Affairs.

Effective Electronic Communication Requires A Human Touch

Sat, 11 Mar 2006 09:43:00 -0800

https://www.asktog.com/columns/047HowToWriteAReport.html

The finest set of recommendations will be rejected if the form in which they are received is seen as hostile or belligerent. I recently received a copy of an unsolicited report sent to a firm that seemed unimpressed with the writer’s efforts. The reasons why are instructive to us all.

Good reminder to not forget the human element in human communications. Pick up the phone every once in a while instead of just IM or email and you’ll be surprised by the results. Also, if you build human trust in non-electronic means first, it makes understanding nuances in electronic communications easier.

Along the same lines, check out The Art of Schmoozing for some tips on how to build human trust. Hint: it requires human interaction.

Another Bush Administration Inconsistency Dubai But No Israel

Sat, 11 Mar 2006 09:39:00 -0800

Well, at least they’re committed to national security consistent conservative… I give up.

“The same Bush administration review panel that approved a ports deal involving the United Arab Emirates has notified a leading Israeli software company that it faces a rare, full-blown investigation over its plans to buy a smaller rival.

The objections by the FBI and Pentagon were partly over specialized intrusion detection software known as “Snort,” which guards some classified U.S. military and intelligence computers.”

https://redmondmag.com/news/article.asp?editorialsid=7219

Sciam On Quot The Rise Of Crimeware Quot-

Sat, 11 Mar 2006 09:36:00 -0800

quot-

Crimeware coverage by Scientific American

Crimeware coverage by Scientific American. Several good stats and comments from attendees of the RSA Conference. Why the increase in crime on the Internet? Well, it’s where the money is and there is very little risk of getting caught. Job security for a security guy like me though.

3d Panoramas From Around The World

Sat, 11 Mar 2006 09:31:00 -0800

Arounder - Travel and Lifestyle in 360-degree Quicktime VR - Virtual Reality Full Screen panoramas: lugano, milan, milano, barcelona, monte carlo, roma, rome, zermatt, parma, koeln, cologne, zyprus, firenze, florence, pisa:

Wow. Tour cities before you go there. Might come in handy for planning the upcoming honeymoon…

I want to be able to make these with my digicam!

Luckiest Tree

Sat, 11 Mar 2006 09:30:00 -0800

cinthia-moura-gm_l1.jpg (JPEG Image, 400x500 pixels)

Can You Actually Fly Without Providing Id

Sat, 11 Mar 2006 09:25:00 -0800

ng-id

IDP : Investigation

Help us help you determine whether the TSA told the 9th Circuit the truth. Can you fly without ID? According to what the government told the 9th Circuit Court of Appeals in the Gilmore case, you can – you need only submit to secondary screening in order to fly anonymously.

I am just reading a Lee Child book from 1999 (pre 9/11) where the main character flew under president’s names. Would be fun if you could get away with this. Might try it on my next flight…

I almost laughed when I went to the Westin building in Seattle and the guard was going to let me in but I had to show him my ID to get a badge, presumably. But it was funny that someone who worked in the building that I was coming to see happened to come by at the same time and was able to take me in without showing ID or getting a badge. Go figure. So, how important for security _is_ showing an ID then? And, if your threat model includes suicide bombers, what does an ID buy you in terms of protection?

Defeating Censorware

Sat, 11 Mar 2006 09:17:00 -0800

If your employer or corrupt, undemocratic, dictator-based government uses a filtering service such as Secure Computing’s SmartFilter to block access to BoingBoing.net, you can try the following workarounds…

Boing Boing’s Guide to Defeating Censorware

Of course, good network admins take evasive action for these evasive actions, but the reality is that there are always ways to get around proxies. Especially when they do stupid shit like “Smart” filter does. Smartfilter will often block an entire domain in a category for one single page that may fit in that category. They blocked attrition.org under “criminal skills” and several other security sites. I recall them blocking geocities.com or something like it when only some of the pages met the criteria. Why don’t they block specific URLs or URL patterns instead of an entire domain?

Drm Annoying Mistake

Sat, 11 Mar 2006 09:11:00 -0800

The big DRM mistake

Digital Rights Managements hurts paying customers, destroys Fair Use rights, renders customers’ investments worthless, and can always be defeated. Why are consumers and publishers being forced to use DRM?

I have to say that DRM is really on my s*it list these days. I was excited to find out that the Seattle Public Library had three separate e-book and digital audio book relationships so you can access content without even leaving the house. However, I quickly found that one uses WMA files with DRM (which won’t play on my Neuros) and the other uses a proprietary software player that somehow integrates with Windows media player. I can’t even play these files on Linux, let alone on a portable media player. And I can’t burn most of them to CDs to play in the car. What do they expect you to do–play hours of audio books while sitting at your PC??? Retarded.

I’m going to go back to getting the CD audio books and then ripping them so that I can listen to them on the bus on my Neuros.

Note to content producers: you are reducing the play that your clients are getting by using DRM. I will be less able to learn of new authors because it is much more of a hassle to actually listen to the content.

When translators go bad

Sat, 11 Mar 2006 08:56:00 -0800

07:00

I laughed so hard at these mistranslations found on menus in China.

One of my favorites:

“Benumbed hot vegetables fries fuck silk”

Read the comments for a good explanation of how this malicious literal translation gives rise to such humorous groupings of words. I guess you may be able to place an order even with these being so muddled, but I’d stay away from the “sour and sweet bone” and “cowboy meat”. But I hear the “Assorted Fuck” is a real delicacy!

May I take your order?

engrish:

theist v. atheist on studying religion

Sat, 11 Mar 2006 08:47:00 -0800

Web exclusive: ‘How should we study religion?’ by Daniel Dennett | Prospect Magazine March 2006 issue 120

Daniel Dennett was just in Seattle, but I missed him. But my colleague saw him and filled me in. His fundamental point is that we need to remove the stigma attached to scientifically studying religion, which I agree with. He also has a different take on the role and origin of religion as a “natural phenomena” rather than what I have typically seen as more of a “tribal tendency” theory in terms of evolutionary advantage of religion. An interesting claim that is often made by religious people is that without religion, there an be no morality. So, Dan suggests that we should empirically study questions like these–put them to the test. I hardly believe that in the overall scheme of life that religion generally makes people more “moral” than nontheists. There are a lot of atrocities done in the name of religion that will deduct from that tally.

Favorite quotes from the debate:

Presumably this same foresighted creator anticipated the amusement the unbelievers would feel when contemplating the recent declarations by Pat Robertson to the effect that Ariel Sharon’s ill health was God intervening to punish him for ceding Gaza. I’m sure you’ll tell me that our expectations about what a good creator would want, and do, don’t extend to such particulars as these, but why are your expectations any better grounded than mine? You haven’t told us what the rules of this game are.

You find it improbable that there would be a multiverse of all physically possible universes, including ours. Is it less improbable than that there would be an omnipotent, benevolent universe-creator? I don’t think so, and here Bayesian probability theory gives no leverage, so far as I can see. Both are mind-boggling prospects—but that doesn’t give yours the edge.

I see no reason to go along with your hypothesis that we’re just what to expect from a perfect and omnipotent creator.

Another Reason To Buy A Cross Cut Shredder

Sat, 11 Mar 2006 08:26:00 -0800

The Torn-Up Credit Card Application

They tore up their own credit card application, then changed the address and phone number and still got the card!

I always shred the applications I get in the mail.

And the good thing is that in Seattle, you can either recycle your shreddings or put them in your yard waste container.

Welcome to Bizarro World - Oracle has 'the security problem solved!'

Wed, 08 Mar 2006 01:05:00 -0800

Australian IT - Oracle on track of secure search (, MARCH 07, 2006)

“We have the security problem solved. That’s what we’re good at, and that’s the hard part of the problem.” -- Larry Ellison

Hell has not frozen over so I don’t believe him.

Bush Worst President Ever

Wed, 01 Mar 2006 14:08:00 -0800

-ever

Fucking…incompetent…liar…

Bush-Katrina Early warning Video

New video shows Bush was warned levees could breach BEFORE Katrina hit - Bush lied when he said no one could imagine levees breaching

Search Engine Search By Sketch-

Fri, 24 Feb 2006 09:39:00 -0800

retrievr - search by sketch

This is a lot of fun to see what search results you get. Maybe Google will pick up similar technology for Google images and video?

Book On Building Geeky Stuff

Fri, 24 Feb 2006 09:36:00 -0800

Adventures from the Technology Underground : Catapults, Pulsejets, Rail Guns, Flamethrowers, Tesla Coils, Air Cannons, and the Garage Warriors Who Love Them: Explore similar items](https://www.amazon.com/exec/obidos/ASIN/1400050820/juxtaposition-20?dev-t=DW7KZDVJYZAIL%26camp=2025%26link_code=xm2 “Amazon.com: Adventures from the Technology Underground : Catapults, Pulsejets, Rail Guns, Flamethrowers, Tesla Coils, Air Cannons, and the Garage Warriors Who Love Them: Explore similar items”)

Mythbusters, except encouraging “do try this at home”. Will have to get this book.

Very cool color pallette tool

Fri, 24 Feb 2006 09:33:00 -0800

Allows selecting colors for web designs from a variety of schemes, such as complementary colors. Very quick to get a list of colors that go well together.

HTML Color Code Tool Or from the source: https://www.siteprocentral.com/html_color_code.html

I would post it here, but they force you to use their HTML code and include it as an iframe.

Fuel Cell Motorbike

Fri, 24 Feb 2006 09:22:00 -0800

Riding Sun ENV bike at Tokyo Fuel Cell Expo

Move over Vespa. There’s a new show in town and I want one of these…

British Video Association Admission Debunks Claims Of Quot Piracy Quot-

Fri, 24 Feb 2006 09:21:00 -0800

BBC NEWS | Entertainment | Digital film: Industry answers

Oops?

Notable Web Site Designs

Fri, 24 Feb 2006 09:19:00 -0800

Current style in web design

Discussion of notable web site designs and properties of good web design.

My Tips For Diy Electrical Wiring

Fri, 24 Feb 2006 09:18:00 -0800

I recently finished wiring my second kitchen and wanted to document and share the tips that I’ve learned. I’m not an electrician so when in doubt, check your local regulations and refer to the National Fire Prevention Association’s National Electrical Code (NFPA 70) But, doing your wiring yourself can save you A LOT of money. It is really not that difficult if you read up on the requirements and practice with someone who has done it before. The inspectors are generally patient with you as a DIY homeowner and will help guide you along if you ask them questions.

Kitchen minimum circuit requirements:

Countertop outlets: Must now have two independent 20A circuits. Not required but recommended is to alternate the outlets on a counter on both circuits to keep outlets in one area from going out if one device overloads the circuit.
Microwave: must be on its own dedicated 20A circuit. This is an absolute must these days when most microwaves are at least 700W (mine is over 1000W) and this will often blow the circuit.
Dishwasher: should be on its own dedicated 20A circuit. It is not required that it be hard-wired and can be handy to put an appropriately-sized gauge plug on the dishwasher so you can just plug it into a receptacle. Best to get a flat plug since there isn’t much available room behind a dishwasher for a standard plug.
Refrigerator: should be on its own dedicated 20A circuit, but this is not required. It is acceptable to dangle this off of one of the two countertop outlet circuits
Disposer: Also should be on its own dedicated 20A circuit, but not required. I prefer to use a switched receptacle for disposals so that the other receptacle is available for a hot water tap or future devices.
Lighting: Cannot be on the same circuit as any outlets. The thoughts are that if you blow the outlet circuit, it is safer to keep the lights on!

Other things to be aware of:

Receptacles:
Any appliance outlet in the kitchen within 6 feet of a water source must be GFCI protected.
Be careful not to wire outlets that should be non-GFCI downstream and in series with GFCI outlets or if an upstream GFCI trips, you will kill the remainder of the circuit leg too. If you need to put others on the same circuit, wire them in parallel or run a parallel separate power lead from the incoming feed source.
Some appliances with motor loads can trip GFCI circuits, such as dishwashers or refrigerators. You should likely not make those GFCI protected.
You’re not supposed to hang anything else off of kitchen countertop outlet circuits, especially in other rooms. You can get away with this in a remodel sometimes, as I had to deal with an existing bad situation.
Any counter wall space of at least 12" needs to have an outlet installed on it.
Countertop outlets are typically placed 6" to center above the finished countertop height (which is 36" these days)
Receptacles: It is recommended to avoid push-in outlet terminals even where available since they are not as reliable as screw-down terminals and can cause overheating and fire in the long-run. Make sure to tighten down the screw terminals for the same reason. My 50 year-old house used the screw terminals but several wires were not tightened and the switches were quite warm because of it.
Switch height is typically 48" to the center of the box from the finished floor. It’s best to check with existing switches in a remodel and just match that height for aesthetics.
Be advised that for some jobs the inspectors may require you to bring other things up to code even if they aren’t part of your permitted work. For example, on my last kitchen remodel project, I had to install at least two 20A outdoor outlets, one near the front and one near the rear door since code requires this so that you aren’t tempted to overload interior circuits with outdoor equipment.
Be careful to provide maintenance switches for appliances that are hard-wired. The circuit panel breaker does not count as a switch unless you equip it with a breaker lock to keep someone from accidentally turning it back on while you’re working on the appliance/circuit
Outlets to bedrooms now are required to be served by AFCI (Arc Fault Circuit Interrupters). These are designed to detect arcing that can cause fires so are a safety precaution.
There is a bit of excessive requirements in the NEC, alot of it designed less for safety than for other things like accessibility and maintainability and ensuring licensed electricians don’t do silly things like wire all of your outlets on one circuit anymore. At the same time, there are some things that the NEC lets slip that I would not, as a security professional, rely on even if you can get away with it because the design is brittle. And with safety, I’d prefer to not have a brittle protection system. One of those is that you can technically install one GFCI outlet at the beginning and chain multiple outlets downstream in series from that one and that is sufficient to meet GFCI protection. I don’t know about you, but that is asking a lot of that one outlet. And GFCI circuits are not necessarily reliable forever. Why do you think they have a test button on them that you are supposed to use periodically? I prefer to use GFCI receptacles on every outlet that should be GFCI protected so that there is some failover protection. I also prefer to install a GFCI circuit breaker if all outlets on the circuit should have GFCI protection since the breaker is more reliable in general than the individual outlets. Multiple layers of protection. I got inspectors asking me why I did this but it’s a bit of extra protection where it is needed most and does not cost a whole lot more.
Make all connections that will have wire nuts attached mechanically sound with pliers before using wire nuts. Don’t rely on the wire nuts alone to hold the wires together! I’ve seen grounds pop out this way and leave outlets unprotected.
Running wires
Wires running through walls should be 1 1/4" back from either face of the stud for safety. Use metal nail plates to protect the wires
All junction boxes have to remain accessible so don’t enclose them in a wall.
Wires need to be stapled within 8 inches of entering a box and at least every 48 inches. More staples are better.

Here’s what I’ve just put into my kitchen as an example:

two 20A countertop outlet circuits. Refrigerator branches off of the incoming power of one of the circuits. one 20A non-countertop outlet circuit one 20A dedicated dishwasher circuit one 20A Disposer circuit. Low voltage transformer and range hood (only 3A max draw) come off of that circuit. one 15A lighting circuit for the recessed cans one 30A electric range circuit one 20A dedicated microwave circuit

Inspections

Here are the required inspections since this is not apparent to the layperson doing this for the first time:

Cover (aka Rough-in): Once you have installed all of the boxes, run all of the wire, and “tailed out” all of the grounds at least, call for this inspection. The inspectors will want to make sure you pigtailed all of the grounds before signing off. You can also pigtail any other necessary connections as well before now. You can essentially hook everything up by this point except turning on the power and connecting receptacles, switches, etc. You cannot put insulation or drywall up until this is done. If you do, they may make you rip it out to see what’s beneath…
Final: After everything has been completed and all of the lights and receptacles are hooked up and the power has been turned on, they will want to come back and do some tests. They will check the polarity of all of the outlets so be sure you check this first. You need to be sure to hook the black (hot) only to the brass screws! The other big thing they will check for is whether the GFCI circuits actually work. Miswiring GFCI outlets can render them worthless so be prepared for this.

Here are a couple of helpful resources:

Codecheck.com and also this checklist.

Just How Insecure Is Electronic Voting

Fri, 24 Feb 2006 09:07:00 -0800

Black Box Voting : 2-23-06: Someone accessed 40 Palm Beach County voting machines Nov 2004

This is good work. NOW do the naysayers see why we need voter verifiable paper ballots?

Discovered Site For Bittorrent Downloads Of All Kinds

Thu, 23 Feb 2006 09:04:00 -0800

mininova : the ultimate bittorrent source!

Hours and hours of entertainment, not all of it legal.

Racial Profiling For Terrorists

Mon, 20 Feb 2006 02:28:00 -0800

On The McLaughlin Group yesterday, there was a lot of ridiculous sophistry regarding racial profiling as a valuable and necessary tradeoff between liberty and security.

Bruce Schneier has written many times on this subject. In this piece, there is a perfect quote about what is misguided about the position that racial profiling is not only necessary, but is actually effective, “Whenever you design a security system with two ways through – an easy way and a hard way – you invite the attacker to take the easy way. Profile for young Arab males, and you’ll get terrorists that are old non-Arab females.”

“The enemy could easily get around it by recruiting people who don’t look like the profile” – Eleanor Clift, the only one who gets it.

“We need smart profiling, not racial profiling” – John McLaughlin, who also gets it, sort of. He was pushing for profiling Muslims, which I don’t believe source the only terrorists now, in the past, or in the future. He is right about one thing, religion has been the excuse for all kinds of atrocities all over the world. But it has not been limited to Muslim extremists. There are Christian extremists even in our own country who would love to turn this country into a theocracy.

Best new word: “Muslometer”; a call for venture capitalists to develop a device to gauge whether someone is a Muslim or not.

Data Shows Overuse Of The Word 'Pandemic' Becoming 'Global Pandemic'

Wed, 07 Dec 2005 06:33:00 -0800

One example: https://bankinfosecurity.com/node/2696

Isn’t “Global pandemic” a bit redundant? Also, is the term “pandemic” even appropriate, or the most appropriate, to describe an Internet-based malady? Pandemic implies distribution over a large geographic area.

Plenty more https://news.google.com/news?q=pandemic&hl=en&lr=&sa=N&tab=nn&oi=newsr

And thankfully I found this article criticizing this trend: The ‘Pandemic’ Epidemic

Doj Staffers Trumped By Political Arm

Sun, 04 Dec 2005 15:04:00 -0800

l-arm

Daily Kos: Justice Determined DeLay Redistricting Illegal, Overruled By Political Hacks

More ugliness from the repugnicans made public.

Justice Department lawyers concluded that the landmark Texas congressional redistricting plan spearheaded by Rep. Tom DeLay (R) violated the Voting Rights Act, according to a previously undisclosed memo obtained by The Washington Post. But senior officials overruled them and approved the plan.

Calling Bs On The Quot War On Christmas Quot-

Sun, 04 Dec 2005 14:55:00 -0800

Salon.com News | How the secular humanist grinch didn’t steal Christmas

A great article in Salon with actual _facts_ instead of anecdotes. Remember kids, anecdotes is not the plural form of the word data.

one can in fact offer Christmas greetings without legal counsel. Christmas trees are permitted in public schools. (They’re considered secular symbols.) Nativity scenes are allowed on public property, although if the government erects one, it has to be part of a larger display that also includes other, secular signs of the holiday season, or displays referring to other religions. (The operative Supreme Court precedent is 1984’s Lynch v. Donnelly, where the Supreme Court ruled 5-4 that a city-sponsored Christmas display including a cr�che, reindeer, a Christmas tree, candy-striped poles and a banner that read “Seasons Greetings” was permissible. “The display is sponsored by the city to celebrate the Holiday and to depict the origins of that Holiday,” the majority wrote. “These are legitimate secular purposes.”) Students are allowed to distribute religious holiday cards and literature in school. If the administration tries to stop them, the ACLU will step in to defend the students’ free-speech rights, as they did in 2003 when teenagers in Massachusetts were suspended for passing out candy canes with Christian messages.

In fact, there is no war on Christmas. What there is, rather, is a burgeoning myth of a war on Christmas, assembled out of old reactionary tropes, urban legends, exaggerated anecdotes and increasingly organized hostility to the American Civil Liberties Union.

Possible Investigation Of Oil Ceo Lying

Sun, 04 Dec 2005 14:45:00 -0800

Lautenberg wants criminal investigation of Oil CEOs

Unbelievable to watch the CEOs lie on CSPAN and unfortunate that it took The Daily Show to point out that the prick who runs the committee prevented the Oil execs from being sworn in. Else they would be guilty of perjury.

I’m glad that my senator from the great state of Washington, Maria Cantwell, was the one who tried to get Ted Stevens (the aforementioned prick) to swear them in.

How Not To Demolish A Building

Sun, 04 Dec 2005 14:31:00 -0800

Funny video of a real life demolition in Sioux Falls, SD that intended to cause the building to fall over but instead just shortened it by about a third.

https://www.argusleader.com/assets/mov/DF13214123.MOV

Geeky Xmas Gifts For Under 100

Sun, 04 Dec 2005 14:22:00 -0800

MAKE: Blog: MAKE’s Mostly Under $100 Gift Guide 2005!

What a cool list. I’m sure I’d enjoy anything on this list–even the PVC pipe (I do have a kitchen remodel coming up…)

Science Toys You Can Make At Home

Sun, 04 Dec 2005 14:08:00 -0800

-home

Science Toys

Make toys at home with common household materials, often in only a few minutes, that demonstrate fascinating scientific principles.

Hours and hours of fun just _reading_ about what you can build.

I’ve built a couple of the things on the site before. Will have to dig up some of my electronics stuff from the basement!

Nature Is Beautiful

Sun, 04 Dec 2005 14:07:00 -0800

Atmospheric Optics

Very beautiful photographs and explanations of optical effects in nature.

I never knew there was a “fogbow”

Lt Strike Gt Security In Airlines Lt Strike Gt Airline Insecurity

Wed, 30 Nov 2005 14:37:00 -0800

When people tried to evacuate during Hurricane Katrina, airline security prevented many from being able to leave before the airport had to be shut down. This is where a threat model would have helped make the right decision in the face of competing risks. And where “zero tolerance” policies really show how they are “zero thought” policies.

Hurricane Security and Airline Security Collide

And recently, if you thought that airline security was too strict, it is working. You should know it is only designed to make you _think_ that so that you will keep flying. If they really based it on a real threat model, you would have a very different traveling experience and stupid things like taking fingernail clippers and metal knives away, but allowing you to have full glass bottles of alcohol on planes would not happen. My cousin, who was in the army, recently said, “I’d like a terrorist to try to attack me with fingernail clippers.” The implication was that he would kick their ass to a bloody pulp before they got anywhere because that is stupidity masquerading as a threat to airline security.

Here is what happens when a politician says The Emperor Has No Clothes. Good for him to speak the truth. The homeland security budget could be put to use protecting against real threats.

Real threats like the fact that our air traffic control systems have shitty security. It is so bad, they lack cyber security. Oooh. FAA air-traffic systems lack cyberprotections, GAO finds

Stem cell research breakthrough -- in Korea

Wed, 30 Nov 2005 14:31:00 -0800

WorldNetDaily: Paraplegic breakthrough using adult stem cells

This is truly great news and will be even better if it holds up to peer review and brings about additional breakthroughs. It is proof positive of a couple of things:

The critical importance of stem cell research of all kinds for treating serious afflictions and diseases. The research here was done using adult stem cells, but embryonic stem cell research may hold even more promise for finding cures in general.
The fact that this breakthrough came from outside the US is a warning of the failure of the US policy on stem cell research and the republicans likening “stem cells” to abortion and creating a false stigma.

In an apparent major breakthrough, scientists in Korea report using umbilical cord blood stem cells to restore feeling and mobility to a spinal-cord injury patient.

The research, published in the peer-reviewed journal Cythotherapy, centered on a woman had been a paraplegic 19 years due to an accident.

After an infusion of umbilical cord blood stem cells, stunning results were recorded:

“The patient could move her hips and feel her hip skin on day 15 after transplantation. On day 25 after transplantation her feet responded to stimulation.”

No City Official Left Behind

Wed, 30 Nov 2005 14:24:00 -0800

Local officials nearly fall for H2O hoax - Science - MSNBC.com

They should also make sure that their hand isn’t larger than their face or they might have cancer.

ALISO VIEJO, Calif. - City officials were so concerned about the potentially dangerous properties of dihydrogen monoxide that they considered banning foam cups after they learned the chemical was used in their production.

Then they learned, to their chagrin, that dihydrogen monoxide — H2O for short — is the scientific term for water.

Hollywood Misleads The Press On Piracy Statistics

Wed, 30 Nov 2005 14:17:00 -0800

Hollywood: Thousands Dead From File Sharing

Statements and statistics from the music, movie and software cartels are about as accurate as their claims that they’re honest, hard-working companies with consumers’ and performers’ best interests at heart.

A couple of years back, the Big Four Organized Music family’s RIAA said a raid against a New York counterfeit operation resulted in the equivalent of 421 CD burners being seized.

However, Bill Evans had been told the numbers was actually156.

Jon Newton

When he asked for an explanation for the discrepancy, “We stated that the raid was the equivalent of 421 burners, as we need to put these operations in perspective based on burning capacity and output, not the number of physical slots for the discs,” RIAA (Recording Industry Association of America) truth adjustment specialist Amy Weiss said.

“Since they burn 4x burners - it is roughly 4xs the numbers of burners.”

Good grief. There’s more in the article. I don’t believe that this is the first revelation of lying with statistics from this industry.

Judges Order Publishing Of Breathalyser Source Code

Wed, 30 Nov 2005 14:14:00 -0800

-code

LiveAmmo Security Blog: Drunk drivers granted access to breathalyser source code

If only I was able to be granted the source code for the laser detector that incorrectly clocked me over the speed limit…

I like when judges don’t treat technology as infallible. In my case, there was not any argument that could detract from the “evidence” , even the likely EMI!

Oh, and let’s also demand the same for our voting machines!

“A panel of judges in the Florida county of Sarasota has granted a request by a group of over 150 citizens accused of drink-driving to view the source code of the breathalyser that was used to determine their breath alcohol levels.

Attorneys for the defendants had filed a motion to review the source code for the Intoxilyzer 5000 breathalyzer in October.

‘The defendants have established that the source code is material to their theory of defense in these cases,’ judges David Denkin, Kimberly Bonner and Judy Goldman wrote in their ruling dated 2 November.

Cardinal Rebuffs Quot Intelligent Design Quot-

Wed, 30 Nov 2005 14:10:00 -0800

Evolution in the bible, says Vatican - The Other Side - Breaking News 24/7 - NEWS.com.au

The vatican taking a modern position? Wow. This doesn’t make up for their handling of the sex abuse scandals but it’s a positive sign.

THE Vatican has issued a stout defence of Charles Darwin, voicing strong criticism of Christian fundamentalists who reject his theory of evolution and interpret the biblical account of creation literally. Cardinal Paul Poupard, head of the Pontifical Council for Culture, said the Genesis description of how God created the universe and Darwin’s theory of evolution were “perfectly compatible” if the Bible were read correctly.

Penn Jillette Quot There Is No God Quot-

Wed, 30 Nov 2005 14:06:00 -0800

NPR : There Is No God

Just in time for the holidays, a piece on what people believe that is not necessarily in the mainstream. A good reminder that not everyone believes the same as you do, especially among the “christian” religions.

Penn Jillette wrote an excellent piece for NPR’s “This I Believe” series on why he is “beyond Atheism”. Many religious people don’t understand or simply don’t believe that you can have morals without god but I think that Penn has a very simple model that explains how there are even possible advantages to the atheist moral world view:

Believing there’s no God means I can’t really be forgiven except by kindness and faulty memories. That’s good; it makes me want to be more thoughtful. I have to try to treat people right the first time around.

He also discusses many other advantages to a godless world that are well worth reading, especially if you are religious; not because it should convince you to not be religious but because it can help you understand that it is just as legitimate a position as your religious position. And hopefully soften some of the anti-atheist views held by most of America.

High Tech Safecracking

Wed, 30 Nov 2005 13:52:00 -0800

This link wasn’t working at the time of posting, but it is interesting to see how you can use infrared to determine a combination from a recently-used keypad. There must be some equipment that would cost less than $5000 that could do this? I’ll have to check the local spy shop.

https://lcamtuf.coredump.cx/tsafe/

Richard Stallman Quot Foils Quot Rfid Quot Security Quot-

Wed, 30 Nov 2005 13:51:00 -0800

quot-

GNU project founder foils UN security

Glad my passport does not expire for many years to come. Perhaps by then passports won’t have RFID tags in them any longer. But if they do, I guess this is an easy way to keep myself from being a target for a shoulder-fired missile overseas.

FOUNDER of the GNU project, Richard Stallman, got in trouble at the UN World Summit on the information society in Tunis for putting tin foil around his RF ID.

Serious flaws in wiretapping equipment

Wed, 30 Nov 2005 13:47:00 -0800

Signaling Vulnerabilities in Wiretapping Systems

Ahh, too bad I don’t work for a telecom compnay anymore (actually, it is good). This might be fun to test out…

In a research paper appearing in the November/December 2005 issue of IEEE Security and Privacy, we analyzed publicly available information and materials to evaluate the reliability of the telephone wiretapping technologies used by US law enforcement agencies. The analysis found vulnerabilities in widely fielded interception technologies that are used for both “pen register” and “full audio” (Title III / FISA) taps. The vulnerabilities allow a party to a wiretapped call to disable content recording and call monitoring and to manipulate the logs of dialed digits and call activity. These countermeasures do not require cooperation with the called party, elaborate equipment, or special skill.

Isakmp The Standard For Incompatibility

Wed, 30 Nov 2005 13:40:00 -0800

Peter Gutman wrote a great summary of the lengths that many have to go to in order to get ISAKMP implementations to interoperate.

I had a hell of a time trying to get Windows 2000/XP IPSec to work with FreeS/WAN in the past. It was very difficult to debug what was going on and I resorted to using tools that translated FreeS/WAN configuration into Windows IPSec configuration so that I was sure that the settings were correct.

>On Sat, 19 Nov 2005, Peter Gutmann wrote: >>- The remaining user base replaced it with on-demand access to network >> engineers who come in and set up their hardware and/or software for them and >> hand-carry the keys from one endpoint to the other. >> >> I guess that’s one key management model that the designers never >> anticipated… I wonder what a good name for this would be, something better >> than the obvious “sneakernet keying”? > >Actually this is a good thing.

Unless you’re the one paying someone $200/hour for it.

>Separation of the key distribution channel from the flow of traffic encrypted >under those keys. Making key distribution require human >attention/intervention.

Somehow I suspect that this (making it so unworkable that you have to hand- carry configuration data from A to B) wasn’t the intention of the IKE designers :-). It’s not just the keying data though, it’s all configuration information. One networking guy spent some time over dinner recently describing how, when he has to set up an IPsec tunnel where the endpoints aren’t using completely identical hardware, he uses a hacked version of OpenSWAN with extra diagnostics enabled to see what side A is sending in the IKE handshake, then configures side B to match what A wants. Once that’s done, he calls A and has a password/key read out over the phone to set up for B.

Peter.

Quot Cybercrime Quot Treaty Is Criminal

Wed, 30 Nov 2005 13:39:00 -0800

Fuzzy logic behind Bush’s cybercrime treaty | Perspectives | CNET News.com

the Convention on Cybercrime will endanger Americans’ privacy and civil liberties–and place the FBI’s massive surveillance apparatus at the disposal of nations with much less respect for individual liberties.

Well, it has “cyber” in its name so it must be good… This legislation sounds like a really bad idea without the fix to ensure that requests are only allowed under “dual criminality” situations.

It’s really puzzling how the Bush administration would be backing this after they put up such a stink about the US not being dictated to by other countries in environmental laws or by international courts. But since when have they been consistent?

Xmas nostalgia

Wed, 23 Nov 2005 11:57:00 -0800

07:00

Someone is scanning in the entire Sears 1979 wishbook.

Two geeky takes on the Kama Sutra

Wed, 23 Nov 2005 11:54:00 -0800

The “Comma Sutra”

via Scrutiny Hooligans

Which reminds me of a related amusing and geeky version:

Linux Sex Positions - The Open Source Kama Sutra

They even have a security-related one: “Position 12 - Piercing the Firewall”

Lawyers Gone Wild

Wed, 23 Nov 2005 11:44:00 -0800

When Legal Strikes—Chaos Theory Meets DRM

Sadly, as management gets more cautious about legal repercussions, lawyers get a voice in decisions in which they not only have no expertise (such as IT), but in customer-facing initiatives, as well.

Sony’s aggressive spyware approach to DRM smells to high hell of the kind of good-intentions-turned-cognitive-dirty-bomb so many Legal-inspired projects descend into.

This is an interesting opinion that I think is only potentially applicable to situations where the lawyer in question is representing the company’s explicit interest. I haven’t seen this happen in general though–particularly where the corporate lawyers are addressing issues that are _not_ in regards to the company interest (e.g. privacy law).

For the most part, I have seen these lawyers define a very low bar for a company to meet. The same tendency for lawyers “tend to wield power disproportionate to their duties” (I would use the word “influence” instead of power) leads to these proclamations to be interpreted to mean that the company should only meet the minimum bar. These lawyers are not in the business of suggesting what the company _should_ do, only a minimum of what it _has_ to do. Laws aren’t necessarily sufficient or detailed enough to ensure that they are complied with, however. I have had several situations where lawyers have undone good security work because they proliferated the fact that the law didn’t require the proscribed procedures, even though those procedures were in place to uphold that law. Lawyers seem to wield more influence than security folks though so who do you think was listened to?

Common Writing Mistakes

Wed, 23 Nov 2005 10:54:00 -0800

This post about Grammar Nerds reminded me that I’ve long wanted to write about some common mistakes I see over and over on the Internet and in emails.

The most common thing that I notice is confusing words that sound somewhat alike but have very different meanings and spellings:

conscious/conscience

If your conscience is bothering you, you are conscious.

effect/affect

Will poor grammer affect your chances of getting that next job?

Missing out on that next job may be the likely effect (outcome) of being sloppy with grammar.

console/consul

You can change administrative settings via an application or server console.

bare/bear

Bear in mind these grammar rules for next time.

there/their/they’re

They’re = They are

There = refers to a location (e.g. over there)

Their = a possessive pronoun; used when referring to group possession of a thing or quality

your/you’re

You’re = You are

Your = possessive pronoun; used when referring to someone possessing a thing or quality

e.g./i.e.

e.g. = exempli gratia (for example); use when providing an example for clarification

i.e. = id est (that is… or “in effect”); use when providing additional clarifying information, not through the use of an example

lose/loose

I always see this one when someone misspells lose as “loose”. Playing fast and loose with spelling!

mute/moot

When using the phrase, “a moot point” or similar, “this may become moot”, moot is the right spelling. Mute refers to remaining or being unable to speak.

to/two/too

Too = also

two = the number 2

to = a preposition meaning a variety of things, such as “toward”

There are a ton of sites that go into more detail than this. A simple google search will find most all of them. Or just check your favorite dictionary.

Internet Security Tips

Sun, 20 Nov 2005 03:27:00 -0800

https://www.eweek.com/article2/0,1759,1883072,00.asp?kc=EWRSS03129TX1K0000614

Md4 And Md5 Collision Generators

Sun, 20 Nov 2005 03:21:00 -0800

There are still not known attacks against encryption schemes that make use of these, but certainly anything relying on these hashes for integrity protection should switch to alternate mechanisms.

Sent: Monday, November 14, 2005 10:48 AM To: cryptography@metzdowd.com Subject: MD4 and MD5 collision generators

I am releasing my collision generators for MD4 and MD5. They have significant time improvements over the ones described in the papers by Wang, et al.

MD4 collisions can be generated almost instantly, MD5 can be generated in approximately 45 minutes on my p4 1.6ghz (on average).

https://www.stachliu.com/collisions.html

Enjoy -Patrick Stach

Scientists Re Invent Nature

Sun, 20 Nov 2005 02:25:00 -0800

BBC NEWS | Science/Nature | Butterfly wings work like LEDs

When scientists developed an efficient device for emitting light, they hadn’t realised butterflies have been using the same method for 30 million years.

Oh The Irony

Sun, 20 Nov 2005 02:23:00 -0800

Wired News: Tainted Sony CDs Used Open Source

In short: Sony’s ill-conceived, ill-executed, and ill-handled copy protected CDs that inserted a rootkit on your Windows computer that were designed to supposedly protect artist’s rights by preventing unauthorized copying of music ironically appear to have violated the copyrights of several open source software tools.

