Thursday, July 31, 2008

This will put me out of a job ...

I mean, really. How am I supposed to compete with this?
Sexy Hacking is creating a series of online videos where sexy girls teach hacking techniques, tips, how-to's, tools, social engineering, security industry news and spoofs. Why read some boring news article or lame documentation when you can get the goods demonstrated by a sexy hacker girl? This is real information security - just sexier.
Well, that about deals me out. Oh, bother.

And no, I haven't checked out the vids. And you shouldn't either. Just sayin'.

Via Mark Curphey, who has a good eye for sexy hacking.

OK, so I did check out the vids. Kinda silly, actually. But how can you not love the term "Damsels Causing Distress?"

Internet Security Advisory System

OK, so it looks like this DNS thing is pretty bad:
Miscreants are actively exploiting a gaping hole in the internet's address lookup system that can cause millions of web surfers to receive counterfeit pages when they try to access online banking services and other types of websites.
The problem is, unless you're a security geek like me (and you're not, or you wouldn't hang out here listening to my blather; just sayin'), nobody tells you how it effects you.

It's sort of like the Homeland Security Advisory System - lots of pretty colors and hyperventilating, signifying nothing of use to a normal person.

Just what the heck is anyone supposed to do when the threat level goes to Puce/Rouge/Commie Red? Beats me, and probably beats you, too. Same with Internet Security.

Until now. As a full service blog covering Internet Security, I offer the first practical Internet Exploit Threat Advisory system for the masses. It is descriptive, in that it gives a concise, one word description of the situation. It is practical, because it gives detailed advice that mom can use to stay safer for the duration of the situation.

So, with the DNS-exploit-from-Hell, where are we? Well, Scooter, move the slide up to "Dang". Don't go anywhere popular today, because the Bad Guys are setting up spoofed web sites that match them, and dumb old DNS lets them. Paypal is an example. Your online bank is another, but you already know my opinion there.

Now if you'll excuse me, as an Internet Security Professional, I need to fix a pitcher of Martinis ....

Oh, and El Reg says there is something you can actually do to help:
To test whether your ISP is an offender, please run the tests here or here, and report the results in the comments section. Be sure to include the name server's IP address and the name of the ISP.
No comment on whether the Bad Guys are spoofing the domains hosting the tests. Slide it right up to "Martini", Scooter ...

Wednesday, July 30, 2008

You're really a Linux geek if you laugh at this









Boy, howdy. I personally keep away from the hard stuff like Gentoo. But I can give it up any time I want. Really.

Why are you laughing?

Department of Irony

A couple weeks ago I wrote about the Security Vulnerability From Hell:
There's a problem in DNS (for those of you new to Al Gore's Intarwebz, that's what changes cute names like "borepatch.blogspot.com" into actual, you know, addresses). Seems that if you're really clever, you can pretty much pwn DNS at will, which lets you do all sorts of fun and games - like impersonate web sites.
Now this was really a big deal for Internet Service Providers, but not so much for anyone else (unless you're a security geek). Nothing ironic here.

The irony comes in when you hear that the security researcher who put an exploit for the vulnerability into popular security testing tool has been victimized by the Bad Guys:
"HD Moore has been owned. Moore, the creator of the popular Metasploit hacking toolkit, has become the victim of a computer attack. It happened on Tuesday morning, when Moore's company, BreakingPoint, had some of its Internet traffic redirected to a fake Google page that was being run by a scammer. According to Moore, the hacker was able to do this by launching what's known as a cache poisoning attack on a DNS server on AT&T's network that was serving the Austin, Texas, area. One of BreakingPoint's servers was forwarding DNS (Domain Name System) traffic to the AT&T server, so when it was compromised, so was HD Moore's company."
Not his fault - AT&T ran the DNS server that got poisoned. But still, this is the biggest security + irony story since, well, maybe it's the biggest ever.

Slashdot has the story and, as always, top shelf snark. And OBTW, Metasploit rocks, at least if you're a security geek. Not sure if it's a great idea downloading it via a pwned DNS server, tho.

Massachusetts is insane

Some of you will remember the story of the child molester caught in the public restroom. The police let the perv go free, but arrested the kid's dad for punching the perv in the nose.

Well in a development that surprised nobody except the police, the perv didn't show up for court:
Now this guy is still out there wandering around, and he has learned that he will have to hid his molestation better next time so he can get away with it.
In another development that surprised nobody except for the police, it seems that the perv is an illegal immigrant:
Gee, do you think that maybe Rodriguez didn't show because maybe, just maybe, he's afraid of being deported? And how dumb does it make Massachusetts look that the guy's been arrested for sexual assault, hasn't shown for his court appearance, and we STILL don't know his immigration status!
Can someone please remind me why these Super-Size-Cranium-Liberals think they're so much smarter than the rest of us?

