Sledgehammer's Cycles

Sledgehammer's Cycles
Sledgehammer's Performance and Custom Cycles

Wednesday, December 31, 2008

New Shooter Report (Chicks with Guns version) with CZ 75

Well, we got back to the range with the lovely and increasingly accurate Mrs. Borepatch and Sister In Law (S-I-L), and this time we actually shot. This was a new experience, in that not only can I put up post a new shooter report, but I can shoeblog at the same time!

Now technically, S-I-L was not strictly a new shooter, as she'd been shooting once with her family when she was a girl. Since then, she hadn't shot while going to college, getting married, having kids, and seeing them grow up to become Lance Corporals. So it was pretty close to a new experience for her.

No pumps this time. Instead, the gun club was treated to tasteful black suede boots to match a tasteful black CZ 75 P-01 in 9mm parabellum. Black goes with everything, and would nicely match a gentleman's tuxedo for a New Year's Eve party. Remember to properly accessorize, gentlemen.


As before, we went over the four rules, plus Greg Morris' Rule Five. I would have preferred to try something smaller (New Shooter violation! Bad Ted!), like the SIG 232 in .380 ACP. However, once S-I-L figured out the "dominant eye" concept, she took to the 9mm like a duck takes to water. At 15 feet, she kept half of her rounds in the ten ring of the silhouette target.

She's going back, with hubby and Lance Corporal son in tow. I expect that she'll be giving them pointers.

The CZ 75 is a pretty friendly pistol. Recoil is modest, which was good since this was a new shooter day. The sights are very nice - black square posts with white dots on both the front and rear sights that make it very easy to allign.

The trigger is one of the two-stage variety, so there was a fair amount of take up, but then it gave a decent break. Not the best trigger I've shot, but good considering the price they charge for the pistol. In any case, it was easily manageable. If I were to buy one, I'd consider investing in a trigger job from a local gunsmith I trust, but this one is fine to shoot straight from the factory.

As for accuracy, it's more accurate than I am, although that doesn't say a whole lot. 25 feet, slow fire.

Oh, and the standard disclaimer:
I'm not any kind of gun or shooting expert. I like shooting, and shoot a fair number of different guns, but I'm really a dilettante. Your mileage may vary, void where prohibited.

I don't do scientific, repeatable tests. There's no checklist, although that's not a bad idea. I write about what I like and don't like, but it's pretty much stream of consciousness. Opinion, we got opinion here. Step right up.

I'm not a shooting teacher, although I do like to introduce people to shooting. Maybe some day I'll take the NRA teaching class, but until then, you get a dilettante's view. You'll get opinion here, but if you get serious about shooting, you'll want to get someone who knows what he's doing to give you some pointers. It can help.

And oh yeah, shooting things is fun.

Internet Security 2008 as a Spaghetti Western

John Leyden at The Register puts it in cowboy terms.

Security pundits are fond are characterising personalties in information security with reference to Westerns - hence hackers wear either a "black hat" or a "white hat" like their cowboy counterparts.

More recently these analogies have been replaced by comparisons with the horror genre. Security firms (usually ill-advisedly) talk about "silver-bullet" security technologies and, of course, networks of compromised PCs are called zombie botnets. Call us old fashioned but we still prefer the Westerns and, in celebration of one of the few quintessential American art forms (alongside jazz), we'd like to take a look back at 2008 in information security through the lens of classic Westerns, with a few Vulture Central casting suggestions.

This is pretty clever, and for those of you who aren't Internet Security geeks, it provides great context about what's happening.

Friends don't let friends browse with Internet Explorer

Background here.

Party Time 2009

Tuesday, December 30, 2008

What is it with stupid Chicago criminals?

And no, this time it isn't a politician - it's a plain old bank robber. The dumbest bank rovver of all time.

We wrote the stick-up note on the back of his paystub:
According to the Chicago Tribune, 40-year-old Infante last Friday handed the written demand, scribbled on half of the pay stub, to a teller in a Fifth Third Bank in Chicago. It read: "Be Quick Be Quit. Give your cash or I'll shoot."
Ignoring the failure of the Chicago public schooling system to teach proper spelling, perhaps Mr. Infante can share a cell with Mr. Blagojevich.

Range Report - Sig Sauer P232 with Mrs. Borepatch

The lovely and dead-shot-even-without-her-contacts-in Mrs. Borepatch came shooting with me yesterday - and this time, she was enthusiastic:
No, pigs still can't fly, but today I went shooting willingly, nay eagerly, with my hubby and #2 son. Let me explain my abrupt change of heart.
I won't spoil the rest of it, you should RTWT, especially if you're a guy - like me - who would like to get your better half out to the range more often.

She wanted to try the 1911, which is #2 Son's favorite. I was a little concerned about the recoil - she's still a pretty new shooter - and so we also tried out a SIG P232 in .380 ACP. It wasn't the "pretty Beretta" that she saw the other day, but it was close.

I was interested, since I'd never shot a .380 before.

Boy, howdy - this sure is fun to shoot. It's very lightweight, which makes it just "snappy" enough to be a lot of fun. While I don't want to get in the middle of stopping-power holy wars, this is a very compact pistol, and I can see why people might like to use this as a carry piece, particularly in the summer when you don't have bulky coats to hide your 1911 (picture compares SIG and .380 ACP round to CZ Dan Wesson Commander 1911 and .45 ACP round).

The sights are very nice - square black posts with white dots on both rear and front sights makes alignment fast and accurate. 25 feet, mix of .380 and .45, but mostly .380, slow fire. Unfortunately, I'm pretty clueless about what "follow through" is, so the target, while interesting, wasn't always as helpful as I'd hoped. Both my regular readers know that I'm more than a bit of a dilettante, anyway.

First time I've been called a "jerk" by a target, though (lower left hand corner).

The trigger struck me as being OK - I didn't particularly notice it being especially bad, or especially good. Since trigger break is one of my pet peeves, I'd think that most folks would make friends with this trigger pretty fast.

Now this is a light pistol, so getting back on target is something that I imagine that you'd want to practice. It's certainly not hard, and the recoil is perfectly manageable, but Sir Isaac Newton will have his due - less mass in the pistol, more movement in the recoil. My lovely bride thought it was easier to shoot than the 1911 (no surprise, really).

When we get around to buying a pistol, I could see something like this make an appearance Chez Borepatch, although I'd think that she'd want some nice rosewood grips. I could also see an appearance by something like the CZ 1911 - and the smart money is betting on rosewood grips there, too. Personally, if this gets her out to the range with me, I don't care if it's hand-carved Mammoth Ivory.