Quot Deep Thoughts Quot On Topics Of The Day

Fri, 11 Nov 2005 04:08:00 -0800

Daily Kos: Cheers and Jeers: Rum and Coke FRIDAY!

Last weekend we picked up three of Jack Handy’s Deep Thoughts books. While he avoids the political (after all, the thoughts are deep), we found some striking parallels to certain people and issues of the day…

More 'Christians' Persecuting Others Who Are Supposedly Persecuting Christians

Fri, 11 Nov 2005 02:01:00 -0800

Pandagon: ‘Tis the season to ‘persecute’ Christians

A couple more years of this hysteria and the use of “Merry Christmas” as shorthand for, “I hate you and everything you stand for because you didn’t pass my Christian sniff test, hellbound motherfucker,”

Now that sounds consistent with the loving Christian attitude fostered by Pat Robertson.

CNN.com - Robertson warns Pennsylvania�voters of God’s wrath - Nov 10, 2005

WASHINGTON (Reuters) – Conservative Christian broadcaster Pat Robertson told citizens of a Pennsylvania town that they had rejected God by voting their school board out of office for supporting “intelligent design” and warned them Thursday not to be surprised if disaster struck.

Don’t you just enjoy how much love and inclusiveness there is at the Holidays? Sheesh.

Alito Response To Vanguard Conflict Of Interest Shows True Character

Fri, 11 Nov 2005 01:11:00 -0800

Eschaton

Alito: “he’s an I’m gonna do what I want and fuck you if you think otherwise kind of guy” Nice.

O'Reilly Unpacks Dead Horse From His Holiday Nick Nacks Begins 2005 Flogging

Fri, 11 Nov 2005 01:08:00 -0800

O’Reilly opens new front in “war” on Christmas … [Media Matters]

O’Reilly is ridiculous and a hypocrite. He is trying to create a controversy where one does not exist and then beat that dead horse senseless. And his issue? “Season’s Greetings” and “Happy Holidays” used by businesses around this time of year “absolutely does [offend Christians]. And I know that for a fact.”

Here’s how he is a hypocrite (one of many ways). It’s okay for him to be offended when the Christian aspect is _not_ specifically mentioned, but non-Christians do not get this same right. But this is okay because O’Reilly says, “I don’t believe most people who aren’t Christian are offended by the words “Merry Christmas.” Nevermind this is a baseless position to take. And the possibility that non-Christians could be just as incensed as he is is not only discounted, but he resorts to ad-hominim attacks against those non-Christians, “I think those people are nuts. I think you’re crazy if you’re offended by the words “Merry Christmas.”

To summarize:

Christians: Have a right to be offended when Christian-specific language is _not_ used at the holidays and can be offended when inclusive language is used, such as “Happy Holidays”.

non-Christians: If they are offended by exclusive language such as “Merry Christmas”, they are “nuts” or “nutty customers”. Further, businesses should ask, “why do you want them [as customers] anyway?” Not only should exclusive _language_ be used, but business should actually think hard about _actually excluding_ them from the customer base.

He wants to see businesses only address the Christian aspect of the holiday season specifically.

But he then contradicts himself when he says, “the smart way to do it is “Merry Christmas, Happy Hanukah, Season’s Greetings, Happy Kwanzaa.” So it’s okay to say “Season’s Greetings” now or isn’t it? Clear as mud, but what do you expect?

Password Hash Dash

Wed, 09 Nov 2005 23:26:00 -0800

-dash

Rainbow Crack is a time/memory tradeoff tool that can break passwords knowing just the password hash. So, those people who still think that disclosing password hashes is not a big deal…

SANS documented and proved, using a modified version of Rainbow Crack, something that I have suspected for a while. That Oracle’s proprietary password hashes are weak There are plenty of good ways to do this that it’s a wonder these days that people still roll-their-own crypto. The SANS team is releasing an update to Rainbow Crack that can crack Oracle passwords.

New Photos Of Wonders Of The Universe

Wed, 09 Nov 2005 15:12:00 -0800

Hubble & Spitzer Space Telescopes on Yahoo! News Photos

Beautiful, wonderous, cool stuff.

This undated infrared image captured by NASA’s Spitzer Space Telescope, released by NASA on Wednesday, Nov. 9, 2005, shows colossal pillars of cool gas and dust that provide scientists with an intimate look at the star-forming process. The image reflects a region in space known as W5, in the constellation Cassiopeia 7,000 light years away, which is dominated by a single massive star. (AP Photo/NASA, JPL, CalTech)

Congress May Curtail Some Patriot Act Powers

Wed, 09 Nov 2005 15:01:00 -0800

Congress May Curb Some Patriot Act Powers - Yahoo! News

Now that congress has apparently taken the time to read the PATRIOT Act, they are more likely to do the right thing before voting for it a second time:

WASHINGTON - Congress is moving to curb some of the police powers it gave the Bush administration after the Sept. 11 terrorist attacks, including imposing new restrictions on the FBI’s access to private phone and financial records. ADVERTISEMENT

A budding House-Senate deal on the expiring USA Patriot Act includes new limits on federal law enforcement powers and rejects the Bush administration’s request to grant the FBI authority to get administrative subpoenas for wiretaps and other covert devices without a judge’s approval.

Quot Religious Right Quot Confirms They Are Hypocrites

Wed, 09 Nov 2005 14:58:00 -0800

AMERICAblog: Religious right bigots upset that a US Senator called them on their religious bigotry

Yet another reason to love Vermont Senator Pat Leahy.

Primer On Root Causes Of The Violence In France

Wed, 09 Nov 2005 14:51:00 -0800

TomPaine.com - Why Paris Is Burning

Attend Or Host A Walmart Movie Screening

Wed, 09 Nov 2005 14:48:00 -0800

WAL-MART Movie Screenings

Attend or host a movie screening of the new film Wal*Mart: The High Cost of Low Price. I’ll be attending one in Seattle next Wednesday. Hope to see you there!

Another Fema And Bush Administration Snafu

Wed, 09 Nov 2005 14:46:00 -0800

Think Progress � Another Titanic Mistake

The Federal Emergency Management Agency has given the defense contracting agency Titan more than a half million dollars in brand-new contracts for Hurricane Katrina. Here are the top five reasons this was a very bad idea

Read the article for the sickening details about Titan. If Republicans want to do something about the moral climate of America, forget the annoying shit that the FCC is doing and clean house in your own party. Ahh, the ones who throw stones should not live in glass houses…

Democrats Now Press Find Their Cajones

Wed, 09 Nov 2005 14:30:00 -0800

Pandagon: Another painful Scott McClellan ass-whooping

White House press briefings are fun again!

Especially when the White House attempts to revise history again.

The press is starting to do its job for once, but it is often discounting and ignoring their role in marketing misinformation about the Iraq war

The complete toll of the Iraq War

Wed, 09 Nov 2005 14:11:00 -0800

It really miffs me to hear media focus entirely on the number of death-specific casualties of the Iraq war but completely ignore the other horrible casualties. From the McLaughlin Group, 11/4/05:

MR. MCLAUGHLIN: Okay, the human toll: The U.S. military dead in Iraq, including suicides, 2,035; U.S. military amputeed, wounded, injured, mentally ill, 48,100; Iraqi civilians dead, 117,700.

Note to the media: Why don’t you ask yourselves why it is only the number of _dead_ servicemen who you choose to highlight? Isn’t 48,100 WOUNDED US CITIZENS an even more horrific number? Yes, 2035 dead US Citizens is tragic, but death is not the only tragic consequence for the soldiers.

And what about the Iraqi _deaths_ of 117,700? That’s not their wounded count. That’s the number of body bags needed or graves to be dug.

Na Na Na Na Na Na Na Na Hey Hey Hey

Wed, 09 Nov 2005 09:05:00 -0800

BBC NEWS | Americas | CIA leak probe reporter resigns

Judith Miller resigns. Good riddance.

Proof Against Intelligent Design The Kansas School Board

Tue, 08 Nov 2005 23:06:00 -0800

In a 6-4 vote, the Kansas school board voted in favor of teaching Intelligent Design in Schools.

Two words: F*cking idiots.

There is some good news in the realm of the New New Creationism though:

Intelligent Design Candidates Voted Out in Penn. Hooray! To show how huge htis was, 8 out of the 9 members who voted in favor of ID as an “alternative” to evolution were up for election; all 8 were voted out.

Science & Theology News also has a list of the ID players

Eff Breaks Secret Tracking Quot Dot Code Quot-

Sun, 30 Oct 2005 14:33:00 -0800

EFF: DocuColor Tracking Dot Decoding Guide

This is a breakthrough. It has been rumoured for years that printers and copy machines include secret codes on documents to track them back to the source machine but the EFF now has real evidence and even tools that you can use to perhaps decode your printer’s secret tracking information.

This guide is part of the Machine Identification Code Technology project. It explains how to read the date, time, and printer serial number from forensic tracking codes in a Xerox DocuColor color laser printout. This information is the result of research by Robert Lee, Seth Schoen, Patrick Murphy, Joel Alwen, and Andrew “bunnie” Huang. We acknowledge the assistance of EFF supporters who have contributed sample printouts to give us material to study. We are still looking for help in this research; we are asking the public to submit test sheets or join the printers mailing list to participate in our reverse engineering efforts.

New Favorite Word Hoffing

Sun, 30 Oct 2005 14:30:00 -0800

Hackers no hassle: Hoff - People - Entertainment - theage.com.au

More From Oracle'S Cso

Sun, 30 Oct 2005 14:17:00 -0800

Wow. Note how she says that she researches “hacking techniques” as well as the network-security-centric language throughout. A CSO should not typically be operating at this level but rather at the “big picture” strategic level.

No wonder Oracle continues having application security and patch quality problems. Their CSO seems too busy hacking the network and writing articles about it and how bad vulnerability researchers are and not enough time executing on a strategy to improve the security posture of their software and processes. Some on security mailing lists are calling for her to resign.

-Jason

-—-Original Message—– From: isn-bounces@attrition.org [mailto:isn-bounces@attrition.org] On Behalf Of InfoSec News Sent: Wednesday, October 19, 2005 12:03 AM To: isn@attrition.org Subject: [spam]::[ISN] Davidson: Lessons of warfare for IT security

https://www.fcw.com/article91127-10-17-05-Web

By Mary Ann Davidson Oct. 17, 2005

As a security professional, I research the latest issues, threats and hacking techniques. For pleasure, however, I read mostly military history, which shapes my view of information security. As a result, I offer the following lessons from military history for federal agency information technology security professionals.

Most security professionals attempt to implement programs to defend all access points because intruders need to find only one way in. But because agency resources are finite, boundaries typically exceed resources. To best apply limited resources to maximize defense success, carefully select your turf.

Risk management approaches to security must move beyond identifying and defending the most important assets to include an analysis of a network’s strategic points where intruders could attack.

Here are some IT security lessons from military history.

* Intelligence has value only if you act on it.

The Battle of Midway in June 1942 was arguably the turning point of World War II in the Pacific rim. The victory hinged partly on U.S. code crackers’ breaking JN25 naval cipher to learn that the Japanese planned to attack Midway. Adm. Chester Nimitz, commander of the U.S. Pacific fleet, sent two carrier task forces to Midway to ambush the Japanese Navy.

A second lesson is the hubris of assuming that enemies cannot break ciphers and codes.

Security professionals have many means of defense at their disposal. Through network mapping, they can determine the landscape of their networks. Knowing how many systems are locked down and adequately patched, they can assess their readiness. Using intrusion-detection systems, they can know the types of probes the enemy has attempted.

But some organizations don’t use or act on the intelligence they have. Many turn off their auditing systems, fail to review the logs or ignore alarms. A military parallel is Pearl Harbor, the attack in which the United States ignored radar detecting the incoming Japanese planes.

* Interior defensive perimeters are critical.

The network perimeter has disappeared as ubiquitous computing and extranet access have surged. The model of hardened perimeters and wide-open interiors is no longer adequate.

During the 1879 defense of Rorke’s Drift in South Africa, about 150 British soldiers held off 4,000 Zulus by defending the inherently indefensible. They created makeshift barricades from grain sacks and biscuit boxes to secure the perimeter. They had fallback positions and used them.

Security professionals can learn from this example. A network is not defensible if attackers breach the perimeter and the rest of the network is wide open.

Today, administrators segment networks with interior firewalls. Tomorrow, networks may be able to create dynamic barriers in response to worm and virus invasions.

Admirals and generals set strategies, but individuals who make tactical decisions and take the initiative win battles. Every federal agency employee has a responsibility to make IT security a priority.

Davidson is Oracle’s chief security officer.

More Php Web Application Security Tips

Sun, 30 Oct 2005 14:09:00 -0800

Hacks From Pax: PHP Web Application Security - The Community’s Center for Security

Today on Hacks From Pax we’ll be discussing PHP web application security. PHP is a great language for rapidly developing web applications, and is very friendly to beginning programmers, but some of its design can make it difficult to write web apps that are properly secure. We’ll discuss some of the main security “gotchas” when developing PHP web applications, from proper user input sanitization to avoiding SQL injection vulnerabilities.

Preventing Future Threats Not With A Quot Lack Of Protective Imagination Quot-

Sun, 30 Oct 2005 13:53:00 -0800

And, after hurricane Katrina, I would add that on top of a “lack of protective imagination”, government continues to suffer as well from “pork barrel security projects” and “visible-but-ineffective security projects” that divert precious resources away from the real or more likely threats.

An unfortunate example of this is how “The federal government will pay the overtime of cops and emergency medical workers if the drill involves an act of terrorism, but it won’t if locals rehearse for a natural disaster.” So, the government is still making it difficult for localities, such as Seattle, to prepare for _likely threats_ and instead they have to fake it by running drills for the more unlikely terrorism-related scenarios instead. See Is Seattle Really Ready?

The other glaringly-apparent issue is that unqualified people are being put into positions of authority of governmental agencies that are in charge of protection and response for natural disasters and other events. I have lost my belief that government can be a reliable first line of assistance and that individual citizens and localities have to take matters into their own hands to be prepared, just like you would do for a retirement plan. Don’t rely on social security, welfare, or unemployment as your sole safety net and now add to that governmental response to disasters.

I’m going to be reactivating my local neighborhood disaster preparedness facility since I can’t believe that if there was any kind of significant event that there could be a reasonable expectation of a decent national response.

Forwarded from: Richard Forno

The London bombs went off over 12 hours ago.

So why is CNN-TV still splashing “breaking news” on the screen?

There’s been zero new developments in the past several hours. Perhaps the “breaking news” is that CNN’s now playing spooky “terror attack” music over commercial bumpers now filled with dramatic camera-phone images from London commuters that appeared on the Web earlier this morning.

Aside from that, the only new development since about noon seems to be the incessant press conferences held by public officials in cities around the country showcasing what they’ve done since 9/11 and what they’re doing here at home to respond to the blasts in London…..which pretty much comes down to lots of guys with guns running around America’s mass transit system in an effort to present the appearance of “increased security” to reassure the public. While such activities are a political necessity to show that our leaders are ‘doing something’ during a time of crisis we must remember that talk or activity is no substitute for progress or effectiveness.

Forget the fact that regular uniformed police officers and rail employees can sweep or monitor a train station just as well as a fully-decked-out SWAT team – not to mention, they know it better, too. Forget that even with an added law enforcement presence, it’s quite possible to launch a suicide attack on mass transit. Forget that a smart terrorist now knows that the DHS response to attacks is to “increase” the security of related infrastructures (e.g., train stations) and just might attack another, lesser-protected part of American society potentially with far greater success. In these and other ways today following the London bombings, the majority of security attention has been directed at mass transit. However, while we can’t protect everything against every form of attack, our American responses remain conventional and predictable – just as we did after the Madrid train bombings in 2004 and today’s events in London, we continue to respond in ways designed to “prevent the last attack.”

In other words, we are demonstrating a lack of protective imagination.

Contrary to America’s infatuation with instant gratification, protective imagination is not quickly built, funded, or enacted. It takes years to inculcate such a mindset brought about by outside the box, unconventional, and daring thinking from folks with expertise and years of firsthand knowledge in areas far beyond security or law enforcement and who are encouraged to think freely and have their analyses seriously considered in the halls of Washington. Such a radical way of thinking and planning is necessary to deal with an equally radical adversary, yet we remain entrenched in conventional wisdom and responses.

Here at home, for all the money spent in the name of homeland security, we’re not acting against the terrorists, we’re reacting against them, and doing so in a very conventional, very ineffective manner. Yet nobody seems to be asking why.

While this morning’s events in London is a tragedy and Londoners deserve our full support in the coming days, it’s sad to see that regarding the need for effective domestic preparedness here in the United States, nearly 4 years after 9/11, it’s clear that despite the catchy sound-bytes and flurry of activity in the name of protecting the homeland, the more things seem to change, the more they stay the same.

-rick Infowarrior.org

Even More Evidence Of Php Becoming The New C

Sun, 30 Oct 2005 13:46:00 -0800

Another example of how PHP can be dangerous. Having to know the internal workings of variable acceptance to implement secure data checking seems to negate the value of having a higher-order programming language.

And, it is common in other languages to work with variables in a REQUEST structure of some sort.

PHP should provide a built-in set of semantics for data input filtering that work across all of the possible input types so that each application doesn’t have to build their own. I even remember when you used to have to build your own PHP session management or use additional PHP modules (PHPlib was a great implementation) before it got rolled into PHP 4.

Also check out the Hardened-PHP Project for this advisory and many others for PHP applications, and some PHP security basics talks.

-J

-—-Original Message—– From: Stefan Esser [mailto:sesser@hardened-php.net] Sent: Saturday, July 02, 2005 12:09 AM To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com Subject: Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED]

-—-BEGIN PGP SIGNED MESSAGE—– Hash: SHA1

Hardened - PHP Project www.hardened-php.net

-= Security Advisory =-

Advisory: Cacti Multiple SQL Injection Vulnerabilities Release Date: 2005/07/01 Last Modified: 2005/07/01 Author: Stefan Esser [sesser@hardened-php.net]

Application: Cacti <= 0.8.6e Severity: Wrongly implemented user input filters lead to multiple SQL Injection vulnerabilities which can lead f.e. to disclosure of the admin password hash Risk: Critical Vendor Status: Vendor has released an updated version References: https://www.hardened-php.net/advisory-032005.php

Overview:

Quote from https://www.cacti.net “Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices.”

Because it is usually fun to audit software which was previously audited by experts from iDEFENSE we scanned through their reported vulnerabilities and found that most are not properly fixed.

Details:

With the recent release of iDEFENSE’s Cacti advisories version 0.8.6e of Cacti was released which according to iDEFENSE fixes all reported flaws. But this is not true.

However the user input filters that were added to the Cacti codebase to address the possible SQL Injections are wrongly implemented and therefore can be tricked to let attackers through.

To demonstrate the problem here a snipset of “graph.php”

/* ================= input validation ================= */ input_validate_input_regex(get_request_var(“rra_id”), “^([0-9]+|all)$”); input_validate_input_number(get_request_var(“local_graph_id”)); /* ==================================================== */

if ($_GET[“rra_id”] == “all”) { $sql_where = " where id is not null"; }else{ $sql_where = " where id=" . $_GET[“rra_id”]; }

On the first look this code looks safe, because it checks that the ‘rra_id’ request parameter is either a number or the string “all” before inserting it into a part of the SQL Query.

To realize that this check is however worth nothing one has to dig deeper and look into the implementation of get_request_var()

function get_request_var($name, $default = “”) { if (isset($_REQUEST[$name])) { return $_REQUEST[$name]; } else { return $default; } }

This actually means that the filter in this example is applied to the content of $_REQUEST[“rra_id”] and not to $_GET[“rra_id”]. The problem with this is, that $_REQUEST is a merged version of the $_GET, $_POST and $_COOKIE arrays and therefore array keys of the same name will overwrite each other in $_REQUEST.

In the default configuration of PHP which is usually not changed by anyone the merge order is GPC. This means when the request contains both $_GET[“rra_id”] and $_POST[“rra_id”], only the posted value will end up in the $_REQUEST array.

This however means, that nearly all of the implemented filters can be bypassed by supplying the attack string through the URL and supplying a good string through POST or through the COOKIE.

Proof of Concept:

The Hardened-PHP Project is not going to release exploits for this vulnerabilities to the public.

Disclosure Timeline:

25. June 2005 - Contacted Cacti developers via email 29. June 2005 - Review of patch from our side 1. July 2005 - Release of updated Cacti and Public Disclosure

Recommendation:

We strongly recommend upgrading to Cacti 0.8.6f which you can get at

https://www.cacti.net/download_cacti.php

Summary for Secunia:

Because Secunia proofed several times in the past, that they have enormous problems with reading advisories and crediting the right parties in their advísory rip-offs, here a short summary.

This bug was not found by iDEFENSE. On the contrary it is a bug in the input filters that were implemented because of iDEFENSE and where nodded through by them.

GPG-Key:

https://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

Roll Your Own High Entropy Hardware Randomness Generator

Sun, 30 Oct 2005 13:44:00 -0800

High-Entropy Randomness Generator

In this paper, we explain how to construct a High-Entropy Randomness Generator, suitable for a wide range of applications, including extremely demanding ones. We will explain and then use some key theoretical ideas:

* We start with a raw input, typically from a good-quality sound card. * We obtain a reliable lower bound on the raw input’s entropy density (as defined in appendix A). This is calculated based on physics principles plus a few easily-measured macroscopic properties of the sound card. (This stands in stark contrast to other approaches, which obtain a loose upper bound based on statistical tests on the data.) * We make use of the hash saturation principle, as discussed in section 3.2. The resulting output has essentially 100% entropy density. This is provably correct under mild assumptions. * We use no secret internal state and therefore require no seed. * We do not depend on assumptions about “one-way functions”.

We have implemented a generator using these principles. The result is what most people would call a True Random Number Generator. Salient engineering features include:

* It costs next to nothing. It uses the thermal fluctuations intrinsic to the computer’s audio I/O system. * It emphatically does not depend on imperfections in the audio I/O system. Indeed, high-quality sound cards are much more suitable than low-quality ones. It relies on fundamental physics, plus the most basic, well-characterized properties of the audio system: gain and bandwidth. * It can produce thousands of bytes per second of output. * Remarkably little CPU time is required. * It includes optional integrity-monitoring and tamper-resistance capabilities.

Flashback More On Php Security

Sun, 30 Oct 2005 13:40:00 -0800

I dug this out for additional evidence of how PHP gives programmers too much rope to hang themselves, not unlike C.

-J

-—-Original Message—– From: David Wheeler [mailto:dwheeler@ida.org] Sent: Wednesday, August 08, 2001 2:06 PM To: me Subject: PHP

Ben Ford said:

>>Don’t call it a weakness of the language, call it by its true name: >> Lazy Programming.

If this was a common problem in other languages, I might agree with you. But it’s not. Essentially all other computer languages do _NOT_ let attackers set the state of arbitrary program variables to arbitrary values, and then require programmers to constantly reset values if they’d like to prevent attackers from controlling them.

I’m not saying that PHP is some horrible, unfixable language. I’ve posted to PHP-DEV a relatively simple set of changes that would make it possible to eliminate the problem, and others have proposed other approaches. And those who can control their PHP configuration can obviously do so and eliminate the problem right now for their applications.

Yes, you can write secure applications in PHP. But it requires herculean effort. It’s “obvious” when the application is small that some variable needs to be unset, that’s true, assuming you know to look. But once you call functions, you have to have global knowledge of all global values that the function uses, including the complete transitive closure of all functions it calls directly & indirectly – and that INCLUDES the implementation of the library functions you call. And you have to redo the analysis when you use a new version of PHP. You could argue that all PHP developers do this… but I wouldn’t believe you.

It’s certainly true that all languages have “gotchas”. This one is larger than most (in my opinion), though. And we should be striving in our computer languages to make it easy, not hard, to write secure programs.

If some application can be used securely in theory, but its user interface is so hard to use that it cannot PRACTICALLY be used securely, then it’s still insecure. I argue that the same is true for programming languages.

Study: Correlation between more sex and more happiness

Sun, 30 Oct 2005 13:36:00 -0800

Planned Parenthood Federation of America, Inc. - Sex And Happiness: What’s The Connection?

If I had to choose, I’d choose more sex over wealth even before reading about this study :-)

In a recent preliminary and unpublished study, “Money, Sex, and Happiness,” researchers from Dartmouth College and Warwick University (UK) found that people who consider themselves happiest are those who are having the most sex. The study does not claim that having sex causes happiness or vice versa. But of the 16,000 people in the research sample, happiness was associated with sex for both women and men and people under and over the age of 40. And despite the notion that money can buy happiness, researchers found little — if any — connection between increased wealth and long-term happiness.

Federal Judge Rules Pledge Unconstitutional

Sun, 30 Oct 2005 13:12:00 -0800

https://www.npr.org/templates/story/story.php?storyId=4847626&ft=1&f=1001

U.S. District Judge Lawrence Karlton ruled that the pledge’s reference to one nation “under God” violates school children’s right to be “free from a coercive requirement to affirm God.”

Just take the freaking words “under God” out of the pledge that weren’t there to begin with and the problem goes away!

Is Php The New C

Sun, 30 Oct 2005 12:34:00 -0800

I’ve been wondering lately if PHP is much like C from a security perspective in that the chances that if you are using PHP for an application that your application is secure depends on tribal knowledge about “what not to do” with the basic language. Another way to say this is that like C, PHP gives you plenty of rope to hang yourself if you don’t know what you are doing. Which is unfortunate for a language that should be safer by default for use by UI programmers.

This posting from Andrew van der Stock brings up some specific issues with the PHP language that could really help improve security in the same way that GCC compiler warnings when using insecure functions help with awareness.

-—-Original Message—– From: Andrew van der Stock [mailto:vanderaj@greebo.net] Sent: Friday, June 24, 2005 10:07 PM To: Benjamin Livshits Cc: webappsec@securityfocus.com Subject: Re: Languages/platforms used for Web apps. Any stats?

I don’t know of any stats, but if anyone was to make a study, that’s where I’d focus on.

However, saying that:

* I review J2EE finance apps used in very large institutions. I find plenty of problems which need fixing * I look after a PHP forum, which definitely could improve * In my previous job, the most vulnerable app I ever reviewed was written in ASP in VBScript

I don’t think the language has much to do with it beyond basic security posture. PHP could do a lot to redress the problems, for example, by:

* making echo do htmlentities by default, and having a special echo / print which doesn’t in case you really meant to spit out HTML * deprecating the old function based MySQL drivers (ie warnings when E_ALL is used) in favor of the MySQLi drivers or PDO which have prepared statements * in the next version of PHP, remove support for register_globals and make url_fopen permanently false * Remove implicit declarations and add optional strong typing which really means it

The basic security posture of PHP has been improving, but honestly, it really depends on the quality of the coders and if they are aware of the security options open to them. The other thing is that there is a lot of PHP code out there written in the PHP 3 days which sorta runs okay on PHP 4 and 5, which shouldn’t. PHP 3 really was a security nightmare - everything in the interpreter was set to be the most insecure possible posture with maximal attack surface area.

Does Voting Machine Technology Affect The Outcome Of Elections

Sun, 30 Oct 2005 12:30:00 -0800

Some interesting results found in a study of 2000-2004 election data.

We first show that there is a positive correlation between use of touch-screen voting and the level of electoral support for George Bush. This is true in models that compare the 2000-2004 changes in vote shares between adopting and nonadopting counties within a state, after controlling for income, demographic composition, and other factors. Although small, the effect could have been large enough to influence the final results in some closely contested states.

They also found:

Touch-screen voting could also indirectly affect vote shares by influencing the relative turnout of different groups. We find that the adoption of touch-screen voting has a negative effect on estimated turnout rates, controlling for state effects and a variety of county-level controls.

Fixes To The Patriot Act Seen As Sufficient To Address Concerns

Sun, 30 Oct 2005 12:23:00 -0800

Appropriate rational commentary on the specifics that need to be changed about the PATRIOT act to address privacy and governmental power and oversight issues.

The Wall Street Journal

November 12, 2004

COMMENTARY

Patriot Fixes

By BOB BARR November 12, 2004; Page A12

The most common charge levied against critics of the Patriot Act – one that Alberto Gonzales, the new face of Justice, is likely to repeat in his days ahead – is that they’re “misinformed.” Well, as a former U.S. attorney appointed by President Reagan, a former CIA lawyer and analyst, and a former Congressman who sat on the Judiciary Committee, I can go mano a mano with any law-enforcement or intelligence official on the facts. And the facts say that the Patriot Act needs to be reviewed and refined by Congress.

Critics of the Act are not calling for full repeal. Only about a dozen of the 150 provisions need to be reformed; these, however, do pose singular threats to civil liberties. Here’s how to bring them back in line with the Constitution.

The two most significant problems are sections 213 and 215. The first authorized the use of delayed-notification search warrants, which allow the police to search and seize property from homes and businesses without contemporaneously telling the occupants. The Justice Department often claims that this new statutory “sneak and peek” power is innocuous, because the use of such warrants was commonplace before. Actually, the Patriot Act’s sneak and peek authority is a whole new creature. Before, law enforcement certainly engaged in delayed-notification searches, especially in drug investigations. Importantly, this authority was available in terrorism investigations. Courts, however, put specific checks on these warrants: They could only be authorized when notice would threaten life or safety (including witness intimidation), endanger evidence, or incite flight from prosecution. It was a limited and extraordinary power.

The Patriot Act greatly expanded potential justifications for delay. The criminal code now allows secret search warrants whenever notice would “jeopardize” an investigation or “delay” a trial – extremely broad rationales. The exception has become the rule. Congress should remove that catch-all justification and impose strict monitoring on the use of these secret warrants.

The other primary problem is the “library records” provision, Section 215. This amended a minor section of the 1978 Foreign Intelligence Surveillance Act, which created a specialized court for the review of spy-hunting surveillance and search requests. This “business records” section allowed agents to seize personal records held by certain types of third-parties, including common carriers and vehicle rental companies. The Patriot Act made two changes to this relatively limited power: It allowed the seizure of any “tangible thing” from any third-party record holder (including medical, library, travel and genetic records); and it removed the particularized suspicion required in the original statute.

Pre-2001, investigators had to show “specific and articulable facts” – a standard much lower than criminal probable cause – that a target was a spy or terrorist. Now, that already low standard has been lowered further. Agents simply certify to the intelligence court that the records desired are relevant to an investigation – any investigation – and the judge has no real authority to question that assertion, rendering judicial review meaningless.

Reformers on the left and right want two fixes to this section. First, reinstall the individualized suspicion requirement. This reflects the Fourth Amendment notion that the government cannot invade privacy and gather evidence unless it has reasonable suspicion that one has done wrong. The proposed “fix” would retain the section’s broad “tangible things” scope, but with a safeguard against abuse. The authorities would still be able to go to a criminal grand jury to demand the production of the same records, providing additional flexibility for counterterrorism work. Second, Congress should require additional reporting requirements.

There are other refinements desired by the Act’s critics. The new definition of domestic terrorism in Section 802 can be used by prosecutors to turn on an array of invasive new authorities, including broad asset-forfeiture powers, even when the underlying crime does not rise to the level of “terrorism.” The preferred legislative reform keeps the definition, but links it to specific crimes like assassination or kidnapping.

Reasonable critics of the expansive provisions of the Patriot Act, on both sides of the aisle and in both Houses, have introduced legislation that would implement these modest changes. Far from gutting the Act, these would secure the important powers of the law, but place modest limits on their use. For most of us who voted for the Act, what sealed the deal was the inclusion of provisions that would require us to take a sober second look at the most contentious provisions in the Act by the end of 2005, before reauthorizing them. That time is coming, and the Justice Department does not want to lose the emergency powers it won in the aftermath of 9/11. But Congress should resist its overtures, move forward on the sunsets, and enact additional Patriot fixes if it believes them needed.

Mr. Barr is a former Republican congressman.

Study: Motivations for global terrorism over the past 25 years

Sun, 30 Oct 2005 08:57:00 -0800

This is not so much about Islam vs. Christianity (although I think a lot of wacky Christians are making this case still) Courtesy of Bruce Schneier.

An absolutely fascinating interview with Robert Pape, a University of Chicago professor who has studied every suicide terrorist attack since 1980. “The central fact is that overwhelmingly suicide-terrorist attacks are not driven by religion as much as they are by a clear strategic objective: to compel modern democracies to withdraw military forces from the territory that the terrorists view as their homeland.”

His book: or Reviews:

Another Reason To Cancel Your Time Magazine Subscription

Sun, 30 Oct 2005 08:51:00 -0800

First Ann Coulter on the cover of Time, now a so-called-news story on religion vs. science (which is a false dichotomy IMHO)

“Welcome to Jesusland” Part Deux…

The United States of Almighty-God

Ugh.

Another State To Avoid Kansas

Sun, 30 Oct 2005 08:50:00 -0800

Close to adopting “intelligent design” in Kansas. They’re joining Pennsylvania. FYI, there was an update on NPR from Oct 21 about the Pennsylvania case. It may be good that this is not a jury trial. The defense is now bringing on their witnesses about the merits of the “theory” of intelligent design. At least the science teachers at the schools in question had refused to read the ridiculous statement about intelligent design being another “theory” that is out there.

Also good news: 8 of the 9 school board members are up for reelection. More reason to vote in PA so you can vote these people out who pushed ID BS into schools.

https://www.npr.org/templates/story/story.php?storyId=4795205&sourceCode=RSS

A move to adopt guidelines encouraging Kansas schools to teach an alternative to the theory of evolution – intelligent design – gains momentum. The Kansas Board of Education has approved a draft of new science standards proposed by supporters of intelligent design. Approval is expected in October.

Acceptable Risk As A Euphamism For Shifting Fraud Liability To The Consumer

Sun, 30 Oct 2005 02:51:00 -0800

Financial Cryptography: “Acceptable Risk” - a Euphemism for Selling Fraud?

This is a post from a while back but is still relevant to recent discussions about how the financial industry is still shifting the burden of identity theft and fraud to the customers. Bruce Schneier just wrote about this in regards to phishing in the most recent edition of Crypto-Gram as well.

The “acceptable risk” concept [writes guest financial cryptographer Ed Gerck] that appears in recent threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not.

In fact, if they would reduce fraud to zero today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.

Everything You Wanted To Know And More On Teleportation

Sun, 30 Oct 2005 02:38:00 -0800

Teleportation – Facts, Info, and Encyclopedia article

Teleportation, or teletransportation, is the process of moving objects (or more likely with present techniques, (A particle that is less complex than an atom; regarded as constituents of all matter) elementary particles) from one place to another by encoding information about the object, transmitting the information to another place, such as on a (A communication system based on broadcasting electromagnetic waves) radio signal, and creating a copy of the original object in the new location. The notion of teleportation was first conceived in the course of the Golden Age of (Click link for more info and facts about 20th century) 20th century (Literary fantasy involving the imagined impact of science on society) science fiction (Creative writing of recognized artistic value) literature by authors who considered necessary a form of on-the-spot intangible conveyance tools to hold up the narratives of their tales.

Top 5 Spam Categories

Sun, 30 Oct 2005 02:14:00 -0800

Security Scoop - NSI Watercooler Stories - BankInfoSecurity.com

This seems consistent with what I’ve seen in spam that comes into axley.net. Spammers and scammers are the scourge.

Top 5 Spam Categories Named Drum roll please … it’s time to reveal the top five categories of junk e-mail, as tracked by security firm Sophos. The big winner for 2005 so far is medication/pills, which accounts for 41.4% of all spam reports. Next are mortgage offers, which clocked in with 11.1%. That old favorite pornography took the third spot, with 9.5%. Stock scams are growing fast, Sophos says, accounting for 8.5% of all spam thus far this year. In fifth were product-related spam messages, with 8.3%. The remaining 21.2% fall into the “other” category.

Restrictions Placed On Fbi Cellular Tracking

Sun, 30 Oct 2005 01:18:00 -0800

FBI Dealt Setback on Cellular Surveillance

Finally some restraint on use of the PATRIOT act powers. Especially in light of recent FOIA documents that EPIC found that show abuses by law enforcement.

The FBI may not track the locations of cell phone users without showing evidence that a crime occurred or is in progress, two federal judges ruled, saying that to do so would violate long-established privacy protections.

Biometrics In Atms

Sun, 30 Oct 2005 01:48:00 -0700

-atms

InformationWeek > Biometric Security > Privacy Concerns, Expense Keep Biometrics Out Of U.S. ATMs > October 12, 2005

This article is chock full of fun things to comment on.

Ricardo Prieto, who was vice president for system operations at BanCafe when the system was installed, said that at first ATMs failed to recognize fingerprints on the well-worn hands of some elderly customers and laborers such as construction workers.

He said the ATM imaging was improved, and the number of customers whose fingerprints couldn’t be read fell from 30 percent to 8 percent.