Oh, and the kid's dad? Still facing felony assault.

UPDATE 30 July 2008 18:54: A friend emails me a spot-on excerpt from Jasper Fforde's First Among Sequels:
Unlike previous governments that had skillfully managed to eke out our collective stupidity all year round, the current administration had decided to store it all up and then blow it all on something unbelievably dopey, arguing that one major balls-up every ten years or so was less damaging than weekly helping of mild political asininity.
Except it's every ten days, not years. But the part about the unwisdom of burying half-wittedness in landfills, because it percolates to the surface in future decades, is pretty funny.

Tuesday, July 29, 2008

Fond memories of boot camp

No, not mine. But Random Acts of Patriotism waxes poetic bout early morning on the rifle range at Parris Island:
The marksmanship instructors check the line, double checking each rifle. It is time to move back, another hundred yards. The sun is fully up now, the temperature rising through the 90s. There is more to do at 300 yards, and then at 500. Iron sights on an M-16 at 500 yards. Two weeks ago, it seemed impossible. Today, some recruit will shoot a perfect score at that distance.
I think that this is the first time that the words "waxes poetic" and "boot camp" have appeared together. It's a great post; RTWT.

And in February, I took #2 son to visit Parris Island while we were on vacation in Hilton Head. I had what I thought was a great idea - The Marines should have a public range, as part of a recruiting effort ("Come shoot with the Marines!"). The problem is that I probably couldn't hit a target the size of Luxembourg at 300 yards with iron sights. 500 yards? Yikes.

Hacking Vista - Video at 11

Every time Microsoft releases a new version of Windows, they bill it as "the most secure Windows Ever!!!" Whatever the truth of the matter, there's no doubt that the Bad Guys are shifting to "poisoned bait" - sending documents that have been made to look important so that the recipient will open them.

Like the PDF email attachment that contains an exploit telling a CEO that his company is being sued. Or the one that targets online banking customers.

It works like this (via Orange County Register). (Video at the link - my embedding-fu is weak)

As if online banking customers didn't have enough trouble.

They Bad Guys are targeting more than just PDF: iTunes, Winzip, and Mac OS X, among others.

So what should you do? First, a personal firewall is your friend - the malware will always try to connect from your computer to the Internet. A message along the lines of "Hey, pwn3r.exe wants to connect to the Internet. OK?" gives you a chance to stop it from phoning home to the Mother Ship. Second, be very suspicious if you click on something and the application you were using crashes. This is bad security juju in general, and really bad security juju if your firewall immediately asks you about pwn3r.exe.

UPDATE 7/30/2008 12:47: Wow - it's a Tam-alanche! Welcome, and take a look around. There's a recent post on how to scrub sensitive data from your hard disk using .50 BMG armor piercing rounds!

Formatting a hard disk with .50 BMG













A typically fun and useful post over at Marcus Ranum's place, about free (yes, free) software to encrypt your hard disk. Plus, what to do when you really, really need to get rid of the data, and have spare armor piercing .50 cal hanging around.

Remember the bit about "free". Open Source software is a very cool concept.

Marcus should come shooting with us - he'd fit right in.

And the rest of you should go check out TrueCrypt, for some security-fu.

Monday, July 28, 2008

On-line bank security: is it hot or not?

Not.
The vast majority of US bank websites jeopardize the security of their online customers by including design flaws that expose passwords and are susceptible to tampering by attackers, researchers say.
Unless you're from San Francisco, in which case the city has published all the passwords ...

I hate to say this, but none of this is remotely surprising. The nifty new "Web 2.0" technology that all the Marketing VPs want on their web sites is too new for anyone to really understand the security implications. The schedule is always rushed, so the programmers are always in a hurry. Since nobody really understands enough to say Whiskey Tango Foxtrot, the thing goes live with security strong as moonbeams and cotton candy.

Use an ATM. They have a camera that takes your picture, so there's proof it was you.

Lawyers - a security threat?

Seems so, at least if they work for San Francisco.
San Francisco prosecutors have put the city's network at further risk by placing access passwords and usernames on the public record as part of their case against Terry Childs, the sysadmin alleged to have hijacked the city's wide area network.
Sheesh. When they let a "Rogue system administrator" basically shut down their network? Seems he was the only one who knew the password.
Meanwhile his former bosses were unable to access San Francisco's new multimillion-dollar FiberWAN (Wide Area Network). The network provides access to confidential databases including payroll files and law enforcement documents.