But Mrs. Borepatch makes a comment that the shooting world could take to heart:
Now, my husband and son do not mind the more downscale, bare bones, and undeniably macho atmosphere, in fact I think they even like it. However, but if they want me to accompany them more frequently, or the gun world wants to attract more women shooters, it would help if we had a nice place like to go like the one in Scottsdale. That's a place I could envision going with a group of my friends, and then out for a bite to eat or shopping. So, the atmosphere was pleasant, I found a couple of pistols I like, and I shot really well. So, today I had fun and felt empowered.
She'd introduce a bunch of her friends to shooting if there were ranges that catered more to women. She's right - #2 Son and I don't particularly care. But you know, we'll go anyway - she won't. If we want to attract more women to shooting - and gentlemen, I know that you do - then this is something that has not been on-target so far.

Oh, and the standard disclaimer:
I'm not any kind of gun or shooting expert. I like shooting, and shoot a fair number of different guns, but I'm really a dilettante. Your mileage may vary, void where prohibited.

I don't do scientific, repeatable tests. There's no checklist, although that's not a bad idea. I write about what I like and don't like, but it's pretty much stream of consciousness. Opinion, we got opinion here. Step right up.

I'm not a shooting teacher, although I do like to introduce people to shooting. Maybe some day I'll take the NRA teaching class, but until then, you get a dilettante's view. You'll get opinion here, but if you get serious about shooting, you'll want to get someone who knows what he's doing to give you some pointers. It can help.

And oh yeah, shooting things is fun.

What the Well-Dressed Gentleman is wearing

Remember, gentlemen: your lovely ladies will appreciate seeing you putting on the Ritz in your tux this New Year's Eve. And don't be caught without some shooty goodness!

Shotgun shell cufflinks. Didn't see any shotgun shell studs, though. I suppose that a gentleman must have standards.

Monday, December 29, 2008

After twenty years of marriage ...

... I've learned that you don't mess with the Zohan lovely and scary accurate Mrs. Borepatch.

Her contacts were bothering her, so she took them out. Boy, howdy.

She doesn't come to the range very often, but she had fun this time. Stop by her place and tell her to go again sometime!

That was fast

Seems Walmart is selling some tricked out digital photo frames (you know, you upload your digital pix to it, and it displays them). Seems it comes with some complimentary software.

Malware.

No extra charge, folks.

Now why would someone want to do that?

The Fine Print®:

It may be that this is not malware, but rather, the software was packaged with software that is often used to pack up malware. In other words, the antivirus software recognizes signs of the packer, rather than malware per se.

It doesn't matter one bit. This was clearly not tested with antivirus scanners, which means that the manufacturer doesn't care whether you get infected with actual malware. Seems that WalMart doesn't care, either. This sort of test isn't exactly rocket science.

Don't spend it all in the same place

The Great Minds of Science have decreed that there will be a Leap Second added to December 31. Time is money, people.

Hat tip Slashdot, where as usual, the comments deliver up the snark.

A Failure of Imagination

It's a bit old news now, that the American Express web site americanexpress.com had a nasty Cross Site Scripting vulnerability that would let a Bad Guy harvest all the Amex user's authentication cookies.

Cross Site Scripting is an attack technique that lets random people add their own (typically malicious) code to a web site. There's a painless flash demo of how it works here. XSS (as it's called) has been around for about ten years now, so it's rather dismaying that you still see it, especially in high visibility sites like Amex.

Especially because the credit card companies - including Amex - require that people who handle credit cards online ensure that there are no XSS vulnerabilities in their web code. Oops.

Even worse, it seems that the guy who discovered the vulnerability tried to tell the Amex folks, and they ignored him. For weeks.

McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.

"I believe they have an obligation to respond, even if it's brief and callous," McRee told El Reg. "You don't have to be polite. Just fix it."

Sigh. All fixed now, so that's not the point of this post. The question is How come this keeps on happening? After all, XSS has been known for about ten years. Heck, buffer overflows have been known for over thirty years and we're still seeing them.

The answer, sadly, is that programmers lack imagination. There, I said it. Sorry to all my friends who are programmers, but with the exception of about five of you, unfortunately, you lack imagination.

Specifically, validating user input (what users type into forms and that sort of thing) is tedious and boring, and in looking for a reason not to have to do it, you ask The Question:
Why would someone do something like that?
The classic way to find a buffer overflow is to get a form field and type a thousand "A" characters. The program doesn't expect that (the programmer didn't check user input), and so makes the assumption that the buffer contains no more than, say, 100 characters. Boom.

Why would someone do something like that?

I've posted this cartoon before, but it illustrates what happens when you don't validate user input.

Database commands entered into a web form? But why would someone do that?

Sigh. (Uses quiet, patient voice that you use when talking to a loved but rather slow child)
Because, punkin, there are Bad Guys out there. Sometimes they want to steal things, and sometimes they want to hurt people, but they're bad. That's why we call them Bad Guys. I'm so terribly sorry that you have to learn this, but you're old enough to know it, and when you're a grown-up, it will be important for you to understand this.
The problem with the web is that web pages are a horrid mix of text ("web pages are a horrid mix of text") and code:
if(window.addEventListener) {
window.addEventListener("load",
function(){ object[attribute] = val; }, false);
It's all on the same page, and it's all munged together. You can see it yourself, if you want to. In Firefox (you're not using Internet Explorer, are you?), go to the "View" menu, and select "Page Source." Voila! Javascript city!

Sometimes code takes user input, and mostly it doesn't. Now imagine that you're the developer who is writing a major site's web site - maybe hundreds of thousands of lines. Find the XSS flaws. Go ahead; we'll wait.

Actually, we won't. And your boss won't, either. Time is money, and the site has to go live, and get it done already, mkay? There's always time to fix it later, although somehow nobody ever does. Besides, why would someone do something like that?

We're going to keep seeing this sort of thing, folks. The reason is that the incentive structure is working against us. Spot who loses when there's a XSS flaw:
The Line of Business VP. He's all about profit and loss, and going online helps his profit.

The Director of Software Development. He's all about programmer efficiency - how many lines of code per dollar spent. Code reviews and testing take time, don't generate any lines of code, and while it improves code quality, this is astonishingly hard to measure well.

The Software Developer. He's all about meeting the deadline, and to a very small amount, he's about the number of identified bugs per line of code (yes, kids, that's precisely how it works).

The poor sod End User. Its his credit card or identity that gets stolen.
So, dear End User, you're screwed. Don't feel bad, I am, too. That's why I work really hard to limit the damage that can happen. That means giving up some pretty attractive things - like online banking.

Why would someone do something like this? We've asked that before.

Sunday, December 28, 2008

Perspective

JPG has a great post about films from his youth. In it, he said something that made me stop short.
One of my favorite observations is that “Age doesn’t necessarily bring wisdom, but it does provide perspective.”
That seems right. And so, in the spirit of the transition from the old year to a new one, I have a confession: I used to be a snob.

Even worse, I'm not sure that I knew it. I was focused on the Right Wines, or interesting European travel destinations, or reading the right (properly intellectual, that is) books.

Perspective has given me this realization: I'm sorry. It's taken a while to get to this point, but it's a huge relief to be here.