Wow, that is great progress! Now for a large bank, only 2 million instead of 7.5 million customers will not be able to use my bank’s ATMs! Where do I sign?

“Biometrics is certainly the most secure form of authentication,” said Avivah Litan, an analyst with Gartner Inc., a Stamford, Conn.-based technology analysis firm. “It’s the hardest to imitate and duplicate.”

He’s right. It is very difficult to “imitate and duplicate” biometrics in ways that could fool sensors.

I also would argue that biometrics is not the most secure form of authentication. Smart cards and tokens are hard to imitate and duplicate and this isn’t even a threat model to be concerned about in general because in practice, nobody uses this factor as the only factor. These are used as part of a two-factor authentication system, which is really a much more secure form. For some bizarre reason, biometric holy-grail folks (mostly vendors, I imagine) think that biometrics don’t need a second factor. Additionally, there is a nonzero False Acceptance Rate and False Reject Rate (as noted beautifully above) that make biometrics fail in many real world scenarios. Smart cards don’t have that problem.

“The real holy grail in biometrics,” said Jim Block, Diebold’s director of global advanced technology, “is let’s get rid of the PIN so no one has anything to steal anymore.”

Let’s think about that for a minute. Let’s ignore for a moment that this came from Diebold, a foremost authority in voting security. He claims that without a PIN, there would be nothing to steal anymore. Really?

Actually, having a PIN or another second factor can help to thwart these kinds of “steal the biometric” attacks since the biometric by itself is rendered useless. It certainly won’t eliminate the threat, but I think it would reduce the likelihood that someone would violently extract the biometric to steal something since they need you alive anyhow to get the PIN or password.

This Old Porn

Sat, 29 Oct 2005 14:20:00 -0700

Wired News: This Old Porn Is New Again

RetroRaunch maintains a collection of more than 40,000 images of vintage erotica. Keepin’ it retro.

Keeping Eyes On The Prize

Fri, 28 Oct 2005 09:48:00 -0700

Daily Kos: Rove’s Lawyer Confirms Rove Remains Under Investigation

Hunter is right on. The investigation is still ongoing and ultimately, this country needs to get to the bottom of the core issue of the Valerie Plame leak, which compromised her safety and national security apparently for political purposes.

And a big “FU” in advance to any in the punditocracy who are preparing to write these charges off as something insignificant. It wan’t insignificant during Watergate.

Whether or not Rove is ever charged with anything is less important than simply finding out the facts of what happened in the White House to lead multiple senior officials, Rove and Libby apparently foremost among them, on a press spree outing a NOC agent to at least six Washington journalists.

Must Have Firefox Extensions

Fri, 21 Oct 2005 13:34:00 -0700

I thought it would be good to document the Firefox extensions that I find invaluable:

All-In-One Sidebar A much nicer integration of common configuration options with the FF GUI at the ready. Also, lets you load up two different pages side-by-side or the source code to a page right next to the site, etc.

Download Statusbar I find the firefox download manager separate dialog box kind of annoying. This extension shows all download progress right in the statusbar so you don’t have to watch multiple windows to track download progress.

FlashGot This integrates firefox with any currently-installed download manager to quickly perform mass-downloads on pages with a nice right-click context menu.

NoScript This is a must-have for security. NoScript allows you to set fine-grained policy on which sites you permanently or temporarily allow to run javascript. You can also use this to block Macromedia flash, but I prefer the Objection extension instead to manage the Local Shared Objects.

Scribe Lets you save long form textbox entries locally so that you don’t lose them before you submit them. Very handy for blogging or submitting tech support or forum posts and being safe from the “back button” or your browser crashing and losing your posts. No more need to edit in Vi or Notepad and then paste into the site!

Objection Allows you to control Macromedia Flash cookies from the privacy settings window.

On Windows:

IE View Adds a new right-click context menu item that will let you easily launch those pesky IE-only websites that don’t show up in Firefox. Yes, there still are some of those around, unfortunately. Hopefully the launch of IE7 will force many to clean up their sites to the latest standards.

Rant On Oracle Just Not Quot Getting It Quot-

Tue, 11 Oct 2005 17:03:00 -0700

Funny and entertaining and sad rant about Oracle’s inability to do security in stark contrast to public claims by their CSO, marketing, etc.

This has inspired others to note how there are some Oracle vulnerabilities that have been open for 768 days!! among other comments. Oracle even tried to put the cat back in the bag on some other disclosed vulnerabilities recently. They just don’t get it. I’m wondering if Larry Ellison were in Bill Gate’s place just how much worse off the Internet and world would be from a security perspective.

-——— Forwarded message ———- From: David Litchfield To: bugtraq@private, ntbugtraq@private Date: Thu, 6 Jan 2005 16:01:26 -0000 Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

Dear security community and Oracle users,

Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there’s a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter

Extract from interview between Mary Ann Davidson and IDG https://www.infoworld.com/article/05/05/24/HNoraclesecurityhed_1.html

IDGNS: “What other advice do you have for customers on security?”

Davidson: “Push your vendor to tell you how they build their software and ask them if they train people on secure coding practices. "

Now some context has been put in place I can continue.

On the 31st of August 2004, Oracle released a security update (Alert 68 [ https://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf ]) to address a large number of major security flaws in their database server product. The patches had been a long time in coming [ https://www.eweek.com/article2/0,1759,1637213,00.asp ] and we fully expected that these patches would actually fix the problems but, unfortunately this is not the case. To date, these flaws are still not fixed and are still fully exploitable. I reported this to Oracle a long time ago.

The real problem with this is not that the flaws Alert 68 supposedly fixed are still exploitable, but rather the approach Oracle took in attempting to fix these issues. One would expect that, given the length of time they took to deliver, these security “fixes” would be well considered and robust; fixes that actually resolve the security holes. The truth of the matter though is that this is not the case.

Some of Oracle’s “fixes” simply attempt to stop the example exploits I sent them for reprodcution purposes. In other words the actual flaw was not addressed and with a slight modification to the exploit it works again. This shows a slapdash approach with no real consideration for fixing the actual problem itself.

As an example of this, Alert 68 attempts to fix some security holes in some triggers; the flaws could allow a low privileged user to gain SYS privileges - in other words gain full control of the database server. The example exploit I sent to Oracle contained a space in it. Oracle’s fix was to ignore the user’s request if the input had a space. What Oracle somehow failed to see or grasp was that no space is needed in the exploit. This fix suggests no more than a few minutes of thought was given to the matter. Why did it take 8 months for this? Further, how on earth did this get through QA? More, why are we still waiting for a proper fix for this?

Here is another class of thoughtless “fix” implemented by Oracle in Alert 68. Some Oracle PL/SQL procedures take an arbitrary SQL statement as a parameter which is then executed. This can present a security risk. Rather than securing these procedures properly Oracle chose a security through obscurity mechanism. To be able to send the SQL query and have it executed one needs to know a passphrase. This passphrase is hardcoded in the procedure and can be extracted with ease. So all an attacker needs to do now is send the passphrase and their arbitrary SQL will still be executed.

In other cases Oracle have simply dropped the old procedures and added new ones - with the same vulnerable code!

I ask again, why does it take two years to write fixes like this? Perhaps the fixes take this long because Oracle pore through their code looking for similar flaws? Does the evidence bear this out. No - it doesn’t. In those cases where a flaw was fixed properly, we find the same flaw a few lines further down in the code. The DRILOAD package “fixed” in Alert 68 is an example of this; and this is not an isolated case. This is systemic. Code for objects in the SYS, MDSYS, CTXSYS and WKSYS schemas all have flaws within close range of “fixed” problems. These should have been spotted and fixed at the time.

I reported these broken fixes to Oracle in February 2005. It is now October 2005 and there is still no word of when the “real” fixes are going to be delivered. In all of this time Oracle database servers have been easy to crack - a fact Oracle are surely aware of.

What about the patches since Alert 68 - the quarterly Critical Patch Updates? Unfortunately it is the same story. Bugs that should have been spotted left in the code, brand new bugs being introduced and old ones reappearing.

This is simply NOT GOOD ENOUGH. As I stated at the beginning of this letter, I’m concerned about Oracle security because it impinges upon me and my own personal security.

What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA, no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?

A good CSO needs to more than just a mouthpiece. They need to be able to deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or waste time by blaming others for their own failings. Oracle’s CSO has had five years to make improvements to the security of their products and their security response but in this time I have seen none. It is my belief that the CSO has categorically failed. Oracle security has stagnated under her leadership and it’s time for change.

I urge Oracle customers to get on the phone, send a email, demand a better security response; demand to see an improvement in quality. It’s important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals depend on it.

Cheers, David Litchfield

Riaa The New Mafia

Tue, 11 Oct 2005 17:01:00 -0700

[infowarrior] - RIAA Takes Shotgun to Traders

Hundreds of people are being wrongly sued by the Recording Industry Association of America for illegally trading music online, legal experts say.

Attorneys representing some of the 14,000 people targeted for illegal music trading say their clients are being bullied into settling as the cheapest way to get out of trouble. Collection agencies posing as “settlement centers” are harassing their clients to pay thousands of dollars for claims about which they know nothing, they say.

Last week a judge in Michigan dismissed a file-sharing case against Candy Chan, a mother who testified in court that the user name identified in the suit belonged to one of her children.

In the court report (.pdf), Judge Lawrence P. Zatkoff wrote: “Chan opposed the motion and asserted that the plaintiffs used a ‘shotgun’ approach to pursue this action, threatening to sue all of Chan’s children and engaging in abusive behavior to attempt to utilize the court as a collection agency.”

Clickfest

Tue, 11 Oct 2005 16:40:00 -0700

Google Maps + Craigslist = Housing Maps https://www.housingmaps.com/

New Washington State Quarter designs. I think that we should use the state quarter designs to vote states out of the union. I’d say that if you put your best on a quarter and all you can come up with is lame crap like “Birthplace of Aviation Pioneers” (as if one resident’s coincidental occupancy in your state somehow is noteworthy) then perhaps we don’t need you in the union. That said, Washington’s proposals are pretty tame. I do like Salmon, the mountains, and apples. Although we are one of the up-and-coming wine regions so perhaps they should pick that instead? https://www.cnn.com/2005/POLITICS/09/30/bennett.comments/index.html?section=cnn_topstories

Here’s some state quarter commentary: https://www.uwgb.edu/dutchs/PSEUDOSC/Mediocracy0.HTM

And pictures of all current state quarters: https://en.wikipedia.org/wiki/State_Quarters#External_links

PDA + wi-fi + “borrowed connection” + VOIP software = free cell phone. https://www.techbuilder.org/recipes/59200427

New Age quotes a coworker is collecting (aka New Age “Wisdom”) https://www.peterga.com/quotes/newage.htm

Now this is a cool looking device. I would like to do something like this in my house to join network + audio sources. I think that a box running MythTV would be cheaper and better though: https://www.sonos.com/us/index.htm

The New New Creationism: Intelligent Design

Tue, 11 Oct 2005 16:34:00 -0700

Several notes on this Intelligent Design crap driving us toward another Scopes trial.

Evolution Lawsuit Opens in Pennsylvania

US President Jimmy Carter, and an evangelical Christian:

“As a Christian, a trained engineer and scientist, and a professor at Emory University, I am embarrassed by Superintendent Kathy Cox’s [Georgia Public Schools] attempt to censor and distort the education of Georgia’s students. The existing and long-standing use of the word ’evolution’ in our state’s textbooks has not adversely affected Georgians’ belief in the omnipotence of God as creator of the universe.”

The President continues, with my favorite part of his statements. This is exactly what doesn’t make sense about the ID and creationist nuts. There is no incompatibility between science and the general faith tenets. Perhaps there are some issues raised with the strict Biblical account, but add them to a huge list already out there that still does not shake most people’s faith as they often pick and choose what to take at face value, what to interpret, what to believe, what is an allegory, etc. anyhow. If you believe that the natural world was created by God for you, then why would you go to great lengths to distort our experience and understanding of the natural world, which the only tool we have for this is the lens of science?

“There can be no incompatibility between Christian faith and proven facts concerning geology, biology, and astronomy. There is no need to teach that stars can fall out of the sky and land on a flat Earth in order to defend our religious faith.”

“They’re blinding you with NOT science” - Lewis Black on Intelligent Design

I just finished reading Science Friction (ISBN 0-8050-7708-1) which has several essays discussing the interplay between Religion and Science. Chapters 8 and 11 dive into a lot of the fray and Chapter 11 provides “ten arguments and ten answers” against ID which point out the absolute ridiculousness of their position(s). Oh, and the “What type of creationist are you?” is a great one if you run into any proclaimed creationists. There are at least 10 different positions on a continuum so the answer is not binary as many creationists would have you believe and probably believe themselves.

Quot Open Sesame Quot Opens Quot High Tech Quot Cockpit Doors

Tue, 11 Oct 2005 02:32:00 -0700

The Seattle Times: Business & Technology: Glitch forces fix to cockpit doors

Well, “Open Sesame” works if you say it through a nearby walkie-talkie:

For more than two years, U.S. airplane passengers have flown more securely because high-tech cockpit doors created a barrier to prevent a repeat of 9/11, when terrorists entered the cockpit and commandeered four planes.

But, the doors were not foolproof.

In December 2003, a Northwest Airlines maintenance mechanic inside an Airbus A330 jet on the ground in Minneapolis pushed the microphone button to talk into his handheld radio. Though he hadn’t touched the cockpit door, he heard the sound of its lock operating.

So, other on-board avionics and electronics has to meet strict EMI standards to get on an airplane, but not the new cockpit doors??? Let me guess, the Bush Administration and Congress exempted this new equipment from typical safety and other regulations after 9-11 since those aren’t important when there are terrorists out there?

Sharing an HP Printer via CUPS w/o a network printer driver

Mon, 10 Oct 2005 03:25:00 -0700

HP has several printers where they provide huge driver downloads of 75-350 megabytes but none of them come with a network INF installer (you can look in autorun.inf and see references to Drivers/Network but those directories aren’t there)

Two printers that I know have this problem are the:

HP PSC 750xi HP PSC 1210xi

I run a linux print server so I want to connect the printers to the linux box and share them out via IPP provided by CUPS. This requires some software gymnastics on Windows because the typical HP drivers expect the printer to be plugged directly into the local USB cable, not served out over IPP. I saw similar problems of other HP users when they tried to use Windows printer sharing to remote computers on a network.

I have been able to get the latest 750xi driver to install on an IPP printer by pointing to the right INF file in the HP printer driver directory (c:\Program Files\Hewlett-Packard\AiO\hp psc 700 series) after installing the huge software package on the windows box. I never had to plug the printer into windows.

Now, the PSC 1210xi is another story. I had to download the 160 megabyte driver/software package from the HP website and install it as if I were installing the printer locally. However, I could not get any of the INF files to work.

I found the solution on the Internet is to find this section in the win98 INF file (hpoupdrx.inf) and comment out the line with a semicolon:

[ControlFlags] ;ExcludeFromSelect=*

This is what prevents windows from showing a listing of compatible printers when you point to this INF file.

Then, add your network printer and select Have Disk… for the driver. Navigate to c:\temp\HP All-in-One Series Web Release\enu\drivers\win9x_me and the hpoupdrx.inf will show up. When you select this, a list of the printers supported by the driver will show up and you can then select the right driver and proceed and windows will not be the wiser.

This was installed on win2k without any problems.

Is O'Reilly Really This Much Of A Dumbass

Fri, 07 Oct 2005 09:49:00 -0700

O’Reilly compared Irish immigration to enslavement of African-Americans

O’Reilly actually says this. He started talking about his family’s plight when the Irish famine was going on, “everybody was starving in Ireland. They had to leave the country, just as Africans had to leave – African-Americans had to leave Africa and come over on a boat and try to make in the New World with nothing. Nothing.”

Yes, you read that correctly. O’Reilly said that Africans came to america:

On a boat (“slave ship” sounds too harsh?)
Willingly (refer back to the “slave ship” note)
Because they were “starving” (He must have meant when they were on the slave ships stacked one on top of the other like cords of wood)
To look for a better life in America (Land of opportunity does not include “forced opportunity”)
and get this. According to Mr. Bill, it has worked out beautifully for them: They have “succeeded, succeeded. As did Italians, as did – and I’ll submit to you, African-Americans are succeeding as well. So all of these things can be overcome I think”

Yes, when the song “We shall overcome” is sung, it refers to the Great African famine.

Unbelievable

Can We Pleeeze Get Some Real Journalists Out There

Fri, 07 Oct 2005 09:35:00 -0700

The Stakeholder: Cute, But No Cigar

The Washington Times takes cruft out of Tom DeLay’s mouth and prints it without investigating whether what he was claiming was true or not. Of course it was an outright dissembling on DeLay’s part. But what do you expect (both from WaPo and DeLay)?

New Book Security And Usability

Fri, 07 Oct 2005 08:06:00 -0700

Usable Security Blog Archive O’Reilly Book: Security and Usability

One of the research areas that I am very interested in:

O’Reilly has released Security and Usability: Designing Secure Systems That People Can Use, a collection of 34 essays on security and usability edited by Lorrie Cranor and Simson Garfinkel.

Wanker of the day: William Bennett

Tue, 04 Oct 2005 05:35:00 -0700

CNN.com - Bennett under fire for remarks on blacks, crime - Sep 30, 2005

Bennett, who held prominent posts in the administrations of former presidents Ronald Reagan and George Bush, told a caller to his syndicated radio talk show Wednesday: “If you wanted to reduce crime, you could – if that were your sole purpose – you could abort every black baby in this country and your crime rate would go down.

He claims that it was okay because it was a hypothetical and that he didn’t literally mean that they should do this. So, he stands by his statement. He has gone on the defensive rather than admit that the remark was a bit out of the bounds of appropriateness.

Come on, if the Bush administration thinks its inappropriate, it must really be bad.

Family Guy Dvd Video Clips

Wed, 28 Sep 2005 15:16:00 -0700

Family Guy - Clips from DVD-movie

Ohhhhh Riiiight.

Here are some fun clips from Stewie Griffin: The Untold Story which comes out today!

Preoccupied With Firewalls

Mon, 26 Sep 2005 15:03:00 -0700

Firewalls a dangerous distraction says expert

I don’t know who Abe Singer is but he makes a great point that I have been touting for years. Look at your infosec program and count how many people you have dealing directly with firewalls. Now, count how many people you have dealing with application security audits, standards, reviews, etc. More than likely, you only need one hand to count the latter. That is why there is such a problem with insecure applications on the Internet. It starts with misunderstanding your threat model and continues with inadequate staffing and misplaced priorities

A preoccupation with firewalls is diverting attention and resources away from the more important issue of locking systems down, according to an expert.

Computer security researcher at the San Diego Supercomputing Center (SDSC), Abe Singer said companies can spend 90 percent of their security efforts on firewalls and not much of anything else. “I’m not saying firewalls are completely irrelevant, but how much effort do you spend on security?” Singer asked. “Do security at the host, not just the perimeter. You should be worried about what users are doing, because if an attacker is going through the perimeter [without secure hosts] then it’s game over.”

Blast From The Past Dmv Fraud

Mon, 26 Sep 2005 14:56:00 -0700

As the REAL ID act meets reality, recall a previous report on DMV fraud and lax security. If you think you have problems budgeting for security in your company, imagine being handed an unfunded mandate from the federal government. Do you think current problems will magically go away?

Date: Mon, 2 Feb 2004 09:50:52 -0500 From: Monty Solomon Subject: Security Holes at DMVs Nationwide Lead to ID Theft and Safety Concerns

CDT (https://www.cdt.org/) has issued a report entitled “Unlicensed Fraud” (https://www.cdt.org/privacy/20040200dmv.pdf) documenting rampant internal fraud and lax security at state motor vehicle administration offices across the country placing the reliability of all driver’s license at risk. While heavy public attention has been placed on new national standards and new technologies for driver’s licenses, studying local news reports from throughout 2003 CDT finds that basic management processes to stop bribery and theft are lacking. In the report, CDT offers policy recommendations to address this dire issue. February 2, 2004

20 Questions

Mon, 26 Sep 2005 14:42:00 -0700

20 questions: AI style

This is pretty freaky that a computer can guess what you are thinking…

20Q.net is an experiment in artificial intelligence. The program is very simple but its behavior is complex. Everything that it knows and all questions that it asks were entered by people playing this game. 20Q.net is a learning system; the more it is played, the smarter it gets.

Star Wars Gangsta Rap video

Mon, 26 Sep 2005 14:34:00 -0700

Star Wars Gangsta Rap

The funniest part I think are the stormtroopers. What a bunch of nancies…

Idaho Weatherman Quits To Pursue Bizarre Katrina Quot Theory Quot-

Mon, 26 Sep 2005 13:51:00 -0700

You can’t make up better sh*t than this. Unbelievable.

Unfortunately, a “theory” must be “either originating from observable facts or supported by them.”

Idaho weatherman quits, says he wants to pursue hurricane theory

THE ASSOCIATED PRESS

IDAHO FALLS, Idaho – A Pocatello weatherman who gained attention for an unusual theory that Hurricane Katrina was caused by the Japanese mafia using a Russian electromagnetic generator has quit the television station.

On The Insecurity Of Passwordspassphrases These Days

Mon, 26 Sep 2005 13:46:00 -0700

In a posting to the cryptography mailing list. Interesting statistics in the presentation. Update your threat models!

Folks might want to look at https://www.huitema.net/talks/ietf63-security.ppt the slides from a talk Christian Huitema gave at the Applications Area at IETF63 this past week. Of particular interest is just how cheap it is to brute-force a passphrase these days, especially if it’s just used as a cryptographic key with known plaintext (i.e., in challenge/ response protocols).

--Steven M. Bellovin, https://www.cs.columbia.edu/~smb

Creative Zen Digital Media Players Ship With A Worm

Mon, 26 Sep 2005 13:43:00 -0700

Glad I’m sticking with the Neuros which doesn’t run Windows now and will run Linux in the next version. Not to mention the open source aspects and the ability to play OGG/Vorbis audio files…

https://rss.slashdot.org/Slashdot/slashdot?m=251

Are You Blocking Flash Cookies

Mon, 26 Sep 2005 13:36:00 -0700

Spammers and people without regard for your privacy or your privacy preferences (blocking cookies means I don’t want them in any form) are insidious.

Unbeknownst to many people, Macromedia Flash player allows surreptitious cookies to be dropped on your computer that can be used to track you even if you block traditional browser cookies.

Some information on eradicating them:

Firefox extension for blocking flash cookies: [https://www.yardley.ca/objection/]

Macromedia info (opens up the hidden flash config tool in your browser that lets you view and expunge flash cookies): [https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html]

EPIC Flash Cookie page: [https://www.epic.org/privacy/cookies/flash.html]

Great Site On Bayesian Statistics

Mon, 26 Sep 2005 13:26:00 -0700

This site has a great overview of Bayesian statistics (the basis for bogofilter , why my email is still useful). Also look for information on common misinterpretations of statistics and statistical error rationale for why lie detector tests are less than useful.

cause, chance and Bayesian statistics: a briefing document

Most Apropos Juxtaposition

Mon, 26 Sep 2005 13:24:00 -0700

Movable Type 32 Upgrade Woe New Templates

Mon, 26 Sep 2005 13:19:00 -0700

I was having the same problem as in this posting to the MT forum after upgrading to the new 3.2 templates by copying them in from the default_templates directory or from the movable type templates website:

The footer on my main index seems to be incorrectly displayed: %%time"> | | (0)

1- %% shouldn’t be displaying 2- It should say Posted by xyz on August 19, 2005 02:00 PM | Permalink | (0) 3- ‘>’ shouldn’t be displaying 4- the permalink should be displaying

It turns out that the problem is due to the fact that the new templates in MT 3.2 are really templates for templates in that they contain special tags for internationalization that need to be parsed and replaced with the real template content before you use the templates. So, the default_templates cannot be just pasted in directly.

The simple solution: Create a new blog. This will have the default templates by default (funny how that works). You now have available any of the default templates that have been fully localized to your blog’s language and can now be copy and pasted right into your existing blog.

Federal Court Quot Smacks Down Quot Specious Dmca Claim

Mon, 26 Sep 2005 13:17:00 -0700

Fed. Circuit Smacks Down Bad DMCA Decision Re: Independent Repair Techs

Great news for the public’s rights over “copy” rights.

the DMCA must be read in the context of the Copyright Act, which balances the rights of the copyright owner against the public’s interest in having appropriate access to the work.

The browser wars are back: on security turf

Mon, 26 Sep 2005 13:06:00 -0700

In this article, OSS means slower patches, David Sykes from Symantec makes some absurd claims about open source being slower to patch than closed source.

“It is relying on the goodwill and best efforts of many people, and that doesn’t have the same commercial imperative,” he said. “I’m sure that is part of what is causing the blow-out in the patch window.”

So… “commercial imperative” is a requirement to be quick with patches? Where has this guy been for the past 10+ years when commercial vendors have done everything to thwart publication of vulnerabilities and have been the slowest to patch (and still are, such as Oracle and Cisco).

Also, “I’m sure [relying on the goodwill and best efforts of many people] is part of what is causing the blow-out in the patch window” is entirely an opinion statement. But there are actual people with actual data working on the mozilla project who the reporter or even Mr Sykes could have asked. But no, they go with the unsubstantiated opinion of a purported expert on the matter instead.

Of course, Mr Sykes has a vested interest in maintaining a level of fear in users to keep buying Symantec products to protect them.

Fortunately, the Mozilla organization has hit back with the facts: Mozilla hits back at browser security claim

He also argued that, according to security company Secunia’s statistics, the Microsoft vulnerabilities were more critical, and had been so over a longer timescale. In the period 2003 to 2005 Secunia have issued 22 security advisories regarding Firefox 1.x, and rate it as “less critical”. In the same period Microsoft Internet Explorer 6.x had 85 Secunia advisories, and is rated as “highly critical”.

“Basically their vulnerabilities are more critical. With Firefox — yeah, you have holes, but they’re much less serious.” Nitot likened the differences between Firefox and IE vulnerabilities as being like injuries: “Which would you prefer, to have a broken finger, or your head ripped off?”

Ld50 Of H20

Mon, 26 Sep 2005 13:01:00 -0700

This calculator for the lethal dose (toxicity) for caffeine reminded me that even water has an LD50 https://en.wikipedia.org/wiki/LD50
Intraperitoneal Mouse LD50 (for water): 190 g/kg Intravenous Mouse LD50 (for water): 25g/kg

The alt.drugs FAQ has info too on LD50

Doj Puts Porn Over Terrorism

Mon, 26 Sep 2005 12:59:00 -0700

[infowarrior] - Top DoJ Priority Isn’t Terrorism, it’s Adult Entertainment

This is disgusting. I’m glad it is getting such a negative public reaction.

My Pick For Cost Reducing Noise Reducing Headphones

Mon, 26 Sep 2005 12:47:00 -0700

Aiwa HP-CN6 Noise-cancelling headphones. Get them at amazon.com for super cheap. I compared these to the $299 Bose and it was a very easy decision. There is not $270 more noise cancelling in the Bose headphones.

When trying them on and comparing them, be aware that the over-the-ear designs block more noise just without having them turned on. So, account for that difference in your testing.

I often use mine at work to cancel out the subconsciously irritating ambient noise and they are indispensable on airplanes.

Inspired by “Cost Reduction” Headphones

Bush Then Vs Now

Mon, 19 Sep 2005 11:29:00 -0700

Then:

A large majority of voters express confidence that Bush will protect the country from a terrorist attack if he is re-elected in November

Now:

the public now shows diminished confidence in his abilities to handle a crisis or provide leadership, as well as in the government’s ability to protect the country.

Quality Time Wasting Sites

Tue, 13 Sep 2005 14:19:00 -0700

Just in case you’re looking for hours and hours of quality entertainment, here are several sites with similar kinds of videos and pictures that always deliver.

[https://www.ebaumsworld.com]

[https://www.killsometime.com]

[https://www.collegehumor.com]

[https://www.ugoto.com]

[https://www.gorillamask.net]

[https://www.hamncheez.com]

A Message From The Church Of The Flying Spaghetti Monster

Mon, 29 Aug 2005 11:41:00 -0700

OPEN LETTER TO KANSAS SCHOOL BOARD

My new greeting will have to be: “May you be forever touched by His Noodly Appendage”

Since a judge in washington today just ruled that it is okay to post the 10 commandments on government property in some cases without posing a “threat to the religious freedoms of the citizens”, this would be a great time to get some of the Flying Spaghetti Monster commandments on public land. Fair is fair, right?

One of my new favorite words is Pastafarian

Security reading list

Fri, 19 Aug 2005 15:17:00 -0700

A book that I am reading right now:

Between Silk and Cyanide A true story of cryptography in the field during WWII.

A free 900 page eBook from Microsoft Press: Improving Web Application Security: Threats and Countermeasures

You may want to just buy a paper copy since it weighs in at 3-4 inches of paper (I have a copy of the “real” book and it’s big).

Another book that sounds interesting:

Secrets of Computer Espionage: Tactics and Countermeasures “Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in the workplace, and computer fraud crimes. "

Security books to check out

Fri, 19 Aug 2005 15:14:00 -0700

https://www.wiley.com/legacy/compbooks/mcnamara/

Secrets of Computer Espionage: Tactics and Countermeasures

by Joel McNamara

Covers electronic and wireless eavesdropping, computer surveillance, intelligence gathering, password cracking, keylogging, data duplication, black bag computer spy jobs, reconnaissance, risk assessment, legal issues, and advanced spying techniques used by the government.

Author shares easily-implemented countermeasures against spying to detect and defeat eavesdroppers and other hostile individuals.

Addresses legal issues, including the U.S. Patriot Act, legal spying in the workplace, and computer fraud crimes.

ISBN 0-7645-3710-5 384 Pages June 2003

Rss Feed For Traffic Conditions Data And Maps

Fri, 19 Aug 2005 15:03:00 -0700

The technical details of how to find your local traffic feed are at https://ejohn.org/blog/traffic-conditions-data/

It’s pretty easy to set up your own URL. Here’s one for Seattle that I’ll have to put on my blog somewhere…

New Research Cats Can'T Taste Sweets

Fri, 19 Aug 2005 15:02:00 -0700

Very interesting.

Genetic flaw leaves felines without sweet tooth

Now, there’s a scientific theory explaining, at least in part, why cats have such snobby eating habits: genetics.

Researchers at the Monell Chemical Senses Center in Philadelphia and their collaborators said Sunday they found a dysfunctional feline gene that probably prevents cats from tasting sweets, a sensation nearly every other mammal on the planet experiences to varying degrees.

Geocentrist Challenge

Fri, 19 Aug 2005 14:58:00 -0700

Catholic Apologetics International is challenging people to provide proof that the earth revolves around the sun.

CAI will write a check for $1,000 to the first person who can prove that the earth revolves around the sun. (If you lose, then we ask that you make a donation to the apostolate of CAI). Obviously, we at CAI don’t think anyone CAN prove it, and thus we can offer such a generous reward. In fact, we may up the ante in the near future.

Why are they doing this, well one reason:

if it can be proven that, after the Church clung so tenaciously to the view that the sun revolves around the earth, but that now the Church finally has to admit she was wrong about one of its more authoritative teachings in the seventeenth century, this does not bode well for convincing modern man to abide by the Church’s official teaching on ANY issue.

Evidence Of The Expanding Us Totalitarian State

Fri, 19 Aug 2005 14:52:00 -0700

From John Gilmore to the cryptography list:

> one that is all too relevant today. The pertinent question is no longer > whether Americans spied, but rather how highly educated, intelligent men > and women failed to comprehend the true nature of Stalinist communism, and > why they were willing to risk their lives and imperil the security of their > families, neighbors and friends to commit crimes on behalf of a foreign > power opposed to the basic tenets of modern society.

This was a good observation, but the next sentence muddled it with typical American self-blindness.

> Answers to similar > questions, regarding educated Muslims with experience of life in Europe and > the U.S. like those who led the 9-11 and Madrid attacks, are essential to > constructing a defense against 21st century terrorism.

I want the same answer about how not just the Washington elite, but even army kids from Iowa, fail to comprehend WHY we prohibit torture, provide fair trials and legal representation, due process of law, and why we have a constitution or civil rights at all. Do they not comprehend the true nature of a United States with arbitrary searches, travel papers, pervasive surveillance, no effective Leg. or Jud. checks on arbitrary executive power, no federalism checks on unlimited federal power, indefinite imprisonment of US citizens at the will of the President, indefinite imprisonment without trial of non-citizens seized by force anywhere in the world, and wars of occupation? It’s caled an expanding totalitarian state, kiddies, and every totalitarian stste tells its citizens how they are the freest country in the world. Get out and compare for yourself!

Then tell me what the “basic tenets of modern society” are.

John Gilmore (posting from Greece)

PS: Add in a lapdog press too. Try reading the foreign press on the web. They actually ask hard questions of pols and slam them for evading. And all their sources aren’t anonymous “highly placed govt officials”.

And to go along with this, Perry Metzger had a very well put posting on why we should’t blindly trust governments:

hadmut@danisch.de writes: > But nevertheless, I do not understand why americans are so afraid of > an ID card.

Perhaps I can explain why I am.

I do not trust governments. I’ve inherited this perspective. My grandfather sent his children abroad from Speyer in Germany just after the ascension of Adolf Hitler in the early 1930s – his neighbors thought he was crazy, but few of them survived the coming events. My father was sent to Alsace, but he stayed too long in France and ended up being stuck there after the occupation. If it were not for forged papers, he would have died. (He had a most amusing story of working as an electrician rewiring a hotel used as office space by the Gestapo in Strasbourg – his forged papers were apparently good enough that no one noticed.) Ultimately, he and other members of the family escaped France by “illegally” crossing the border into Switzerland. (I put “illegally” in quotes because I don’t believe one has any moral obligation to obey a “law” like that, especially since it would leave you dead if you obeyed.)

Anyway, if the governments of the time had actually had access to modern anti-forgery techniques, I might never have been born.

To you, ID cards are a nice way to keep things orderly. To me, they are a potential death sentence.

Most Europeans seem to see government as the friendly, nice set of people who keep the trains running on time and who watch out for your interests. A surprisingly large fraction of Americans are people or the descendants of people who experienced the institution of government as the thing that tortured their friends to death, or gassed them, or stole all their money and nearly starved them to death, etc. Hundreds of millions of people died at the hands of their own governments in the 20th century, and many of the people that escaped from such horrors moved here. They view things like ID cards and mandatory registry of residence with the local police as the way that the government rounded up their friends and relatives so they could be killed.

I do not wish to argue about which view is correct. Perhaps I am wrong and Government really is the large friendly group of people that are there to help you. Perhaps the cost/benefit analysis of ID cards and such makes us look silly. I’m not addressing the question of whether my view is right here – I’m just trying to explain the psychological mindset that would make someone think ID cards are a very bad idea.

So, the next time one of your friends in Germany asks why the crazy Americans think ID cards and such are a bad thing, remember my father, and remember all the people like him who fled to the US over the last couple hundred years and who left children that still remember such things, whether from China or North Korea or Germany or Spain or Russia or Yugoslavia or Chile or lots of other places.

Perry

Who's fault is ID theft and financial fraud? Ask your bank.

Fri, 19 Aug 2005 14:21:00 -0700

Repeat after me: Identifiers are not Authenticators.

SSN: Identifies you, does not prove your identity. This is a claimed identity on its own.
Credit/debit Card Number: Identifies your credit card account, does not prove your identity. Possession or presentment does not prove that the presenter of this information is authorized to make use of it. But that doesn’t stop the financial industry from using it as the payment authenticator…
ACH/Bank account and routing numbers: Identifies your bank account (along with the type, checking or savings). Again, possession or presentment does not prove that the presenter of this information is authorized to make use of it. Realize that you give this out to everyone and anyone if you send out checks since all the information to transfer money in or out of your account is right there on the check.
ITIN: From the IRS website:

Are ITINs valid for identification? No. ITINs are not valid identification outside the tax system. Since ITINs are strictly for tax processing, IRS does not apply the same standards as agencies that provide genuine identity certification. ITIN applicants are not required to apply in person, and IRS does not further validate the authenticity of identity documents. ITINs do not prove identity outside the tax system, and should not be offered or accepted as identification for non-tax purposes.

So, because of this mess, you need to know how to protect yourself. Know your rights about bank account fraud.

Perry Metzger’s posting to the cryptography mailing list recently about the problems of financial fraud were spot on:

John Denker writes: > My point here is that knowing who I am shouldn’t be a > crime, nor should it contribute to enabling any crime. > Suppose you know who I am. Suppose you know my date of > birth, social security number, and great-great-grandmother’s > maiden name. As Spike said, so what?

I tend to agree. It is equally ridiculous to use a credit card account number as the “secret” to authorize a transaction, since that “secret” has to be given out several times a day.

> It’s only a problem if somebody uses that _identifying_ > information to spoof the _authorization_ for some > transaction.