Childs allegedly created a password that gave him exclusive access to the system. Pass codes he gave to police failed to work.
So, what have we learned? If you hire jerks who won't tell you the passwords, you're screwed. If you hire lawyers who blab all the passwords over the internet, you're screwed.

The common theme? You've got no steenkin' security.

Got to love the PR flacks, tho:
After initially declining to comment, a spokeswoman for the DA's office said that "the court files have been amended".
I'll bet they have.

Sunday, July 27, 2008

1000th visitor

For a new blog, it's always nice to see people coming and reading. It's been a busy weekend, so I just now saw that visitor #1000 from Portland, Oregon stopped by yesterday at 1:15 PM Eastern time (10:15 west coast).

Thanks! I'd send you a Teletubby, but I'm all out.

UPDATE 27 July 19:58: #2 son just told me "Not bad. 1000 out of 6.5 Billion people." Don't get cocky, kid ...

Gun envy

Yes, envy is one of the seven deadly sins, but to see these is to want them. Young and Crotchety has a new (to him) CMP M1 Garand and M1 Carbine. Made by IBM. And enough ammo to make Mr. FedEx Man really unhappy.

Man, if there's something that could wean me away from my Lever Gun love affair (No, Ted! Say it ain't so!), this is the ticket.

UPDATE: Typos fixed. Thanks, Jay.

Saturday, July 26, 2008

Must read on home defense

Random Acts of Patriotism is on a roll lately, this time with a great post about strategies for home defense. Sounds like it would even apply to the People's Republic of Massachusetts:
Defense doesn't win. It doesn't win in football, baseball, boxing, or combat. What defense does is keep you in the game. It may buy you time, force the opponent to use his energy, or keep him outside a perimeter.

In a home defense situation, you need enough time to wake up, orient yourself to the evolving situation, and respond. This requires a defense in layers.
Go RTWT.

Range Report - AR-15

My regular readers (both of you!) know that I get all weak-kneed and trembly-like when I look at a lever gun. So it was a bit of a walk on the wild side last week at the blogshoot when I took an AR-15 for a spin.













Now, we're just not going to get into the politics between the AR fanboys and the "poodleshooter" crowd, so please just stop right now.

First impression was surprise at how much it weighed. It's plastic (compo) after all. This one had a solid (read: heavy) stock, and you can make it into kinda what you like since it's more or less infinitely customizable.

Second impression: No recoil to speak of, so very easy to stay on target for follow up shots. Not a surprise at all, since that was one of its design goals. Have to admit, that this makes it really easy to shoot - no shoulder bruise for me here. Wikipedia has a good discussion on the .30-.30, which a picture comparing the AR .223 with the .30-.30 Winchester.

Third impression: Decent trigger, meaning it didn't distract me while I was shooting. Not sure if this was standard or aftermarket, but it doesn't really matter - no news here is good news.

Fourth impression: Hokey smokes, is this accurate or what? I'm not by any means the world's best shot (trying to make up for lack of skill with extreme enthusiasm), but La-La twitched every time I squeezed the trigger. Every. Time. With this, I'm maybe almost as good a shot as Lissa! Whoo hoo!


Fifth impression: Sarah Brady cries every time you squeeze the trigger. And like Lissa says, "Every time Sarah Brady cries, and Angel gets it's wings."

I'm not turning into an AR fanboy, but I can sure see the attraction - this rifle makes even a guy like me look like a dead shot. If they had a nice wood stock (i.e. make it look like a Garand), I might think hard on this ...

Now, I said we weren't going to get into the politics of fanboys vs. poodleshooters, but one discussion point is interesting. From my short introduction, it seems like about the only real downside to this rifle is the small caliber cartridge, and that's a downside probably only for battle. Of course, the dang thing was designed as a battle rifle, so that's kind of the heart of the matter.

The cartridge issue has been addressed better elsewhere, and there seems to be a fair amount of confirmation from the guys in the Sandbox. So the question I've never seen addressed is: If you increase the cartridge size so you put the Bad Guy down with one shot, do you destroy the light-recoil-quick-back-on-target-insane-accuracy part? IOW, is the cartridge a key part of the rifle design, and changing that changes everything else?

I simply have no idea. Both my regular readers are invited to help edumacate me in the comments.