Nowadays, I get a kick out of people doing their own thing. Like this gentleman (it's almost certainly a gentleman, in my experience). He gets a kick out of lighting up his yard with Christmas cheer, and why the heck not? Sure, this would bug the heck out of the Conde Nast Traveller crowd, or even the Garden and Guns crowd. Perspective says that's not a bug, it's a feature.

Wrapping your palm tree with lights, and lining your walkway with glowing candy canes, all presided over by an inflatable Snowman - this is what liberty looks like.

Bravo Zulu, sir. Bravo Zulu.

And you know what real freedom is? Neighborhood competitions to see who can get the most tricked out holiday lighting:

The Baby Jesus, Santa on a Polar Bear (bear hidden by the bush, sorry), and the Angel Gabriel. Plus light-up icicles on the eves. And a light up reindeer behind the bush. The winning house* has the ultimate holiday light show:
  • The Baby Jesus in a creche;
  • Light up, inflatable Frosty the Snowman;
  • Santa; and
  • Mickey Mouse in an inflatable snow globe.
I love every bit of this. Made. Of. Win. What a great country.

Sometimes - not often, but sometimes - getting old is teh awesome.

* Sadly, we only saw this during the day. If I find it again, I'll post a picture of it, lit up at night.

Blogging will resume tomorrow

I think. Travel and technical difficulties have slowed things down a bit.

Advice to the Linksys Product Manager

I've used your stuff for years, so here's some constructive criticism that would keep me from switching to Netgear.

If you're going to call your setup program "EasyLink Advisor", then it should be easy, mkay?

Otherwise, you should probably call it "Easy-if-you're-set-up-the-way-I-think-otherwise-it's-a-bitch-Link Advisor".

Vista is here to stay. You really should handle it.

Your software should be smart enough to know that it is getting installed on Vista. It should be smart enough to say "Hey, IP version 6 needs to be turned off, or you won't be able to get on Al Gore's Intarwebz." It should really be smart enough to say "Hey, IP version 6 needs to be turned off, or you won't be able to get on Al Gore's Intarwebz. Do you want me to do this?"

I'd think that this would cut down on a bunch of support calls. Support calls = $$ to you, which is your problem. Support calls = pain in the butt to me, which is my problem. I think we're both unhappy right around now.

Please don't make me downgrade Acrobat Reader before you install your User Guide.

It's not polite. Besides, I won't do it. And if you hide your User Guide on your web site, you'll get another support call from me. Just because you can't be bothered to install a dang PDF doesn't mean that I'll let you muck with my applications.

If your PC software is so obviously shoddy, what does that say about your router software?

I know, I know, these are different projects, run by different teams. I also know that the PC software group really isn't your A Team. But when your PC software simply doesn't handle errors or unexpected conditions, it suggests that your router software doesn't, either.

Now, I actually don't think that this is the case. I actually think that your router software is pretty good, even if your PC software is teh suX0Rz. But I think so, I don't know so. You put a Linksys brand on lousy software, you start to pollute the brand.

Hokey Smokes, dude, I'm a long time customer and I'm about spitting nails here. A new customer would have this cute little router back at Wally World by now.

You know what it costs to acquire a new customer. You also know that it's essentially impossible to reacquire a customer who gets so frustrated that he switches to a different brand. This is the second time this has happened to me with your stuff.

Pleasepleaseplease can this be the last?

I only say this because I care.

Saturday, December 27, 2008

Keith Urban - Somebody Like You

The lovely and discerning-judge-of-hunky-men Mrs. Borepatch was the one who had the idea of doing a month of hunky country music stars. Her favorite country hunk is a little different from they typical Country act. He doesn't wear a cowboy hat or boots, he doesn't have a short haircut, and he isn't american (he's a kiwi).

Keith Urban writes his own music, plays a mean guitar, and is married to Nichole Kidman. In many ways, he is a typical "ten year overnight sensation" - someone who works for a decade before Nashville notices, and then explodes onto the music scene.

After working for ten years as a studio guitarist, Urban's breakthrough was in 2002, with the ARIA Country album of the year, Golden Road. Somebody Like You captures the optimistic spirit and rock crossover of the "New Country". The video is one of Mrs. Borepatch's favorites: hot people, hot music, and a hot Jeep (OK, that last was mine).



(Songwriters: Keith Urban, John Shanks)
There's a new wind blowing like I've never known
I'm breathing deeper than I've ever done
And it sure feels good to finally feel the way I do
I wanna love somebody, love somebody like you.

And I'm letting go of all my lonely yesterdays
I've forgiven myself for the mistakes I've made
Now theres just one thing, the only thing I wanna do
I wanna love somebody, love somebody like you

Yeah I wanna feel the sunshine shining down on me and you
When you put your arms around me
You let me know theres nothing in this world I can't do

I used to run in circles going no where fast
I'd take one step forward and look two steps back
I couldn't walk a straight line even if I wanted to
I wanna love somebody, love somebody like you

Whoa here we go now
Yeah, Hey i wanna love you baby

Yeah I wanna feel the sunshine shining down on me and you
When you put your arms around me
Well baby there ain't nothing in this world I can't do

Sometimes it's hard for me to understand
But you're teaching me to be a better man
I don't want to take this life for granted like I used to do
I wanna love somebody, love somebody like you
I'm ready to love somebody, love somebody like you
And I wanna love somebody, love somebody like you (yeah)

Hey I wanna love you baby
Other hunky men from December's Saturday Redneck:
Blake Shelton - Don't Make Me
Tim McGraw - Suspicions
Jason Meadows - 100% Cowboy
Next month will be Hot Country Ladies on Saturday Redneck.

Friday, December 26, 2008

Zero Rounds Expended

#2 Son and I have been looking forward to shooting with nephew Daniel, back from a tour in Iraq. His mother was interested in shooting, so it was a double win. Then the lovely but rarely shooty Mrs. Borepatch wanted to go, and nephew Dan's father, so it looked like we had a day made of win.

We went over the four rules of gun safety, although I also introduced Greg Morris' Rule Five, which I think is simply an outstanding idea with a new shooter. Then we saddled up and headed to the Scottsdale Gun Club range.

It was packed. I'm not a member, since it's a long drive to go shooting here if you live in the People's Republic of Massachusetts. We put our names on the list, then had a leisurely lunch, and we still weren't anywhere near the top of the list. So we reset to a different day. Oh, bother.

And then my lovely bride whispered the words in my ear that sent a thrill up my leg.
Let me show you the gun I like.
The Beretta Cheetah, in .380 ACP. She also found a Springfield 1911 with nice rosewood grips, but this was the one that she kept coming back to. She was positively enthusiastic: by gosh, she didn't want this in her purse (because she can't find her keys in her purse sometimes), she wanted a holster.

"Who are you," said I, "and what have you done with Mrs. Borepatch?"