Yes.

> And that is precisely where the problem lies. Any > system that lets _identification_ serve as _authorization_ > is so incredibly broken that it is hard to even discuss > it. I don’t know whether to laugh or cry.

Again, yes.

However, I would like to make one small subtle point. In fact, what you are complaining about is not the use of identification for authorization – that is a totally separate and equally sad discussion -- but the use of widely known pieces of information about someone to identify them. The issue is that the bank pretends only you would know your mother’s maiden name, not that the bank would only let you withdraw funds. A piece of information that is not widely known but which can be used to establish your identity – such as a private key only you should know – is probably fine.

So, rephrasing, the problem is not that secret information isn’t a fine way to establish trust – it is the pretense that SSNs, your mom’s birth name or even credit card numbers can be kept secret.

> Identifying information cannot be kept secret.

I’d amend that to “things like your name, your SSN or your account numbers cannot be kept secret…”

> There’s no point in trying to keep it secret. Getting a new SSN > because the old one is no longer secret is like bleeding with > leeches to cure scurvy … it’s completely the wrong approach. The > only thing that makes any sense is to make sure that all relevant > systems recognize the difference between identification and > authorization.

I have to agree yet again (with my caveats about the terminology you are using).

This is yet more reason why I propose that you authorize transactions with public keys and not with the use of identity information. The identity information is widely available and passes through too many hands to be considered “secret” in any way, but a key on a token never will pass through anyone’s hands under ordinary circumstances.

Perry

Several stories that prove the world is going crazy

Fri, 19 Aug 2005 13:52:00 -0700

First out of the gate:

Fedex sued a loyal customer for posting photos of furniture he made for himself out of Fedex boxes on the web. Get this, they used many…er…novel…legal arguments to try to scare him. Welcome to the doghouse FedEx. You’ve got great company, such as Cisco and Oracle.

Some highlights:

They tried to use the DMCA in their claims. But were complaining about trademark issues. Copyright law does not cover trademarks. Next!
They tried to make some claim that he was violating the terms of service of fedex.com in his use of the boxes.
They tried to claim that he was obviously posting the photos for personal financial gain. Get this–because he posted them to a .com website instead of a .net. Good thing I’m on a .net so they can’t sue me!

Furniture Causes FedEx Fits

Also in the WTF files. A Doonesbury strip was recently pulled for using a real, albeit crude, nickname for Karl Rove. The papers claimed it was “in bad taste”.

Some pull ‘Doonesbury’ over Rove moniker

The strip itself: https://www.doonesbury.com/strip/dailydose/index.html?uc_full_date=20050726

Next on the list. Jason Coombs had a great rant on Bugtraq about computer forensics professionals who are testifying against defendants who may well have a legitimate defense – the “the trojan ate my homework” defense. He takes issue with claims that a forensics investigation could reasonably ascertain whether a past action was performed by a human or a trojan horse or other malware:

The fact that malware authors aren’t cooperating with the computer forensics industry by making sure that it’s easy to distinguish between the actions of malware and the actions of a human computer user, combined with uninformed expert opinions like those shown below, is resulting in innocent people being put behind bars, and people like Marcus Lawson who think they know what they’re doing but clearly do not are helping to get innocent people convicted by spewing nonsense.

This undermines the ability of the criminal court system to convict those who are truly guilty, and keep them convicted on appeal.

And finally, How many laws do you have to break to get fired in the Department of Homeland Security? Since this ran, we now know that the DHS has now deleted the data that they illegally obtained from data miners. So now, americans have no way of knowing if the TSA had used data about them illegally. A group from Alaska is suing the government now.

Using threat modeling featured in new OWASP WAPT

Fri, 19 Aug 2005 13:48:00 -0700

This will be something to look forward to. I have not seen much of the theory of threat modeling end-to-end put into practice effectively or completely. And much of what I have seen of threat modeling really should be baked into the SDLC process and something that project teams do as part of normal development efforts (why are security people doing separate data flow diagrams, for example?).

From Threatsandcountermeasures:

The next release of the OWASP Web Application Penetration Test (WAPT) guide will include a section on using threat modelling effectively

Threat Modelling and security testing

ZDNet's "apology" to Google

Fri, 19 Aug 2005 12:40:00 -0700

Gotta love brit humor! This is great tongue-in-cheek commentary at its best.

The background: News.com UK published details about Google’s CEO using public information found on…Google (aka Google hacking). Google wasn’t happy about this, so they banned Google employees from speaking to News.com reporters for a year. Absurd!

But, fortunately, ZDNet UK has apologized for the whole matter, although it is covered with loads o’ sweet syrupy sarcasm.

ZDNET.UK’s “apology” to Google

Clearly, there is no place in modern reporting for this kind of unregulated, unprotected access to readily available facts, let alone in capriciously using them to illustrate areas of concern. We apologise unreservedly, and will cooperate fully in helping Google change people’s perceptions of its role just as soon as it feels capable of communicating to us how it wishes that role to be seen.

25 And A Bit More Green For An X509 Certificate

Fri, 19 Aug 2005 12:36:00 -0700

That sounds like quite a deal actually. Verisign still charges an exhorbitant amount of money for bits that do the same thing.

-Jason

From Peter Gutman to the Cryptography Mailing list Subject: How much for a DoD X.509 certificate?

$25 and a bit of marijuana, apparently. See:

https://www.wjla.com/news/stories/0305/210558.html https://www.wjla.com/news/stories/0105/200474.html

Although the story doesn’t mention this, the “ID” in question was the DoD Common Access Card, a smart card containing a DoD-issued certificate. To get a CAC, you normally have to provide two forms of verification… in this case I guess the two were photo ID of dead presidents and empirical proof that you know how to buy weed.

The cards were issued by Yusuf Khalil Jackson, a man with a long criminal history (including, ironically, identity fraud):

John Pike, Global Security.org: “The notion that we’re going to let somebody with this type of criminal record, with no background check on him and give him the ID card machine defies understanding.”

Jackson admitted to making about 30 of the ID cards:

John Pike: “The good news is that it looks like some of these people were just doing it so they could go to a bar and claim to be over 21. The bad news is that you don’t know what else some of these other people might have done.”

One of the cards was later “seized from a Pakistani national” by the police.

Bowens: “That’s the nightmare of it. The cards themselves are not counterfeit. They’re authentically made but they’ve been issued in an unauthorized manner for profit or ideology or a little of both.”

This sort of thing doesn’t bode well for Real ID either. These cards were real ID too.

Peter.

Homeland Security Getting Smarter Or Staying Stupid

Fri, 19 Aug 2005 09:53:00 -0700

Getting smarter:

Chertoff is a good guy. When I heard this NPR interview I remember thinking, holy crap, someone who gets it. Security is about tradeoffs and with limited resources, making the most cost effective and rational decisions based on risk and threat analysis.

TSA may move to reallow knives, etc. back on aircraft. Threats Reassessed To Make Travel Easier for Public

The stay-seated the first and last 30-minutes of a flight rule is also going away, due to reasoned analysis: https://www.mail-archive.com/infowarrior@g2-forward.org/msg01084.html

Staying stupid:

(proposing requiring passports to enter the US from Canada)

https://www.mail-archive.com/infowarrior@g2-forward.org/msg01280.html

Looks like getting smarter may finally win out.

Favorite Words That Probably Arent Words

Fri, 19 Aug 2005 09:48:00 -0700

Sheeple

Irritainment

Adminisphere

To go along with other new entries in the Oxford English Dictionary

You can have lots of fun at Unwords

Drooling Over My 7mbps 892 Kbps Dsl Upgrade

Tue, 19 Jul 2005 11:36:00 -0700

broadband Speed Interpretation

Just upgraded from 1.5mbps / 768kbps to 7mbps / 892kbps. Yum.

2005-07-19 21:32:27 EST: 4427 / 719 Your download speed : 4533441 bps, or 4427 kbps. A 553.3 KB/sec transfer rate. Your upload speed : 737104 bps, or 719 kbps.

Rick Santorum Blame The Victims Of Clergy Sex Abuse

Tue, 19 Jul 2005 10:58:00 -0700

SANTORUM ALSO BLAMES THE VICTIMS OF CLERGY SEXUAL ABUSE - Santorum Exposed: The Blog

This is an utterly disgusting rationalization.

Non English Internet Domain Names Likely Delayed Due To Phishing Concerns

Fri, 15 Jul 2005 05:45:00 -0700

Non-English Domain Names Likely Delayed - Yahoo! News

Social engineering attacks using similar characters to trick users are called homograph, or semantic attacks Also see this article on IDN Homograph Attacks.

Concerns about “phishing” e-mail scams will likely delay the expansion of domain names beyond non-English characters, the chairman of the Internet’s key oversight agency said Friday.

Vint Cerf, head of the Internet Corporation for Assigned Names and Numbers, would not speculate on when such characters might appear but said Internet engineers must now spend time “trying to winnow down, frankly, the number of character (sets) that are allowed to be registered.”

“In some of the early tests, … it became clear we had opened up the opportunity for registering very misleading names,” Cerf said in a conference call wrapping up ICANN’s meetings this week in Luxembourg. “This kind of potential confusion leads to parties going to what they think are valid Web sites.”

Back in February of this year, the ICANN announced a request for Public Comment on issues with the proposed Internationalized Domain Name (IDN) standard and recognized homograph attacks as a likely attack vector.

Bush Administration May Be Responsible For Botching Effort To Thwart London Bombing

Fri, 15 Jul 2005 05:33:00 -0700

AMERICAblog: Bush admin may be responsible for botching effort to thwart London bombing

Seems as if the Bush Administration has a habit of leaking confidential information.

ABC News just reported that the British authorities say they have evidence that the London attacks last week were an operation planned by Al Qaeda for the last two years. This was an operation the Brits thought they caught and stopped in time, but they were wrong. The piece of the puzzle ABC missed is that this is an operation the Bush administration helped botch last year.

One senator told CNN that U.S. officials should have kept Khan’s role quiet.

“You always want to know the evidence,” said Sen. George Allen.

“In this situation, in my view, they should have kept their mouth shut and just said, ‘We have information, trust us.’ “….

I agree with the senator. We had an operative INSIDE Al Qaida! And this leak destroyed that advantage that may have helped prevent not only this attack, but other future attacks.

UN inspector "god told him" where the weapons in iraq were

Tue, 12 Jul 2005 10:45:00 -0700

Eschaton:
Sybil the Soothsayer

Good Grief.

So, where’s your God now? Perhaps where the WMDs are?

I wonder if he still believes that his God is omniscient?

Another Study Showing Real Danger Of Cell Phone Use While Driving

Tue, 12 Jul 2005 07:48:00 -0700

I no longer work for a large US cellular company, so I am free to write about this topic. Even better, I can write about how the lobbying by the cellular phone industry has been what keeps laws from being enacted to protect the public. Now, I do agree with the position that there are a lot of things drivers do that are just as bad, if not worse (reading the newspaper on your steering wheel, reading email on a blackberry…) so why pick on cellphones, but the fact is that from a public threat perspective, there are way more people doing stupid shit while on their cellphone than all other distracted driving combined, I guarantee.

I have made it a habit to note how many drivers doing stupid shit are talking on their cellphones when I see them and it is, no joke, almost 100% of drivers. I challenge you to do the same and you’ll be horrified at how many common dangerous and annoying things are related to being on a cell phone at the time:

Driving too slow
Unable to stay in lane
Swerving
Not letting you merge (not paying attention)
Etc. etc.

CNN.com - Study: Drivers on cells more likely to crash - Jul 12, 2005

A study released Tuesday said drivers who use cell phones – even hands-free models – are four times as likely to be involved in wrecks involving a serious injury than are drivers who do not use cell phones.

Cell Phone Service Temporarily Disabled In Nyc For Quot Security Quot-

Tue, 12 Jul 2005 07:42:00 -0700

CNN.com - Cell phone service disabled in New York tunnels - Jul 12, 2005

Cell phone service was disabled inside the four tunnels leading into Manhattan after the terrorist bombings in London, but Mayor Michael Bloomberg questioned Monday whether the move “makes the most sense.”

I’m with Mayor Bloomberg. I don’t think it makes sense at all for at least four major reasons:

Terrorists don’t necessarily have to call a cellphone in order to use it to detonate a bomb. I have read about them using the built-in timer. And this article actually corroborates this.

In the Madrid explosions, alarms in cells phones were set on vibration, which sent electric impulses to the copper detonators connected to the explosives, Spanish authorities said.

So, this measure indicates that someone does not understand the threat.
More importantly, suppressing cellular service only can serve to incite panic–especially if there were to be another bombing or similar terrorist attack. I remember on 9/11 how distracted and distraught everyone was who knew people from New York when they could not get through to anyone to make sure everyone was alright. Now, if that isn’t terrorism, I don’t know what is. So, shutting down cell phone service really is going to help the terrorists with their mission
Cellphones on the front lines can be a great help in reporting attacks. Faster reporting and more accurate directions to authorities can save lives if there were to be another attack.
The Department of Homeland Security said that this goes against their guidelines of keeping the cellphone system up and working for rescue authorities to use in the event of an emergency

The Department of Homeland Security said the decision in New York to cut off cellular service was made without any recommendation by the federal government’s National Communications System, which ensures communications are available during national emergencies.

And while we’re on the subject of anti-terrorist governmental reactions that don’t make any sense… (Bruce Schneier is really going to have a field day with these):

PCWorld.com - Feds Seek Wiretap Access for Mobile Calls on Planes

If cell phones and other handheld wireless devices are allowed to be used on aircraft by the U.S. Federal Communications Commission, the U.S. Department of Justice wants built-in terrorism-fighting capabilities to allow fast wiretaps and quick ways to disconnect conversations between terrorists.

Eff Legal Guide For Bloggers

Tue, 12 Jul 2005 07:39:00 -0700

Now that I may actually be somewhat consistent in posting, and will be posting more if I can help it, reading up on the EFF: Legal Guide for Bloggers would be prudent.

Reduce Fear Increase Security

Tue, 12 Jul 2005 06:21:00 -0700

This appeared in the October 2004 crypto-gram and is a very good description of how the current “security” measures at airports, etc. serve only to “reduce fear” and don’t actually “increase security”. The latter is the hard problem….

From: Anonymous Subject: Fear and Security

This is in response to the letter you published last month by Wayne Schroeder: Fear and security are closely coupled in simple situations, like riding a motorcycle. The way to reduce the fear is to increase your safety, such as by driving more slowly. Millions of years of evolution have evolved fear as a mechanism for keeping us alive, but millions of years of evolution never had to deal with a 767. It evolved for simpler things, like bad weather, high speeds, and scary animals.

When it comes to the more complex security situations of the modern world, our natural instincts are inadequate. People still rely on them to guide them, though, like in the now-notorious Annie Jacobsen freakout. That’s why we have security theater; people are trying to reduce fear, not increase safety, and they don’t realize those aren’t the same anymore.

That is also why people are reluctant to confront their poor choices. When you force them to do so, you are taking them from a place of reduced fear to one of heightened fear; as far as they’re concerned, you’re causing the fear. The rational perspective is clearly that you are making them safer, but they don’t see it that way.

The motorcycle example just doesn’t work because it maps easily to our evolved instincts. Modern security problems are so complicated that the ways to reduce fear have diverged from the ways to increase safety. Trying to map these primitive emotions to modern threats can’t work; the gap is too large. Relying on our fears to guide us won’t make us safer; it will only make it more shocking when our defenses are breached again.

Homeland Security Terror Alerts

Tue, 12 Jul 2005 06:11:00 -0700

Good to look back on in light of the raising of the alert (and only for public transportation…) Is the best our intelligence can do is to assume that the next attack will be the same MO and style as recent ones?

Schneier on Security: Do Terror Alerts Work?

When Attorney General John Ashcroft came to Minnesota recently, he said the fact that there had been no terrorist attacks in America in the three years since September 11th was proof that the Bush administration’s anti-terrorist policies were working. I thought: There were no terrorist attacks in America in the three years before September 11th, and we didn’t have any terror alerts. What does that prove?

VIM as an XML Editor

Tue, 12 Jul 2005 02:39:00 -0700

07:00

A great HOWTO: Vim as XML Editor

I’m not sure I’ll give up a GUI for XML editing, but you can do quite a lot with VIM that many GUI XML editors can’t.

Avoid Losing Web Form Text

Mon, 11 Jul 2005 04:04:00 -0700

Scribe, Mozilla Firefox Extension looks like a handy extension to add to Firefox. How many times have you lost a long textarea posting? No more typing in VIM or Notepad and then pasting into the web. No need to constantly save to the server to avoid losing text.

Example given uses movable type… I’ll definitely be checking this out.

UPDATE: I just lost a great posting due to accidental hitting the back button… Aargh.

SecureUML, with Visio templates

Mon, 11 Jul 2005 04:02:00 -0700

Mark Curphey’s Blog

I am very methodical when it comes to security design and security reviews so I am sure that these templates will come in very handy to ensure uniform coverage of requirements and mechanisms.

My only quibble so far is that they call this “SecureUML”. The UML isn’t Secure, nor is having a well-defined Authorization model imply security (look no further than the Sarbanes-Oxley efforts that define wonderful processes and models, but the auditor testing never covers the effectiveness of the underlying mechanisms implementing these controls…)

There are a few simple steps that can help when defining authorization requirements and an extension to the Unified Modeling Language called SecureUML that is very powerful for documenting unambiguous authorization models, specifically RBAC (roles based access control). My colleague Rudolph Araujo (Security Developer MVP) has built a Visio template for creating SecureUML models that is also available here. One of the things I specifically like about UML and SecureUML is that it forces you to really think about things and promotes best practice where you are not operating on undocumented assumptions.

First things first, lets define some simple steps to creating an authorization model.

1. Identify Users (actors) 2. Identify Application Specific Roles 3. Map Users to Roles Based on Business Function 4. Identify Resources 5. Identify Actions 6. Identify Authorizations Constraints

Free Open Source Tool Released For Web Services Security Scanning

Mon, 11 Jul 2005 02:08:00 -0700

Foundstone, Inc.� Strategic Security

Have not checked it out yet. Sounds promising. Although it would be nice to have a scanning tool that can do application security checks regardless of the protocol being HTML over HTTP, XML over HTTP, SOAP, etc. Many of the attacks and scanning signatures will be the same. Only the formatting and perhaps the detection of success/fail of a test. I’d be interested in knowing more about what they encountered as to whether the differences are significant enough to warrant a separate tool.

Unintended consequences of improved SSL UI in browsers

Thu, 07 Jul 2005 05:45:00 -0700

SSL Organization Vulnerabilities

The following example web site spoofs demonstrate the vulnerabilities that exist if First-Generation vetting practices for digital certificates are used in combination with new browser enhancements which bring the certificate Organizational information forward and displayed next to the SSL Lock symbol.

Spoofers these days are adapting very fast to new technology to counter their tactics. This is one in which adversaries are generating certificates with Organization information that matches a target site to spoof, and dumb “Trusted” third party CAs happily sign these certificates. Some browsers, such as Opera, are now providing the organization information directly to users to help them make better trust decisions. Unfortunately, this is rearranging deck chairs on the Titanic since the SSL TTP model is totally broken–it does not allow for adequate authentication of sites to end users, hence the rampant phishing attacks and soon to be man-in-the-middle attacks (my prediction).

Study: Users becoming more security Conscious

Thu, 07 Jul 2005 05:14:00 -0700

Fear of Spyware Changing Online Habits - Yahoo! News

Internet users worried about spyware and adware are shunning specific Web sites, avoiding file-sharing networks, even switching browsers. ADVERTISEMENT

Many have also stopped opening e-mail attachments without first making sure they are safe, the Pew Internet and American Life Project said in a study issued Wednesday.

Some good indications that end users are gaining levels of awareness of the security problems in today’s Internet environment. Go read the full report It has a lot more meat than the wire stories.

Musings On The Horrible Bombings In The Uk

Thu, 07 Jul 2005 05:12:00 -0700

I hope we have better reason to suspect Al-Qaida than this. And can’t the press do better than push a ridiculous assertion such as this below with a weak justification by an anonymous source? Why the need for an anonymouse source anyhow? It almost seems as if the reporter was trying to squeeze in a link to Al-Qaida no matter the questionable “logic” being used to make that assertion. But, perhaps it came off this way due to too much pruning by the editor.

A senior U.S. counterterrorism official, speaking on condition of anonymity, said that because the attacks were well-coordinated and appeared fairly sophisticated, they were consistent with al-Qaida’s methodology.

So, are there not any other terrorist groups that can be “well-coordinated” and “fairly sophisticated”?

Seeing that the terror alert level was only raised after the bombings occurred indicates that our intelligence is still in pretty bad shape. I’m sure that if the US knew about a threat against the UK in advance, they would have raised our alert level in anticipation.

From the AP: U.S. Raises Alert to Orange for Transit

The Rise of the American Taliban

Mon, 04 Jul 2005 17:03:00 -0700

Daily Kos: State of the Nation

I was just talking last week about the rise of the American Taliban and how hypocritical some brands of “christian” are about who gets to have freedom of religion in this country. This article is very apropos.

Funny how the wingers try to claim American liberals are in league with crazy fundamentalist Muslims.

Reality is, we hate everything Islamic fundamentalism stands for. On the other hand, the Dobson’s of the Republican Party – you know, the people running the show – have far more in common with the enemy than they’d ever like to admit.

More Tsa Idiocy

Sun, 03 Jul 2005 15:04:00 -0700

Following up on my earlier posting on TSA idiocy… Supposedly this was also at SeaTac.

Just met with some friends tonight and the subject of airline/airport “security” came up. A true story about a recent run-in with TSA:

85-year-old resident of Washington state arrives home after an international flight where he had successfully taken about six different flight legs without incident carrying on a small watch/clock repair toolkit with him in his carry-on luggage. On the final leg, he is accosted by TSA because he is carrying a 2 inch hammer in this kit with a metal head and wooden handle!! The TSA tells him that tools are prohibited and that they are going to confiscate this tiny hammer.

Well, they pleaded with TSA:

The man is 85 years old and lives in Seattle
Oh, by the way, he had no problems on the other six legs of our flight and this is the final leg.
He had made the hammer himself with his own hands years ago–both the handle and the metal head. It is a one-of-a-kind and a cherished family heirloom.
Are terrorists (or _anyone_) known to attack people with 2 inch hammers?

But, the TSA, protecting all of us from 2 inch hammer banditos, refused to budge. The family got several levels of TSA and airport staff involved to press the issue yet their pleas still fell on deaf ears.

To make matters worse, the TSA staff were nasty about the situation too. For example, when asked what they were going to do with the hammer after confiscating it, they said that it would be “discarded”, as if it were something with only utilitarian value. No thought about the real human lives in front of them that were being negatively impacted by this policy. I guess “things have changed after 9-11”: Americans are self-righteous and don’t care about the American public? No thought is expended to question whether the TSA Policy that does actually prohibit bringing quote-unquote “hammers” on board, but I’m sure the policy writers did not intend for this to apply to 2 inch hammers! Think people!! Sheesh.

Yeah, people supposedly trying to protect us are maliciously obedient to policies that address false risks not based on a threat model, let alone a reasonable one. And, they only care about the letter of the law and not the spirit. The risk mitigation lies in the spirit of the law. Stupidity and a police state lies in strict interpretation of the letter of the law, especially in the case of the TSA where Americans have no ability to confront their accusors and ensure any sense of just treatment under the law.

A great quote I have heard someone say (about “no tolerance” school gun/knife/drug/etc. policies) is that “no tolerance” polices like these are really “no thought” policies. They allow people to be maliciously obedient to idiotic policies and take away any hint of a rational thought process that would normally prevent humans (formerly known to be rational actors) from arriving at ridiculous conclusions to benign situations.

Cryptography Must Overcome Ui Problems To Be Both Useful And Effective

Wed, 29 Jun 2005 13:05:00 -0700

A great paper to read up on, especially given that Phishing is showing us that the “Trusted Third Party” model as implemented in today’s web browsers is horribly broken.

Don Davis’ Cryptography Articles. Specifically, read “Compliance Defects in Public-Key Cryptography”.

Abstract: Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others’ public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users’ discipline. A “compliance defect” in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.

The slides (78 Kbytes) PDF (78 Kbytes) discuss a topic that the paper only touches upon: the complexity of thoroughly checking a certificate issuance-chain, to see whether any of the certs in the chain have been revoked recently. Even in the best case, this is a surprisingly messy procedure. See slides 12 & 13, and their annotations.

Best Quote

Wed, 29 Jun 2005 12:42:00 -0700

Best quote:

“Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment.”

-- Peter Gutman, https://mail-archive.com/cryptography@metzdowd.com/msg00891.html

The rest of the post is great as well, with a “sound” warning about the CIPE VPN.

Wireless security can be funny

Wed, 29 Jun 2005 12:37:00 -0700

This is a true story!

The link to the story below is stale now, but this one still works:

Hackers tell man he’s “too fat” to eat at Burger King - silicon.com

https://www.ananova.com/news/story/sm_853744.html?menu=news.latestheadlines

Burger King customers told: ‘You are too fat to have a Whopper’

Police believe teenage pranksters are hacking into the wireless frequency of a US Burger King drive-through speaker to tell potential customers they are too fat for fast food.

Policeman Gerry Scherlink said the pranksters told one customer who had just placed an order: “You don’t need a couple of Whoppers. You are too fat. Pull ahead.”

The offenders are reportedly tapping into the wireless frequency at the restaurant in Troy, Michigan. Police believe the culprits are watching and broadcasting from close range.

Officer Scherlinck said the men are telling customers who order a Coca-Cola that, “We don’t have Coke.” And when the customer asks what they do have, the hacker would say: “We don’t have anything. Pull ahead.”

But what has managers concerned is the profanity the hackers are using, according to police.

A drive-through customer has told police if he had children with him in the car and someone used profanity, he would have been upset.

Burger King franchise owner Tony Versace issued the following statement in response to the incidents: “We apologise to our customers who’ve been insulted by the use of this drive-through speaker.”

Management at the fast-food restaurant are reportedly trying to change the radio frequency used for the speakers, reports Local 4.

Pigeons Follow Roads To Navigate

Wed, 29 Jun 2005 12:35:00 -0700

Telegraph | News

How do homing pigeons navigate? They follow roads By Caroline Davies (Filed: 05/02/2004)

Researchers have cracked the puzzle of how pigeons find their way home: they just follow the main roads.

Zoologists now believe the phrase “as the crow flies” no longer means the shortest most direct route between two points. They say it is likely that crows and other diurnal birds also choose AA-suggested routes, even though it makes their journeys longer.

TSA abuse of power comes to a city near me

Wed, 29 Jun 2005 12:23:00 -0700

This story from my hometown of Seattle is further proof that the current airport security procedures are nothing more than window dressing and are leading to the loss of civil rights for innocent people.

When was the last time you heard about these security procedures actually catching a terrorist?

komo news | ‘This Is Not Right’

DES MOINES - Cecilia Beaman is a 57-year-old grandmother, a principal at Pacific Middle School in Des Moines, and as of Sunday is also a suspected terrorist.

“This is not right,” she told us. It’s not right!"

During the stay she made sandwiches for the kids and was careful to pack the knives she used to prepare those sandwiches in her checked luggage. She says she even alerted security screeners that the knives were in her checked bags and they told her that was OK.

But Beaman says she couldn’t find a third knife. It was a 5 1/2 inch bread knife with a rounded tip and a serrated edge. She thought she might have lost or misplaced it during the trip.

On the trip home, screeners with the Transportation Security Administration at Los Angeles International Airport found it deep in the outside pocket of a carry-on cooler. Beaman apologized and told them it was a mistake.

“You’ve committed a felony,” Beaman says a security screener announced. “And you’re considered a terrorist.”

Beaman says she was told her name would go on a terrorist watch-list and that she would have to pay a $500 fine.

And to make it worse, you are guilty without the ability to confront your accuser and clear your name

She says screeners refused to give her paperwork or documentation of her violation, documentation of the pending fine, or a copy of the photograph of the knife.

“They said ’no’ and they said it’s a national security issue. And I said what about my constitutional rights? And they said ’not at this point … you don’t have any’.”

At Amp T Plans Security News Channel

Wed, 29 Jun 2005 12:22:00 -0700

AT&T plans CNN-style security channel

Security experts at AT&T are about to take a page from CNN’s playbook. Within the next year they plan to begin delivering a video streaming service that will carry Internet security news 24/7, according to the executive in charge of AT&T Labs.

The service, which currently goes by the codename Internet Security News Network, (ISN) is under development at AT&T Labs, but it will be offered as an additional service to the company’s customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T�s Global Networking Technology Services and AT&T Labs

ISN will look very much like Time Warner’s Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. “It’s like CNN,” he said. “When a new attack is spotted, we’ll be able to offer constant updates, monitoring, and advice.”

Given the kinds of horrible “sky is falling” coverage on mainstream media of security items in the past, perhaps this can help raise the bar?

Suspected Steganography lead to raising the terror alert in 2003

Wed, 29 Jun 2005 11:45:00 -0700

07:00

Bogus analysis led to terror alert in Dec. 2003 - Lisa Myers & the NBC Investigative Unit - MSNBC.com

WASHINGTON - Christmas 2003 became a season of terror after the federal government raised the terror alert level from yellow to orange, grimly citing credible intelligence of another assault on the United States.

“These credible sources,” announced then-Secretary of Homeland Security Tom Ridge, “suggest the possibility of attacks against the homeland around the holiday season and beyond.”

For weeks, America was on edge as security operations went into high gear. Almost 30 international flights were canceled, inconveniencing passengers flying Air France, British Air, Continental and Aero Mexico.

But senior U.S. officials now tell NBC News that the key piece of information that triggered the holiday alert was a bizarre CIA analysis, which turned out to be all wrong.

CIA analysts mistakenly thought they’d discovered a mother lode of secret al-Qaida messages. They thought they had found secret messages on Al-Jazeera, the Arabic-language television news channel, hidden in the moving text at the bottom of the screen, known as the “crawl,” where news headlines are summarized.

And the critics come out:

“I’m astonished,” says author and intelligence expert Jim Bamford, “that they would put so much credibility in such a weak source of intelligence.”

Bamford says the CIA shouldn’t be criticized for considering the theory, but that analysts should have weighed how implausible it was.

“What you have to do is judge the intelligence versus what your actions are going to be. And this is the equivalent, basically, of looking at tea leaves,” Bamford says.

I find it very interesting that steganography was the cause for raising the alert level. The article says the messages were supposedly found “in the moving text” in the “crawl”, which would seem to implicate Al-Jazeera in communicating secret messages from terrorits since they control the crawl and would presumably have authored the content. The only way they wouldn’t be implicated would be if they were to have been scrolling direct quotes from terrorists.

But is the “intelligence” applied to the “steganographic data” (flight numbers, etc.) that was “found” simply masking the fact that the CIA is resorting to numerology? Mining arbitrary data for significance where there is none, ala The Bible Code? The reference to reading “tea leaves” above is apropos…

What I’m also curious about is who leaked the information about why we raised the terror alert level? You would think that would be a national security secret–even now. Makes both the CIA and the decision makers in Homeland security look like idiots to put this information out there.

“It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt” --Mark Twain

Debunking Biometric Assumptions

Wed, 29 Jun 2005 03:48:00 -0700

Chris Hill’s biometrics thesis:

This is a very interesting development. It challenges a key assumption that people have made about biometrics:

“that stored biometrics pose no threat to their owner (if they are stolen by another party), because it is not possible to recreate the original biometric from the stored data.”

So, attackers can potentially bypass biometric systems in a couple of ways if they can compromise digital representations of biometric data (from storage or by sniffing, e.g. USB sniffer or keyboard sniffer): They can recreate new physical biometrics that will have properties indistinguishable from the original.

“I demonstrated that it is possible to recreate a biometric artefact that is equivalent to the original biometric provided to the system. This means that while a third party will not be able to generate the original biometric, they will be able to generate something that is indistinguishable from it, as far as the biometric software is concerned.”

Adam Shostack also had some additional comments on this today, pointing out the privacy implications of such a breach:

The answer is you can reconstruct fingerprints from common systems.

Daniel David Walker referred me to some work by Andy Adler, who pointed out Ross, Shah and Jain, “Towards Reconstructing Fingerprints from Minutiae Points.”[1]

[1] https://www.csee.wvu.edu/~ross/pubs/RossReconstruct_SPIE05.pdf

Some additional tidbits are on my blog at https://www.emergentchaos.com/archives/001443.html

Imagine lost biometric passports allowing the creation of counterfeit passports with “real” biometric data on them. And further imagine trying to prove that it wasn’t you who bombed that plane in Lebanon. “But we logged you going through security…and biometrics are _unique_ and _unforgeable_”. *Shiver*

Washington State Governor's Election Upheld!

Wed, 08 Jun 2005 11:39:00 -0700

The Seattle Times: Local News: Election trial dispatches

Some highlights:

Bridges: Overturning election would have meant “judicial egotism” Judge Bridges said Republicans did not meet the burden of showing “clear and convincing” proof.
“There is no evidence in this record that Ms. Gregoire received any illegal votes,” he said.
There is no evidence that the problems in King County had anything to do with “intentional misconduct or someone’s desire to manipulate the election” or “partisan bias,” the phrase Republicans used to allege wrongdoing.
“No evidence exists as to which candidate may have received a vote from the provisional ballots not associated with a registered voter.”

So, I wish I had heard what Dori Monson’s comments were about this…

A Pledge For Stem Cell Research Foes

Thu, 02 Jun 2005 03:21:00 -0700

Pandagon: A compromise I can really stand behind

This is a great idea. A lot of adult stem cell treatments may now or in the future benefit from embryonic stem cell research so these foes better hope they or their family members never get Leukemia…

In-vitro fertilization generates hundreds of thousands of embryos that are simply stored or destroyed for no gain. It is ridiculous to not allow the use of these to further cures for diseases such as cancer and diabetes.

The majority of the country cares about science and progress and healing.

Anecdotal Study Of Data Aggregator Quality

Fri, 20 May 2005 07:41:00 -0700

PrivacyActivism.org - Data Aggregators: A Study of Data Quality and Responsiveness

Results of a study conducted by PrivacyActivism show that data aggregators have significant problems with accuracy and responsiveness, potentially serious issues for an industry already under fire for massive security breaches.

100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom – and the ones who did had to wait an average of three months from the time they requested their information until they received it.

To go along with my other post on data aggregator service efficacy, another set of nails in the coffin. Keep in mind that this is anecdotal. However there was at least another study that I can’t find a reference for that found something like 80% of entries had errors.

Anyhow, more fuel to the fire from real-life experience with ChoicePoint data was the voter roll purging debacle:

The Department of State awarded a $4-million contract to Boca Raton-based Database Technologies Inc. (now ChoicePoint Inc.) to find improperly registered voters in the state’s database. Database Technologies cross-checked voter lists with federal and state databases to find illegal voters by matching names, birth dates and other characteristics.

Mistakes were rampant.

Washington State Getting Tough on Rampant Spyware Problem

Tue, 17 May 2005 11:54:00 -0700

Slashdot | Washington State Outlaws Spyware

the Governor of Washington signs a a bill outlawing spyware (bill history) which imposes penalties of $100,000 per violation.

This is a step in the right direction. I am not sure if it will be effective due to jurisdictional and technological issues with tracking, identifying, and prosecuting purveyors of spyware. The anti-spam legislation in the state and federal laws has not exactly dramatically curbed spam. But this clarification of the computer crime statutes is helpful to avoid ambiguity.

Also of interest to me now is that Washington also passed an anti-phishing law.

Identity Theft Is Okayif Done By The State

Mon, 16 May 2005 02:46:00 -0700

Ohio Agents Use Woman’s Identity in Strip-Bar Sting: Internal Affairs at Officer.com

This is absolutely unbelievable! Imagine if the state was to damage your reputation or financial status (e.g. FICO score or credit worthiness) due to the unauthorized use of your identity!

Nasal said the ploy was legal because a change in Ohio’s law the previous year aimed at curbing identity theft. The law allows police to use a person’s identity within the context of an investigation, he said.

The problem of identity theft is the persistent lack of decent capabilities in the financial industry to reliably authenticate claimed identities. I don’t have a perfect solution, but continuing with the status quo of allowing people to just claim an identity (not prove it) and then trying to keep plugging fingers in the dike to keep this information “private” (_identifying_ information that is allowed to be used as _authenticating_ information) rather than implement a real authentication solution is solving the wrong problems. And they wonder why identity theft is increasing in double-digit percentages every year…

A Message To Choicepoint Customers Just How Helpful Is The Data You Are Buying

Mon, 16 May 2005 02:24:00 -0700

The Five Most Shocking Things About the ChoicePoint Debacle - CSO Magazine - May 2005

Maybe it was the fact that this wasn’t a hack. Personal information of nearly 145,000 people wasn’t stolen from ChoicePoint. In fact, the company sold the information to inadequately vetted bogus businesses–this when the company itself helps other businesses verify cred[entials of employees or others using the data in their databank].