UPDATE 28 July 2008 0:49: Boy, howdy - it's an Uncle-lanche! Thanks! Folks visiting feel free to look around.

UPDATE 27 September 2008 21:13: A month after I posted the question on whether the ammo and rifle were closely matched, John Farnam offered a short discussion on the 6.5 Grendel round, that seemingly destroys the AR guts:
"In testing the 6.5 Grendel round though the existing AR-15 platform, we've discovered that the two don't mix! I wrecked our test copy within just a few hundred rounds, disintegrating the two locking-lugs on either side of the extractor, and this was all with the manufacturer's recommended ammunition. The 6.5 Grendel is just too much for the AR"
If you're interested in this topic, RTHT.

Note to right wing whacko telemarketers

Just because you bought my name and phone number from big pro-shooty organization does not mean I'm in your camp. Just because I can't stand the Contemptible (D) party does not mean I like much of anything the Stupid (R) party has done lately. Stop. Calling. Me.

Don't make me want to change my tone.

And note to big pro-shooty organization: thanks a lot for selling my name to a bunch of whackos. Way to make a new member question whether renewing his membership is A Good Idea. You must be registered members of the Stupid party.

Saturday Redneck - Terri Clark

Country music is full of "that happened to me" songs. Offered for your consideration is the greatest song (for anyone who's ever been married), I just want to be mad for a while, by Terri Clark.
Last night we went to bed not talking
Cause we already said to much
I face the wall you faced the window
Bound and determined not to touch

We've been married 7 years now
Some days if feels like 21
I'm still mad at you this morning
Coffee's ready if you want some
I've been up since 5
Thinking about me and you
And I've got to tell you
The conclusion I've come to

[Chorus]
I'll never leave, I'll never stray
My love for you will never change
But I ain't ready to make up or get around to that
I think I'm right I think your wrong
I'll probably give in before long
Please don't make me smile
I just want to be mad for awhile

For now you might as well forget it
Don't run your fingers through my hair
Yeah that's right I'm being stubborn
No I don't want to go back upstairs
I'm going to leave for work
Without a goodbye kiss
But as I'm driving off
Just remember this

[Chorus twice]

I just want to be mad for awhile
I just want to be mad for awhile
I just want to be mad for awhile
My Google-fu is weak, or there's no Youtube of Terri doing this (there is a youtube of someone else doing the song, but I can't inflict that on y'all first thing in the morning).

Note to Terri Clark's people: Youtube is your friend.

Since I can't leave you without a video for Satrurday Redneck, here's what's probably her biggest (and maybe funniest) hit, Girls lie too.

Thursday, July 24, 2008

Regarding Self Defense

Random Acts of Patriotism has a heartbreaking must read post about self defense. If you liked Lissa's post this week (and if you didn't, then you're no damn good) go read.
By all accounts Dr. Petit is a fine man, he had a loving, accomplished wife and two beautiful daughters. When evil came through the door at 3 AM, he was unprepared to defend them, and they were unprepared to assist in their own defense. Two small time criminals, men who if they had been stopped by Dr. Petit, would have only been suspected of burglary, overwhelmed him, and then proceeded to commit an atrocity.
Animals. Hanging is too good for them, but it's Connecticut, so the taxpayers there will have foot the bill for incarceration. At least it isn't Massachusetts: they'd get let out early.

Breda sums it up:
Teach the women you love how to shoot. Today.

And speaking of Spam ...

Seems Edward "Spam King" Davidson has escaped from jail.

I was going to say something snarky about how the Nigerian Vice Minister of Internet Financial Transactions was the getaway driver, but it seems that he's part of a murder-suicide. One child is dead, another hurt.

Can't really work up any snark here, folks. Sad.

Astronaut is a Moonbeam

Seems Apollo 14 "Spam in a can" Edgar Mitchell thinks there are space aliens, they've visited us, and that the Fed.Gov is covering it up. Feel free to insert your own snark here.

Via Slashdot, which offers some top shelf snark on the subject of a massive gov't conspiracy. If the conspiracy is so effective, then why oh why don't they shut Dr Mitchell up? Easy:
Well oblivious they KNEW he would look like a crackpot so we would obviously not believe him. On the other hand they KNEW that we would think that we know they think he wants to look like a crackpot so we would obviously not believe NASA. However, we know that he has been on the moon, so he might have gone mad, so obviously we can not believe him. However knowing he has been on the moon means he was privy to a lot of highly classified information so we obviously can not believe NASA. However only a great fool believe in what has no proof so we can obviously not believe him. On the other hand NASA knows the slashdoters of the world are not great fools, and they were counting us not foolishly believing him, so we can obviously not believe them. INCONCEIVABLE!