We had a chat about this on the way back. The Scottsdale Gun Club is the nicest gun club I've ever seen, and this made a big difference to her. Lots of women there shooting - normal, soccer-mom type of women - and this made a big difference to her. The atmosphere was upscale, which made a difference to her. My sister-in-law had gotten a little dressy (red dress and pumps), and the idea of going out nicely dressed appealed to her, too.

It was the type of place that she could see herself going with her girlfriends for some self-defense practice, and maybe a manicure later.

Now I don't care about any of that - an old Rod and Gun place is fine for the likes of me. But anything that makes her think that not only might she want to own a gun, but she might want to own that particular gun, well that's Made Of Win.

So, mission not accomplished, and mission WAY accomplished. We'll get back to the range, and get a new shooter report to boot. And it will come with a Range Report for that sweet, sweet Beretta .380.

It's been a good day, Scooter.

Gonna be a good day, Scooter

Off to the range with Nephew Dan, back from Iraq. Range Report later, and maybe a New Shooter Report, too.

And the lovely and on-target Mrs. Borepatch is coming! Happy Dance time!

Security problems in Voting Machines?

Who would have seen that coming? Well, it seems not officials from the Great State of Maryland, who are suing the vendor to recover the cost of fixing the darn things.
The claim against Texas-based Premier, formerly Diebold, alleges that state elections officials were forced to spend millions of dollars to address a host of security flaws in the machines from 2003 through the November election.
So no big deal, right? I mean, what could possibly have gone wrong?
Many of the problems could have compromised the integrity of the election had they not been fixed, officials said. Now the state wants its money back.
Oh.

You know, I don't see what's wrong with the old paper ballots. Yes, it takes longer to count. Yes, things become hairy if the election is super close like in 2000. But you can't have them, you don't have to have thousands of system administrators to cover technical problems at the polling stations, and you simply don't have questions about whether the election results can be trusted - the system is transparent, in that you don't need a MIT PhD to understand how the totals were computed.

Biggest sources of Spam in Thailand?

Is the new Thai Prime Minister.
Prime Minister Abhisit Vejjavjia assigned deputy Democrat leader Korn Chatikavanij to seek cooperation from three mobile phone network operators, AIS, DTAC and True, to send SMS messages to people, asking them to help the prime minister solve the country's crisis.

Interested callers are asked to send back their postal codes, costing them three baht.

After a user sends the postal code, he or she receives a message saying, "I am Abhisit Vejjajiva. Thank you very much, and I will get back to you."

So the new PM spams the entire country. What could possibly go wrong?
Ms Saree said many consumers had complained about the messages.
Wow, didn't see that coming.

Note to Democrats: I know that y'all are excited about the new President-elect and everything. But if anyone says "Hey, I have an idea! Nation-wide spam will bring the country together and help solve the fiscal crisis!" can you pretty please put him on the next tramp steamer to Wasilla or something?

Hat tip Slashdot, where - as expected - the comments provide quality snark:

GOOD DAY TO YOU SIRS OR MADAM

I AM [PRIME MINISTER OF KINGDOM OF THAILAND]. I HAVE BUSINESS PROPOSITION TO MAKE YOU. Have URGENT POLITICAL CRISIS to get out of the country; need you to send 10c ([TEN CENTS]) to me and it's yours.
Is NOT pyramid scheme

Signed,
[Thai prime minister]

Heh.

No more VHS Tapes

The last US supplier of VHS tapes is going to stop carrying them. If you want 'em, buy 'em now.

If you're like me, you're probably surprised to hear that there are still VHS tapes around. Seems there was quite a niche market for them:

But as shops unloaded their unwanted VHS inventory, Florida-based Distribution Video Audio was there to scoop up the refuse and make a tidy profit. Distribution told The LA Times it sold more than four million VHS videotapes during the last two years.

Its clients are mostly bargain stores, outlet malls, truck stops, and mom-and-pop operations - places that don't exactly cater to the bleeding edge of technology. Public libraries, military bases, and cruise ships were also buying VHS tapes, although nowadays are mostly only interested in DVDs.

But no more. Like I said, get 'em now, because there probably won't be any more, at least easily.

I have to say, it's not better picture quality that did VHS in for me. It was small children frustrated at having to rewind. Of course, DVD just meant that it was easier to play Mickey's Songs To Annoy Dad again faster.

Thursday, December 25, 2008

I don't think we're in Massachusetts anymore, Toto

I have the best readers, ever

Sitemeter tells me that visits are way, way down today. I interpret this as y'all spending time with your families on Christmas morning.

Well done, you.

Merry Christmas

It's a silent night at the Phoenix airport. We even have our bags.

So Merry Christmas to all, and (hopefully) to all a good night!

Wednesday, December 24, 2008

Symantec Antivirus puts you at risk

I'm flabbergasted - in 25 years of security work, I've never seen such an Epic Fail by a security company.

Symantec makes a popular antivirus (sometimes referred to by the brand "Norton" or "Norton Internet Security"). Now it's not particularly effective, and it is a performance hog - it will bring your computer to a standstill toute suite. But that's not the point of this post.

Symantec's on-line support procedures for people who get infected could not be better designed to maximize financial damage to Symantec customers.

Here's what happens: someone gets some sort of new malware on their computer. They smell a rat, and go online to Symantec for help. If their annual antivirus subscription has expired, Symantec's support site makes them enter their credit card number:

So what's wrong with this? Most of the malware today includes software that records every keystroke you type. So the malware gets to intercept the credit card details:

After railing at Symantac's customer support people via their online chat support for not properly protecting his machine, Delano was told to speak with their premium support folks who could remotely take control over his system and give it a thorough inspection and cleaning.

Delano said he initially protested, but after pricing other services like Best Buy's Geek Squad, he agreed to pay Symantac $100 for the service. He was instructed to enter his credit card number and other billing information at a secure symantec.com Web site. However, the keyloggers that were still on his machine, intercepting his information.

The punch line? Symantec's own annual Internet Security Threat Report says that 70% of malware captures credit card information that is typed in by the user.

So, Symantec can't say that they don't know.

If you think that you have malware on your computer, do NOT use Symantec antivirus and absolutely, positively DO NOT ENTER YOUR CREDIT CARD.

You can get a second opinion via free online antivirus scanners: I like Trend Micro's House Call, but there are ones from ESET (well regarded for technical capability) and F-Secure as well. You'll have to use Internet Explorer, and while I tell you not to, just this once I'll forgive you.

But Symantec clearly doesn't give a fig for their customer's safety. While IANAL, this strikes me as such egregious negligence that they may be liable for damages.

Note: if anyone from Symantec reads this and wants to respond, you can leave a comment or email me (email contact info is in the links on the right hand side). Technical folks can expect some sympathy; marketing flacks better bring a good story.

No additional charge, it's all part of the service

But you're making me blush.

And she posted a picture of me, so my Secret Identity is now all compromised ...

