Monday, June 30, 2008

Inartful

Look, it's been consistent all along. Okay? OKAY?


Heller and the 2008 Election

There is a lot of discussion about Heller and the 2008 election. George Will says that Heller is good for Obama, and takes gun control off the table. Eric Raymond says wait a minute, the 5-4 split was too close, so it's a big issue. In the meantime, we've seen more and more states adopting "shall issue" CCW laws.

I wondered what the baseline electoral college vote total was for gun rights states, so I went to 270toWin and played with their map. Any state with "shall issue" CCW fell into the Red State camp, and all others fell into the Blue State camp. Here's what it looks like:
347 Red votes, 191 Blue votes. Don't think I'm buying that. Compare to 2004:
Clearly, there are some obvious failures of the algorithm. Alabama isn't likely to go Blue, even though it isn't (de jure) a "shall issue" state (it seems to be, at least de facto). Washington and Vermont are unlikely to go Red, and New Hampshire and Minnesota seem to be Blue, at least for now (according to Election Projection). Maine may very well split. Obviously, most people aren't single issue voters.

However, it seems like there is a conclusion that we can draw, that there is a base of roughly 350 electoral votes that naturally lean against gun control (currently represented by the Democratic party, despite their efforts to back-pedal). The more energized gun supporters are, the deeper the hole for the Democrats this fall.

How will it play out? Dang if I know. However, a lot of folks seem pretty energized.

Massachusetts post Heller

Pro-Gun Progressive has an interesting post speculating on what will happen to Maryland's "ridiculously capricious and unfair CCW permit law":
Dave doesn’t mention MD specifically, but we’re basically cut from the same arbitrary cloth (permits issued to the connected, the police, the wealthy, and that’s about it).
Maryland makes Massachusetts look good by comparison. Having lived in both states, my take is that this reflects the government centralization in MD (the counties and state run everything) vs. the relative decentralization in Mass (the towns and the state run everything).

Not that the Commonwealth doesn't have its own problems in the "arbitrary and capricious" department. Even the Boston Globe has noticed that your License To Carry pretty much depends on which town you live in.

Sounds to me like there's a storm a'coming, and when it gets here there'll be Heller to pay.
At a minimum, looks like handguns will have to be added to the FID permit. And why is the Browning Buckmark pistol banned here? Doesn't strike me as an "unusual" or "dangerous" weapon, at least compared to non-banned ones. (OK, OK, no more cheesy Heller throw-aways)

Boy, howdy, I just used the phrase "relative decentralization in Mass" ... only those of you who have lived in Maryland will understand.




Sunday, June 29, 2008

"Common Sense" Regulations = Heffalumps

This started out as Quote of the Day, from Bruce (with my original comment):
From the Progressive Dictionary:
Common-sense (adj.): a term used to describe laws that allow rich, white people to enjoy the exercise of their Constitutional rights, while systematically denying the same to low-income people of color.
They think that they can talk people out of it.

Socialism a failure? Gun control a failure? Schools failing? Do it again, harder. We'll talk the rubes out of it. After all, we're nicer and smarter, right? What could possibly go wrong?

That was the original post. I thought it would be quick and fun, just toss a few corroborating links and get your snark on. After going way overboard on links, I found the fun evaporated. As I read the links, I could feel my mellow (did I mention that I'm on vacation? thanks for asking!) being harshed. It became a link rant.

Of course the "progressives" are going to keep trying the same thing a different way. We have a clash of world views here. Heller is part of it, but so is Iraq, the relationship of the citizen to the government, the whole thing. When you disagree on basic premises, it's really hard to find common ground. You're messing with their faith.

So Heller's only a start. Heller isn't the beginning of the end for gun control, at best it's the end of the beginning.

Bah. My mellow was so harshed, that I had to turn to the Relevant Literature for help in dealing with liberal "Common Sense" arguments. Ta da! Instantly, all became clear, my mood lightened, a spring returned to my step, and a gleam to my eye. The problem is that we try to argue with facts (I'm looking AT YOU, Kevin). They argue with Heffalumps.
One day, when Christopher Robin and Winnie-the-Pooh and Piglet were all talking together, Christopher Robin finished the mouthful he was eating and said carelessly:

"I saw a Heffalump today, Piglet."

"What was it doing?" asked Piglet.

"Just lumping along," said Christopher Robin.

"I don't think it saw me."

"I saw one once," said Piglet. "At least, I think I did," he said. "Only perhaps it wasn't."

"So did I," said Pooh, wondering what a Heffalump was like.

"You don't often see them," said Christopher Robin carelessly.

"Not now," said Piglet.

"Not at this time of year," said Pooh.

Then they all talked about something else, until it was time for Pooh and Piglet to go home together.
Think I'm joking? The Heller dissents can only be classified as Heffalumps. Do Heffalumps self-refute?

So there, Bruce. You come at them with facts, and they'll see your facts and raise you a Heffalump.

What would I do without my kids?

Saturday, June 28, 2008

Saturday Redneck

I grew up listening to pretty much everything: classical, rock, country, folk. Then a couple of things happened: radio stations started becoming very niche-specialized as the marketeers sub-divided and then sub-sub-divided the listening audience, and rock got all whiny-like (thanks a lot, Kurt Cobain).

As a result, by the mid-1990s I found that I listened mostly to country, because a couple of changes had happened there: country got a big influx of rock ("Southern Rock" especially), and it kept (and if anything improved) the "story telling" tradition that had been the hallmark of folk.

So there's really quite a lot of country music for people who think they don't like country music.

SHeDAISY is a very interesting trio (three sisters, in fact). They write their own music, as well as play and sing. "She gets what I deserve" combines the elements I find most compelling: a simple melody that lends itself to acoustic, a good turn of phrase (in the title), and an unflinching (and non-maudlin) presentation of a bad situation. In a different day and age, we'd call this folk.
She doesn't know me by name
But I know everything about her
She likes to work in her rose garden
And vacation in New Hampshire

She gets him every holiday
And every Sunday afternoon
By 8, she tucks his babies in
I know she loves him like I do
And I wanted to call her so many times
But I never found the nerve
She gets what I deserve

It's not the way that I planned
Just the right man, the wrong time
Even the moments he's holdin' me
I know he's not really mine
When I appear into the windows of the home
I'm torn apart
I can't help but wonder
Whatever happened to my heart
Such an uninvited lesson
I never meant to learn
She gets what I deserve

I can't whitewash my excuses
I can't cover up the stain
I can't give back what I've taken
I should be the one to bear the pain
I just pray that God forgives me
For what I've done to her
She gets what I deserve
She gets what I deserve
Any discussion of country "chick bands" inevitably leads to talk about the Dixie Chicks. Which of the following would a typical country music fan choose?

SHeDAISY tribute to the troops.

Natalie Maines sucks up to foreign audiences.

Not saying one's right or wrong, but as Jeff Foxworthy said, "I hope they really mean it, because it looks like that's a hundred million dollar opinion."

Formatting bleg

I know that I only have about 3 readers (Yay, you! Well done all!), but if anyone knows how to add the nifty-keen-o "Click 'more' to see the rest of this uber post that ate Sheboygan", well, I'd be mighty obliged.

I'm an idiot about this still.

Patching is a pain in the bore

Anyone reading this is familiar with computer bugs, because you're using a computer (hello!). Bug fixes are called patches. Keeping your computer patched is basic computing hygiene, just like cleaning your gun after a trip to the range is basic shooting hygiene.

The similarities end there. Excessive use of bore patches on your rifle won't do any harm - in fact, if you're using crummy old commie corrosive ammo, you probably can't be excessive in your use of Hoppes, bore snakes, brushes, patches, etc. Patching computers is a different beast.

The problem with computers is that software is not very well understood. Computer programs (and especially Operating Systems) are so huge and complicated that literally nobody really knows how they work.

True story: In my younger days (very much younger, in fact, in the 1980s) I worked for Gould Computer Systems. We made minicomputers that had a "Real Time" operating system: highly specialized so that programs could have exceptionally quick response even running on the quite modest hardware available at the time. These computers were used extensively for things like airplane flight simulators, because when you put the stick forward, the nose dropped then, not 150 milliseconds later.

The amazing thing, looking back today, is that the absolute maximum size that the Operating System could be was 64 kiloBytes (that's kilo, not Mega). Tiny, in today's terms.

The upshot was that it was humanly possible for a single person to know just about everything about the OS.

Fast forward to today. Microsoft XP Service Pack 3 is hundreds of Megabytes in size (I haven't bothered to look up the exact size - compared to the Gould OS, it's measured in "humungatrons"). Remember, this is not the XP Operating system; SP3 is a set of security patches for XP. XP is much larger.

So who cares that nobody really understands how programs really work? The problem is that by fixing a bug (applying a patch), you change the program or OS in potentially unpredictable ways. By fixing one problem, you may introduce a new (and worse) problem.

A patch to fix broken functionality provides a tangible value to the person running the program - it's fixing something that doesn't work, so these are typically seen as a Good Thing. It may break something else, but things are broken now already, so it's probably worth a try. Security patches are a very different thing: nothing is obviously broken to the people running the program, so applying the patch risks breaking something that "works fine". Lowering the chance of the computer getting owned is important to a set of people (like me!), but sometimes not the ones who typically run the business.

As a result, businesses will typically test patches in general, and security patches in particular, very carefully. This is expensive, and time consuming, and quite frankly not very much fun. In other words, patching is a pain (and boring).

Security administrators are also put in a situation where they're damned if they do and damned if they don't. If they apply a patch and it breaks an important program, everyone blames them. If they don't apply the patch, and the computer gets hacked (and, say, 20 million credit cards get stolen), everyone blames them.

There's a great article about this dilemma that really covers the "should we/shouldn't we" agony: Patch and Pray. Anyone remotely interested in this should go read it. Now. I'll wait.

Now this wouldn't be a problem if any of several criteria were met:
  1. Suppose there weren't very many security patches. This was the situation ten years ago - in 1998 there were around 300 security patches for all operating systems and programs combined. The number of patches any one system administrator had to apply was sort of manageable. This hasn't been true for a long time: last year there were over 7,000. Game over. (Note that I don't agree with CERT's number for 1998; the Bugtraq mailing list had a somewhat different count that I like better for some pretty obscure reasons).

  2. Suppose everything was not on Al Gore's Internet thingie. It would matter a whole lot less if you were vulnerable to attack if not many attackers could get to your computer. Back in the 1980s when I worked at Gould, this was pretty much the situation. When the Morris Worm - the first really important Internet Security incident, where everyone thought that the Internet was coming to an end - hit in 1988, there were only a few thousand computers on the whole Internet. Heck, DNS was still new, and some computers used lists of addresses from (manually maintained) HOSTS files. Now, pretty much everything is on teh Intarbebs, including a bunch of stuff that shouldn't be (like electric power distribution controllers). Game over.

  3. Suppose Bad Guys didn't write exploit programs to attack vulnerable computers. Unfortunately, we've seen a progression of motivations over the last fifteen years:
1995 - "Napoleon Dynamite" hacking: "Girls want boyfriends with skills ... Bow hunting skills ... Nunchuck skills ... Computer hacking skills."

2001 - Bragging rights hacking: I was actually at the Infosec computer security conference in 2003 when Fluffy Bunny was marched out in handcuffs by the Police. I always thought that he was one of the funnier of the web site defacers.

2006 - Hacking for Dollars. Malware (Spam, Phishing, electronic credit card theft, etc) is now a Billion dollar industry, attracting serious talent and funding (Mafia, etc). The Bad Guys are better funded than we are. Game Over.
One last example before I get to my point. In 2000, we saw the introduction of Microsoft's Windows 2000 as a sea change in how companies manage their security vulnerabilities. Up until then, the Windows 95/98 OS just didn't have many network facing services, so there wasn't too much of a target for an attacker. Windows 2000 introduced what was essentially a server-class OS to desktop machines. As a result, I started telling my customers that they could no longer test just their servers for vulnerabilities; rather, they needed to test everything. One of my Really Smart Customers (RSC) took this to heart. I got a very interesting phone call one morning:
RSC: Hi, Ted.

Me: Hi, RSC.

RSC: Remember how you told me I need to scan everything, not just my servers? Well, we just did.

Me: Well done, you! How'd it go?

RSC: Well, we have a quarter million vulnerabilities. We kind of wish we hadn't done it, because now we think we really should do something about it, and there's NFW.
If he did it now, he'd probably have 5 million vulnerabilities. Game over.

So, everything is vulnerable. Attackers can pretty much get anywhere they want to, if they're patient and really want to - the smart ones can, at least. The rest of us face a never ending Hobbesian Choice of patch and pray.

Yikes! This is turning into the Post That Ate Sheboygan. I'll continue in part 2: "So what do we do?"

Quote of the Day

"I mean if the Beach Boys don’t mean freedom, then why the heck have convertibles and bikinis?"

Yeah, it's about Heller, yeah he rewrote the Beach Boys, yeah you should RTHT.

Favorite stanza:
Well conserves can’t stand it
’cause it tramples on liberty now
(It tramples liberty, it tramples liberty)
It makes the Soviet Union look like it’s home of the free now
(It tramples liberty, it tramples liberty)

I don't care who you are, now that's funny.

Friday, June 27, 2008

Number series

Mathematicians (obviously) love playing with numbers. One of the games they come up with is series, where a particular sequence of numbers makes an interesting pattern (interesting if you're a mathematician*, anyway).

An example of a series is the Fibonacci numbers. Each number in the sequence is the sum of the last two numbers. For example, in the following sequence ...
1 1 2 3 5 8 13 21 ...
... 2 is the sum of 1 and 1, 3 is the sum of 2 and 1, 5 is the sum of 3 and 2, etc. This is known as the Fibonacci series, after the Fibonacci brothers (famous Mathematicians, if you have an open-minded definition of the word "famous").

Here's another series that we've just had confirmed yesterday:
1 3 4 5 6 7 8 9 10
These are the Amendments in the Bill of Rights, as proposed by the ACLU (a civil liberties group, if you have an open-minded definition of the term "civil liberty"):

Heller: a bit of a constitutional straightjacket for our elected leaders:

"he [sic] Court was careful to note that the right to bear arms is not absolute and can be subject to reasonable regulation. Yet, by concluding that D.C.'s gun control law was unreasonable and thus invalid, the Court placed a constitutional limit on gun control legislation that had not existed prior to its decision in Heller. It is too early to know how much of a constitutional straitjacket the new rule will create."

Sheesh. Since when has the ACLU worried about "constitutional straightjackets" constraining the government? Oh, wait ...

*Want to know if you could be a mathematician? Want to impress your friends? Attract girls (OK, maybe not that, unless they're mathematicians, too)? Try the Number Series Contest!

Teh Funny (killing bunnies version)

Scene Chez Borepatch: I'm relaxing in front of Blogger, basking in the glow of vacation. Number 2 son comes in from outside, all sweaty-like.

#2 Son: Hi dad. I just rode my bike!

Me: Well done, you! Where'd you go?

#2 Son: Around the pond. I saw a rabbit!

Me: Yum, rabbit!

#2 Son: Yeah! And I didn't have a gun! No dinner for you!

Me: (looks for towel to wipe off computer monitor)

Now where on earth would he have got a sense of humor like that?

New anti-phishing browser plug-in

As a break from the "all Heller all the time" coverage yesterday, there's an interesting new browser plug-in from Stanford University that's designed to help block phishing attacks. It's free.

The good: The red/yellow/green notification is probably the right user interface. Not all phishing attacks are easy to identify ("Good day. My name is Jabbo Mbuto, financial secretary to His Excellency ...") - anything that wants to be effective will have to satisfy the "Mom Test" of security (can your mom use it effectively?).

More good: Some of what they do is pretty clever - for example, comparing the domain name that you're currently visiting to domains in your browser history list. So if you were trying to go to borepatch.biogspot.com (note the "i" replacing the "l"), it would flag this as way, way too similar to somewhere you've been recently. This likely can prevent some attacks on your paypal, or bank accounts.

The possibly-not-so-good: Not as sure about checking URL sanity (e.g. attacks like paypal.com@1.2.3.4), because there are lots (I mean lots) of ways to encode parts of a URL to make them look harmless (e.g. UTF-8). The image comparison is another neat idea that might be pretty easy for the Bad Guys to get around. I have to confess that I haven't played with this, to see if you can break it. May work just fine.
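The two checks described above (history similarity and URL sanity), sketched as an added example; this is not the plug-in's code. `HISTORY`, `checkUrl`, the two-edit threshold and the red/yellow/green mapping are assumptions made for illustration. Parsing the URL first means the checks see the host the browser will actually contact, with any userinfo split off and numerically encoded addresses normalized.

```javascript
// Added example, not the plug-in's code. HISTORY is constructed sample data.
const HISTORY = ["borepatch.blogspot.com", "www.paypal.com", "www.example-bank.com"];

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Returns { level, reasons, host } where level is "green", "yellow" or "red".
function checkUrl(raw, history = HISTORY) {
  let url;
  try {
    url = new URL(raw); // canonicalizes the host (case, IDN, numeric IPv4 forms)
  } catch {
    return { level: "red", reasons: ["unparseable URL"], host: null };
  }
  const host = url.hostname;
  const reasons = [];
  let level = "green";
  const raise = (l, why) => {
    reasons.push(why);
    if (l === "red" || level === "green") level = l; // red is never downgraded
  };

  // paypal.com@1.2.3.4 : everything before "@" is userinfo, not the site.
  if (url.username || url.password) {
    raise("red", `userinfo "${url.username}" in front of real host ${host}`);
  }
  if (isIPv4(host)) raise("yellow", "host is a bare IP address");
  if (host.startsWith("xn--") || host.includes(".xn--")) {
    raise("yellow", "internationalized (punycode) label in host");
  }

  // Near-miss of a visited domain: close to history, but not in it.
  if (!history.includes(host)) {
    for (const known of history) {
      const d = editDistance(host, known);
      if (d > 0 && d <= 2) raise("red", `${host} is ${d} edit(s) from visited ${known}`);
    }
  }
  return { level, reasons, host };
}
```

A fixed edit-distance threshold will also flag legitimate neighbours of short domains, so a real tool would scale it with the length of the name.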

The definitely-not-so-good: When it tells you something, it drops into powergeek-speak (security version). Not impossible to figure out, but the smart money isn't betting that mom will handle this as gracefully as the red light/green light paradigm. Here's an example:


The Bad: It's only available for Internet Explorer (version 6). It's a whole 'nother story why some of us use Firefox (read: avoid IE like the plague), but I'm not super keen on going back to IE - you need a lot of patches to keep Internet Explorer's muzzle clean, if you catch my drift.

So, do you want this? If you use IE as your browser, and if you're moderately careful when you browse teh Intarwebs, and if you've got a decently high computer geek level, it's probably worth trying.

Firefox users, check out noscript. I'm more concerned with evil Javascript (or worse, AJAX). If you're really paranoid (good for you!) check out Opera.

Lastly, what's the most important thing to increase your browser security? Remember that every site you visit is somewhere else, that the content comes from someone else, and "open your mouth and close your eyes" sometimes gives sub-optimal results.

Thursday, June 26, 2008

Getting my Technorati on

Whee!

Technorati Profile

UPDATE (8:50 PM): Seems my Technorati-fu is weak:

Rank: 4,978,471

We're number 4,978,471! We're number 4,978,471!

There seem to be some doofuses on SCOTUS

Good grief. You can agree or disagree with the majority, but can't the dissent at least be correct as a matter of law, precedent, and history?

So, the 4 (four! don't they read their own opinion?) justices blow the issue of who created the National Guard and when. Maybe they were busy, or didn't read the US Code (The Act of January 21, 1903, 32 Stat. 775). What do I know, maybe this is standard procedure. But they base most of their dissent on US v. Miller, and didn't know that Miller never was convicted?

Money quote: "Of course, Miller was never convicted and US v. Miller certainly didn't uphold any convictions. That's just factually invalid. How did Stevens, Souter, Ginsburg, and Breyer all miss that when US v Miller is the core precedent that the dissent was based on?"

It's a good thing to read. Wonder when they'll start.

UPDATE (9:25PM): Ha! Justice Breyer's self-refuting dissent in Heller - I don't care who you are, now that's funny! Is there anything that the Supremes can't do?

Breaking news: Bill of rights applies to you and me

I guess I can tear up that militia application form. Shooty goodness all around. Just remember to clean your gun when you're done.

In other news of the obvious, I'll still need to apply next month's Patch Tuesday updates. In related stories, it won't do any good (Patch Tuesday that is, not Heller v. DC).

UPDATE: Eric S. Raymond has a typically outspoken post on his blog. The next few years are likely to be really interesting. Since Massachusetts is a "May Issue" state for handguns, and since the Heller decision was quite explicit that the Second Amendment gives you a right to a handgun in your house for self defense, it seems likely that we taxpayers of the Commonwealth will get to foot the bill for a futile defense of the current laws. Looks like Chicago is already going to have to defend their laws.

What he said

Back in the glory days of the Republic, this SOB would have been run out of town on a rail, but not before he'd had a generous coating of tar and feathers applied by the good citizens of the area. Instead, he chairs the Massachusetts House Committee on Ethics.

Explains a lot about Massachusetts, when you come to think about it.

RTWT.

UPDATE: It seems that the SOB in question was on Jim Braude and Margery Eagan's talk radio show yesterday. No walking back from the ledge. Michael Graham has a post at his Natural Truth blog that includes a link to the audio.

I wonder if Hoppes #9 cleans tar?

Wednesday, June 25, 2008

Well, duh

128

As a 1930s husband, I am
Very Superior

Take the test!



Unfortunately, it's not the 1930s. Oh, bother.

The Browser you have, not the browser you want

Interesting post at The Reg about a crisis of confidence in browser security. Longer than the usual Reg post, but worthwhile reading.

Brings to mind Larry Ellison's comment (paraphrase): you've got no stinking browser security; get over it.

The article doesn't discuss a different approach to Internet/browser security, currently in use Chez Bore Patch: the lovely Mrs. Bore Patch refuses to give up her online shopping despite my best efforts. She knows what the situation is (I've told her), and I know what the situation is (she's told me). Oh bother.