A great point that has been lost in a lot of the reporting. Just how useful is the service they provide when they were spoofed over 50 times by fraudulent users?

These companies always beg the question of which entities are authorized to be their customers to “legitimately” obtain this kind of sensitive data about people? What would stop me from paying to get the data on anyone they had? What criteria would they establish to prevent just anyone from getting at this data? Or, do they not care as long as you have the cash?

ChoicePoint likely would love to keep the focus on how this was just an isolated case where these 50+ users fooled them. But does it even matter that the identities were fraudulent? Would it have been okay if I signed up with my own identity and obtained information on these 145,000 people instead?

Rfid Passport Security Proposal Defeating The Purpose

Mon, 16 May 2005 02:07:00 -0700

Schneier on Security: RFID Passport Security

“The solution would require an RFID reader to provide a key or password before it could read data embedded on an RFID passport’s chip. It would also encrypt data as it’s transmitted from the chip to a reader so that no one could read the data if they intercepted it in transit.”

The devil is in the details, but this is a great idea.

I have to agree with some of the posters to Bruce Schneier’s blog that this is certainly not a “great idea”.

This seems to entirely defeat the purpose of “contactless” passport data reading. If you have to scan the passport physically, it would be more secure to forego RFID entirely and put all of the data in a contact-based reader. This would offer greater privacy protection. Of course, it doesn’t have the RFID “bling” so would be entirely rejected by technophiles.
Again, the devil is in the details, but once someone has read your key, they can now access and decrypt your passport data remotely anytime they want. What keeps those keys secure after they have been accessed? Are there going to be passport “skimming” attacks as with magstripe credit cards?
Attackers abroad can still use RFID “presence” to detect which tourists are Americans, even if they could not read the data on the passport. Thus RFID would seem to still increase risk to Americans rather than make us safer. Funny how that works with these newfangled “security” measures being imposed by the government.

Here is a related article on the government caving to privacy advocates. Feds Rethinking RFID Passport

Penguins Not On Terrorist Watch List

Mon, 16 May 2005 01:57:00 -0700

TheDenverChannel.com - Slideshow

The American public can rest easy now that these penguins have been rigorously vetted by the TSA. Someone managing the Terrorist Watch List must have recently seen one of the Batman movies. That was _just a movie_.

Ipsec Esp Protocol Flaw Discovered

Fri, 13 May 2005 08:41:00 -0700

NISCC Vulnerability Advisory IPSEC - 004033

From what I have read on this, the flaw in ESP only will affect you if you are using ESP for confidentiality protection only (no integrity check in ESP) and are relying on other layers for integrity protection (e.g. AH or the application layer). I would never recommend you configure IPSec in this manner. Confidentiality protection without integrity protection in the same layer is not very useful IMHO. And it can be dangerous, as this flaw indicates.

Intel Hypterthreading Leads To Security Bug

Fri, 13 May 2005 00:37:00 -0700

y-bug

Hyper-Threading considered harmful

This is an interesting case where a hardware flaw can be used to subvert software security.

I find it fun to ask vendors who create their own OS and processors for appliances how they ensure things such as memory page protection. I get a lot of blank stares. They often focus entirely on the macro-level security in their software and have spent little to no time addressing the basic hardware and OS-level security issues that are taken for granted by software authors.

Spam blocking update

Tue, 03 May 2005 13:52:00 -0700

So, like everyone, I get a LOT of spam. Over the past year (May 15 2004 - May 3 2005), I have received and processed a total of 120878 emails.

Here is how the mail I received breaks down:

notspam (ham): 14092 (11.7%) probably-spam: 76925 (63.6%) suspected-spam: 29154 (24.1%)

The statistics are somewhat misleading. I switched in August of 2004 to calling all mail marked over a particular spam threshold “probably spam” and suspicious mail as “suspected spam”, when before everything was “suspected spam”. So, until I do further analysis, the suspected spam pot is a bit fuller than it should be.

What this shows is that only about 12% of my email is legitimate, leaving the other 88% as mostly, well, crap. The legitimate mail will actually a bit higher because some of the mail that gets quarantined as suspected spam is actually legitimate, but not all of it. I have to look at mail that falls into the suspected spam bucket and retrain bogofilter if the mail is really spam or legitimate (in which case, I set up a new whitelist entry)

The spam solution that I have today works very well. It is a combination of a whitelist along with Bogofilter in tri-mode so that Bogofilter tags mail as either notspam, suspicious, or pretty sure it’s spam. A solution with just Bogofilter was still fairly accurate, however, false positives were unacceptable to me. Also, it is a chore to weed out the wheat from the chaffe with the volume in spam compared to the very infrequent false positives. So, a whitelist turned out to be a necessary evil to keep known legitimate mail from making it into the spambucket (which, with bogofilter, until you correct the database, can negatively impact every future spam decision)

Bogofilter relies on a 72 megabyte database of spam tokens, generated from hundreds of thousands of spam messages that I have kept since 1997 (about every single spam I have ever received from every mail account I’ve had).

False negatives used to be a problem until I got my bogofilter database properly tuned and caught many classification errors that were made that I had missed that were throwing off the classifications. My Bogofilter database is now 72 megabytes and works a lot better than the old 17 megabyte list from long ago. All in all, it is a great solution.

Another Governmental Pdf Quot Redaction Quot Blunder

Tue, 03 May 2005 12:09:00 -0700

The Washington Monthly

here’s a question: do you think the Italian computer whizzes will be any more competent than their American counterparts when they release their report? The U.S. report is full of redactions, as you can see in the picture above, but once again an American agency has used the searchable PDF format to distribute a report, and all you have to do is save the report as a text file in order to recover all the redacted parts.

The curious Will of God

Tue, 03 May 2005 11:56:00 -0700

Pat Robertson’s contradictory theology: God won … [Media Matters for America]

So, God doesn’t control the natural world around us–that just works on its own volition, according to Pat Robertson. But, “in terms of human affairs, I do think he answers prayer”. Specifically, Pat was saying that those evangelicals who are praying for bigoted, religious zealots to be placed in the supreme court could have their prayers answered and a Godly intervention, but in cases, such as the Tsunami, where God could have protected tens of thousands of human lives, God won’t get involved. Apparently human life is not a “human affair”?

God doesn’t “change the magma” or “wind currents” but he does change human minds on issues regarding the selection of US supreme court justices. Talk about a micro-manager…

Car Crunch History

Sun, 01 May 2005 07:47:00 -0700

So, within the past week, my brand new car got crunched in a parking lot while I was attending a security conference. Here are some photos:

I really did park straight…

In the distance, you can see the semi that did the damage

After the car was moved back into the spot. You can see the skid marks showing that the car was moved at least two feet.

What happened was that the truck driver (53 foot semi) had tried to take a tight right turn and the back left corner of the truck swung wide and clipped my trunk, hitting first the left tail light and continuing across, pushing the car two feet into the car in the next stall. The driver didn’t even know he had hit the car. The double skidmarks from the trailer showed that he had also gone up on the curb in the parking lot right after the trailer hit my car.

The body shop guys keep saying that the car is a novelty. Nobody has seen a trunk get destroyed so thoroughly without severe rear-end body damage. The trunk lid took the brunt of the damage.

My sister pointed out that every car I’ve owned has been hit by someone. The sordid history:

1984 Nissan Sentra: Hit & run in school parking lot the first day I drove it to high school
1988 Honda Accord Coupe: Hit & run in Redmond Town Center parking garage while at work.
1994 Toyota Pickup: Rear-ended while at a metered ramp on I-405. The other guy’s car was crunched. The truck had a great bumper and didn’t suffer any damage, fortunately.
2004 Infiniti: Hit and dragged two feet by a 53 foot Serta mattress truck

*sigh*

My brother-in-law found a Serta Sheep #86 that arrived on my doorstop unexpectedly yesterday. This is hilarious! A quote from the fictional sheep:

“Of course Serta is bad…very bad…maybe the most evil force in the whole universe.”

“In the spirit of all that is fair and just, have pity on me.”

For the record, I have no issues with the driver or Serta. I just think it’s a funny story. I haven’t been too inconvenienced. Thanks for insurance!

Funniest Error Message

Sun, 01 May 2005 07:37:00 -0700

rtfm.6o4.ca - Read The F***ing Manual Reference Library

If you go directly to this link, you will be presented with a hilarious error message, complete with apropos image. I got a kick out of this.

Since the page is a 404 now, here’s the content from archive.org:

Sorry, I couldn’t find the fucking topic you were looking for.

Reason: Why not try a topic that actually exists? Perhaps you meant one of these:

Appropriate Yet Unfortunate Commentary On The Times We Live In

Wed, 20 Apr 2005 12:28:00 -0700

Daily Howler: Coulter makes ‘’errors’’ like other scribes breathe. But store-bought John Cloud couldn’t find them

ERNSTEIN WATCHES THINGS FALL APART: Congratulations to Carl Bernstein, perhaps our frankest press bigfoot. On last evening’s Special Report, Jim Angle cited a recent speech by the Watergate worthy:

ANGLE (4/19/05): Former Washington Post reporter Carl Bernstein, who helped break the Watergate story, says journalism nowadays is squandering the public’s trust, insisting the, quote, “triumph of the idiot culture in news, particularly TV news, has weakened journalist drive for the truth.”

At a press convention in Kansas, Bernstein said, quote, “The consequences to a society that is misinformed and disinformed by the grotesque values of this idiot culture are truly perilous. For the first time in our history,” he went on, “the weird, the stupid, the coarse, the sensational and the untrue are becoming our cultural norm, even our cultural ideal.”

Reverse Surveillance

Thu, 14 Apr 2005 04:52:00 -0700

Wired News: Surveillance Works Both Ways

At this year’s Computers, Freedom and Privacy conference in Seattle, Steve Mann enlisted volunteers to film those who were filming them in local Seattle businesses. They got varied responses. I think this would be really useful in airports to monitor what the TSA does. But, I bet they would not be so happy about that.

“The totalitarian regime is the regime that would like to know everything about everyone but reveal nothing about itself”

“What I argue is that if I’m going to be held accountable for my actions that I should be allowed to record … my actions,” Mann said. “Especially if somebody else is keeping a record of my actions.”

Getting To The Root Of Id Theft Problems

Mon, 11 Apr 2005 01:50:00 -0700

There is an article on ID theft causes that has a great summary of the fundamental factors in ID theft from entities entrusted with your private data They can’t steal data you don’t have

We have observed that some of the sensitive data that gets stolen fits into one of several categories:

Data that was never needed

Data that was needed but should never have been stored

Data that was originally needed but was kept far beyond its useful life

Data that should never have been stored in an unencrypted form

At some point, the question “Did you consider not having this data” is going to become a standard part of lawsuits. If you’re an IT manager, are you planning for that day?

I had actually included these questions in a decision tree for my corporate privacy strategy. Most people go right to the “encrypt” sensitive data and don’t back up and ask these more fundamental “behavioural” questions that actually are often a) more effective at solving/eliminating the problems and b) have less drawbacks than simply “encrypt everything everywhere, but still store it”.

I’ve seen the “encrypt everything everywhere” mantra effectively require “copies of encryption keys everywhere”, which gives your corporation a false sense of security. “The data’s encrypted”, the executives say. However, if you cannot implement secure key management (you have to know that you need to do this, then have the knowledge to design the solution to be effective and manageable, then you have to be able to implement it across diverse groups who don’t all understand cryptography…), then you effectively have the keys to decrypt the data right next to each of your excessive, unnecessary encrypted copies of that sensitive data.

Beware the buzzword-compliant solution!

Loose Lips When Reporting Privacy Breaches

Fri, 08 Apr 2005 08:34:00 -0700

Computer theft may expose data on 180,000 patients - Computerworld

APRIL 08, 2005 (COMPUTERWORLD) - A San Jose-based medical practice has notified about 180,000 current and former patients about the theft of their personal information contained on two computers stolen from its offices during a burglary March 28.

And recall the other recent privacy breach due to a lost laptop:

Stolen UC Berkeley laptop exposes personal data of nearly 100,000

By MICHAEL LIEDTKE, AP Business Writer Tuesday, March 29, 2005

A thief recently walked into a University of California, Berkeley office and swiped a computer laptop containing personal information about nearly 100,000 alumni, graduate students and past applicants, highlighting a continued lack of security that has increased society’s vulnerability to identity theft.

Now, some have pointed out that the California law SB 1386 that required these organizations to disclose their privacy breaches has the unintended consequence of notifying the thieves of these laptops that there may be information on those laptops that would be worth far more than the laptops themselves–something that is probably not the primary goal of most laptop thieves. However, I actually think that with these two cases that the organizations erred in disclosing too much information about the details of the breach.

Nothing that I read into SB 1386 says that you have to say exactly HOW the breach happened. The requirement in the law is simply that you have to “notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”, where “‘breach of the security of the system’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

So, the law requires that you notify the affected parties that

a) there was a breach, or b) you have reason to believe that the affected party’s personal information was disclosed

IANAL, but do yourself a favor and be sparing with the details of your next breach.

Defeating Fingerprint Readersby Force

Thu, 07 Apr 2005 04:12:00 -0700

Carjackers swipe biometric Merc, plus owner’s finger | The Register

Carjackers swipe biometric Merc, plus owner’s finger By John Lettice Published Monday 4th April 2005 13:52 GMT

A Malaysian businessman has lost a finger to car thieves impatient to get around his Mercedes’ fingerprint security system. Accountant K Kumaran, the BBC reports, had at first been forced to start the S-class Merc, but when the carjackers wanted to start it again without having him along, they chopped off the end of his index finger with a machete.

Okay, I knew this would happen someday and this is evidence that it finally happened. Biometrics (“something you are”) should only be used as a convenient _IDENTIFICATION_ mechanism as a necessary, but not a sufficient condition for _AUTHENTICATION_ of users. This is why multi-factor authentication is still important with Biometrics so you couple the “something you are” with “something you know” or “something you have”.

Additionally, you should be wary of biometric hardware that can often be trivially fooled or, as this one, are unable to adequately tell the difference between “live” and “dead” or “not-live” biometric data. Else, you could be risking more than your security: the well-being and safety of your users.

Big Brother May Be Watching Your Wlan

Tue, 05 Apr 2005 05:04:00 -0700

The Feds can own your WLAN too : TomsNetworking :

Also a [slashdot discussion](https://hardware.slashdot.org/hardware/05/04/05/1428250.shtml?tid=193&tid=172
) of this technique, which essentially cracks WEP implementations that are vulnerable to weak keys and uses some nice “features” of some APs to get the AP to send out additional encrypted packets to improve the speed of the attack. They can crack WEP in minutes. Pretty interesting…

Quot Terri'S Law Quot Unconstitutional

Fri, 01 Apr 2005 08:53:00 -0800

At least there is some good and rationality left in the world. This is great.

Daily Kos :: Political Analysis and other daily rants on the state of the nation.

the legislative and executive branches of our government have acted in a manner demonstrably at odds with our Founding Fathers’ blueprint for the governance of a free people - our Constitution. Since I have sworn, as have they, to uphold and defend that Covenant, I must respectfully concur in the denial of the request for rehearing en banc.

Making Fun Of Schiavo Quot Protestors Quot-

Fri, 01 Apr 2005 08:45:00 -0800

quot-

This is priceless. Click on the link and look at the pictures where someone mingled with the crowd, holding a sign saying “We are idiots” for the media to see.

kill_terri: Fun at the expense of nutbag Christians

Blockbuster Busted

Tue, 29 Mar 2005 07:16:00 -0800

BLOCKBUSTER SETTLES INVESTIGATION INTO ADVERTISING FOR “NO LATE FEE” PROGRAM

For the most part, this is a good thing. It was addressed fairly quickly for one. I’m not sure that, aside from the negative publicity, that this is going to dissuade them from continuing with other deceptive practices because, according to the agreement, they do not have to do anything other than:

“Blockbuster also agreed to provide a full refund or credit to any customer who failed to return the item within the thirty day period, but who now returns it in good condition by April 28, 2005.

If the customer already has returned the item but has paid a “restocking” fee, the customer can obtain a refund of the “restocking” fee. A request for restitution must be made in writing and allege a failure to understand the “No Late Fee” program.”

So, “oops”, they just have to refund the deceptive charges and don’t have to provide any kind of other restitution.

Id Theft Targets Are Everywhere

Mon, 28 Mar 2005 08:19:00 -0800

Security no match for theater lovers

This article shows that for the promise of a $7-$10 movie ticket, you can trivially gather enough information about almost anyone to steal their identity. And this was at a security conference. I’ve seen a couple of other studies such as this with other low-value enticements work just as effectively.

Owasp Opens Seattle Chapter

Thu, 24 Mar 2005 13:35:00 -0800

Web Security Group Launches Northwest Chapter

Web Security Group Launches Northwest Chapter

The leading web application security organization, Open Web Application Security Project (OWASP), has opened a local chapter in Seattle.

I may be spending some time with this group. Glad to see more volunteer security orgs in the Seattle area! And glad to see some emphasis on application security, of course.

Their website is https://www.owasp.org/local/seattle.html

Be warned: the site looks atrocious in Firefox.

This website can read your mind

Thu, 24 Mar 2005 13:25:00 -0800

20Q.net

Select the “Think in english” link to proceed in english. This is an automated 20 questions that is very good at guessing what you are thinking of. Haven’t seen this in some time but got sent the link recently.

-J

New Bookmark 15 Megs Of Fame

Thu, 24 Mar 2005 13:16:00 -0800

I haven’t poked around too much at what is on here, but it’s supposed to carry on the torch of mp3.com for small, independent artists. Seems like a pretty cool site.

15 Megs of Fame | Artists and Fans unite!

Mobile Phone Industry Blocking Itunes Phone

Thu, 24 Mar 2005 12:45:00 -0800

Courtesy www.fiercewireless.com

If this is true, this is really sad. I know the mobile phone industry would just love to keep charging exhorbitant rates for worse-than-midi ringtones to counteract the trend of them becoming commodity carriers for wireless voice, but to go this far – hindering technology growth and restricting use of their mobile data networks – is the wrong move. It took the public Internet to launch the explosion of new technology, services, etc. The variety and growth in technology that exists on and over the Internet today would not have occurred if the only game in town was still the AOL or Compuserve network – just to offer a historical analogy.

Rumor Mill: Who is trying to kill the iTunes phone?

Motorola was supposed to launch the much-hyped iTunes phone yesterday at CeBit. The company, however, cancelled its launch at the last minute reportedly after a secret phone conversation with a carrier or carriers. Supposedly, the carrier(s) in question was not excited by the prospect of a handset that could access iTunes content, but that didn’t include them in the revenue share. So, the rumor goes, the carrier in question bascially said they would not carry the iTunes phone, forcing Motorola to pull back on its launch plans. Many claim that carriers are working to block Motorola’s iTunes phone outright in favor of their own mobile music services. Some insiders claim that carriers are more interested in owning the mobile music process and that they do not want to have to compete with Apple’s iTunes platform for revenue.

Rumor Mill: Is Motorola trying to cover up the iTunes phone story?

Motorola yesterday said that, contrary to rumors, the iTunes phone was delayed not because of carrier worries but because of issues with its partner Apple Computer. At a press conference at CTIA, Motorola’s mobile phone head, Ron Garriques, told reporters that the iTunes phone’s sudden disappearance last week at CeBit was due to differences in the two companies’ approach to marketing. Garriques blamed Apple for trying to launch the handset too soon. He claimed that Motorola delayed the device because it was not ready for the market. Garriques also added that an iTunes phone will make it to market in the second half of the year.

Insiders at CTIA dimissed Garriques’ comments, claiming that the rumors that broke at CeBit were likely the true version of the story – i.e., that carriers killed the iTunes phone because they fear Apple will dominate the mobile music market and because the iTunes phone does not support over-the-air music downloads.

See also Motorola: iTunes phone no-show due to Apple

Mimo Standards At War

Thu, 24 Mar 2005 12:42:00 -0800

Courtesy www.fiercewireless.com

Trend: New WiFi products may ignite MIMO definition war MIMO technology is very much in the news these days, and not only because of the intense fight between the two warring camps, each relying on MIMO, over the specifications of 802.11n. A soon-to-be-released MIMO-based RangeMax WLAN kit from Netgear has again caused many to ask what exactly was the meaning of MIMO. Most MIMO chips on the market now come from Airgo, but Netgear chose chips from Video54 instead, leading Airgo to charge that Netgear’s solution is not truly a MIMO product. This is not mere semantics: As the battle over MIMO-reliant 802.11n specifications intensifies, the last thing we need is to have that battle complicated further by skirmishes on the flanks over the precise definition of MIMO.

The differences between the two approaches are clear. Airgo makes the complete chipset for offerings by Belkin and Linksys. Netgear, in contrast, relies on its Atheros chips: Video54’s BeamFlex chips are merely an overlay which can add MIMO to chips from other vendors. Airgo’s products use spatial multiplexing (sending two radio signals in one channel); Netgear uses seven independent internal antennas which may be turned on and off, offering 128 routing patterns. Netgear says its technology give its products a range of 495 feet and a real throughput of up to 48 Mbps.

For more on the debate over MIMO: - see Peter Judge’s Computerworld discussion

Rip Spencer Garrett

Thu, 24 Mar 2005 12:37:00 -0800

komo news | Libertarian Congressional Candidate Dies In Skydiving Accident

This was shocking news in a year that is shaping up to be at least as bizarre as last year for me.

Spencer was one of the smartest people I have ever met, one of the best UNIX/network/tech/IT administrator gurus anywhere and a great friend to all. You will be missed.

His ISP business 2alpha will hopefully continue on with his business partners still at the helm.

SNOHOMISH - Spencer Garrett, a Libertarian candidate for Congress last fall, has died in a skydiving accident outside this town northeast of Seattle.

Instructions For Life In The New Millennium From The Dalai Lama

Thu, 24 Mar 2005 12:14:00 -0800

-lama

Earlier this year, I got a chain email containing a powerpoint (!!) that I’m not going to pass on via email, but I liked the majority of the advice so here is a transcription.

Take into account that great love and great achievements involve great risk.
When you lose, don’t lose the lesson.
Follow the three R’s: Respect for self, Respect for others, Responsibility for all your actions .
Remember that not getting what you want is sometimes a wonderful stroke of luck.
Learn the rules so you know how to break them properly.
Don’t let a little dispute injure a great friendship.
When you realize you’ve made a mistake, take immediate steps to correct it!
Spend some time alone everyday.
Open your arms to change, but don’t let go of your values.
Remember that silence is sometimes the best answer.
Live a good, honorable life. Then, when you get older and think back, you’ll be able to enjoy it a second time.
A loving atmosphere in your home is the foundation for your life.
In disagreements with loved ones, deal only with the current situation.
Don’t bring up the past.
Share your knowledge. It’s a way to achieve immortality.
Be gentle with the earth.
Once a year, go someplace you’ve never been before.
Remember that the best relationship is one in which your love for each other exceeds your need for each other.
Judge your success by what you had to give up in order to get it.
Approach love and cooking with reckless abandon.

Verisign conflict of interest opposition

Thu, 24 Mar 2005 12:08:00 -0800

07:00

ICANN Email Archives: [net-rfp-verisign]

…Verisign also operates a ‘Lawful Intercept’ service called NetDiscovery [2]. This service is provided to “… [assist] government agencies with lawful interception and subpoena requests for subscriber records [3].”

We believe that under such a service, VeriSign could be required to issue false certificates, ones _unauthorised_ by the nominal owner. Such certificates could be employed in an attack on the user’s traffic via the DNS services now under question. Further, the design of the SSL browser system includes a ‘root list’ of trusted issuers, and a breach of _any_ of these means that the protection afforded by SSL can now be bypassed.

…..

The cryptographers and security architects who designed the SSL system in 1994 and 1995 envisaged the issuer of certificates to be _trusted by the certificate owner_. This development represents the antithesis of this security requirement.

Not Issuing Driver'S Licenses To Illegal Aliens Reduces Security

Mon, 17 Jan 2005 04:21:00 -0800

U.S. Newswire : Releases : “Not Issuing Driver’s Licenses to Illegal Aliens…”

Great Site Watching Out For Stupid Religion Tricks

Wed, 12 Jan 2005 09:45:00 -0800

Retard of the Month

No disrespect meant to the disabled, but the content is priceless. Going to keep an eye on this site. Perhaps it will show up in the links section soon.

Irrational Incompetence

Wed, 12 Jan 2005 09:27:00 -0800

White House has bigger credibility problem than CBS

“What happens when you base a big project on questionable information?

Well, if you work for CBS News, you get a pink slip. If you work for George W. Bush, you get a promotion or a medal.”

Makes me sick.

-J

Welcome to Jesusland

Sun, 07 Nov 2004 05:51:00 -0800

Interesting talk on The McLaughlin Group this week about the division between the “Jesusland” parts of the country (who mostly receive more Federal $$ than they pay in, BTW) and the other “non-Jesusland” states that could give rise to a revolt over the next four years, especially if fundamentalist judge appointments appear during this second term.

The Blogging of the President: 2004: Jesusland

Strange blog spam?

Wed, 03 Nov 2004 23:23:00 -0800

07:00

I have gotten two spam blog posts (aside: so, should blog spam be called spog or splog?) recently that I can’t figure out what the person’s motivation is. They were very similar in style:

They were both posts consisting of one line of text
They both had a first name as the user name
They both included a URL that was not registered or accessible that was related to their name
They both used name-based hotmail IDs (not sure if they are even valid) for email addresses
They were both posted within just over 2 hours of each other
They both were posted to old posts
Neither had anything to do with the post itself

All of these factors lead me to conclude that they were bogus and so both were rejected.

(MT-Blacklist ROCKS, BTW!!!)

One of the comments said simply:

“Does this form work like a guestbook?”

The other said:

“First time reading this blog, just wanted to say hi.”

I could perhaps understand if the URLs they provided were valid, but otherwise, I can’t understand what these posts were trying to do. Perhaps they were just trying to see how they could slip in under the radar for future spam attacks?

Other evidence culled from the logs confirms my suspicions that these are not legit:

The first one has a user-agent of PERL’s LWP module:

69.193.88.30 - - [03/Nov/2004:13:08:11 -0800] “POST /blog-bin/mt-comments.cgi HTTP/1.1” 200 1794 “-” “libwww-perl/5.65”

Hmmm. Same thing with the next one, but from a slightly different IP and using an older LPW module:

69.193.101.102 - - [03/Nov/2004:15:23:23 -0800] “POST /blog-bin/mt-comments.cgi HTTP/1.1” 200 1794 “-” “libwww-perl/5.64”

Cspan Presidential Election Returns Map

Tue, 02 Nov 2004 09:36:00 -0800

Very cool map shows progress at-a-glance.

C-SPAN: 2004 GENERAL ELECTION RESULTS

One Thing I Agree With The President On

Mon, 01 Nov 2004 13:10:00 -0800

nt-on

The Daily Show pointed out that in a recent speech on the campaign trail, the president laid out this gem about the recent missing 380 tons of explosives in Iraq:

“The investigation is important and it’s ongoing. And a political candidate who jumps to conclusions without knowing the facts, is not a person you want as your Commander-in-Chief.”

Indeed. At least I can agree with the president on this statement. It does not apply in this context, but there is this debacle going on in Iraq…

WE NEED VOTER VERIFIABLE PAPER TRAILS!!!

Mon, 01 Nov 2004 13:09:00 -0800

To all of you who are claiming to this day that with current security knowledge and technology we can have all-electronic voting equipment and still have a meaningful recount, read this story. Un-be-freaking-leivable.

local6.com - News - 13,000 Ballots Rushed From Voting Site, Must Be Recounted

Be Prepared On Election Day Find Your Polling Place

Mon, 01 Nov 2004 11:49:00 -0800

A great site that will tell you where you should go vote and other information about your polling place. You can even get text message reminders on voting day.

MyPollingPlace.com

Be Prepared And Know Your Rights For Election Day 2004

Mon, 01 Nov 2004 01:45:00 -0800

The Rittenhouse Review: LET NO KERRY VOTER LEAVE LINE

some interesting thoughts about Election Day that are worth keeping in mind heading toward – and on – Tuesday.

Also, check out the similar information in the Voter bill of rights

Pathetic Gop Deception Tactics In Florida

Mon, 01 Nov 2004 00:34:00 -0800

Just pathetic. Amazing how the GOP will stoop to any level to try to re-elect W. From deception to outright lies on the campaign trail, to continued distortion. But I guess their end justifies the means? What kind of an America is it that you stand for again, Mr. President?

Joshuah Bearman: How They Do, Part III

The ruse, apparently, was supposed to target this church-going Democratic crowd by misrepresenting Kerry�s politics. It was a little surprising at first; but then again, that�s the only way Republicans can win: by misleading people.

Know Your Rights State Voter Leave Law Summary

Sat, 30 Oct 2004 07:37:00 -0700

Many states allow voters to take time off of work to vote. In Washington state, this allows up to 2 hours off in certain cases.

Time To Vote | Voter Leave Laws

My Award For Quot Best Adaptation Quot Goes To

Thu, 28 Oct 2004 12:59:00 -0700

Of course

is hilarious and knowing that this was the original makes the image all the more humorous.

Mosh The Vote

Wed, 27 Oct 2004 12:11:00 -0700

the politics of Mosh is a great, in-depth review of Eminem’s new video for the song “Mosh” that is now the top video at MTV. Whatever you may think of Eminem, his music is always forceful and powerful and this is no exception. The video is exquisite. You can watch it online at https://www.gnn.tv/content/eminem_mosh.html

If it rains let it rain, yea the wetter the better They ain’t gonna stop us, they can’t, we’re stronger now more then ever, They tell us no we say yea, they tell us stop we say go, Rebel with a rebel yell, raise hell we gonna let em know Stomp, push up, mush, fuck Bush, until they bring our troops home

Motherly Reasons For Opposing Bush

Wed, 27 Oct 2004 11:26:00 -0700

-bush

Yes, it makes me want to swear too.

“Seriously” 30-second ad

Missing Wmds An Impeachable Offense

Wed, 27 Oct 2004 05:08:00 -0700

Another one intended to be posted long ago, and even more interesting with the election a week away.

FindLaw’s Writ - Dean: Missing Weapons Of Mass Destruction

President George W. Bush has got a very serious problem. Before asking Congress for a Joint Resolution authorizing the use of American military forces in Iraq, he made a number of unequivocal statements about the reason the United States needed to pursue the most radical actions any nation can undertake - acts of war against another nation.

Now it is clear that many of his statements appear to be false.

….

To put it bluntly, if Bush has taken Congress and the nation into war based on bogus information, he is cooked. Manipulation or deliberate misuse of national security intelligence data, if proven, could be “a high crime” under the Constitution’s impeachment clause. It would also be a violation of federal criminal law, including the broad federal anti-conspiracy statute, which renders it a felony “to defraud the United States, or any agency thereof in any manner or for any purpose.”

The high price of bad diplomacy

Tue, 26 Oct 2004 20:51:00 -0700

Written almost 2 years ago, very poignant today.

But what about Poland? Ugh.

BW Online | March 24, 2003 | Commentary: The High Price of Bad Diplomacy

The U.S. has already lost the prewar battle over Iraq, whatever the outcome of a further U.N. vote. Even if it wins a fig-leaf majority vote in the Security Council, America will be entering its first preemptive war faced with opposition from nearly all of its allies and much of the rest of the planet. A world that rallied to America’s side in unprecedented demonstrations of support after September 11 increasingly perceives the U.S. itself as a great danger to peace. How did things come to this? The failure of the Bush Administration to manage its diplomacy is staggering, and the price paid, even if the war ends quickly, could be higher than anyone now anticipates.

Sign the Petition: Stop the Florida Tion of the 2004 election

Tue, 26 Oct 2004 20:36:00 -0700

ActForChange Petition: Stop the Florida-tion of the 2004 election

“Today, there is a new and real threat to voters, this time coming from touchscreen voting machines with no paper trails and the computerized purges of voter rolls.

Urge your friends to join SCLC President Martin Luther King III and investigative reporter Greg Palast in opposing the “Florida-tion of the 2004 Presidential election” by signing this petition.”

Memory Errors Trick Virtual Machines

Tue, 26 Oct 2004 20:33:00 -0700

Interesting paper on how to use memory errors to attack a virtual computer. The attack exploits the fact that a “time of compilation” check is not necessarily valid at “time of use.”

This happens to be the theory behind the Java ByteCode verifier. I just heard Whit Diffie talk yesterday at SecureWorld Expo about how the run-time check of the bytecode is intended to validate that proper array bounds checking is going to be done, for example.

SecuritySpace monthly reports

Tue, 26 Oct 2004 20:31:00 -0700

Monthly reports on security and non security-related items, such as analyzing SSL webserver usage, apache module usage. Very interesting. I like to see Apache having almost 80% of the market share now :-)

SecuritySpace

SSL unsafe for users?

Tue, 26 Oct 2004 20:28:00 -0700

“99% of SSL users have no idea how SSL works and consequently make informed decisions”

Browser manufacturers try to make things easy for users but end up diluting the security properties of the hierarchical trust model.

A lot of talk in recent years on the cryptography mailing list indicates that this model is too broken and perhaps should be replaced with an ad-hoc mechanism, such as the SSH model, with all web servers installing _some_ sort of certificate by default–even self-signed. The thoughts are that some confidentiality protection with reasonable MITM detection is better than so few sites supporting encryption since they don’t want to pay Verisign blood money for a “real” certificate.

You’ll notice on my site that I have always used my own cert. I should probably regenerate one that is not expired…

-—-Original Message—– From: InfoSec News [mailto:isn@c4i.org] Sent: Monday, March 24, 2003 12:39 AM To: isn@attrition.org Subject: Re: [ISN] Is SSL safe?

Forwarded from: Kurt Seifried

None of this really matters because 99% of SSL users have no idea how SSL works and consequently can’t make informed decisions when faced with attacks such as:

Older SSL clients that don’t check certificate constraints, i.e. CAN-2002-0828, CAN-2002-0862, CAN-2002-0970, CAN-2002-1183, CAN-2002-1407 and so on. If you don’t understand what this sentance means you are potentially vulnerable. I have yet to see a GOOD plain english description of this problem that my mother would understand.

Verifying certificates that are out of date or issued to the wrong common name (i.e. hostname). This happens a lot, my web based banking provider (one of the big 4 banks in Canada) used an out of date SSL certificate for about a week last year. Perhaps an insider attack at work, perhaps an innocent mistake, I never got an answer out of them.

Verifying that certificates are issued from a trusted provider. Most common web based SSL clients (like Netscape, IE) have over 100 root certificates. Have you ever heard of “Certisign Certificadora Digital Ltda.” (doesn’t expire until 2018) or “IPS SERVIDORES” (good until 2009). It seems to me that an intelligent criminal could subvert one of these small firms (hostile takeover, get employed there, etc.) and then have a grand old time issuing certificates to themselves.

The eternal “who cares about SSL” argument, web servers and back end infrastructure is so poorly secured that most times an attacker can spend a week breaking in and get a few (tens, hundreds, etc.) of thousands of credit cards with all the personal data in one fell swoop. This applies less so against “secure” corporate/gov/mil/etc infrastructure like SSL encrypted POP email, against which targeted SSL attacks are useful (to gain a password to gain further access, etc.).

All the old old stuff I covered in:

https://seifried.org/security/cryptography/20011108-end-of-ssl-ssh.html

and

https://seifried.org/security/cryptography/20011108-sslssh-followup.html

Which still largely applies. *SIGH*.

Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 https://seifried.org/security/

History Of Buffer Overflow Protection

Tue, 26 Oct 2004 20:24:00 -0700

A great (old) post to Risks 22.74 about the past issues with designing solutions to buffer overflows in hardware. Also, a link to a paper describing the history of these efforts that I’ll be looking to check out.

Crispan was just spotted at SecureWorld Expo in Seattle today…

-Jason

-————— Date: Sat, 10 May 2003 19:19:12 -0700 From: Crispin Cowan Subject: Re: OpenBSD … protects against buffer-overflow … (Ardley, R 22.72)

>What is not so apparent is why technology that was developed and >operating over 30 years ago is just being re-invented in software.

Because what was developed in operating systems over 30 years ago was use of heavily segmented architectures. Over 20 years ago (the Intel 432) it was discovered (the hard way) that such architectures run horribly slowly compared to RISC architectures. Since the debacle of the 432, even CISC processors such as the x86 have migrated towards RISC style instruction processing.

What OpenBSD is implementing is a variety of software schemes to make up

for the lack of hardware protection for array bounds. Some of these schemes (Openwall’s non-executable stack) are performance neutral: just mark the stack segment non-executable. Some (ProPolice, a re-implementation of StackGuard ) are very cheap , much cheaper than enforcing memory safety in hardware.