Six months of blogging

Technically, tomorrow is my sixth month anniversary. It's been interesting, and a lot has been unexpected.

Comments are teh awesome. I hadn't anticipated just how important these are. I've learned a lot from y'all in the comments you leave, and a whole bunch of them make me laugh out loud. Also, it's very cool when people comment. As Chris Matthews would say, I feel a thrill run up my leg when you do. And not in the icky Internet-stalker way, either.

Technorati seemed really cool at first, but not so much now. A lot of folks don't seem to use it, so the rankings don't reflect reality. I find that I never look at it any more. The Truth Laid Bare has always been broken, so I have no idea whether it's fun or not.

Sitemeter is teh awesome, especially after going back to "Sitemeter Classic." Hits are fun! I write because it amuses me, but it seems to amuse some of you, which is very nice indeed.

I seem to be a bit of a Chatty Cathy. This is post 642, in six months. But I can stop anytime I want. No, really.

This post is definitely filed in "get a life."

ClustrMaps is fun. If you have a blog, you should check it out. Eventually, I'll get the entire World Map covered in red dots, like some horrible Borepatch disease. Next stop - World Domination!

I need to update the "Best Posts" category more often. I try not to have more than 5% of my posts in this category (you know, only the good ones), so it helps to wait a week or so before deciding whether a post is good enough. But what I really do is wait until I don't have anything to blog about. So if you see a bunch of posts go into this category some day, you'll know I was bored.

Surprisingly, the "Best Posts" are pretty much my best posts. I'm not a writer - more like a spewer - but these are about as good as I can do.

Thanks to the folks who stop by, and especially the folks who leave comments. If you didn't, I probably wouldn't blog much, so you have Great Power. Remember to always use it for good.

Orbitz stinks

Ashley at US Air is teh awesome. Orbitz is not.

Orbitz is teh Anti-awesome. Orbitz sucks all the awesome out of the room.

Specifically, while they let you pick your seating assignments, they do not confirm said assignments with the airline. Therefore you have tickets, and think that you have seats. All the airline thinks is that you have tickets, because stupid Orbitz didn't tell them the seats.

This is a bad week to be flying without a seat assignment.

OK, well look, Ted, I hear you say - stuff happens. It's Holiday week, and we all need that little extra bit of patience as a lubricant in a difficult world. Maybe the nice Orbitz phone support man could help. So how's that work out for you?

Not so great, actually. Pretty badly, actually. As in "You're running up my minutes on a call that I'm not going to help you on, and that will give me bad stats."

Unlike Ashley at US Air, who owned the problem and did what was possibe, Orbitz phone guy really wasn't interested. They had their money, and hoped I could sort it out.

So if you want my advise, don't use Orbitz.

In the unlikely event that anyone from Orbitz wants to clarify Whiskey Tango Foxtrot is up, I'm happy to post your side of the story. My email contact is on the link bar on the right hand side of the blog.

Ashley at US Air/Logan is teh Awesome

Supposed to be in Phoenix now. We're not. Seems there was a mixup in the reservation (another post on this later), and this is a bad, bad week to be flying, if there's a mixup in your reservation.

However - and this is important - Ashley at US Air (Logan Airport) is an absolute gem. Kind of the definition of grace under fire. Ashley, thank you for taking care of us.

I won't post her last name, because that might be a little creepy and Internet-stalker-like, but if anyone from US Air management wants to contact me about this, my email contact is in the link bar on the right. Give her a raise. Really.

Just for perspective, I've flown between a million and a half and a million and three quarters miles. She's one of the top ten or so "Airline helped me out" situations. Just sayin'.

And a personal request to my fellow bloggers who might read this: please link to this post. I'm not trolling for hits, but think it would be awfully nice if the top Google hit for "Ashley at US Air" said she was teh awesome. Because she is. I'd be mighty obliged.

Tuesday, December 23, 2008

It's a fair cop

Although as I've said, I'm not a conservative.

How to Win a Fight With a Liberal is the ultimate survival guide for political arguments

My Conservative Identity:

You are an Anti-government Gunslinger, also known as a libertarian conservative. You believe in smaller government, states’ rights, gun rights, and that, as Reagan once said, “The nine most terrifying words in the English language are, ‘I’m from the government and I’m here to help.’”

Take the quiz at www.FightLiberals.com


Hat tip to Southeast Texas Pistolero, another Anti-Government Gunslinger.

It's twenty degrees warmer


... in Iceland.

Can we all just shut up about Global Warming, now?

UPDATE 23 December 19:24: OK, Liberty, you win. I'll shut my piehole on the subject of "cold." Yikes.

MBTA not teh stupid after all

L'affair Charley Card has gotten more interesting. Both my regular readers will remember how the Boston subway system (MBTA) sued to stop some MIT researchers from talking about how the security in their new electronic "Charley Card" was teh broken.

Now it seems that the MBTA folks are taking a plausibly sensible approach to the security problem:
The Massachusetts Bay Transit Authority (MBTA) said it would work with Zack Anderson, RJ Ryan, and Alessandro Chiesa to make improvements to the agency's fare collection system "that will be as straightforward and inexpensive to address as possible." In August, the MBTA obtained a court order gagging the trio just hours before they were scheduled to speak about the gaping holes at the Defcon hacker conference in Las Vegas.
Now I'm not a fan of hiring hackers to help your security, but that's not what's happening here. The MBTA chose a system with lousy security, and then sued researchers who were going to discuss it (can you say "prior restraint"). The researchers aren't hackers under any workable definition of the term.

That said, seeing what the transit authority can learn to correct the weaknesses is The Right Thing to do. So well done, MBTA.

UPDATE 23 December 2008 7:50: Interesting discussion over at Slashdot, especially this comment:

Except the MBTA system isn't fixable. It's just full of fail.

For starters, the card's balance is stored ON THE CARD and nowhere else.

Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.

This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.

Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.

So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.

Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.

Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.

So it's progress, but not as cut and dried. The Charley Card system is still fundamentally broken, and an investigation of the company who makes the technology would have shown this.

How to hack a classified network

Early this month saw the release of a report saying that major portions of the US Government information networks - including classified ones - have been penetrated by the Bad Guys. This isn't a surprise to anyone who's been in the field a while; unfortunately, the problems are institutional:
Participants in a recent cyber-warfare exercise told Reuters that the exercise highlighted problems in leadership, communications and readiness. The two-day exercise brought together 230 government agencies, private firms and other participants. Participants were split into two groups - attackers and defenders - before each developed tactics for attacking and defending critical infrastructure systems, such as those controlling banking, telecommunications and utilities.

[snip]

Attackers always have the advantage over defenders in cybersecurity and, by extension, cyber-warfare. Problems such as maintaining extended supply lines or knowing the terrain on which battles are fought really translate into the sphere of cybersecurity.
As is frequently the case, John Leyden gets to the absolute heart of the problem in the last paragraph. Knowing the terrain on which battles are fought is the problem.