Wednesday, July 23, 2008

You want to read this

I know this, not because of my exceptional perceptiveness, but because you're reading a blog.

Ever wondered what sort of security a blog has? Could someone take over a blog and post malware that might infect you? As a full service security blog (when I'm not shooting Teletubbies), let's take a look.

One of my early posts talked about security vulnerabilities (flaws that could let a Bad Guy take over the computer or program). Now, not all vulnerabilities are equally serious, or equally easy for the Bad Guy to exploit. However, comparing the number of vulnerabilities in two different, competing products can be instructive.

CVE is an open source repository for vulnerabilities, tracking vulns in pretty much everything. Like Blogger, Livejournal, and Wordpress. You can query for bug count. Let's look at a score:
Blogger: 21

Livejournal: 5

Wordpress: 138 (ouch)
So We'erd Beard, you win the "Most secure blog in my bloglist" award. I owe you a Teletubbie. Lissa, not so much. Everyone else, you're in the same boat as me, for whatever that's worth.

Now numbers aren't everything, so let's take a little deeper dive.

Blogger. Still new vulnerabilities being discovered, but at a fairly low rate (3 so far this year). Least important is that someone could change your post. Most serious is the directory traversal flaw that lets someone run code remotely - web servers saw this sort of thing a long, long time ago. Let's party like it's 1999. We'll give Blogger a "Gentleman's C" for a grade.

Livejournal. No recent vulnerabilities (good). Most recent vulnerability is a stack based buffer overflow (bad). Still, it was a while ago, so let's give Livejournal a B-.

Wordpress. 43 this year. Ouch. Even worse is that there's a bunch of stuff like this:
Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
This means that a Bad Guy can feed malicious HTML and scripts to a wordpress blog, and you folks could be attacked by it. And it's not just vulnerabilities: got yer Wordpress exploits right here (don't try this at home kidz, we're trained professionals). Wordpress gets an F (sorry, Lissa).

Cross Site Scripting is serious. Here's a great demo on how it works - go watch it.

So what do you do? First read my other early post on safer browsing. Second, ditch Wordpress (if you're paranoid like me). There's bad juju in them thar hills, and it could leave juju stains all over your computer. It looks like a trifecta of a popular application, lousy security programming, and a lousy architecture that lets any Tom, Dick, and Harry write their own lousy security in their plug-in. Get out of there.

Do it for the childrenTM

Quote of the Day

Via Dave Hardy, commenting on a pro-shooting sports article in the Boston Globe:
Or maybe it's as P.J. O'Rourke says. All kids have a drive to shock their parents. This is a problem for kids today, many of whom were conceived during drug-laden public sex at Woodstock; there's no way to shock your parents anymore. Except by enlisting. Esp. in the US Marine Corps, so you can come home and tell them you like the doctrine of "every man a rifleman."
And a shoutout to nephew (and Lance Corporal) Dan, in Fallujah. First working on George Bush's re-election campaign in 2004, and now this. Stay safe and come home soon. The next range report is for you.

Man bites dog

Who would have thought that Katie Couric and CBS News would actually present straight-up news about Obama's and McCain's views on Iraq. Couric looks stunned when Obama won't even admit that the surge has improved the situation, and asks him very specifically, several times. Obama looks like a rookie, and won't even answer her question.

McCain was, well, McCain. But at least he made sense.

Via Ann Althouse, who has a must read on the media. Kouric played this straight.

Cats and dogs, living together.

Tuesday, July 22, 2008

More Ballistic Sculpture

Or at least Jackson Pollock-y shooty goodness, over at Marcus' place. Slow motion 'splodey watermelon, too. If you're not sick of dead Teletubbies and computers, take a look. And if you're a security geek, stick around and check out that too.

My choice

Lissa posted a new shooter report, from the new shooter's perspective. It's well worth a read, but what really struck me was this, about how a Super Size Cranium Liberal views someone who actually wants to shoot:
To those who grew up in a liberal family, guns are dangerous weapons that cause untold injuries and death every year, that bring blood and destruction, and that are only loved by odd folk at best, and ignorant rednecks at worst.
JD comments on the typical Super Size Cranium Liberal reaction to someone wanting to go shooting:
They will ask “ Why would you want to learn that?” and “What good is it? You want to hurt someone?”
Man, oh man, how to answer? The snarky reply is "Hurt who?" The more thoughtful reply is to echo Col. Jeff Cooper, who when told that violence only begets violence replied "I certainly hope so. Anyone who would try to inflict violence on me or my family will receive quite a lot more violence than he will have stomach for."