Unfortunately, one of these enhancements (W^X) is not so cheap. Here, they try to make all writable pages non-executable, and vice versa. This

is problematic on the x86 architecture because waaaay back in the day, Intel decided that memory pages did not need separate Read and Execute permission bits in the TLB (only segments have separate R and X bits, not pages). The W^X hack has to do a lot of work with TLB faults to compensate for this simple omission.

>The Burroughs 6700 implemented a hardware solution to the problem by >assigning 3 bits of very 51 bit memory location to the type of data >contained.

The 432 did something similar, and the performance penalty was astronomical. For a survey of buffer overflow attacks and defenses, check out these papers:

“Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”. Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. DARPA Information Survivability Conference and Expo (DISCEX) https://schafercorp-ballston.com/discex/, Hilton Head Island SC, January 2000. Also presented as an invited talk at SANS 2000 https://www.sans.org/sans2000/sans2000.htm, Orlando FL, March 2000. PDF https://immunix.com/%7Ecrispin/discex00.pdf.

“Software Security for Open Source Systems”. Crispin Cowan. IEEE Security & Privacy Magazine https://www.computer.org/security/, February 2003, Volume 1, Number 1 https://www.computer.org/security/sp2003/j1toc.htm?SMSESSION=NO, pages 35-48. PDF https://wirex.com/%7Ecrispin/opensource_security_survey.pdf.

Crispin Cowan, Ph.D., Chief Scientist, Immunix https://immunix.com https://immunix.com/~crispin/ https://www.immunix.com/shop/

Pki'Not Working 39-

Tue, 26 Oct 2004 20:22:00 -0700

I still run into people who believe that PKI is a viable end-user authentication solution for the masses. My favorite were the systems that tried to solve the certificate portability problem by allowing download of certs from a website – with only a password! The vendor couldn’t see that it was no more secure than the password itself. Another case of “But this one goes to 11”.

-J

PKI ’not working’

The e-envoy’s office has started searching for new ways to authenticate the users of e-services as existing technology is “not working”, a senior UK Government official revealed on 11 June 2003.

Although PKI (public key infrastructure) and digital certificate technology has played a major role in leading projects such as the Government Gateway, there is now growing recognition that it is unsuited for wider public use.

While digital certificates would not be scrapped, and would be retained as an option for e-service users, one possible alternative being suggested is that employers, banks, the voluntary sector and other “trusted organisations” would verify a person’s identity before transacting online for services.

Crying'Security 39-

Tue, 26 Oct 2004 20:14:00 -0700

And now candidates are crying “security” to win elections… It works on both sides apparently.

-J

WSJ.com - Companies Cry ‘Security’ to Get A Break From the Government

In Kansas, utilities want to raise rates without having to tell their customers why. Elsewhere, grocers and mall owners seek tax breaks for equipment purchases. And at sports arenas, teams want to keep banner-trailing planes away from their stadiums.

Sept. 11 to the rescue.

Across America, special-interest groups are using the threat of terrorism to help them get what they want from elected officials. In framing their requests as being in the interests of national security, these groups are benefiting from lawmakers’ fear of another terrorist attack in the U.S.

Maher Arar Releases Details On How The Us Sent Him To Syria To Be Tortured

Tue, 26 Oct 2004 20:07:00 -0700

An update to this story: As of Sept 2004, a heavily-redacted report was released that reportedly found fault with some of the RCMP’s handling of the case, but, according to the CBC timeline, claims that the RCMP did not know that the US was planning to arrest and deport him to Syria.

“Prime Minister Jean Chr�en tells the House of Commons that the U.S. government’s deportation of a Canadian to Syria was “unacceptable,” but he is adamant that he will not allow an independent inquiry into the case of Maher Arar. He says his government has asked U.S. Secretary of State Colin Powell for an explanation and that the government also wants to find out whether Canadian intelligence officials played a role in the deportation of Arar.”

National Story - canada.com network

Wikipedia: Maher Arar

CBC News: Maher Arar Timeline

Homeland Security Measures Ignore Fiscal Responsibility

Tue, 26 Oct 2004 19:58:00 -0700

Catching up on draft postings, this is one that is very timely today, although it was originally penned over a year ago.

-J

Message: 6 Date: Sat, 20 Sep 2003 14:26:14 -0800 From: “Rob, grandpa of Ryan, Trevor, Devon & Hannah” Subject: Cost/benefit

In commenting on yet another pointless “homeland security” proposal, the INFOCON mailing list passed along this quote:

“The number one threat to American national security during this long war is neither anthrax nor truck bombs . it is uncontrolled spending. We cannot afford to put guards on every bridge and at every critical node of our infrastructure. We cannot afford a sophisticated chemical and biodetector in every government building. America cannot afford a risk-free society in a world of global terrorism. The enemy’s strategy is to destroy our economy. We must not facilitate their efforts. America will need to spend considerable sums of money to ensure our security . but we must do it wisely . there will be no money to waste on irrational fear and unconscionable pork. We must develop a strategic plan to guide our efforts. This must include federal, state and local governments, plus the private sector. Since 9-11, more than 130 bills regarding homeland security have been introduced in the House of Representatives. This is not the example of spending based on a strategic plan.

“The outcome of this war will determine the type of nation our grandchild will know. I do not want that to be a nation that is bankrupt.”

Randall Larsen, Director, ANSER Institute for Homeland Security, at the National Defense University Symposium on Quadrennial Defense Review 2001

====================== (quote inserted randomly by Pegasus Mailer) rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu Allowing an unimportant mistake to pass without comment is a wonderful social grace. - Judith Martin https://victoria.tc.ca/techrev or https://sun.soci.niu.edu/~rslade

Find Your Elected Officials By Zip

Tue, 26 Oct 2004 19:42:00 -0700

This is a great site that will show you who your legislators are by submitting your 9 digit zip + 4.

Project Vote Smart

Quot Votergate Quot Film Premiers Today Online

Tue, 26 Oct 2004 19:07:00 -0700

If you have fond memories of recounts from the 2000 election–I know I do!–then you need to see this film. The 2004 election is going to be _worse_ because of the explosion of electronic voting machines that do not produce a Voter Verifiable Paper Ballot. Without a non-electronic storage mechanism for recording official vote tallies, there will be NO WAY TO HAVE A MEANINGFUL VOTE RECOUNT.

Votergate is the investigative documentary feature film uncovering the truth about new computer voting systems, which allow a few powerful corporations to record our votes in secret. But Votergate is not just a warning. The film strongly concludes that elections are harder to defraud when voters turn out in big numbers.

Votergate will continue filming through the Nov. 2nd election and release a 90 minute feature film / DVD. This 30 minute Special Edition is designed specifically to help viewers navigate past the fear and spin being thrown at this critical issue.

…

Every American who cares about democracy must see this film before the election! These filmmakers decided to create a 30 minute “Special Edition” of their feature film as a free public service to get this information out to the public - in time for the Presidential election and it premiers OCTOBER 26, 2004 online at (www.votergate.TV).

Critics of these e-voting systems protest that the machines are not transparent to the voters and provide no paper ballot/receipt or any way to do a meaningful recount. But Votergate is not just a warning, the film strongly concludes that elections are harder to defraud when voters turn out in big numbers. Just as public interest and news about these election issues are exploding, the Votergate Special Edition is the must-see film that educates citizens about how to keenly observe, question and protect the process on Election Day!

Back In The Saddle

Tue, 26 Oct 2004 13:00:00 -0700

Well, this site has gone stagnant for almost a year now for reasons that I’d rather not go into.

But that’s not the important thing–it’s back online, on superfast hardware now, and should get more regular updates.

Hope you enjoy!

Reducing Your Exposure Running Dvarchive On Linux

Tue, 18 Nov 2003 10:19:00 -0800

I recently got a ReplayTV 5040 for a steal on closeout at buy.com and just love it. One of the most attractive features is how it is network-aware by default and that the community has created some great free software for integrating with it. I have been using DVArchive to expand the capacity for recording without having to violate my ReplayTV warranty by hacking the hardware. DVArchive enables your PC to act as a software-based ReplayTV unit for replay, archival, vending photos, as well as playing recorded mpegs remotely on your PC.

However, I was horrified at the suggestion in the DVArchive FAQ that on UNIX “you must launch DVArchive as root” if you want to enable the functionality that allows serving shows back to your ReplayTV, or to other DVArchive programs running on your network. The real reason for this is that DVArchive (due to inflexible ReplayTV design) must bind to port 80 for ReplayTV units to access the HTTP server there that vends out the mpeg files. And to do this, you normally have to be root.

Well, you could just use sudo or worse, log in as root and run DVArchive as root. But, being a security person, this was not a pleasing thought.

So, I came up with a better way that runs DVArchive as an unprivileged user on the system. I do this by using port forwarding to forward connections to port 80 up to an alternate, unprivileged high port.

Fortunately, DVArchive allows you to specify a different TCP port to listen to instead of port 80. Now, it will bark at you that what you are doing is probably going to prevent ReplayTV units from accessing files on your DVArchive server but you can safely ignore these because you’ve got port forwarding up your sleeve.

Set that port to some open high TCP port under File -> DVArchive Properties… -> Server by changing the “Server Port” setting. I used 13198 in this example and in the attached startup script.
Install the attached startup script (see the Extended Entry text for the full script) as root to /etc/rc.d/init.d/dvarchiveforward
Edit dvarchiveforward and change MYIP to point to your IP address of your DVArchive server and change the IPTABLES binary location, if necessary.
On a RedHat 7.x - 9 system (or any other that has chkconfig) you can active this script at boot time by running (still as root): /sbin/chkconfig –add dvarchiveforward
You can then check to make sure that this script was activated by running: /sbin/chkconfig –list dvarchiveforward You should see output like:

dvarchiveforward 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Now, start this script so you don’t have to wait for a reboot for it to work:

/sbin/service dvarchiveforward start

Check to see that the port forwarding entries were inserted correctly

/sbin/iptables -t nat -L

Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp – anywhere yourhostname tcp dpt:http to:192.168.1.1:13198

Chain POSTROUTING (policy ACCEPT) target prot opt source destination

Chain OUTPUT (policy ACCEPT) target prot opt source destination DNAT tcp – anywhere yourhostname tcp dpt:http to:192.168.1.1:13198

Now, you can try accessing archived shows on your DVArchive server from your ReplayTV. All should work just fine.

Here is the /etc/rc.d/init.d/dvarchiveforward script:

 
#!/bin/sh 
\# dvarchiveforward -- script to enable port forwarding so that I can run DVArchive as 
\# a non-privileged user. Why doesn't firestarter let you do this kind of portfw 
? 
\# chkconfig: 2345 06 95 
\# description: DVArchive port forward script by Jason Axley 

export IPTABLES=/sbin/iptables 
export MYIP=192.168.1.1 
export MYPORT=13198 
case "$1" in 
start) 
\# This forwards local port 13198 to port 80 so that we don't have to run 
\# DVArchive as root to bind to port 80! 
\# doing this below doesn't work for connecting to localhost. Use the other entries instead 
#$IPTABLES -t nat -A OUTPUT -d $MYIP -p tcp --dport 80 -j REDIRECT --to-ports $MYPORT 
#$IPTABLES -t nat -A PREROUTING -d $MYIP -p tcp --dport 80 -j REDIRECT --to-port 
s $MYPORT 
$IPTABLES -A PREROUTING -t nat -p tcp -d $MYIP --dport 80 -j DNAT --to $MYIP:$MYPORT 
$IPTABLES -A OUTPUT -t nat -p tcp -d $MYIP --dport 80 -j DNAT --to $MYIP:$MYPORT 
break; 
;; 
stop) 
$IPTABLES -t nat -F 
$IPTABLES -t nat -X 
break; 
;; 
reload) 
$0 stop; 
$0 start; 
break; 
;; 
\*) 
echo "Usage: $0 {start | stop | reload}" 
exit 1 
;; 
esac

Sony Style Warning needs a Warning?

Sat, 30 Aug 2003 16:18:00 -0700

Within the past month or so, I received a warning from Sony about fraudulent e-mails claiming to be from Sony but that actually were not. The deceptive e-mails were designed to lure Sony customers into divulging personal information at a fake Sony site. It “falsely indicates that it is from SonyStyle.com” and “includes a link to a bogus SonyStyle.com registration site”

So, I was shocked to notice that the e-mail from Sony that was supposedly warning about deceptive e-mails and URLs was itself guilty of using apparently deceptive or “fraudulent” URLs!

Within the text, it contained a couple of URLs that, in the HTML version of the e-mail, deceptively show up as www.sonystyle.com, but in fact pointed to some other site at m0.net. Here is one of the deceptive URLs from Sony:

https://news.sonystyle.m0.net/m/S.asp?HB9483736521X2571692X218821X

Not to mention that the From address of the e-mail was also from the same site: sonystyle@news.sonystyle.m0.net

Should you trust the warning e-mail? Sure. The contents are benign enough. Just think twice about clicking those links or replying to the e-mail! Sony is surely using a company to send out the mass e-mailings and to track the “click-through” responses, but that seems like a pretty poor choice in this context!

Fox Not Quot Fair Amp Balanced Quot In First Amendment Treatment

Fri, 29 Aug 2003 06:36:00 -0700

This is such a great line.

In Courtroom, Laughter at Fox and a Victory for Al Franken

Judge Chin said the case was an easy one, and chided Fox for bringing its complaint to court. The judge said, “Of course, it is ironic that a media company that should be fighting for the First Amendment is trying to undermine it.”

You can buy the book here:

SPAM filter comparisons

Sat, 23 Aug 2003 06:05:00 -0700

SPAM is a truly egregious problem. This article does some analysis of popular spam filtering software. It is no surprise to me that signature-based programs tend to have slightly higher false positive rates and that Bayesian filters work best when trained properly, and have low or zero false positive rates.

I use bogofilter and have a corpus of thousands of spam messages that I have received, going back 6 or more years. It works great. I don’t have to keep checking my spam bucket for false positives all the time and occasionally have to retrain if I get a false negative but online life is much better than before bogofilter. I was constantly having to scan through the spam bucket to pick out false positives.

freshmeat.net: Category Reviews - Spam Filters

Openldapopenssl Stupidity

Mon, 18 Aug 2003 15:51:00 -0700

Sorry for not keeping up. Been enjoying the summer too much!

Anyhow, I thought that my experience in trying to get openLDAP 2.0.x working with TLS would be of interest to someone because the solution was so orthogonal it is unbelievable.

I have working OpenLDAP servers with TLS on two other machines so was baffled when I tried /etc/rc.d/init.d/ldap start and got [FAILED] with a very similar configuration to the others. Permissions on the TLS files are very finicky so I tried tweaking those–but nothing was working. I tried strace on the slapd binary but that did not offer any clues. I was able to get it to work by running slapd in debug mode on the command line, but in that mode it was ignoring the -u ldap so was running as root. So that told me there was some sort of permissions problem. But where?

Setting up syslog for openldap (not on by default, unfortunately) indicated these errors in the syslog logfile:

 
Aug 18 22:07:21 funhouse slapd\[29220\]: daemon: socket() failed errno=97 (Address family not supported by protocol) 
Aug 18 22:07:21 funhouse slapd\[29220\]: daemon: socket() failed errno=97 (Address family not supported by protocol) 
Aug 18 22:07:21 funhouse slapd\[29220\]: main: TLS init def ctx failed: 0 
Aug 18 22:07:21 funhouse slapd\[29220\]: slapd stopped. 
Aug 18 22:07:21 funhouse slapd\[29220\]: connections\_destroy: nothing to destroy.

Hmmm. Not too helpful. I googled on these messages and didn’t find a thing that helped. I tried all kinds of permissions tweaking to no avail. Adding SLAPD_OPTIONS="-d 6" to /etc/sysconfig/ldap offered up these gems of wisdom:

 
TLS: could not load verify locations (file:\`/etc/openldap/ssl/cert/cacert.pem',dir:\`'). 
TLS: error:0200100D:system library:fopen:Permission denied bss\_file.c:104 
TLS: error:2006D002:BIO routines:BIO\_new\_file:system lib bss\_file.c:106 
TLS: error:0E064002:configuration file routines:CONF\_load:system lib conf\_lib.c:91 
TLS: error:0906D06C:PEM routines:PEM\_read\_bio:no start line pem\_lib.c:662 
TLS: error:0B084009:x509 certificate routines:X509\_load\_cert\_crl\_file:missing asn1 eos by\_file.c:284 
main: TLS init def ctx failed: 0 
slapd shutdown: freeing system resources. 
slapd stopped. 
connections\_destroy: nothing to destroy. 
\[FAILED\]

WTF? So it looks like some permissions problem with /etc/openldap/ssl/cert/cacert.pem. But that file is world-readable. Does openLDAP think that it needs write perms to that file? Okay–wish granted. Nothing. What finally turned me onto the final solution was the last line “X509_load_cert_crl_file…” The OpenSSL library is trying to find a CRL file. Why would it be having trouble (I don’t have a CRL for my CA)? Poking around /usr/share/ssl I noticed that openssl.cnf is not world-readable. Well, I knew that. But most things that need it start as root and then drop privs and it hasn’t been a problem. Let’s just for the heck of it chmod 644 the file and try again.

 
\# /etc/rc.d/init.d/ldap start 
Starting slapd: \[ OK \]

You have got to be kidding me?!?! openssl.cnf must be readable by the ldap user! None of the log messages indicated this. You would think that there would be an fopen() call that would fail in trying to open this file… Well, there is. Looking at the strace output I find:

 
open("/usr/share/ssl/openssl.cnf", O\_RDONLY) = -1 EACCES (Permission denied) 
getpid() = 11271 
getpid() = 11271 
getpid() = 11271 
getpid() = 11271 
open("/etc/openldap/ssl/cert/cacert.pem", O\_RDONLY) = 7 
fstat64(7, {st\_mode=S\_IFREG|0644, st\_size=3607, ...}) = 0 
old\_mmap(NULL, 4096, PROT\_READ|PROT\_WRITE, MAP\_PRIVATE|MAP\_ANONYMOUS, -1, 0) = 0 
x40377000 
read(7, "Certificate:\\n Data:\\n V"..., 4096) = 3607

The fact that openLDAP kept trucking along after failing to open what appears for it to be a critical file diverted attention away from the real reason it would not start!

Best Buy Hoax Notification

Fri, 20 Jun 2003 04:52:00 -0700

Here is an excerpt from an e-mail I got today. If you ever get e-mail purportedly from a company that asks for you to divulge personal information, there is a high likelihood that it is one of the many social engineering attacks running around. Popular ones try to snag AOL and eBay/Pay Pal users. Be wary of what e-mails and Internet sites you trust your personal information to!!

IMPORTANT: E-MAIL HOAX NOTIFICATION

Late Wednesday afternoon, June 18, 2003, Best Buy became aware of an unauthorized and deceptive e-mail to consumers titled “Fraud Alert.” That e-mail message, which requested personal information (i.e., social security and credit card numbers), claimed to come from the BestBuy.com Fraud Department. That message was NOT from Best Buy or any of our affiliates.

Best Buy is working with the appropriate law enforcement authorities to quickly resolve the situation. We are working to shut down sites affiliated with that unauthorized e-mail and Best Buy will work with law enforcement authorities to prosecute any perpetrators involved in this illegal act to the fullest extent of the law. If you replied to the fraudulent e-mail in any way, contact your bank and/or credit card companies immediately.

No Best Buy systems have been compromised, and our online business is secure. The privacy of your personal information is of the utmost importance to Best Buy and any information you provide to us is handled according to our Privacy Policy.

Wal Mart poised to dominate online DVD rental space

Wed, 18 Jun 2003 03:10:00 -0700

This does not look good for Netflix, which is too bad. They have been a great service.

Excite News

After a seven-month trial, Wal-Mart Stores Inc. has begun full-scale operations in its online DVD rental business, hoping to catch up with market leader Netflix Inc. (NFLX)

Customers order the movies online. Wal-Mart sends them from six distribution points, reaching 90 percent of the nation within two days, the company says.

Copyright Conundrum Q Amp A On Quot Digital Copyright Quot Issues

Thu, 12 Jun 2003 03:29:00 -0700

Good stuff to refer to from Lawrence Lessig.

Online NewsHour: Forum – Copyright Conundrum

Doj Inspector General Criticizes Doj For Treatment Of Immigrant Detainees

Sat, 07 Jun 2003 04:54:00 -0700

Courtesy of EPIC Alert 10.10. https://www.epic.org

====================================================================== [3] Inspector General Criticizes DOJ on September 11 Detainees ======================================================================

The Inspector General of the Department of Justice has released a 198-page report examining the treatment of people who were held on immigration charges in connection with the investigation of the September 11, 2001 terrorist attacks. The report details how the Justice Department used federal immigration laws to detain 762 persons, mostly of Arab or South Asian origin, who were suspected of having ties to the attacks or connections to terrorism, or who were simply encountered during the course of the FBI’s inquiry into the attacks. The report highlights serious problems with the round-up and treatment of the 762 detainees, including arbitrary detentions, prolonged detentions, restrictive detention conditions, and in some instances physical and verbal abuse. The Office of Inspector General is an independent internal investigation unit within the Justice Department.

The report, instigated by media reports and reports from human rights organizations, paints a picture of chaos immediately following the attacks, followed by a long period of negligence that left detainees in administrative limbo. Only after details of the abusive treatment emerged in the press did the Department begin to process the detainees more quickly in January 2002. DOJ has not apologized for its actions, but instead has taken the position that the crisis atmosphere immediately after September 11, and the fact that all the persons detained were in technical violation of immigration laws, makes it “unfair to criticize the conduct” of Department officials. The Department spokesperson said that, “We make no apologies for finding every legal way possible to protect the American public from further terrorist attacks.” EPIC and a coalition of public interest groups is litigating under the Freedom of Information Act to require disclosure of the names of the detainees; the case is now pending before the D.C. Circuit Court of Appeals.

According to the report, the Justice Department instituted a “no bond” policy for all detainees connected to the terrorism probe after the attacks – even though immigration officials quickly questioned the policy’s legality. Without bail, terrorism suspects remained in jail for an average of nearly three months, much longer than the FBI projected before it cleared most of them for release, the report said. In addition, detainees faced monumental difficulties and weeks of delay before they were allowed to make phone calls and find lawyers. Some were kept for months in cells illuminated 24 hours a day and were escorted in handcuffs, leg irons and waist chains. Most of the detainees were eventually found to have no connection to the terrorist attacks.

The September 11 Detainees Report, Office of Inspector General:

https://www.usdoj.gov/oig/special/0603/full.pdf

CNSS/EPIC v. Department of Justice (detainee FOIA case):

https://www.epic.org/open_gov/foia/cnss_v_doj.html

Anonymity Bibliography

Tue, 03 Jun 2003 01:38:00 -0700

If you are interested in research into the field of anonymity, check this site out.

The “goal is to set up something we can point at for people new to the field [anonymity] (and most of us are still new to the field, it seems), so they know which papers to look at to get up to speed. The ones I particularly recommend have boxes around them.”

Anonymity Bibliography

Out For Dinner Mathematics

Mon, 02 Jun 2003 16:07:00 -0700

This is very interesting. Supposedly only works in 2003. Anyone have the mathematical basis for this? I have a whole book with cool calculator games somewhere…

-Jason

#######################################

DON’T CHEAT BY SCROLLING DOWN FIRST

It takes less than a minute…….

Work this out as you read.

Be sure you don’t read the bottom until you’ve worked it out!

This is not one of those waste of time things, it’s fun.

1. First of all, pick the number of times a week that you would like to have dinner out. (try for more than once but less than 10)

2. Multiply this number by 2 (Just to be bold)

3. Add 5. (for Sunday)

4. Multiply it by 50 - I’ll wait while you get the calculator…………….

5. If you have already had your birthday this year add 1753…. If you haven’t, add 1752……….

6.. Now subtract the four digit year that you were born.

You should have a three digit number .

The first digit of this was your original number

(I.e., how many times you want to have eat out each week.)

The next two numbers are…

YOUR AGE! (Oh YES, it IS!!!!!)

THIS IS THE ONLY YEAR (2003) IT WILL EVER WORK, SO SPREAD IT AROUND WHILE IT LASTS. IMPRESSIVE, ISN’T IT? ============================================

Cert Needs To Plug Leak

Mon, 02 Jun 2003 16:01:00 -0700

Confidential bug report gets sent to CERT.
CERT sends it out to their advanced ISA (Internet Security Alliance: pay for early warning) group (Jericho calls “a vulnerability cartel)
The bug report is leaked out to the public, perhaps by an ISA member who was either compromised (if so, they would need more than CERT to help them…) or purposefully leaked it out

Jericho’s comments on the ISN list were classic, especially:

“> CERT representatives declined to say when the organization planned > to release official versions of the leaked advisories.

Even with leaked draft copies, CERT still can’t release anything ontime. Go figure.”

Wired News: Leaked Bug Alerts Cause a Stir

Danger And Absurdity Of The Tsa No Fly List

Mon, 02 Jun 2003 15:53:00 -0700

John Gilmore points out how to have fun with bomb scanners by using hand lotion with Glycerine, or at least points out how easily such expensive equipment can be rendered useless. If equipment has any significant number of false-positives, be sure that it, or procedures, will tune out any hope of finding a real needle in the haystack.

Also, if you notice an “S” on your boarding pass, prepare for extra scrutiny at the airport. The TSA believes, based on often erroneous matching, that you are a member of its “Selectee” list of people who need additional security measures.

Be sure to check out EPIC’s site, “Documents Show Errors in TSA’s “No-Fly” Watchlist”

-—-Original Message—– From: John Gilmore [mailto:gnu@toad.com] Sent: Sunday, May 18, 2003 3:25 PM To: Jason C Axley Exchange Subject: Re: The War on David Nelson

> > … people who want to see if their name is on either list or who > > want to make a complaint, can call the agency’s contact center at > > 866-289-9673 or send an e-mail to TellTSA@tsa.dot.gov. > > Since this inquiry will no doubt result in a listing where none previously > existed, I would suggest that everyone reading this make an inquiry - > *especially* those of us with very common names. Let the system break under > it’s own weight.

If you want to break the system under its own weight, I also suggest using lots of “Kiss My Face” honey scented hand cream. Someone recently told me setting off the nitrogylcerin censors (oops, I mean sensors) at that spot where they wipe down your bag with little pads and then put them through a quick chemical analysis. When she set it off, they went down a checklist of “Did you do X recently?” until they got to “Did you put on hand cream recently?” They let her through, of course; you probably can’t blow up an airplane with hand cream. The problem was with their sensorship, not with her.

If even 1% of travelers refused to show an ID, the system would also break down under its own weight. Do your part. There is no law or regulation that requires you to show ID. You are all being sheep for violating your own privacy, for no reason, when ordered by people who have no authority. Demand that they show you such a law, and refuse to show ID until they identify one. As you go up the chain of command, you will find that you have the option to be searched rather than show an ID. In regimes where the laws are secret, the only way to find out what the law is, is to not follow orders.

John

PS: I doubt that sending a complaint to TSA results in them adding you to the no-fly list. It’s random and arbitrary, but not THAT random and arbitrary. If you want to see the complaints of some of the ordinary people who TSA mousetraps every single time they enter an airport, (not just the David Nelsons), check EPIC’s FOIA results. The dozens of complaints forwarded via Congresspeople are well worth reading:

https://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

-——————————————————————– The Cryptography Mailing List Unsubscribe by sending “unsubscribe cryptography” to majordomo@metzdowd.com

Is The Price Right For Your Freedom

Mon, 02 Jun 2003 15:41:00 -0700

How do you measure a cost-benefit for the new security measures or of your liberty? It is hard to even come up with a causal link from the “increased” security measures (ask me about the absurd experience I had in LAX…) to increased safety, let alone quantifying such a benefit.

There is also a discussion at https://www.plastic.com/article.html;sid=03/03/12/06265215;cmt=42

NYTimes.com Abstract

In an unusual twist on cost-benefit analysis, an economic tool that conservatives have often used to attack environmental regulation, top advisers to President Bush want to weigh the benefits of tighter domestic security against the ‘‘costs’’ of lost privacy and freedom.

Secure programming in UNIX HOWTO

Mon, 02 Jun 2003 15:30:00 -0700

David Wheeler has put together a set of design and implementation guidelines for programming securely in several languages. The document is actually in a ton of different formats, even ones suitable for Wireless devices. So, take yours with you and learn it well!

Secure Programming for Linux and Unix HOWTO

There is also a set of overview slides that are definitely worth a look.

Aclu Dmca Case Against N2h2 Is A Loss For Freedom

Mon, 02 Jun 2003 15:23:00 -0700

This is a very disturbing development and more reason why the DMCA has a chilling effect on speech and freedom to do legitimate research.

“*RESEARCHER, ACLU LOSE DMCA CASE

N2H2 Inc. can use the Digital Millennium Copyright Act (DMCA) to stop a researcher from attempting to reverse engineer its Web filtering product, a judge ruled last week.

Harvard Law student Benjamin Edelman says he wants to crack the filtering tools to test them. Edelman planned to hack into N2H2�s cryptography-protected list of filter parameters, but, fearing prosecution, sought court protection. Edelman and the ACLU believe filters, used at libraries and schools, limit free speech.

In a written decision, U.S. District Judge Richard Stearns found “no plausibly protected constitutional interest� that would overcome �N2H2’s right to protect its copyrighted property from invasive and destructive trespass.”

N2H2 didn�t respond to requests for comment. Edelman says no decision has been made on appealing, but adds that N2H2�s public list of filtered sites isn�t enough for rigorous testing.

�Suppose you wanted to know which .gov sites are classified as pornography. Or to see what sites N2H2 calls pornography this week, that last week were not,� he says. �N2H2’s online database site would not allow any of these kinds of research, but you can see why it would be important.�”

Bid to Expose Porn Filters Loses

https://cyber.law.harvard.edu/people/edelman/edelman-v-n2h2

https://cyber.law.harvard.edu/people/edelman/edelman-v-n2h2/order-040703.pdf

Quot Us Gov'T Blindly Trusts The Antivirus Industry Quot-

Mon, 02 Jun 2003 15:15:00 -0700

I love the quote below and the 15 claims about how shady the Antivirus industry is are great, especially #7, “expect applause when you release hundreds of security patches for your product each year;”

Vmyths.com- Truth About Computer Virus Myths & Hoaxes

“The Pentagon should not protect a weapon system with software written by people they’d never trust. Yet they do.”

Low Bandwidth Application Dos Attacks

Mon, 02 Jun 2003 11:25:00 -0700

Interesting work and something that I can’t seem to get many people to pay attention to. Not all DoS attacks are bandwidth exhaustion attacks. DoS attacks can be thought of generically as resource exhaustion or suppression attacks. This does not necessarily require using a large amount of bandwidth.

The traditional thoughts on DoS attacks cause people to believe that normal modes of monitoring systems will catch DoS attacks early just because it would be hard to not notice such brazen resource consumption. However, low-flying attacks could possibly cause DoS attacks that are more difficult to detect without finer-grained application-level monitoring than is often employed.

This work documents attacks on the complexity of applications themselves to cause DoS.

Denial of Service via Algorithmic Complexity Attacks

We present a new class of low-bandwidth denial of service attacks that exploit algorithmic deficiencies in many common applications’ data structures. Frequently used data structures have ``average-case’’ expected running time that’s far more efficient than the worst case. For example, both binary trees and hash tables can degenerate to linked lists with carefully chosen input. We show how an attacker can effectively compute such input, and we demonstrate attacks against the hash table implementations in two versions of Perl, the Squid web proxy, and the Bro intrusion detection system. Using bandwidth less than a typical dialup modem, we can bring a dedicated Bro server to its knees; after six minutes of carefully chosen packets, our Bro server was dropping as much as 71% of its traffic and consuming all of its CPU. We show how modern universal hashing techniques can yield performance comparable to commonplace hash functions while being provably secure against these attacks.

Hussein Can Hide Wmd But Not His Money

Mon, 02 Jun 2003 11:15:00 -0700

William Raspberry from the Washington post asks a great question:

“Why would Hussein, facing annihilation, take the bother to hide his chemical and biological weapons so carefully that we still haven’t found them, while leaving his millions of American dollars right where we could find them?”

If WMD are there for defense purposes, they have to be readily-available to provide a benefit to the holder. Accounts indicate thousands of tons of WMD and production capabilities should be all over the place but – nothing. However, we find his stash of cash fairly easily.

>https://www.washingtonpost.com/wp-dyn/articles/A39211-2003May25.html

Mci To Build New Gsm Network In Iraq

Mon, 02 Jun 2003 11:08:00 -0700

MCI gets $500 million to build a new GSM network in Iraq. There are a couple of interesting aspects to this:

a. The sensible GSM network was chosen amid staunch lobbying by Qualcomm junkies to build an “American” CDMA network. Hooray!

b. MCI is not a wireless telephone company. Why are they getting to build a wireless network from scratch instead of other wireless carriers? They were actually a reseller of AT&T Wireless before their accounting scandals.

The Register: MCI wins Iraq gig, shovels $500m to shareholders

Quot Politicians Lie New Study Shows Quot-

Mon, 02 Jun 2003 11:02:00 -0700

quot-

Well, we definitely agree on the point, �Politicians need to be more honest about lying� Perhaps they should go for more of the honest and less on the lying at the same time.

Politicians lie, new study shows

IN A STUDY described in Britain�s Observer newspaper, Glen Newey, a political scientist at Britain�s University of Strathclyde, concluded that lying is an important part of politics in the modern democracy.

Juxtaposition Rockets To Top Of Google Results

Fri, 30 May 2003 10:44:00 -0700

Juxtaposition has rocketed to the top of the Google search results for the word ‘juxtaposition’! Strange, given that Juxtaposition is nary a few months old.

Sadly, a link search (for link:juxtaposition.axley.net) returns no hits though.

https://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=juxtaposition&btnG=Google+Search

Interpreting 'Access' And 'Authorization' In Computer Misuse Statutes

Fri, 30 May 2003 02:49:00 -0700

The paper is 81 pages long but based on the abstract, it appears like important work. I hope that this will be taken to heart by policy shapers.

Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably na�. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting “access” and “authorization.” This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.

Reflections On Drm

Thu, 29 May 2003 15:43:00 -0700

Article on the restrictions imposed by the DRM inherent in Apple’s AAC file format.

From my perspective, $1 per song is way too expensive, especially when the product you get is inferior to a track of a physical CD. A short list of the problems:

It is in a lossy format. For most people this is not an issue from a quality perspective, but converting to another format is very likely to be necessary in the future and would either not be possible or would be suboptimal without the original. That is supposed to be the beauty of digital music–you can keep migrating it to the latest technology without having to pay for the “license” to listen again.
It does not include liner notes or artwork. I point this out because from a value perspective, you are not getting the same deal as it is made out to be (you cannot simply divide the total CD cost by the average number of tracks to come up with the value of a single digital music file).
It is encumbered by DRM. It is said that the real meaning of DRM is Digital Restriction Management. DRM-encumbered songs are surely not valued in the resale marketplace because many (these AAC files seem to be no exception) won’t even let you resell them because of the platform restrictions. You can resell your CD just fine however.

None of these disadvantages appear to be reflected in the cost of much online music that I see.

I would think that the true value of a single digital, lossless-encoded, non-DRM-encumbered track to be more like $0.50/track. You do not have to pay for distribution costs or manufacturing costs or artwork costs, etc. The value of these new digital distribution models should lead to savings for the consumer, not less value for more money.

And don’t get me started on how absurd paying $1-2 for monotonic ringtones is. Why don’t labels give those away for free as a promotional tool, ala radio? They just don’t get it.

TidBITS: Apple Changes the Face of Digital Music

E Voting Interview Reveals Serious Risks To Election Integrity

Thu, 29 May 2003 15:22:00 -0700

This scares me as a security professional. This especially scares me as a resident of Washington State.

Some gems from this interview with representatives from Sequoia systems:

Miller: “On the touch screen – we do have the hand recounts of close races too.”

Harris: “On a machine with no voter-verified paper trail?”

Miller: “Well, there’s no way to do a hand recount on a DRE.”

-————

Harris: “But the positive, which can be proved, is that every election system that’s ever been used in the USA has, at one time or another, been tampered with. And what we do know is that $800 million has gone toward contributions to candidates. So certainly we can predict that someone will try to tamper with a programmer. And therefore, what I’m asking, is what safeguards do we have in place to make sure that, if someone tampers with a program or a CD update –”

Miller: “I think we’ve gone as far as we can go.”