Important networks like classified DoD networks are (as you'd expect) treated very differently than your home DSL, or even corporate networks. The most important protection concept that people rely on is Red-Black Separation: the untrusted (unclassified, or Red) network is kept entirely separated from the trusted (classified, or Black) network. From an architecture perspective, this is summed up in a tongue-in-cheek saying:
An air gap solves a multitude of security sins.
Your computer isn't patched? Doesn't matter, as long as the old saying from Maine applies: can't get theah from heah.

So security architects put all the important stuff on one network that is hermetically sealed from Al Gore's Intarwebz. Cool, right? To break in, you need a real-life spy, who can break into the building at night to install his equipment. The scene in Ocean's Eleven where the computer nerd breaks into the casino computer room to install his monitoring equipment is very well done, and is precisely the threat scenario here. The proper safeguard? Armed Marine guards.

So how does the Fed.Gov's classified network get compromised, to the point that you get headlines and a multi-tens-of-billions-of-dollar program to fix it?
The biggest problem for the architect is that you're not really the architect. You don't really know what things look like, and you can't.
Bob Metcalf is one of the pioneers of computer networking - in fact, one of the inventors of Ethernet. He is to computer networks what Paul Mauser is to rifles: there's a sharp line that divides pre-Ethernet and post-Ethernet history. These days, Metcalf is best known for a description of why computer networks are so danged useful:
The value of a computer network increases with the square of the number of computers connected to it.
Now if Al Gore's Intarwebz just consisted of your computer, and your mom's, then that might be useful to you. Everyone else would (understandably) be less interested. The reason that Al Gore actually deserves a fair amount of credit is that he really pushed early funding of NSFnet (the National Science Foundation's network back in the Pleistocene Age), which hooked up pretty much most universities to the Internet.

A network with you and your mom? Not so useful. A network with Harvard, Stanford, MIT, and the Library of Congress? Yeah, there'll be something useful there.

And now back to security: You mean that you want to air-gap that?

Ignore the logistical problems: you need to extend the Red network all the way to the FOBs in Iraq and Afghanistan, or the troops don't get email from home. You can deal with that problem by throwing money at it.

The problem is that what you want (security) and what your users want (information on Al Gore's Intarwebz) inherently is in conflict. You can't win unless they lose, and vice versa.

And remember, you're not really the architect. These networks weren't so much designed, as grew. Even the Internet itself grew by connecting networks together - a network of networks. The name IP comes from this: Internet Protocol.

So back to the classified networks: did someone connect the Red Network to the Black one? We don't know, and folks who might know won't say. My experience is that nobody knows what their networks look like, and certainly haven't mapped all the connections (specifically, they have maps, but the maps do not reflect reality). But it doesn't matter, because users will bypass the air gap, anyway. With this:
It's a USB thumb drive (translation: an 8 Gigabyte removable file storage device). It fits in your pocket (or, if you follow the link, in your magazine).

Remember, your users want information. It's on the Red network. They can copy it to the thumb drive, and then walk over to a computer on the Black network and upload the information.

Of course, information flows both ways - classified data can go to USB. Very few of your users will do this, because very few are spies or traitors, so data flowing from Black to Red is not the initial problem.

Malicious code going from Red to Black is the initial problem.

Now why on earth would one of your users install malicious code on a Black network computer? Same reason they install spyware on their home computer: they don't know it's malicious. They just want to watch this:


It's the Dancing Baby from the mid-1990s. This was the first example of a mass Internet video meme - it was wildly popular, and spread virally, via email from user to user as people passed the link on to each other. Remember, as the architect, you need to keep the Black network from getting to the dancing baby.

You lose.

So if you are the chief Bad Guy - Dr. Evil, head of an unfriendly government's Intelligence Service - how to you hack the Fed.Gov classified network? Give people interesting poisoned bait - an interesting or funny video that contains embedded malware that runs when the video is watched. They'll want it, because it's interesting. They'll download it from the Red network (Al Gore's Intarwebz) and take it onto the Black network, where it will spread.

And now your spy comes into the picture. All he has to do is pick up the classified data that's been harvested by the malware botnet army that has infested the Black network. Of course there's risk, because he does indeed have to get past the armed Marine guards, but there is a long history of this sort of thing happening.

We don't know any details of the recent breaches, but we do know this: DoD has banned USB. It's not the only time we've seen malware infections via USB, either unintentionally or on purpose.

And this is why Leyden sums up the problem so well:
Problems such as maintaining extended supply lines or knowing the terrain on which battles are fought really translate into the sphere of cybersecurity.
You don't know what your network looks like, it's evolving too quickly for you to ever know this, and even if you did know, you don't control the logistical flow of information.

Monday, December 22, 2008

Happy Hanukkah!

When we moved from Atlanta to the western Boston suburbs, we bought one of the local rabbi's house. Soon after we moved in, there was a neighborhood block party. As the New People, everyone was curious about just which house we bought, and I found that after several false starts, the easiest way to describe it was "we bought the rabbi's house."

You see where this is going? One person talked to another person, who talked to a third, and by the end of the evening, I was the new rabbi.

Well, a couple months later, the lovely and green-thumbed Mrs. Borepatch was planting in the yard when one of the neighbor ladies walked by. She stopped to talk, and the converstation went something like this:
Nice Neighbor Lady: So, what are you planning on doing for Yom Kippur?

Mrs. Borepatch (a little confused): Well, we really weren't planning on doing anything.

NNL: ???

NNL: Boy, you must really be Reformed.
Well, when we told this story to some of our Jewish friends in Atlanta, and after they stopped giggling, they gave me a new nickname: Reb Ted*. Heh.

So Joel and Corey-Jan, and all other jewish readers, Mazel Tov and Happy Hannukkah from Reb Ted and the Borepatch crew.

* When I bake bread, this was originally dubbed "Ted Bread". Now it's "Reb Ted's Ted Bread," especially at Passover. Yeah I know you don't have bread at Passover. Didn't used to. Need to be careful or you get an "oops" like Passover bread or a Santa Dreidel:

0% Cowboy


I think I like the recent cowboy meme.

Al Gore, call your office

First time since 1971 that "All parts of Canada" may see white Christmas. Coldest December day in Beijing in a half a century.

Ten below in New York City. 30 below wind chill in Chicago.

I blame Global Warming! Nothing that a major takeover of the world's economy by the Usual Suspects can't fix! And anyway, the science is settled ...

Meanwhile, closer to home:

Periodic Table of Awesome

In a hurry, but per Don comes this bit of absolutely perfect sci-geekery. You have to click to embiggen (this will take you to the other site), but it's very, very clever in a sci-geeky way.


For those of you who studied chemistry, you'll recognize the groupings (after you stop giggling hysterically) - for example, the "awesoments" representing food is in column 16 - Ch (Cheese), Sg (Sausage), Rm (Ramen).

Of course, Bn (Bacon) is the very first awesoment.