That's my Y chromosome talking there. And the blogshoot was admittedly over-represented by the Y-chromosome crowd.

Women have more reason to learn to shoot. Not only are they often targets for scumbag predators, but they tend to be at a physical disadvantage. Lissa continues about shooter's attitudes:
In their minds, Sarah Brady has made it a life crusade to deprive them and others of their Constitutional rights — a right that, for a young woman like myself, could quite possibly make the difference between life and death during an assault by a large man — and freely distorts facts to do so.
She's not the only one. Breda writes of a woman who died after a particularly savage attack:
Now for the rest of my days, in moments of self-doubt, moments where I say to myself, "You're being paranoid" I will remember that bright smile, stolen forever - and I will go to the range and practice until the calm finds me.

Teach the women you love how to shoot. Today.
Zendo Deb has a whole library of stories about people who choose to fight, and perhaps live:
How is a petite woman supposed to defend herself against 2 armed home invaders?
OCALA - A petite woman, firing a .357-caliber Magnum handgun until it was empty, chased two intruders from her home ... on Wednesday morning.
Oh, and her 11-year-old daughter was home at the time.

The goblins attacked her boyfriend; she ran for a handgun.
I think that there's a common thread, even for the men-folk shooters. Back to JD's hypothetical question: Do you want to hurt someone?

Of course not. But you don't always get a choice that you like. Until, as Col. Cooper puts it, you "see the elephant", you don't know how you will react, but it's my choice. Mine. Not Sarah Brady's, not Gov. Patrick's. My choice.

I'd like to think that if it ever were to happen, I'd react like Tam describes:
I ain't goin' out like that. Whether it's some Columbine wannabe who's heard the backward-masked messages on his Marilyn Manson discs, distressed daytrader off his Prozac, homegrown Hadji sympathetic with his oppressed brothers in Baghdad, or a bugnuts whackjob picking up Robert Frost quotes transmitted from Langley on the fillings in his molars, I am going to do my level best to smoke that goblin before my carcass goes on the pile. I am not going to go out curled into a fetal ball and praying for help that won't arrive in time.
My choice.

There's the common thread among shooters, liberal and conservative. I ain't goin' out like that. Of course we hope it never happens, but my choice.

That's why we take new folks to the range, to learn how to shoot. Because then it's their choice. And that's why this is why we resent the Brady campaign, and others cut from the same cloth, who want to take away that choice. Lissa continues:
Yet if the folks from yesterday met her, I bet they would be polite and courteous, even as they informed her of her numerous mistakes and incorrect information. And then they would offer to take her shooting.
Sure would. And #2 son would teach her the 4 rules. He's an expert now.

Monday, July 21, 2008

Quote of the Day

Since it's impossible to narrow things down to a single winner for QoTD, here's a trifecta of shooty, snarky goodness.

From JD, capturing the attitude of the Massachusetts Ruling Elite:
As others have said better than I, there seems a problem with the logic of the gun grabbers in MA and elsewhere. I was around lots of armed folks all day, with lots of guns of all kinds going off, and no one got mad, no one got shot, no one got threatened but they all had a good time. I guess there is just something wrong with us, maybe the blogging but there was no blood spilled of any kind that I saw. . . .
Saying the same thing more concisely is Bruce:
Suck it, Cadillac.
And my blogfather Jay, thinking that somehow I may be less immature than him:
Apparently my insane feces flinging here inspired him to start his own blog (I would guess under the auspices of "Hell, if this retarded chimp can do it, anyone can")...
Jay, you may be retarded, but I'm retardeder. I keep archives to prove it.

Solaris vs. NT Bloggershoot Security Smackdown

People ask which OS is more bullet-proof, Microsoft's Windows NT series (NT/2000/2003) or Sun Solaris. We had an excellent opportunity to put this to the test, to try to resolve the question once and for all.

A quick note on our testing: We used a Sun Sparcstation 10 and an HP somethingorother, both shown in laboratory prep here. Our exploits were pretty diverse, as you would expect from a large and experienced group of penetration testers. Favorites included 7.62x54mmR, with a fair amount of 5.56 NATO, and smattering of 9mm and .45 ACP. All in all, a normal Pen Test configuration.

The NT system, as many suspected, had rather a lot of holes:















It did, however, remain standing when the smoke figuratively settled. Or literally, in this case.