Black Box Voting: Ballot - Tampering in the 21st Century - Interview with Paul Miller & Kathryn Ferguson (Sequoia)

Another Ill Conceived Set Of Tax Refunds

Thu, 29 May 2003 14:51:00 -0700

1. Companies fraudulently overstate earnings 2. Companies pay tax on those fake earnings 3. Companies get caught, restate earnings 4. Companies want refunds of taxes paid on those earnings 5. Unbelievably, they get the refunds!

Firms Want Refunds Of Tax on Fake Profit (TechNews.com)

Bmw 7 Series Windowsce Crash Traps Driver Inside

Sun, 25 May 2003 04:46:00 -0700

A post to the IP and Risks lists is a harbinger of things to come as more and more complexity and computer-controlled systems get added to everyday devices without ensuring the same kind of quality and safety engineering. We can only hope that Ford and other car companies will not be successful in overturning laws requiring mechanical connections for safety-critical systems like steering, braking, etc.

-core24

Date: Tue, 13 May 2003 17:31:11 -0700 From: “Robert J. Berger” Subject: MS Windows crash traps Thai politician in car (From Dave Farber’s IP)

Crashed Computer Traps Thai Politician, 14 May 2003 https://aardvark.co.nz/daily/2003/n051301.shtml

Thailand’s Finance Minister Suchart Jaovisidha had to be rescued today from inside his expensive BMW limousine after the onboard computer crashed, leaving the vehicle immobilized.

Once the computer failed, neither the door locks, power windows nor air conditioning systems would function, leaving the Minister and his driver trapped inside the rapidly heating vehicle.

Despite the pair’s best efforts, it took a full ten minutes before they were able to summon the attention of a nearby guard who freed the two men by smashing one of the vehicle’s windows with a sledgehammer.

A report (https://www.bangkokpost.com/Business/13May2003_biz12.html) published in the *Bangkok Post* indicates that the vehicle was Mr Jaovisidha’s own BMW 520 which was being used while his state-supplied Mercedes, was being repaired.

BMW’s more up-market 7-series range uses a computer system called i-drive which has Microsoft’s WindowsCE at its core. https://www.microsoft.com/presspass/press/2002/Mar02/03-04BMWpr.asp

Did Mr Jaovisidha narrowly miss being killed by the blue windscreen of death?

Robert J. Berger - Internet Bandwidth Development, LLC. Voice: 408-882-4755 eFax: +1-408-490-2868 https://www.ibd.com

IP Archives at: https://www.interesting-people.org/archives/interesting-people/

[At least 33 readers have noted this one thus far. TNX! PGN]

Making Telemarketers Cry

Sun, 25 May 2003 04:39:00 -0700

A great Telemarketer Suing HOWTO by attorney Mark Eckenwiler from Washington D.C.

How To Make A Telemarketer Cry (or, Suing Bozos for Fun & Profit)

“In November 2002, a telemarketer called my home in D.C. at 5:24 a.m. This is the story of how that call cost him $500.”

Quot If You Want To Win An Election Just Control The Voting Machines Quot-

Fri, 23 May 2003 11:06:00 -0700

quot-

A couple more sites working against all-electronic voting machines:

https://www.blackboxvoting.com/ https://www.ecotalk.org/VotingSecurity.htm

Also, an article discussing a situation that, if true, is truly egregious:

The senator who won the election in Nebraska allegedly “was the head of, and continues to own part interest in, the company that owns the company that installed, programmed, and largely ran the voting machines that were used by most of the citizens of Nebraska.”

The bigger issue, in my opinion, is not whether the senator had rigged his election but the fact that we are entirely unable to verify whether this occurred or not. With a voter verifiable and recountable audit trail, we could.

Can Microsoft Be Secure

Fri, 23 May 2003 10:57:00 -0700

I sure hope so. I have high expectations for Windows 2003. We’ll see how things progress.

I want to know who the companies are that were surveyed… I assure you mine wasn’t one of them.

Commentary: Can Microsoft be secure? | CNET News.com

Customers worry about Microsoft’s security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows.

Horrible Precedent Guantanamo Detainees Have No Us Legal Recourse

Fri, 23 May 2003 10:53:00 -0700

[IP] Stuart Taylor’s column today –“Falsely Accused ‘Enemies’ Deserve Due Process

Couldn’t say it better myself. And regarding those lists of “known or suspected terrorists”, Bruce Schneier said it best, “there is an incentive for law enforcement to put people on this list, but no incentive for them to take people off. So the harrassment continues.”

“It ought to be unnecessary to say this, but even *correctly* accused enemies of the state deserve due process – not least because due process is the best way of determining whether they were, in fact, correctly accused.”

Facial Recognition Systems Quot Improve Quot-

Fri, 23 May 2003 10:47:00 -0700

quot-

[IP] NIST rates facial recognition systems

“The three top-rated systems verified identities correctly 87 percent to 90 percent of the time with a false-alarm rate of 1 percent. When NIST specified a false-alarm rate of 0.1 percent, the success rate dropped to between 79 percent and 82 percent.”

From the report itself:

“Typically, the watch list task is more difficult than the identification or verification tasks alone. Figure 8 shows detection and identification rates for varying watch list sizes at a false alarm rate of 1%. For the best system using a watch list of 25 people, the detection and identification rate is 77%. Increasing the size watch list to 3,000 people, decreases the detection and identification rate to 56%.”

This means that such systems would still result in fingering plenty of innocent people as terrorists.

A practical, statistical look at the civil rights implications of this problem, endemic to the NCIC database as well, can be found in the April 2003 Crypto-Gram

In related news, from an earlier Crypto-Gram:

“The SmartGate facial recognition trial at Sydney Airport has suffered an embarrassing setback, when two Japanese visitors fooled the system simply by swapping passports. https://email.ni.com.au/Click?q=aa-gBTeQXUc2wTVl8iWEhuEcIDY”

Handset Security Flaws On The Horizon

Fri, 23 May 2003 10:35:00 -0700

Software quality, especially data input filtering, is critical for mobile devices; especially devices that do not typically have user-updateable software.

News: Mobile phone hacking expected to spread

United States-based security company @stake has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn’t serious it could be a sign of worse things to come.

Drm Threat Analysis Shows Futility In Drm Mechanisms

Fri, 23 May 2003 10:23:00 -0700

This analysis shows how DRM solutions are ineffective because they [attempt to] address the wrong threat model.

“Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model – they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don�t solve the problem they complain about.”

Freedom To Tinker: DRM, and the First Rule of Security Analysis

Catching Up

Fri, 23 May 2003 10:15:00 -0700

I’ve been so busy with work and other things that I have amassed a large queue of articles and little nuggets over the past few months. You’ll probably see some old news come through that I still wanted to share or comment on.

Cheers,

-core24

Insider Attack Nails Shut Janteknology'S Coffin

Fri, 23 May 2003 10:07:00 -0700

Evidence of the damage that insider attacks can wreak. Ironically, this was a security software distributor.

It’s unbelievable how often I hear things like:

“Well you have to trust your employees/administrator/etc!” “But we’re behind the firewall!”

I even noticed Microsoft’s STRIDE threat model does not include the threat:

Misuse of granted privileges.

Whoops. People all too often don’t look inside their own organizations at the threats all around you. Insider attackers are a difficult, and perhaps not entirely solveable problem. It is much easier for someone to attack your network when they are already on it than through your firewall over the Internet. Your firewall rejects access, but then your HR department allows it. They will even give a potential adversary a computer, cubicle, network access, badge, etc.!

You have to consider this angle in designs and in how you manage privileges and maintain audit trails.

“Security software distributor, Janteknology, has shutdown amidst dramatic circumstances, its battle to survive tough market conditions ended by industrial sabotage.”

News: Security firm shuttered by sabotage

Museum Of Unworkable Devices

Fri, 23 May 2003 09:37:00 -0700

" This museum is a celebration of fascinating devices that don’t work. It houses diverse examples of the perverse genius of inventors who refused to let their thinking be intimidated by the laws of nature, remaining optimistic in the face of repeated failures."

A truly fascinating site.

The Museum of Unworkable Devices

weblogs.com RPC error fix

Fri, 23 May 2003 09:34:00 -0700

07:00

You may have seen this error crop up in your movabletype blog:

Ping ‘https://rpc.weblogs.com/RPC2' failed: HTTP error: 500 read timeout

I found plenty of sites through google where people were asking about this but nobody offered a solution that I saw. Well, I found a solution that was posted on the MT support forum just an hour or so ago:

movabletype.org : Support Forum

below is a unified diff so that you can patch your site. The patch seems to work most of the time, although I have had at least one of the same errors crop up. That could have been due to something else though.

 
\--- XMLRPC.pm Tue Feb 11 16:15:03 2003 
+++ lib/MT/XMLRPC.pm Fri May 23 16:29:04 2003 
@@ -68,8 +68,12 @@ 
"HTTP error: \[\_1\]", $res->status\_line )); 
} 
my $content = $res->content; 
\- my($error, $msg) = $content =~ 
\- m!flerror.\*?(\\d+).\*message.\*?(.+?)!s; 
+# quick fix to weblogs.com RPC error in activity log. See blog entry for details. 
+# my($error, $msg) = $content =~ 
+# m!flerror.\*?(\\d+).\*message.\*?(.+?)!s; 
\+ my($error) = $content =~ m!flerror.\*?(d+)!s; 
\+ my($msg) = $content =~ m!message.\*?(.+?)!s; 
+ 
if ($error) { 
return $class->error(MT->translate( 
"Ping error: \[\_1\]", $msg ));

Creationist Debunking At Your Fingertips

Fri, 23 May 2003 08:26:00 -0700

An Index to Creationist Claims

An online Index to Creationist Claims that debunks many of them, with references.

Acm Testimony To Congress Against Dmca'S Chilling Effect

Fri, 23 May 2003 01:19:00 -0700

USACM co-chair Barbara Simons spoke out against sections of the DMCA during recent Congressional review of the DMCA’s anti-circumvention provisions.

ACM MemberNet

You can also read the transcript of Simons’ testimony

“During a time when our nation is devoting unprecedented resources to homeland security, we should be eliminating laws such as the DMCA that encourage insecurity,”

Voter Confidence and Increased Accessibility Act

Fri, 23 May 2003 00:48:00 -0700

Voter Verification Newsletter – Vol 1, Number 3

“Federal Legislation Introduced!

Rep. Rush Holt of New Jersey has introduced a bill requiring a voter-verifiable paper trail.

https://holt.house.gov/issues2.cfm?id=5996

The Voter Confidence and Increased Accessibility Act of 2003.

“We cannot afford nor can we permit another major assault on the integrity of the American electoral process,” said Rep. Rush Holt. “Imagine it’s Election Day 2004. You enter your local polling place and go to cast your vote on a brand new ’touch screen’ voting machine. The screen says your vote has been counted. As you exit the voting booth, however, you begin to wonder. How do I know if the machine actually recorded my vote? The fact is, you don’t.”

Folks, this is what we’ve been waiting for! Please contact your U.S. Representative ASAP and ask them to support this bill and consider co-sponsoring it.

Let everyone know about this pending legislation.”

'E Mail Wrap' License

Thu, 22 May 2003 15:34:00 -0700

Like ‘click-through’ or ‘clickwrap’ licenses before, Lawrence Lessig publishes what may be described as an ’e-mail through’ or ’e-mail wrap’ license:

welcome spammers

Illogical Rantings On Quot Under God Quot Issue

Thu, 22 May 2003 15:28:00 -0700

I couldn’t pass this one up.

Miami News-Record - Gerald Stone Column

" At a time when we need God and religion in our lives more than ever, the U.S. Supreme Court is poised to strike down the words �under God� from the Pledge of Allegiance."

I’ll add some clarification to this statement:

“we” = you and those who believe as you do “our lives” = the lives of you and those who believe as you do.

It was a bit unclear. It sounded like you are representing non-Judeo-Christians.

And more God in your life requires “under God” in the national pledge of allegiance? Does not follow…

“This poor excuse for a human must have been off his medication for a long time.”

I can hardly begin to respond to this fallaciousness. Now I really know that you never read the court decision text.

“the Supreme Court will probably hear the case sometime this year and you can expect �under God� to be taken out of the pledge. …

The Bush administration, in its petition to the high court, argues that the Pledge is not like a prayer or invocation. They’re the only ones making sense. But, the atheist-inclined liberals will probably get their way.”

So, anyone who agrees with the court’s decision, for whatever reason, is painted as “atheist-inclined” and a “liberal”. That is such an enlightened viewpoint.

And why is it that many Republicans want the government to be involved in actively furthering a particular faith but in most other aspects of life (e.g. gun control) they want to be left alone?

Logic Error In Texas Dps Record Destruction Quot Rationale Quot-

Thu, 22 May 2003 15:11:00 -0700

quot-

Talking Points Memo: by Joshua Micah Marshall

“The DPS [Department of Public Safety] appears to have violated Texas state law by destroying the records. To justify this, they point to a federal regulation which a legal expert says is plainly inapplicable. And the very regulation they’re trying to hang their hat on seems to bar the original conduct itself.”

This whole story is unbelievable. I’m still waiting for what assistance they requested and perhaps received from the department of Homeland Security… There is a possible criminal investigation ensuing.

Taxed logic...

Thu, 22 May 2003 15:06:00 -0700

Warren Buffet writes:

Dividend Voodoo (washingtonpost.com)

Putting $1,000 in the pockets of 310,000 families with urgent needs is going to provide far more stimulus to the economy than putting the same $310 million in my pockets.

When you listen to tax-cut rhetoric, remember that giving one class of taxpayer a “break” requires – now or down the line – that an equivalent burden be imposed on other parties. In other words, if I get a break, someone else pays. Government can’t deliver a free lunch to the country as a whole. It can, however, determine who pays for lunch. And last week the Senate handed the bill to the wrong party.

Supporters of making dividends tax-free like to paint critics as promoters of class warfare. The fact is, however, that their proposal promotes class welfare. For my class.

Questions Of Mass Distruction

Thu, 22 May 2003 14:41:00 -0700

“Look, if there are no WMDs in Iraq, it means either our government lied us to us in order to get us into an unnecessary war, or the government itself was disastrously misinformed by an incompetent intelligence apparatus. In either case, it’s a terribly serious situation.”

TOMPAINE.com - Questions Of Mass Destruction

Rhp Livejournal Web Board

Mon, 19 May 2003 14:15:00 -0700

Check out a new place to discuss the Red House Painters and get news.

a red house painters & mark kozelek community’s Journal

Anti Polygraph

Mon, 19 May 2003 13:08:00 -0700

Here is a 176-page PDF paper on the fallacy of polygraph exams (a.k.a. “lie” detectors). I have not read up on this subject in some time but this looks to be a good read.

Lie Behind the Lie Detector

Stupid Security

Mon, 19 May 2003 12:59:00 -0700

Found out about this great site through this month’s Crypto-Gram newsletter. It posts articles on – you guessed it – all the stupid security measures people come across.

Stupid Security: Exposing Fake Security Since 2003

E Voting Systems Assailed

Tue, 06 May 2003 15:43:00 -0700

A great article with some perfect quotes from leading advocates and experts for voter verifiable audit trails. Also, there are some documented cases of voting machine errors in the article.

New Voting Systems Assailed

New Voting Systems Assailed Computer Experts Cite Fraud Potential

By Dan Keating Washington Post Staff Writer Friday, March 28, 2003; Page A12

As election officials rush to spend billions to update the country’s voting machines with electronic systems, computer scientists are mounting a challenge to the new devices, saying they are less reliable and less secure from fraud than the equipment they are replacing.

…

“These systems, because of the level of testing they go through, are the most reliable systems available,” said Michael Barnes, who oversaw Georgia’s statewide upgrade. “People were happy with how they operated.”

….

But the scientists’ campaign, which began in California’s Silicon Valley in January, has gathered signatures from more than 300 experts, and the pressure has induced the industry to begin changing course.

….

Critics of such systems say that they are vulnerable to tampering, to human error and to computer malfunctions – and that they lack the most obvious protection, a separate, paper receipt that a voter can confirm after voting and that can be recounted if problems are suspected.

Officials who have worked with touch-screen systems say these concerns are unfounded and, in certain cases, somewhat paranoid.

David Dill, the Stanford University professor of computer science who launched the petition drive, said, “What people have learned repeatedly, the hard way, is that the prudent practice – if you want to escape with your data intact – is what other people would perceive as paranoia.”

Other computer scientists, including Rebecca Mercuri of Bryn Mawr College, say that problems are so likely that they are virtually guaranteed to occur – and already have.

…

“If the only way you know that it’s working incorrectly is when there’s four votes instead of 1,200 votes, then how do you know that if it’s 1,100 votes instead of 1,200 votes? You’ll never know,” said Mercuri.

Because humans are imperfect and computers are complicated, said Ben Bederson, a professor of computer science at the University of Maryland, mistakes will always be made. With no backup to test, the scientists say, mistakes will go undetected.

“I’m not concerned about elections that are a mess,” Dill said. “I’m concerned about elections that appear to go smoothly, and no one knows that it was all messed up inside the machine.”

“We’re not paranoid,” said Mercuri. “They’re avoiding computational realities. That’s the computer science part of it. We can’t avoid it any more than physical scientists can avoid gravity.”

Seattle Area volleyball site

Tue, 06 May 2003 15:37:00 -0700

Scott Marlow maintains a very cool site on Seattle-area Volleyball programs, gyms, groups. https://www.seanet.com/~swmarlow/volleyball.html

Juxtaposition Mobile Edition-

Sat, 22 Mar 2003 01:36:00 -0800

I just found out some very simple instructions and a sample template to make a parallel WML version of this site for viewing on my mobile phone (I do work for a wireless phone company, after all). Check out the result: Juxtaposition mobile edition

I started by finding this WAP & WML thread at movabletype.org

This discussion pointed me to two solutions for two different problems:

Nicely Toasted Mobile, which generates wml versions on-the-fly for WAP-based mobile devices
Mark Pilgrim’s solution which was designed for more intelligent mobile form factors, like the palm. This is how you can create Avant-Go compatible content for offline browsing with tools like Plucker.

I chose the first option as this is the one that I really find lacking right now–the ability to view my own site from my Ericsson t68i. I can view the regular site just fine (with the exception of the style sheet, because Pocket IE does not support CSS…) in my Siemens SX56. But cannot even coax the Ericsson to view the RDF version.

I made just a couple of tweaks to the Nicely Toasted template to customize the content and make it generic enough to be used for any other blog, including: making the Home URL relative, changing the blog name using the tag

I think that the next step will be to further customize the template to include hyperlinks to the rest of the story content.

Users tricked into believing a Nokia upgrade hoax

Fri, 21 Mar 2003 12:19:00 -0800

“Nokia 7650 upgrade - hoax

An internet hoax is traveling round the internet that purports to be a press release from Nokia offering an upgrade for owners of the Nokia 7650 handset to support a series of new features.

The press release says that “Nokia today announced after months of speculation and rumours that it will be re-releasing it’s flagship Symbian OS phone, the 7650, with the long awaited increased memory capabilities.

The new 7650 will remain branded as 7650 but will have the added feature of an MMC expansion bay and support for Bluetooth Audio.”

There is a web site address for the press release, that at first look, does look like a Nokia web site address - but the @ symbol in the middle of the URL actually causes browsers to ignore everything before it, and the remainder of the address is a web page on a totally different server. "

One of the URLs looks like this, so you can see how someone could be easily tricked into believing it as legitimate:

https://press.nokia.com~id=@%31%39%34%2e%31%36%34%2e%32%30%2e%38/release/7650.htm

The page no longer works, but you need to be very diligent online and can’t trust everything you read. Someone could easily hide this URL in some inocuous text so you would not easily notice the underhandedness: Nokia fake press release

Read more about these same techniques that spammers often use to trick you at Stupid Spam Tricks.

Black Box Testing Your Brain

Fri, 21 Mar 2003 11:58:00 -0800

New Scientist

“The world’s first brain prosthesis - an artificial hippocampus - is about to be tested in California.”

This is the result of black-box testing the hippocampus–the part of your brain that encodes “experiences so they can be stored as long-term memories”. It has proven to be elusive to its exact workings, but by treating it as a black-box and mimicking its response to inputs, scientists were able to devise a mathematical model that they could program onto a chip which could replace a malfunctioning hippocampus.

Some of the ethical issues are discussed in the article as well.

Space Elevators: fact or fiction?

Fri, 21 Mar 2003 11:48:00 -0800

A slashdot article about a book (see below) researching whether the sci-fi Space Elevator could be practically manufactured is out:

This is some of the fruits of ongoing NASA-sponsored research.

What is a Space Elevator, you ask? A superstrong elevator “shaft” stretching from earth and anchored to a geosynchronous satellite in outer space that an elevator would ride upon to carry payloads outside of our atmosphere.

“carbon nanotube fibers are both strong and light enough that a 100,000 km elevator, constructed of a 2m wide carbon nanotube “ribbon,” could be constructed in 10 years for a cost of US $6 billion, and be capable of lifting a 13-ton payload to geosynchronous orbit once every few days. If feasible, it would present a stunning breakthrough in space accessibility, and likely usher in a new age of space development and exploration.”

Slashdot story

Fuel Cells Coming To A Laptop Near You

Fri, 21 Mar 2003 11:40:00 -0800

Cool!

InfoWorld:�Toshiba prototypes methanol fuel cell for laptops:�March 05, 2003:�By�Gillian Law:�End-user Hardware

SSL Patent suit update: victory for SSL!

Fri, 21 Mar 2003 11:23:00 -0800

07:00

A press release on RSA’s website announces that a unanimous verdict was reached on all infringement claims in favor of the defendants, RSA Security Inc. and Verisign Inc.

RSA Security | RSA Security Wins SSL Patent Infringement Trial

Analysis Of The Educational Initiatives Outlined In The National Cybersecurity Strategy

Fri, 21 Mar 2003 10:52:00 -0800

Rob Slade takes an in-depth look at what the National Cybersecurity Strategy is for security education and doesn’t really find much. To summarize:

“we [the U.S. Gov’t] can’t do it alone, so we’re not going to do anything”

“How will it happen?”

“Focus or force?”

“Security awareness cannot be promoted by establishing contests where nobody will compete.”

“Again, this proposal sounds good, but, without details to back it up, I doubt that there will be any impact any time soon”

“Subject to budget considerations. No further comment needed.”

“What incentive do those companies have to do so? "

“How about funding?”

“OK, the government doesn’t want to help or fund certification, but wants to dictate what the certification is for.”

“I imagine AV and firewall vendors will be delighted that the government will be advertising for them”

The document seems to say a lot but does not seem as if it will actually do anything.

Read the full analysis in Risks 22.63, article 1

Duk Koo Kim

Thu, 20 Mar 2003 23:38:00 -0800

I recently purchased the one and only vinyl album that I own. I had to do so, even though I do not own a turntable, because it is a 1000 copy limited release single. It contains two versions of the same beautiful song, called Duk Koo Kim, by Mark Kozelek of the Red House Painters. This is one of my favorite RHP songs. Reading the history about Duk Koo Kim makes the song that much more poignant and sad.

Duk Koo Kim - Wikipedia

A tragic turn of events that reads more like Shakespeare than real life. One death leads to several others and radical changes to the world of boxing.

E Voting Banter Between Scientists

Thu, 20 Mar 2003 10:20:00 -0800

There was voluminous and heated discussion on the cryptography mailing list about the dangers of the paper audit trail for e-voting that is being pushed by the e-voting academic experts. The instigator and perpetuator of the discussion was Ed Gerck.

His main criticism was that the paper audit trail does not address the problems of massive external vote tampering by extortion (vote this way and prove you voted this way or I’ll kill you) or vote selling (vote republican, prove it to me, and I’ll pay you $$). He is afraid that the paper audit trail will be just the thing that can be photographed as proof of your vote to enable these system.

Rebecca Mercuri replied:

“The whole idea of photographing paper ballots is a straw man. It is akin to saying that people will just run through red lights anyway so we shouldn’t place them at intersections.”

This seemed to sum up my thoughts on the complaint. He seemed to be arguing for throwing the baby out with the bathwater, saying “[printing paper receipts] creates problems that are even harder to solve than the silent subversion of e-records”

He included criticism later on that a paper audit trail does not really make e-voting systems any better than existing paper-based systems and seemed to argue that it is academically uninteresting. I think that this is exactly the point though: nobody has yet come up with an entirely electronic voting system that solves the fundamental problem that a paper audit trail solves. It may be unsatisfying, but what I think is far more unsatisfying are the voting districts that are ignoring this academic result and swapping out systems with unverifiable ones. People need to understand the limits and risks of electronic systems.

Rebecca’s most interesting statement for me was:

“The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of scientists with Ph.D.’s, the average citizen can have no confidence that their voice is being heard.”

She ended her posting with a response to the criticism:

“I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human-accessible format that is a considerable improvement over both the black-box systems and the chad-based ones.If you can devise a system that is equally user-friendly and has the same ability for independent auditing, then please do so.”

The discussion ended with that.

In Happier Times

Thu, 20 Mar 2003 09:43:00 -0800

This is hilarious. It must be making its rounds on the Internet today. Thought it would bring a bit of levity to the current world situation.

[

Propaganda Against Anti War Position Ancient Practice

Tue, 18 Mar 2003 14:46:00 -0800

I may have to get this book:

Details from 480BC about painting anti-war sentiment as “disloyalty”.

[IP] anti-war == disloyalty

TSA inspector rebukes passenger in a note

Tue, 18 Mar 2003 14:40:00 -0800

07:00

I hope that somebody is guarding the constitution. People seem to be lining up to shred it with war on the horizon.

The Seattle Times: Local News: Suitcase surprise: Rebuke written on inspection notice

Ugly: politicians calling for excessive sentences for filesharing

Tue, 18 Mar 2003 14:30:00 -0800

07:00

[IP] Does File Trading Fund Terrorism?

Bizarro World Nyc Talking Fish Speaks In Tongues

Tue, 18 Mar 2003 14:01:00 -0800

Um. Yeah.

Contra Costa Times | 03/15/2003 | Skeptics can carp, but a New York fish is the talk of the town

Risks Of Background Checks

Fri, 14 Mar 2003 01:46:00 -0800

There is a trend after 9/11 to perform more background checks on individuals as a requirement for all kinds of things–employment being a major. Data integrity issues are probably the biggest risk with these kinds of checks. Who has your data? Where did they get it from? How do you know it is accurate? How can you correct mistakes?

I reviewed a background check service that is used for credit checks mainly and was surprised to see that they offered the ability to check against the _____________________

This is a case of just not doing a very thorough query of the information in the first place. Reminds me of the recent erroneous (and perjurious?) BSA complaint against OpenOffice based on an inaccurate search query and lack of human sanity-checking of the result. “The computer said there was a match. And computers don’t lie…”

Date: Thu, 6 Mar 2003 18:14:45 -0800 (PST) From: Max Power Subject: Identity mixup: NZ teacher identified as prostitute

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after finishing four years of training. She was notified that she was “likely” to be a prostitute convicted on four charges, including two assaults, based on a computer match of her maiden name and birthdate. Despite going to the police and submitting to fingerprinting that demonstrated she was not the person in question, she was not cleared until weeks later – after her local Member of Parliament had intervened. [Source: Prostitute mix-up shocks teacher, by Ruth Berry, 06 March 2003; PGN-ed] https://www.stuff.co.nz/stuff/0,2106,2309649a7694,00.html

undefined

Thu, 13 Mar 2003 23:08:00 -0800

07:00

PrivacyChoices

New Ieee Security And Privacy Magazine

Thu, 13 Mar 2003 14:53:00 -0800

I will have to check this out. Although, I have several piles of other publications to whittle down first.

“The IEEE Computer Society has created a new magazine called “Security and Privacy” specifically for the security community The magazine intends to present a balanced mix of scientific research and practical security discussion. "

Risks Of Public Internet Access Terminals

Thu, 13 Mar 2003 14:49:00 -0800

This story about 16M Yen (~$136,000) stolen from someone’s CityBank online banking service after the user’s password was compromised at an Internet cafe highlights the tremendous risk of insecure client computers. It does not make a darned bit of difference what crypto strength you were to use, it is so trivial to install a keystroke capture device that nobody would ever notice that will catch everything before it is encrypted.

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.” – Gene Spafford

The trend toward SSL-based VPNs and Internet-enabling everything under the sun leads to uncontrolled client-side access that significantly increases this risk. Gartner is “bullish” on these SSL-based VPNs but I’m not convinced that their convenience outweighs the increased risk in many cases. You would need to deploy token authentication at a minimum with these solutions but you would still be at risk of general data compromise. In any company with a large amount of employees, training everyone to not use their personal computer, a library computer, an Internet cafe computer, etc. to access such a solution would be difficult and not entirely effective. Users will choose the convenience over security much (all?) of the time.

Full story below and at CNN.com

Date: Fri, 07 Mar 2003 00:40:28 +0900 From: Chiaki Ishikawa Subject: 16M Yen stolen from sniffed bank passwords at Internet Cafe On March 6th, two men have been arrested for illegally transferring 16 million YEN from someone’s CityBank online banking service account to a third party account and then take the money from it, Tokyo police announced. >From the descriptions of newspaper articles, it seems that one of the culprits has installed keyboard sniffer programs on about hundred PCs at a dozen or so Internet Cafes in Tokyo and Kanagawa prefecture (south of Tokyo). He has regularly visited the cafes and brought back the recorded data with him, and searched for ID/password, and other identification information. At the charged man’s home, the police has found ID/password for 719 accounts, and about a couple of hundred user profiles meant for dating services. One such ID/password for a man’s City Bank online banking service was used to transfer 16 million Yen to a different account at another bank from which the money was withdrawn. This is the first time that a keyboard sniffer is implicated in a large scale ID theft in Japan, from what I know. It beats me, though, why anyone wants to use a PC at Internet cafe for one’s banking service. (We should assume doing something on it, like writing a memo, for example, is akin to writing on a memo pad on a desk at a public library under which a carbon paper may be secretly placed to record information and we never know. For that matter, even without the carbon paper, we often can see the telephone number, etc. left by the previous user by looking at the indented marks on the next paper sheet, don’t we? ) I think the general public should be taught more about the security implications of various Internet services, which may look useful and handy on the surface, but may not be so attractive if the security implications are taken into account. I think it should be the responsibility for the service provider to tell such risks, but I am not sure how to go about writing a law because “risk” is a relative thing. This has been a busy week for computer security professionals in Japan. First the computer system for handling nations’s flight plans collapsed on the morning March 1st. Then a large credit card company, Oriental Corp., announced the leak of 15,000 user profiles to a member of an underground gang group who blackmailed the company and was arrested. Then this incident. I hope the general public will start to pay more attention to the computer security issues thanks to these high-profile incident. (The ID theft using keyboard sniffer was the front page head line article in the evening edition of *Asahi Shimbun*. It occupies about 1/5 of the paper and is very conspicuous.)

Krispy Kreme Grossly Overcharges 28 Customers

Thu, 13 Mar 2003 14:20:00 -0800

From RISKS 22.61.

“A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers while figuratively deep-frying over two dozen customers. Irrespective of what they ordered, each of 28 customers using a credit card were charged EXACTLY $84,213.60 for the purchase. "

The PGN comments simply made the posting though:

[These charges were actually APPROVED, and of course also blew the customers’ credit ratings for a few days. Amazing! ``The $84,000 charge, were it legitimate, would have purchased over 170,000 … doughnuts, enough to stretch over 9 miles if placed end-to-end.’’ …

Date: Tue, 04 Mar 2003 19:31:54 -0500 From: “Fuzzy Gorilla” Subject: 28 Krispy Kreme customers each charged over $84,000 A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers while figuratively deep-frying over two dozen customers. Irrespective of what they ordered, each of 28 customers using a credit card were charged EXACTLY $84,213.60 for the purchase. KK blamed Heartland Payment Systems, which processes their credit-card transactions. [Source: KRQE News 13, Albuquerque, N.M., 19 Feb 2003; PGN-ed] https://www.krqe.com/Global/story.asp?S=1140274 [These charges were actually APPROVED, and of course also blew the customers’ credit ratings for a few days. Amazing! ``The $84,000 charge, were it legitimate, would have purchased over 170,000 … doughnuts, enough to stretch over 9 miles if placed end-to-end.’' (But a few days later, the doughnuts might have settled into substantial paving bricks. Or do Krispy Kremes have a shelf-life of years, like the bread and chocolate used in Des(s)ert Shield?) Of course, stacked vertically, they would reach almost 2 miles high. Somehow, the name ``Heartland’’ seems incompatible with the concept of Krispy Kremes, unless it is related to a hospital with the same name. PGN] [Three sentences back, I have added “(s)” in the archive copy, inspired by Mike Yuhas. PGN]

VoteHere whistleblower lawsuit and other e Voting madness

Thu, 13 Mar 2003 14:13:00 -0800

BlackBox Voting is reporting on a whistleblower lawsuit filed here in Washington state by a software engineer against his former employer VoteHere. He alleges that he was wrongfully terminated to silence his complaints while third party “certification” of the VoteHere system was being conducted. The lawsuit enumerates many of the system’s flaws that he documented in defect reports. It is a must-read.

In other unbelievable news, Santa Clara County, CA and Collins County, TX both voted for electronic voting machines without paper audit trails against all sound advice from experts around the world. Santa Clara County reportedly cited the same kinds of “certifications” as evidence that the system is okay without the voter verifiable audit trail.

Music Wish List

Wed, 12 Mar 2003 13:02:00 -0800

I’ve been compiling a text file with my queue of music to get next and thought that I should share. It would also be much nicer to manage through MovableType with the MTAmazon plugin and the MTMacro plugin.

How Mobile Phones And An 18m Bribe Trapped 911 Mastermind

Tue, 11 Mar 2003 05:04:00 -0800

Guardian Unlimited | Special reports | How mobile phones and an �18m bribe trapped 9/11 mastermind

Top Inspectors Criticize CIA Data on Iraqi Sites

Sun, 09 Mar 2003 15:13:00 -0800

[IP] Top Inspectors Criticize CIA Data on Iraqi Sites

Iraq Nuclear Program Evidence To The Un Faked

Sun, 09 Mar 2003 15:05:00 -0800

[IP] Some Evidence on Iraq Called Fake U.N. Nuclear Inspector SaysDocum

Big Brother Is All Around You

Fri, 07 Mar 2003 08:59:00 -0800

ABCNews is reporting that several police agencies are under fire for domestic spying. Those of you who think that the government can have all the power it thinks it wants without checks and balances should take heed that this certainly breeds abuses. Read this article. See the trend toward more domestic spying. Be afraid.

I hope that Seattle maintains their current ban on this practice.

ABCNEWS.com : Is Police Spying Back in Fashion?

Dumb Criminal Award Candidate

Fri, 07 Mar 2003 08:43:00 -0800

Just hilarious if this suspect was truly the robber.

“A California man who got away after allegedly sticking up an Aurora Avenue North video store a couple of weeks ago apparently couldn’t leave well enough alone.”

The Seattle Times: Local News: Robbery suspect nabbed during return visit to store

Copa Ruled Unconstitutional-

Fri, 07 Mar 2003 08:11:00 -0800

The Washington Post has a story about the victory for free speech handed down by the 3rd U.S. Circuit Court of Appeals on Thursday. They upheld a lower court injunction blocking the law (COPA) as being too squishy to withstand constitutional muster.

“Previously, the 3rd Circuit had ruled the law unconstitutional on grounds that it allowed the legality of Internet content to be judged by “contemporary community standards.”

Also see discussion at Slashdot | Appeals Court Rejects Child Online Protection Act, Again

See the full decision here. Monitor any future developments at EPIC’s site

Note: Updated on 3-12-03 to change content to reflect CIPA to COPA. This law acronym alphabet soup is just as bad as telecom’s! A CIPA announcement came out recently but this was supposed to be about COPA…

Aol Customers Buyer Beware

Tue, 04 Mar 2003 15:08:00 -0800

Many of the attacks described are social engineering attacks and not computer security holes. I can’t believe the mumbling attacks–hilarious! Social engineering attacks are very hard to defend against, especially with huge callcenters like AOL must have.

AOL customers beware your privacy. AOL not only makes it easy to get on the Internet, they make it easy for others to get on the Internet as you too!

“Using a combination of trade tricks and clever programming, hackers have thoroughly compromised security at America Online, potentially exposing the personal information of AOL’s 35 million users. "

Wired News: Hackers Run Wild and Free on AOL

SSL under patent dispute

Tue, 04 Mar 2003 15:05:00 -0800

The March 3 Security Wire Digest and Reuters are reporting that:

“Leon Stambler, who has won financial settlements from companies such as National Cash Register, First Data and Openwave Systems, seeks up to $20 million in the federal suit, being heard in Delaware. "

“Certicom and Openwave each paid $400,000 plus ongoing royalty fees for their licenses and First Data paid $4 million, he testified. "

He is suing RSA Security and Verisign now, trying to extract money. Ugh.