Guns and beer are also included for the awesome trifecta.

Sunday, December 21, 2008

JFK Blogging

Not the president, the airport.

The blizzard closed Logan airport - well, it was the 50 knot wind gusts, which are unhealthy for children and other living things if they're in airplanes trying to land.

So #1 Son and I drove from Boston to JFK where her flight was diverted. Five and a half hours of I-95 in a blizzard, and we're on our way back. Blogging is (ahem) expected to be light.

UPDATE 22 December 2008 01:00: Back now. Maybe yesterday I was only 75% cowboy, but today I'll take the full measure, thank you very much. It's not about how you ride a horse, it's about doing what needs doing. Even if it's fetching your lovely bride from a distant airport and then snow blowing the driveway so she can get in.

There's a certain satisfaction at doing what your loved ones need, when they really need it.

The second greatest Christmas song, ever.



And the proper order of descending greatness is Bing Crosby and the Andrew Sisters, then Dean Martin, and only then Jimmy Buffet. Sorry, Jimmy.

Oh, and ACLU, go ahead and sue me. It's been snowing for three days straight, and we're headed to Phoenix this week. I heard there are Palm Trees there. Just read this before you give me any sermons about slippery slopes of fundamental rights.

Sheesh, I must be grumpy. Even Christmas music is making me cross.

Happy Solstice to the ACLU

I know, I know, I've posted not one, but two Christmas Carols. I'm sorry.

Happy Solstice!

(please don't sue me)

More Christmas Music

Both my regular readers will remember SheDaisy from Saturday Redneck. In fact, they were the very first Saturday Redneck. But there's nothing redneck about this.



Now that's just fun. Another cup of coffee, and I think I'll feel quite myself again.

The greatest christmas song, ever

I was grumpy after the last post, so I need some Christmas music to put be back in that full-of-the-milk-of-human-kindness mood.

Heal me, Bruce.

Google is teh stupid

Specifically, their advertising team is teh stupid, since you would think they would understand how Google does ads. Consider the following:


Looks like an ad for Chrome, their new browser. So, did Ted just get up on the grumpy side of bed Chez Borepatch?

Well, maybe. But this is annoying, and they should know better. Consider:
So how is the Google Advertising teh stupid? Because they know what Operating System I run. It's reported by the browser to the web server in the HTTP request, via the user-agent variable. I see it here, too:
Kind of cool to see Windows ME. Macintosh and especially Linux is overrepresented here, maybe because I post a lot about Internet Security, and a lot of security guys run Linux.

OK, so they know I'm running Linux, and gave me an ad that was essentially "Nya, Nya - you can not haz Chrome!" If this were momandpop.com, then I wouldn't even notice. Momandpop.com maybe doesn't know all the ins and outs of Al Gore's Intarwebs.

But this is Google.

Well, maybe this is a Good Thing. When they become our new Internet Overlords and decide what the heck, let's try this Evil thing then maybe they will still be Teh Stupid and we'll be saved!

/sarcasm

Man, I am grumpy this morning. Grumpy enough to grab two screen shots, even. Time to put on some Christmas music.

Saturday, December 20, 2008

Happy Birthday, #2 Son


The candles spell out thirteen, in case you couldn't tell.

The lovely but distant Mrs. Borepatch is, well, distant. As "in Georgia", not "in Massachusetts". If she's lucky, there will still be cake when she gets back tomorrow.

Now I always thought that kids born near the end of the year got a bum deal - their birthday is so close to the holidays, that all their presents come in one big chunk. The size of the chunk may be such that they just don't get as many birthday presents. So we celebrate "Half Birthday" in June - all the presents well away from the holidays, so nobody loses count.

Did have to have cake today, though. Cake is always a good idea.

Back when I wore a younger man's hair, and the lovely and expecting Mrs. Borepatch was expecting #2 Son, his due date was actually December 31. She had a checkup on December 20. Imagine my surprise when the receptionist at work interrupted a class I was teaching (Internet Security, thanks for asking) with an "urgent call."
Mrs. Borepatch: I'm going into labor.

Me: ??? But he's not due for a week and a half. You were fine this morning.

Mrs. B.: The doctor induced, silly.
Silly me. I actually thought that some Ob/Gyn was going to be on call on New Year's Eve.

But we got to welcome #2 Son. Now he's a teenager. Yikes.

Policeman uses Crime database to blackmail criminals

It sounds more complicated than it really is, and represents a big, big problem.

A UK policeman used his access to a database of sex and drug offenders to blackmail the criminals:

PC Amerdeep Singh Johal, 29, was arrested by anti-corruption cops from Scotland Yard in July 2007. Johal was employed in checking names and address on the police database, called Crimint, on behalf of beat cops.

He abused the role to contact 11 convicted offenders and threaten to spill the beans on their crimes unless he was given "hush money". Johal requested between £29,000 and £31,000 for his silence, threatening to tell work colleagues or neighbours of convicted sex offenders about their crimes. In one instance Johal demanded £89,000 as a "goodwill gesture".

He was caught, prosecuted, and convicted, so well done for the UK police services. So far.

The case has raised wider concerns about the misuse of police databases, which the Metropolitan police is keen to downplay.

A Scotland Yard spokesman told the BBC: "There are strict guidelines in place regarding the use of intelligence databases and if anyone abuses it that is taken extremely seriously."
Well, that's all right, then. Srlsy.

People on the seedier side of cyber security used to have a saying ten years ago. You want to give someone a Bad Day, break into the National Crime Information System and put out an All Points Bulletin: Armed And Dangerous.

The most compelling argument for small government is that all government power will eventually get abused. In this case, it was the bad apple doing a bit of unauthorized moonlighting, but we see this occur for purposes both large and small.

Joe the Plumber had political flunkies snooping into his background. Some other folks were just arrested for applauding a speaker at a Board of Supervisors meeting in Phoenix.

The problem of petty officials abusing their authority is very, very old - literature is full of examples. Until the crooked timber of humanity is straightened, we can't expect any change.

This is precisely the argument against the Patriot Act: we don't know the specifics of how it will be (is?) abused, but we know that it will be (is?). It's the reason that gun owners oppose - or should oppose - registration.

From a computer security point of view, there's nothing that you can do about this that does not result in FAIL. You have an authorized user accessing data that they are authorized to see. There are no technical controls that can be used to mitigate this risk. About all you can do is aggressively prosecute (and jail) bad apples like Police Constable Johal.

And it's why it's so important to always err on the side of prosecution. It doesn't happen this way, of course, but each small episode of "we'll deal with it internally" further erodes the system.

UPDATE 22 December 2008 12:04: For a system that is high risk for this sort of abuse, read this. Yes, the ATF is involved.

75% Cowboy


No plowing today, so I don't get full marks. But the snowblower is the shizzle Flippity Floppity Floop.

I shoot better than I ride, so y'all should have an idea of what I look like on a horse ....