Solaris was both more and less robust. Many fewer observed holes, but the server was surprisingly easy to knock over, so it would appear to be more subject to Denial of Service (DoS) attacks, or Jay's 16 20 gauge slugs:














Jay will be posting a vulnerability announcement to bugtraq shortly.

So what conclusions can we draw from all this? There are a lot more holes than you'd expect in standard server-class Operating Systems, at least at a Blogshoot. On the other hand, both NT and Solaris are much, much more robust than fruit (Watermelon in this particular case).

Left unanswered is whether Macintosh - particularly old obsolete Macs would be more resistent to remote exploits. Sorry, the range doesn't allow targets containing glass.

Sunday, July 20, 2008

La La was here





But the Nu-Nu has everything tidied up now.

Teletubby Shooting Gallery

Alternate title: I can haz Bayonet?

Today was the Northeast Gunblogger shoot. Jay G organized it, and Doubletrouble arranged the super secret rendezvous location. The view downrange at the guest of honor:













The red patch on LaLa's tummy screen is a stick-on target, of course. After the first couple of rounds, LaLa turned to face the wall, whether in mortal fear or receiving coded messages from Outer Space I'm not sure.

There was a large and enthusiastic turn out:

























Everyone had a great time, but the carnage was brutal:

















The day ended in a blaze of glory, with a bayonet charge:


It was fun to get together and meet the area gun bloggers in real life, and shoot off a whole boatload of ammunition. The words "There are enough guns here to invade Canada" were heard more than once.

Liberty brought a Furby, so LaLa wasn't alone on the firing range. Make sure you stop by his place for pix of the Furby shooty goodness.

And JD brought an absolutely scrumptious Marlin '94 in 45 Long Colt. This is an absolute dream to shoot, and if anything even more accurate than the Winchester .30-.30. As I thought, the pistol cartridge had almost no recoil at all, and the .45 LC packs even more wallop than .45 ACP. You could use this rifle and cartridge to hunt just about anything east of the Mississippi, except Moose and Black Bear. With a hot load, I'm not sure you couldn't hunt even them. Thanks for letting me shoot it, JD.

A big, big "Thank you" to everyone for showing up and sharing guns and ammo, and to Jay and Doubletrouble for the heavy lifting getting this from concept to reality!

UPDATE 27 September 2008 18:20: Boy, there are a lot of folks exercising their Google-fu for "Teletubby shoot" or something similar. If you like this sort of thing, there's a sequel post here. And assuming that you're not entirely revolted by this site (and if you're searching for "teletubby shooting gallery" then shake not thy gory locks at me, scooter), check out the Best Posts category. If you like it, stop back sometime. If you don't, well it's about as good as I can do.

Saturday, July 19, 2008

Lock and load


















Legion's silent ranks
meet ballistic projectile.
Kinetic sculpture.

Can I has NEA grant?

And yes, that is a Sun workstation in the rear ranks.

Whiskey Tango Foxtrot

I mean Whiskey Tango Foxtrot-ing Foxtrot?

350 knife assaults per day in Merrie Englande?

Hmmm. Let's engage in some higher mathematics:
350 per day x 365 = 127,750 per year

UK population = 60,776,238 (July 2007)

Knife attacks per day per 100,000: 210
Let's compare and contrast:
US Firearms homicides (1996): 18,382 (US Dept of Justice)

US Firearms homicides per day (1996): 50

US Population (1996): 263,814,032 (July 1995 est.)

US Firearms homicides per day per 100,000 (1996): 0.2
OK, this is a bit apples vs. oranges. Gun homicides vs. knife assaults. 1996 vs. 2007. However:
  • Brits always complain about our gun crime and murder rate, so let's look at it.
  • My Google-fu is weak; it was easy to find homicide stats for 1996. It's lower now, and was clearly declining substantially even in 1996. So if anything, this overstates the US homicide rate.
  • UK crime rates have been increasing over the last 12 years, in contrast to declining US rates. However, even in 1996, the UK had a higher assault rate.
So, to all those brits who complain about how violent the US is, with our cowboy shoot-first-ask-questions-later, your knife rate seems to be 105,000% higher than our shooty problem. Boy, we must be really bad shots.

Dudes, you're bringing a knife to what should be a gun fight.

Boy howdy, I hope we're not next.

Engineers solve problems

Saturday Redneck - Miranda Lambert

In honor of the Northeast Gunblogger's shoot, we need a country song that has firearms. Fortunately, that's not hard to find ....