The companies are arguing that his invention (patented in 1992) is distinct from SSL. SSL was developed in 1994 and patented in 1997, according to the Reuters article.

The Reuters story is here

Wireless hackers invade!

Tue, 04 Mar 2003 14:57:00 -0800

“Two Alberta men with a passion for locating and mapping wireless computer networks have come under the scrutiny of Canada’s spy agency.”

“The press release, which also included Mr. Kaczor’s name and contact information, featured the tongue-in-cheek headline “Wireless hackers invade Red Deer!””

High-tech hobby falls under CSIS suspicion

Debate On Copyright Vs Innovation At Stanford

Mon, 03 Mar 2003 05:13:00 -0800

[IP] Pondering Value of Copyright vs. Innovation

“Technology scholars, business leaders and policy makers gathered at California conferences this weekend to argue whether a mismatch between two different technologies and the legal policies that govern them could inhibit free expression and innovation. "

““We have ceded too much power to copyright owners,” said Ms. Lofgren, who plans on Tuesday to reintroduce a bill that would amend the 1998 law. “People are afraid to proceed on innovative measures.””

Outlawing Encryption Under Patriot Ii

Mon, 03 Mar 2003 05:10:00 -0800

ot-ii

Among other nasty things, the US government is trying to make the use of encryption while committing a crime over a computer a new crime that would add 5 years onto your sentence, if convicted.

“If you order a book from Amazon.com and fail to pay state tax, the SSL session with Amazon supports a five year felony. [RFF - I’d also include using GSM cell phones with the built-in encryption….]”

The ACLU has a section-by-section analysis for the full dose of insanity.

[IP] Outlawing Encryption under PATRIOT II

Several members of congress have sent an open letter to John Ashcroft chiding him for the administration’s handling of PATRIOT II. The Justice Department is being very secretive about this new act, even lying to congress about its existence even though it has been leaked on the Internet.

From the FoxNews story:

“If there’s going to be a sequel let’s find out what it’s going to be” before reading about it in the newspapers, Leahy said, accusing the Justice Department of lying to his staff about whether a new bill was in the works.

Ari Gets Laughed Out Of Wh Briefing Room

Mon, 03 Mar 2003 00:55:00 -0800

[IP] Must Read and See: Ari Gets Laughed Out of WH Briefing Room]

Join in laughing Ari Fleischer out of the briefing room. Start at about 30 minutes into the tape when Ari is being repeatedly questioned about US diplomat quotes that some aid packages are being offered to Mexico and Columbia relating to their upcoming UN Security Council votes.

Google Removes Quot Illegal Quot Site From Its Index On Request

Mon, 03 Mar 2003 00:53:00 -0800

Seth Finkelstein has details on a troubling case about someone in Chester county in the UK complaining to google about a site run by someone calling themselves “Chester the Molester” as an illegal paedophile site that they found by searching for “Chester Guide” on google. The site, in fact, was not illegal at all but a list of “sick humor” that included a link to a humor article entitled, “Chester’s guide to: picking up little girls”.

So, all it takes is for someone to make a complaint, for google to not really research it, and you can get someone’s site removed from google’s cache.

[IP] Google removal - Chester’s Guide to Molesting Google

Truth in music on its way?

Mon, 03 Mar 2003 00:51:00 -0800

Senator Ron Wyden (D) from Oregon is pitching a simple idea to lead to a market-driven solution to the DRM problems being imposed on consumers: to require music companies to disclose to consumers the restrictions they will impose on the consumer’s use of the product.

“When customers know, for example, that the compact disc they’re buying is technologically rigged so they can’t rip MP3 files from it for use on a portable player, they won’t buy it. Eventually, these informed customers will demand change in the copyright laws.”

[IP] Truth in labeling

Senator Seeks Full Copyright Disclosures

Dell Cost Cutting With Sun To Linux Switch

Sun, 02 Mar 2003 14:31:00 -0800

Wow. This may help spur other cost-conscious companies (perhaps my employer too) into making the switch.

“Currently, our order management, customer transaction information, manufacturing flow, and software downloads (as a part of our build-to-order manufacturing process) all involve Sun-based Unix systems. But that’s all being moved to Dell-based systems running Red Hat Linux and Oracle 9iRAC. So far, 14 Sun systems are gone and the plans are to complete the ‘Sun setting’ exercise this year.”

Dell, Sun execs trade jabs over Unix viability

Vespa Madness

Sun, 02 Mar 2003 13:55:00 -0800

A must have: Vespa Screensaver. Windows-only, of course.

Interested in buying one for me? I could handle the platinum, dragon red, or cobalt blue one. The local dealer location

Or, I can at least hope to win one from Starbucks. This is the perfect excuse to buy more coffee :-)

Worm press release template

Sun, 02 Mar 2003 13:50:00 -0800

Keep this handy for the next MS Worm. Posted to RISKS 22.53: . [From Pete Lindstrom, Spire Security, petelind@spiresecurity.com]

* Computer Worm Internet*

In the wee hours of , a computer worm spread throughout the Internet. Dubbed because <ridiculous reason that doesn’t explain anything about how it works>, and also known as and , the worm has infected an estimated systems within . Experts are calling this worm the most since .

The worm exploits a hole in that was first identified months ago by …

In an attempt to secure the planet, released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently listened. Coincidentally, the worm that exploited this hole was also first identified by . Even more coincidentally, they make a product to protect against . “Actually, it’s not really a , it’s a ,” said <Pete Lindstrom, or some other person seeking publicity>. " A true works by ." The worm’s payload every system by <verb ending in -ing> the . Comparatively speaking, this is much worse than but not as bad as . The computers of were hit the hardest. Current damage is estimated at <dollar figure more than the GNP of two-thirds of the world’s nations>. " This worm has the potential to ," said <Pete Lindstrom, or some other person trying hard to come up with something interesting to say ;-)>. " It just goes to show you that ." Though there is no way to protect against this particular bug, experts recommend trying or , neither of which matter, since nobody will do it anyway.

Bsa Joins Ranks With Riaa In Threatening Without Cause

Fri, 28 Feb 2003 02:19:00 -0800

The BSA (Business Software Alliance) is now taken to sending out threatening letters based on the results of a web/ftp spider search for the word “Office”. The RIAA has done similar things in searching for “pirated” music by keyword and then automatically mailing.

From the BSA letter:

“What was located as infringing content: -—————————– Filename: /mandrake_current/SRPMS/OpenOffice.org-1.0.1-9mdk.src.rpm (199,643kb) Filename: /mandrake_current/i586/Mandrake/RPMS/OpenOffice.org-libs-1.0.1-9mdk.i586.rpm (35,444kb)”

OpenOffice.org thread

Anyone have a clue stick handy?

Microsoft Spyware

Wed, 26 Feb 2003 14:38:00 -0800

tecChannel reverse-engineered Windows Update to find that it can spy on other installed applications. It is unclear whether it actually does spy though. Although an article at The Inquirer claims as much.

They are offering a utility that you can run yourself to spy on the spyware. You have to pay 1.99 Euro for the full article and get the software included. A summary can be found for free though at The Inquirer.

“The information can pass on to Microsoft a list of all of the software installed on an individual’s computer, including software manufactured by other manufacturers.”

There is a slashdot story as well.

An article update shows a dump of what a hardware configuration looks like being sent to Microsoft.

More On Santa Clara E Voting

Wed, 26 Feb 2003 09:53:00 -0800

Just heard an NPR story on the Santa Clara e-voting saga. A vote today did not decide on whether they would only go with a system with a paper ballot. Only to test such a system.

The Sequoia company representative (the chosen product) admitted that they only agreed to add the paper ballot because they listen to customer demands. He didn’t think it was necessary though.

“Officials in California’s Santa Clara County learn that those who know computers best have the biggest concerns about them. That county, home to Silicon Valley, is deciding on an electronic voting system. But a computer scientist fights to keep old-fashioned paper in the voting process. NPR’s Andy Bowers reports.”

Listen here: Real Audio link

Check out the 128 pages of documentation. page 13 is interesting and the discussion on page 23 that the “prevailing view is that proprietary source code should not be readily available for obvious security [ed: obscurity] reasons”

Page 27 has a discussion of the “security” for modem data transmissions of vote totals in the ES & S iVotronic product. It’s good for a laugh. Here’s their modem “security”:

1. “Transmission…uses an ES&S proprietary protocol that includes proprietary data format and checking….If a standard PC with a modem attempts to link up with a Data Acquisition Manager (DAM) Host, the modems will initially link up but no intelligible information will be received by either unit.”

Don’t know about you but that gives me warm fuzzies. Of course this is not unlike things that I see in RFPs for other kinds of technology all the time. You would (and should) expect more from such a critical system though.

2. “To add additional security…” [as if 1 is not enough] “…there is an eight-position password built into the protocol”

They go on to say that there is a time period–not a number of failed attempts–that governs disconnect if the correct password is not entered. So, it sounds like someone could brute-force. Is 8-position just numeric, or does it include alpha too?

I could go on but don’t want to ruin it for you.

Homeland Quot Security Quot Measures Coming Under Fire

Wed, 26 Feb 2003 09:17:00 -0800

I heard someone talk about how in the 50’s and 60’s everyone was building bomb shelters for protection against nuclear attack and fallout but now people are being told that some tarp and duct tape are all that is needed.

The question was asked, “Who is going to protect us from Tom Ridge, and his bumblers in the Dept of Homeland Security…”

[IP] More bad advice from Tom Ridge…

NPR : Duct and Cover?

Now It'S 8 Million Credit Cards Stolen

Wed, 26 Feb 2003 00:22:00 -0800

“In what is believed to be the biggest credit card hacking incident so far, Omaha-based Data Processors International, which processes transactions involving Visa, MasterCard, American Express and Discover Financial Services for merchants, said in a statement that it had “recently experienced a system intrusion by an unauthorized outside party.”

Yahoo! News - FBI Probing Theft of 8 Million Credit Card Numbers

Acm Joins Opposition To Tia

Tue, 25 Feb 2003 15:15:00 -0800

o-tia

There is a story in this month’s ACM MemberNet publication on the ACM’s opposition to Total Information Awareness (TIA).

This isn’t exactly news, because the ADM letter was drafted on Jan 23. The latest status on the EPIC TIA page was Jan 24 when Amendment 59 was included in a bill to impose limits on TIA. However, the requirement that the government simply provide a report in order to continue funding seems weak. There isn’t anything defining what content within the report would be satisfactory. It sounds too much like corporate privacy policies. It doesn’t matter what is in them, so long as the company abides by it. The report could say exactly what privacy advocates fear most and TIA will still be funded. However, the catch-all requiring congress to approve use of TIA is a step in the right direction.

Santa Clara County More Clueless Electronic Ballot Junkies

Tue, 25 Feb 2003 15:13:00 -0800

Santa Clara County faces key decision on electronic ballots

“The future of electronic voting may be rewritten this week in Santa Clara County, where county leaders are weighing warnings that the touch-screen voting machines they want to buy are more prone to error and fraud than the systems they would replace.”

“Sequoia’s systems don’t produce paper ballots that voters can verify, and supervisors didn’t ask for such a device in their bid proposal. Vendors and election officials say paper ballots aren’t needed because the machines have internal safeguards, are certified by federal and state governments and tested repeatedly before and after elections.”

Ack! Read the research! Read my rant! Just stop immediately and don’t do anything yet!

“``We still believe they’re secure,’’ Assistant County Executive Peter Kutras said Friday. ``There are not any issues that should cause concern in terms of voter confidence.’’ "

Good Grief.

This is also good press for the petition that David Dill at Stanford began. Hopefully they will listen.

Study shows Linux defect rate much better than commercial Unix

Tue, 25 Feb 2003 15:04:00 -0800

A study of TCP/IP code of various commercial and open source operating systems found that the defect rate in the Linux implementation was much better than others studied.

“The Linux defect rate was 0.1 defects per 1,000 lines of code, Reasoning found. The rate for the general-purpose operating systems–two of them versions of Unix–was between 0.6 and 0.7 per 1,000 lines of code. The rates for the two embedded operating systems were 0.1 and 0.3 per 1,000 lines of code. "

Because of the very limited scope of this audit, and because who knows what specific defects were being tested out of the set of all possible defects, I would not be so quick to draw sweeping conclusions from it. However, it is very interesting in itself.

Study lauds open-source code quality

Scuba Diving Computer Recall

Tue, 25 Feb 2003 14:57:00 -0800

From RISKS 25.57.

I have friends who dive and hope to get certified myself soon so this is of particular concern.

Date: 17 Feb 2003 05:35:20 -0800 From: tom.race@skipton.co.uk (Tom Race) Subject: Scuba diving computer recall

[See also Risks in scuba equipment, Carl Page, RISKS-21.41]

In simple terms, a dive computer monitors the amount of nitrogen dissolved in the diver’s blood. Typically worn like a wrist watch, it tracks the diver’s depth and calculates the absorbed nitrogen according to a mathematical model of the human body’s various tissues.

If a diver surfaces too quickly with too much nitrogen in the body it is released as bubbles within the blood or tissues, potentially causing injury or death through Decompression Sickness (DCS). Divers typically rely heavily on a computer to tell them when to surface to avoid DCS.

The manufacturer below is being sued over the mathematical model, which has a faulty assumption, or more likely a complete oversight. The model embedded in this computer assumes that the diver on the surface continues to breath whatever gas mixture they were diving with. When the diver is using nitrox, a gas mixture containing extra oxygen and therefore less nitrogen than air, the computer will assume that they are releasing nitrogen at a higher rate than reality. Over several dives and several intervals on the surface, the state of the mathematical model and the diver’s actual nitrogen levels may become seriously different, and in the ‘wrong’ (more risky) direction.

A failure of requirements specification or code inspection? The lawsuit refers to a ‘manufacturing defect’.

I have an interest, since I have a nitrox computer from the same manufacturer. Fortunately mine is more recent, and I have not used it for gases other than air.

Tom Race

- - - - - - - - - - - - Uwatec, Scuba Pro and Johnson Outdoors Subject of Class Action Seeking Product Recall; 5 Feb 2003 Dive industry leaders Uwatec and Scuba Pro, and their parent company, outdoor equipment conglomerate Johnson Outdoors, Inc., have been sued in federal court by a former authorized reseller, Robert Raimo, seeking a mandatory recall of all Aladin Air X Nitrox dive computers manufactured before 1 Feb 1996. The suit seeks certification as a class action on behalf of all owners of the dive computers, and all persons who acted as retailers, dealers, wholesalers or distributors of the dive computers. The suit claims that 1995 model Aladin Air X Nitrox dive computers have a manufacturing defect that prevents the computer from switching from underwater to surface, or air mode when the user returns to the surface. As a result, the computer continues to calculate a diver’s decompression obligations as if the diver were breathing enriched air, or nitrox, containing as little as 50% nitrogen, while on the surface, instead of properly calculating the diver’s decompression obligations and off-gassing while the diver is breathing air, which contains 78% nitrogen. This defect causes the computer to underestimate residual nitrogen loads, and to overestimate the diver’s safe repetitive bottom times, thereby significantly increasing the diver’s risk of contracting decompression sickness (bends). The suit alleges that the defect is likely to affect experienced divers making multiple nitrox dives in a single day to maximize bottom time, such as those conducted on increasingly popular “live-aboard” dive vacations in exotic locations, far away from the nearest treatment centers capable of saving the life of a diver stricken with decompression sickness. The so-called “air-switching defect” was first described in an internal Uwatec memo dated 30 Jan 1996, which warned one of the company’s test divers about “the faulty Aladin Nitrox”. The memo described how to manually override the defect so the diver could safely use his computer until it was replaced by Uwatec. After this memo was sent to Uwatec’s U.S. management, they drafted a product recall notice. However, the suit alleges the managers were fired before they could issue the recall notice, and the defendants have maintained a “conspiracy of silence” ever since. Copies of the 1996 memo and recall notice are attached as exhibits to the complaint and may be viewed on the News section of the Web site of Raimo’s attorney, David Concannon, at www.davidconcannon.com. Raimo was stricken with Type II decompression sickness after using a 1995 model Aladin Air X Nitrox on four nitrox dives off Bonaire in Apr 2002. He is the former owner of two retail dive centers in New York. According to Concannon, the suit was filed as a class action only after Johnson, Scuba Pro and Uwatec rebuffed Raimo’s requests that the companies issue a voluntary recall. The suit was filed in Oakland, California because four other lawsuits filed by divers alleging they were injured by the same model computer are currently pending there and are scheduled for trial in Nov 2003.

Someone compromised 1% of all visa and mastercard account numbers

Tue, 25 Feb 2003 14:55:00 -0800

A 2-17-2003 very short Reuters story reports that Over 5 million Visa/MasterCard accounts hacked into

“More than five million Visa and MasterCard accounts throughout the nation were accessed after the computer system at a third party processor was hacked into, according to representatives for the card association”

This story by the BBC has more details

Great. Why were the account numbers on Internet-accessible systems. And why were the accounts not stored encrypted at the third party?

5 million accounts is about 1% of the 560 million total cards in circulation. This is huge.

Orange Alert Status Terror For Students

Tue, 25 Feb 2003 14:48:00 -0800

From RISKS 22.56

“Date: Thu, 13 Feb 2003 05:46:37 -0500 From: “Rebecca Mercuri” Subject: Risks of Doing Homework

At the faculty meeting at Bryn Mawr College on 12 Feb 2003, we were informed that a student at Haverford (our affiliated College) was arrested over the weekend when he was trying to do his homework assignment in Philadelphia. As part of the Cities project, he was taking photographs of SEPTA (our regional transit authority) facilities when he was arrested, detained for a few hours, and eventually released. Haverford administration is working to try to ensure that this event not be a part of the student’s permanent police record. Apparently taking photographs at transit facilities is cause for arrest during “Code Orange” alert, the authorities explained. Faculty were advised to be careful about assigning “field trip” projects during such alerts.

Rebecca Mercuri, Bryn Mawr Computer Science”

Not Only N Korea Can Have Nukes

Tue, 25 Feb 2003 14:23:00 -0800

A Wired article describes an unbelievable story of reporter Noah Shachtman trivially breaching the physical security at none-other-than Los Alamos National Laboratory described as “the world’s most important nuclear research facility”.

“On Saturday morning, I slipped into and out of a top-secret area of the lab while guards sat, unaware, less than a hundred yards away.”

Mobile Mp3 Quandary

Tue, 25 Feb 2003 10:14:00 -0800

What to buy…

For my birthday, I’m looking to buy myself a digital music jukebox player/recorder. There are plenty of options, but none of which meet all of my requirements.

I’m going to play the wait-and-see game for a while. There are some new Minidisc players coming out that are candidates as well, although the tradeoff is smaller capacity to get a smaller form factor and jog-proof mechanism.

The most promising product is the Neuros, although some poor design decisions, including only providing USB 1.x support, may kill this one before it gets started. The promise for me is the ability to have both a memory-based player and a hard-drive based player in one. I could take it to the gym without the hard disk pack, but still be able to add the disk for roadtrips or just the daily commute. The built-in FM transmitter is another great feature.

PC Firewire iPod Creative Nomad Jukebox Zen Creative Nomad Jukebox 3 Neuros Archos Jukebox Multimedia 20 Bantam Interactive BA1000

New Ssl Active Mitm Attack

Fri, 21 Feb 2003 15:11:00 -0800

" In a paper researchers at the Security and Cryptography Laboratory of Swiss University (Lasec) EPFL demonstrate a timing-based attack on CBC cipher suites in SSL and TLS.

The attack assumes that multiple SSL or TLS connections involve a common fixed plaintext block, such as a password. Since credit cards numbers are normally sent to a secure server only once this particular attack has little or no chance of success.

When checking emails, using for example an Outlook Express 6.x client, using a secure connection passwords are sent periodically as email is checked. This leaves the door open for an attack. "

The attack relies on the protocol being a bit too chatty in providing information . There are many limitations that make this not especially critical, although IMAP/POP clients like Outlook exacerbate the risk because they will happily keep resending your encrypted password to the server if it does not succeed.

The Register article

Peter Gutman, of cryptlib fame, posted some client-side coding suggestions to ensure that you are not at risk, regardless of whether your server is vulnerable or not:'

- Don’t retry a connection repeatedly if it fails the first time (I guess you don’t do that anyway, but some programs like Outlook try automated repeated connects).

- Add random whitespace to the initial messages so the password isn’t always at a fixed location (that is, sprinkle extra spaces and tabs and whatnot around in the lines you send up to and including the password).

-- Snip –

This changes the padding on each message containing the password, making the attack rather more difficult, and has the advantage that you don’t need to convince the party running the server to update their software. Depending on how much stuff you can send per message, you can vary it by quite a bit. In the POP case the “PASS xxx” would be a single message so you don’t have quite that much leeway, but it looks like you can add enough whitespace to make the padding random. Someone else on the list posted a followup to say he’d tried it on two servers and they had no trouble with the whitespace.

There is an excellent technical summary that I’ll have to dig up and post later. It listed out all of the limitations that could mitigate your risk.

Citibank Trying To Silence Atm Pin Security Research

Fri, 21 Feb 2003 07:17:00 -0800

Citibank is trying to prevent the disclosure of new scientific research that has apparently broken ATM PIN confidentiality protection wide-open. This is even in the face of “phantom” charges appearing on people’s accounts that banks refuse to reverse, claiming that their system is so secure that users cannot repudiate such charges.

“The card’s issuer says that’s not possible, because their ATM network is secure, and is suing the couple to recover the nearly $80,000 that was charged against the card. "

The raw archived information:

Protocol Analysis, Composability and Computation

There is a slashdot discussion

There is an eWeek article too: Attack Exposes ATM Vulnerabilities

Well-known cryptographer Ross Anderson offered this testimony in the case: ““In addition to being published material, derived from open sources, and of crucial importance to the defendants’ case, the vulnerabilities are likely to be crucially important in other cases brought in the U.K. and elsewhere over disputed ATM transactions,” Anderson wrote in his letter. “Bond plans to incorporate much of this material into his Ph.D. thesis. It is spectacularly unfair for the applicant to ask you, in effect, to prohibit Bond from including in his thesis a scientific discovery that he has already published.””

Slag your drives to thwart data recovery

Fri, 21 Feb 2003 06:58:00 -0800

A recent MIT study of 129 used hard drives indicated that people leave a treasure trove of data behind on their discarded computers.

This begs the question of how can you securely dispose of old hard drives? Well, the typical answers are to use a secure wiping program or degaussing, but these are not 100% effective.

Some people have come up with a foolproof method called Drive Slagging which involves melting down the platters and essentially creating aluminum ingots.

Not exactly do-it-yourself though :-)

Ebay Rolls Clock Back To 1984

Thu, 20 Feb 2003 02:32:00 -0800

-1984

“Big Brother is watching you - and documenting eBay, ever anxious to up profits, bends over backward to provide data to law enforcement officials”

Buyer (and seller) beware…

Ha’aretz - Article

TurboTax copy protection mucks with sectors on your hard disk

Wed, 19 Feb 2003 14:30:00 -0800

DRM is getting even more annoying, dangerous, and insidious. Intuit thought that it would be necessary to utilize a product called SafeCast to prevent unauthorized copying of its popular TurboTax product. Extremetech did some testing and found that SafeCast copy (not copyright) protection relied on modifying sector 33 on your hard drive outside of your operating system. This is not necessarily a Good Thing ™

TurboTax Test Results Part II

What to do now? Should you use TurboTax or switch to a competitor’s product? Well, Intuit has been listening to the complaints and have offered some concessions, including assurance that a version of TurboTax that won’t require “activation” to utilize will be released after October 2003, allowing SafeCast to be uninstalled when TurboTax is uninstalled. TurboTax: So What Do I Do Now?

Timeline of the problems and Intuit’s response Most interesting here was this note that “Analysts sharply question Intuit about TurboTax product activation.” when they reported their quarterly results on February 13.

To Thwart the Identity Thieves

Mon, 17 Feb 2003 11:39:00 -0800

There is an excellent article in BusinessWeek on what is supposed to be the fastest growing crime in the U.S.: Identity Theft. I agree that only radical reform will solve the problem. However, I always think that the solutions focus on symptoms of the problem disclosure of customer identifying information) and not on the root cause of the problem (insufficient authentication (i.e. PROOF of identity) requirements by credit issuers). Your identifying information should not have to be secret. That is the mark of an insecure system.

The biggest problem with identity theft is the human element though. Consumers really don’t want the additional security that would prevent identity theft because of the additional hassle it would cause them. I hear all the time about people who get offended by having to show I.D. for financial transactions–even when it is explained why this is necessary. It must be that people are natuarally trusting and to have someone challenge their authenticity is offensive. Perhaps it takes becoming the victim of identity theft to actually see that there are rational reasons to have better security…

I do like the idea of a market-driven solution. There are plenty of areas where the market fosters very poor security. Government mandates can change this tide and force novel approaches, like the one in this article.

BW Online | February 11, 2003 | To Thwart the Identity Thieves

Richard Forno Let Go Rants About Symantec

Mon, 17 Feb 2003 09:53:00 -0800

Richard Forno was let go by Symantec, coincidentally right after he had politely complained in a letter about the extremely inefficient payment procedures they brought with them to SecurityFocus.

I really enjoyed his commentary so I hope to see him show up somewhere else soon!

symantec-bitch

Computer Security And Intelligence Web Links

Mon, 17 Feb 2003 08:58:00 -0800

The C4I.org - Computer Security and Intelligence website has, according to the author, “little nuggets” of information he finds “interesting enough to post online”.

The most interesting thing that I found there (so far) is Tradesports.com where people are betting on current events, such as whether or not Saddam will still be in power as of March 31.

-Jason

The Myth of Security at Canada�s Airports

Mon, 17 Feb 2003 01:01:00 -0800

07:00

Senate Committee on National Security and Defense in Canada recently released a report on the new airport security measures.

Entitled, “The Myth of Security at Canada�s Airports”

“…measures have reassured many travellers that security has been tightened at Canadian airports since the tragic events of September 11, 2001. The problem is that there has been little or no improvement to huge security gaps that persist behind the scenes in the Canadian travel industry. "

There is also a full-disclosure debate arising over whistle-blowers who may point out that money or effort is being misdirected:

“Our basic premise: You can be sure that ships really will sink if they have a lot holes in them. And those holes aren�t likely to get patched unless the public applies pressure to get the job done. They certainly aren�t patched yet. "

Security measures should be able to withstand scrutiny.

Fifth Report: The Myth of Security at Canada�s Airports

Viacom won't run anti War ads

Sat, 15 Feb 2003 14:49:00 -0800

With all of the millions of protesters out there this weekend, you would think that Viacom would not be opposed to a fairly popular viewpoint being broadcast. However, they have refused to run an anti-war ad by MoveOn.org and have given an alleged lame rationale.

The organization was going to pay for the ads just like any other entity would. Interestingly, “According to Boyd, the donations came rolling in�after just two hours the group had met its goal.” They raised $75,000 through an e-mail campaign in 2 hours!

Billboard Ban

Viacom won’t run the ad but you can view it on MoveOn.org’s website.

MoveOn.org’s poster:

Reckless Administration May Reap Disastrous Consequences

Fri, 14 Feb 2003 08:33:00 -0800

Senator Robert Byrd made this excellent speech on the negative consequences of the Bush Administrations actions and policies.

Some gems:

“To contemplate war is to think about the most horrible of human experiences. On this February day, as this nation stands at the brink of battle, every American on some level must be contemplating the horrors of war.

Yet, this Chamber is, for the most part, silent – ominously, dreadfully silent. There is no debate, no discussion, no attempt to lay out for the nation the pros and cons of this particular war. There is nothing. "

“This Administration, now in power for a little over two years, must be judged on its record. I believe that that record is dismal.”

“Calling heads of state pygmies, labeling whole countries as evil, denigrating powerful European allies as irrelevant – these types of crude insensitivities can do our great nation no good. "

https://www.commondreams.org/views03/0212-07.htm

Aba Taking A Stand Against Bush Administration

Thu, 13 Feb 2003 15:32:00 -0800

A Feb 10 American Bar Association resolution “urges Congress to ensure, through appropriate legislation, regular and timely oversight, and expanded reporting requirements, that the FISA is used only when the government has a significant foreign intelligence purpose – as required by the USA PATRIOT Act – and not to circumvent the stricter Fourth Amendment warrant requirements applicable to ordinary searches and surveillances. "

The ABA also lambasted the Bush Administration for denying so-called “enemy combatants” the right to meet with counsel. The vote was overwhelming, but not unanimous. About 70 or so ABA members voted against this measure.

Excerpt from EPIC Alert 10.03.

Patriot 2 Encryption An Aggravating Circumstance

Thu, 13 Feb 2003 15:23:00 -0800

Declan McCullagh asks a good question on the cryptography list:

When encryption is omnipresent in everything from wireless networks to hard drives to SSH clients, might the basic effect of such a law [Patriot 2] be to boost potential maximum prison terms by five years?

It is a terrible idea to presume that using encryption is an aggravating circumstance. “Why are you using encryption? You must have something to hide…”

Original SAFE Act: https://thomas.loc.gov/cgi-bin/bdquery/z?d105:h.r.00695: Leaked new Patriot Act 2 draft: https://www.privacy.org/patriot2draft.pdf

World's Most Stupid Security Measures

Thu, 13 Feb 2003 15:16:00 -0800

“Human rights watchdog Privacy International has launched a quest to find the World’s Most Stupid Security Measure. "

https://www.theregister.co.uk/content/55/29279.html

There were some preliminary examples in discussion on the cryptography mailing list.

E Voting In Washington Say Goodbye To Election Integrity

Thu, 13 Feb 2003 14:07:00 -0800

“The most important question to ask is this:

With respect to this year’s all-electronic voting machines, is there any meaningful evidence that the vote you cast was correctly recorded – that is, evidence that there were no misconfigured systems, accidents, internal fraud, etc.? For almost all of the existing systems (with the exception of one that actually incorporates the Mercuri Mechanism, namely, Avante), the answer is an UNEQUIVOCAL NO. This is an untenable situation if you believe in election integrity, IRRESPECTIVE of your party affiliations.”

-- Peter G. Neumann

Electronic voting is very, very dangerous. Don’t even get me started on Internet voting. There is only one known product on the marketplace that has done their homework and implemented the correct mechanism for ensuring election integrity that the research community has identified (the Mercuri Mechanism, above).

There are tons of published cases of errors and delays caused by electronic voting that has been done around the country in practice, including more votes being counted than registered voters in the precinct.

Here is one list: https://www.csl.sri.com/neumann/illustrative.html#24 And another: https://www.csl.sri.com/users/neumann/book-voting.html

Washington State is even looking at Internet Voting: https://www.secstate.wa.gov/elections/evoting_paper.aspx

I heard and saw Sam Reed talking about an Electronic Voting pilot in Washington State on the news. Here’s a press release: https://www.secstate.wa.gov/office/news.aspx?news_id=150

This is an area that fascinates me because of all of the research that has gone into this area that public officials ignore on the dangers and how to do this correctly. They are often giving way too much credence to vendors that tell them all is safe. I would love to ask the people doing these pilots how they plan to assure voters of the integrity of the election, especially when e-voting machines are often closed-source and cannot be reverse-engineered because the companies claim trade secrets and will probably sic the DMCA on you.

When I get some time, I need to write some letters to representatives in this state. I will include these folks:

Sam Reed, Secretary of State Dean Logan, Director of Elections (elections@secstate.wa.gov) David M. Elliott, Assistant Director of Elections

To find the representatives in your district, check out https://dfind.leg.wa.gov/dfinder.cfm

In the meantime, there is a petition that you can sign up with:

https://verify.stanford.edu/evote.html

A ton of big-name researchers and security experts have already signed it.

And two renowned experts in electronic voting:

Rebecca Mercuri, Ph.D. https://www.notablesoftware.com/evote.html (been researching for over a decade). " Her position statement: https://www.notablesoftware.com/RMstatement.html

Peter G. Neumann (moderator of the ACM Risks Forum): https://www.csl.sri.com/users/neumann/ and a paper at https://www.csl.sri.com/users/neumann/ncs93.html His excellent summary of the issue: https://www.interesting-people.org/archives/interesting-people/200211/msg00090.html

Avi Rubin has also written a paper on this topic: https://avirubin.com/e-voting.security.html

NPR also just ran a segment on the risks of electronic voting during Morning Edition Feb 10, 2003

About

Mon, 01 Jan 0001 00:00:00 +0000

I’m Jason Axley and The Truth Imperative is my blog.

As an application security professional and software developer, you’re going to see some geeky postings that relate to my vocation.

As a skeptic, tinkerer, geek and vehement believer that shining a light on the truth is a moral imperative, you’re likely to find many of my thoughts and posts that serve to explore our pale blue dot, technology, and the follies of the human condition.

As a humanist and father, you’re also likely to see some parenting-related research, facts or tips pop up here and there.

Disclaimer

The opinions expressed on this site are mine alone and do not necessarily reflect those of my employer

Posts Archive

Mon, 01 Jan 0001 00:00:00 +0000

The Truth Imperative (Full Posts Feed)

Subscribe

Artificial definitions

My Mentoring Journey with Community For Youth

Update: Google Play store not taking advantage of Safe Browsing data to inform risk of apps in the store

Google Play Safe Browsing Safer Android Mobile Ecosystem

Beating The Open Source Is More Secure Straw Man

Free Community For Youth Lunch That Will Feed Your Soul

Community For Youth Changes Lives. I Know – It’s Changed Mine!

Share in the Community Experience

Get Inspired

Ios Clients Not Vulnerable To Heartbleed What Does The Source Say

Using VNC to securely connect to OSX without exposing an unlocked console

I Get An Irs Scam Voice Mail

Transcript

What's wrong with the Amazon mp3 store on Android?

Seattle Area segregation

Humorous Page Not Found Error Page

Information Warfare Via Url Shorteners

Seattle Infosec calendar

What can we learn from the ZRTPCPP / Silent Circle debacle?

07:00

Mountain Lion Easter Egg References Debut Of Original Apple Macintosh

Ross Anderson Response About Payments System Weakness

Zombie Juxtaposition blog coming back to life

Devaluing Harassment

The Truth Imperative: What's in a name?

Beautiful Life Diary To Cultivate Happiness

Christmas Car Break In

Abc News Poll On Tsa Scanners Misleading

Skepticblog » Get Fed Up: Report Medical Quackery to the FDA

Google Voice Chat Qos

Understanding Atheists/Agnostics

Favorite New Android Apps

Rooting And Optimizing The Sprint Htc Hero Cdma-

Taxonomy of Blue Angels Haters: What kind of hater are you?

Stupid Android market bug STILL affects 2.1 OS

At T Leaks Email Addresses Of 114 000 Ipad Users

SurveyMonkey has crummy logon security

Alcohol Caffeine And Pregnancy

Proof That Iframes Are Not Risk Free

Aap Against Female Genital Mutilation After They Were For It

Every Baby Knows Science

Weather forecasting terms explained

Deleting Lines And Non Matching Lines With Vim

Dispute With Seattle Public Utilities Over Alley Trash Collection

Notable Quotable Skeptic Is Not A Bad Word

Excellent Infographic On Health Care Reform Implementation Plan

Passwordcard A Low Tech Wallet Password Manager

throw new DumbCodingException

Infographic On Efficacy Of Popular Supplements

Excellent Primer On Tree Pruning

Virtual PC - VMware breaks mouse

Facebook Broken In Firefox Brought To You By The Letter Quot S Quot-

Nutritiondata Know What You Eat

Reigning In Credit Card Companies Begins February 13 2010

New Study Suggests Exposure To Microbes As Kids Is Healthy

The "Alternative" medicine trash heap

Daily Nasal Irrigation May Encourage Sinus Infections

Iphone Worm Warning To Rooted Android Users

Securely rooting your HTC Hero

Gmail Suppresses Copies Of Mailman Posts To Yourself

Colorpulse Carl Sagan Ft Stephen Hawking Quot A Glorious Dawn Quot-

Flash App To Find Flickr Photo Set Ids

My First Greasemonkey Script Now Available

Free West Seattle Wi Fi

Obama Does Not Go Far Enough With Financial Regulation

Why I hate my 2wire DSL modem

Study: Who Causes Bicycle Deaths? (90% of the time, motorists)

What the Internet knows about you scary

Eerie Similarities To Grisham Non Fiction Book With Georgia Case

Glenn Beck Zaniness Continues

One Car Show I'M Not Sad I Missed

Latest Entry In The Horrible Ui Category

Palin Haiku Entries

Prediction 'Persecuted Christian' Propaganda Chain Email Fodder

10 Things Obama Did Wrong On Health Care

Quot Uncle Sam Quot Billboard Spouts Birther Nonsense

Evidence Based Government Succeeds In West Seattle-

President Carter Courageously Quot Sever S Ties With The Southern Baptist Convention Quot Over Women'S Rights