UPDATE 20 December 2008 11:14: Now this guy can ride a horse, even if he isn't a cowboy. Hat tip Heart of a Warrior.

I, for one, welcome our new Generalissimo Overlord

On this day in AD 69, Roman general Titus Flavius Vespasianus entered Rome, becoming emperor and putting to an end the "year of the four emperors" which saw short-lived rule by:
Galba (succeeded Nero)
Otho
Vitellius
Now the Romans hadn't conquered pretty much everything in sight by not being organized, and four emperors in a single year didn't really set a new standard for organization. Vespasian was from the old school of no-nonsense you-have-30-seconds-to surrender-or-we'll-kill-you-all-now-it's-29-seconds Roman commanders, and so he pretty much put a stop to the multiple emperor foolishness, to general relief.

As an example of his take-no-prisoners attitude, he had the Colosseum built during his reign. On the site of Nero's old Golden Palace. New boss in town, different than the old boss.

And oh yeah, in 1803, the United States purchased Louisiana from the Emperor of France, setting up a whole bunch of folks for misery during hurricane Katrina. I blame George W. Bush.

Jason Meadows - 100% Cowboy

This is "Real Man" month here at Saturday Redneck, and what's more Real Man that a cowboy? Country music has a great tradition of singing cowboys, so this fits right in.

Jason Meadows was runner-up on season 3 of Nashville Star. I thought this was a shame, since he was the lovely and fine-judge-of-manflesh Mrs. Borepatch's and my favorite.

It didn't hold him back from cutting an album, 100% Cowboy. The song with that name really captures what I liked about his performances that season: straight up and honest. He actually is a honest to God cowboy. Yes, that's him riding the horse in the video. Sideways. It ain't bragging if you can do it.



I don't claim to be John Wayne
Ridin' across that silver screen
And I ain't that picture in your head
Of all these modern day wannabes
I'm just proud that I can say
I don't wear this hat for show or fame
If you don't like who I am
You got momma and daddy and the good lord to blame Amen

(Chorus)
I'm a straight up, no jokin', buck knife, gun totin'
Give you the shirt off my back
I'm up at the crack of dawn
Work until the sun is gone
I ain't got time for no crap
No I'm not one of then posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy

I've always tucked my shirts in
I crease my own blue jeans
An I don't do it cause its who
Somebody says I oughta be
Yeah, when I'm laying in that old pine box
And all my family's gathered 'round, they'll say
There goes a dying breed
Six feet in the ground

Chorus

Hey, I'm a straight up, no jokin', buck knife, gun totin'
Give you the shirt off my back
I'm up at the crack of dawn
Work until the sun is gone
I ain't got time for no crap
No I'm not one of then posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy

No I'm not one of then posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy

Yeah I'm a cowboy
I said I'm a cowboy
100% I'm a cowboy
Yeah, just like Chris LeDoux, I'm a cowboy
Other hunky men from December's Saturday Redneck:
Blake Shelton - Don't Make Me
Tim McGraw - Suspicions

Friday, December 19, 2008

It's snowing?


Compare and contrast.


I miss the south. Sure is pretty here sometimes, though.

Braise

One of the easiest (although time consuming) ways to cook is a braise. It's a long, slow, low-heat, partially-submerged cooking method that turns inexpensive, tough, chewy almost-not-worth-eating cuts into Food Of The Gods. Like short ribs.

First you have to brown them. Yes, of course properly. I do it in stages, putting the browned ones on a plate while I do their compatriots.


When the last ones are browned, remove them to the plate and toss in diced celery, carrot, and onion (a couple handfuls of each). This is a mirepoix, which adds a flavor base. Like I said yesterday, add flavor.

You need a liquid. You could use water, but that doesn't add flavor. Stock (chicken or beef) and/or red wine bring flavor to the party. You'll want the meat to be about half submerged. It looks (and smells) better in real life. The meat should NOT be submerged.


This is the basic braise. As to flavor, you can go a bunch of different ways:
Southern, with a rub (and no, you're not allowed to use store-bought rub unless it's from Corky's. Sure wish Swallow in the Hollow did mail order). Serve over grits.

Continental, with thyme, garlic, and pepper. You can use Paprika if you want to get all jiggy, and serve over noodles. Fresh pasta is easy and lets you present a more rustic texture.

Oriental, with garlic, ginger, soy sauce, and Old Bay (yeah, it's not oriental, but I like it and that's what's cooking). Serve over short grained (sticky) rice.
Don't forget the garnish, or Martha Stewart will make you take her shooting. Not that that's a bad thing.

Now the one way that's guaranteed to kill the dish is cooking over high heat. Once everything is up to a simmer, toss the meat back in the pot, and turn the heat to low. By "low", I mean as low as your cooktop will go. Check after ten minutes, and if there's no simmer, you can turn the heat up a bit. But there will be simmer, trust me.

Let it go 45 minutes, and flip the ribs. Let it go another 45 minutes, and then they're going to be done.

Take the ribs out and wrap them in foil. Strain the vegetation, and save it. Return the liquid to the pot. NOW you can goose the heat. You want to reduce the sauce by half - remember, half the volume doubled the flavor. This is the time to correct the flavor.

Perfect stick-to-your-ribs for a Conquering Hero returning from snowblowing the driveway.

UPDATE 19 December 2008 19:23: Oops, I forgot to mention that after you reduce the sauce, you'll want to hit it with a little vinegar to "brighten" it. The type can vary: rice wine vinegar for oriental, red wine vinegar for continental, malt vinegar for southern. Long cooking causes some of the acids to fall apart, so you'll want a couple or three tablespoons of vinegar to bring it back.

Snow? In New England? Srlsy?

It's not only December, it's nearly the Solstice. So not only is snow possible in New England, it's expected. So how do these hardened, experienced New Englanders react to the forecast of 6-9"?


Beef. It's What's For Dinner. Except in New England, where we're all out. I won't show you the toilet paper aisle. Oh the humanity!

Now southerners are not allowed to scoff (I remember school being canceled in Atlanta based on a forecast that there might be snow). However, you are hereby given leave to roll your eyes when some pompous Northerner talks about how they not only had to walk 5 miles uphill to school both ways, they had to shovel a path through the snow first.

I have to say that I do miss my old beater F250 pickup. Yeah it was a rustbucket, and yeah it kept breaking down, but it not only had a snowplow, it had an industrial sized snowplow. I was king of the road. But it was a beater, and it did break down, and I had to shovel once because it broke down. The lovely and not-happy-to-shovel Mrs. Borepatch did the Happy Dance when we got rid of it.

I wanted a small plow for the Wrangler, like this. Not king of the road, but maybe prince of the road.


Don't do it, said the family. Get a snowblower, said the family. "If we get a snowblower," said I, "will you boys do the driveway?" Of course, they said.


And they did. Well, #1 Son did. He wouldn't be plowing in the Jeep, so this seems a win.