On a more serious note, one thing that attracts me to country music is you often find song that has a real "Don't mess with me" attitude. When you combine that attitude with an important social issue, you sometimes get something astonishing.

Miranda Lambert was runner-up on the first season of Nashville Star, a country music version of Americn Idol. In her song Gunpowder and Lead she takes on the issue of wife abuse, with a rockin' beat:
County road 233, under my feet
Nothin' on this white rock but little ole me
I've got two miles till, he makes bail
And if I'm right we're headed straight for hell

[Chorus:]

I'm goin' home, gonna load my shotgun
Wait by the door and light a cigarette
If he wants a fight well now he's got one
And he ain't seen me crazy yet
He slap my face and he shook me like a rag doll
Don't that sound like a real man
I'm going to show him what a little girls made of
Gunpowder and lead

It's half past ten, another six pack in
And I can feel the rumble like a cold black wind
He pulls in the drive, the gravel flies
He dont know what's waiting here this time

I'm goin' home, gonna load my shotgun
Wait by the door and light a cigarette
If he wants a fight well now he's got one
And he ain't seen me crazy yet
He slap my face and he shook me like a rag doll
Don't that sound like a real man
I'm going to show him what a little girls made of
Gunpowder and lead

His fist is big but my gun's bigger
He'll find out when I pull the trigger

I'm goin' home, gonna load my shotgun
Wait by the door and light a cigarette
If he wants a fight well now he's got one
And he ain't seen me crazy yet
He slap my face and he shook me like a rag doll
Don't that sound like a real man
I'm going to show him what a little girls made of
Gunpowder and lead
I'm going to show him what a little girl's made of. Boy, howdy.

Zendo Deb writes often and well about women who have to deal with an abusive man. Self defense is a human right. Oleg Volk has a series of amazing photographs on this as well.

Song, written word, picture, all saying the same thing: molon labe. His fist is big but my gun's bigger.

And for those of you not from the South, yes, "bail" and "hell" do in fact rhyme. Why did you ask?

Friday, July 18, 2008

Malware in infected MP3 files

From Slashdot comes news of a new form of malware that uses MP3 files to carry its worm code:
Infected files launch IE [Internet Explorer - Ed] and load a page that asks the user to download a codec. The download, a Trojan horse, installs a proxy program to route other traffic through the PC.
OK, there's lots of geeky security stuff at the link if you're interested. If you're not, there's a simple rule:

ANY time you're told that you "need to download a new codec" you say NO.

Gozer: Are you a God?

[Ray looks at Venkman, who nods]

Ray: No.

Gozer: Then... DIE!

[Lightning flies from her fingers, Ghostbusters almost wiped out]

Winston: Ray, when someone asks you if you're a god, you say "YES"!

So, if y'all like to download MP3s from p2p networks, and Gozer asks you if you want to download a new codec, go ahead and say yes. If you're a God.

Quote of the Day

I don't need to snark on Windows security when Liberty is around (from the comments):
Though I’ll say, I have developed a mature love/hate relationship with XP. It’s like having a retarded puppy that eats your DVD collection, vomits whenever you have guests over, and filths itself in front of your refrigerator while you’re in the shower. Sure it has issues … but the place just wouldn’t be the same without it.
That's going to leave a mark there, yes sir.

I guess it's hard to tell we're pompous Linux bigots, huh?

Firearms and computer security

These are two of my favorite things, and it's not often that I can indulge both at the same time.

The last post talked about the Northeast Gunblogger's shoot. Well, I've been getting ready like everyone. Maybe my kind of getting ready is a little different.

Scene: Big Tech Company, the mail room. In corner is big electronics recycle bin, full of old obsolete computers.

Me: Hey, what happens to that stuff?

Mail Room Guy: Someone comes and hauls it away.

Me: Can I haul some of it away?

MRG: Sure. We have to pay to get it taken out. You're helping us keep costs down. [Well done, Ted!] It may not work, tho. Most of it doesn't.

Me: S'OK. It doesn't have to work. It's a target.

MRG: ????

I've seen lots of exploits targeting Sun Workstations, but never in the 8mm caliber ...

Shopping

Posting was late today, since I had to go shop.

Why, you ask? Well, there's the upcoming Northeast Gunblogger Shoot: Meat, Greet, and Skeet. So, got to shop!

Dick's Sporting Goods: Targets, recoil pad (yeah, I'm a recoil wussie - thanks for asking). Check.

BJ's Wholesale: Gatorade (it's summer, hot!), meat, more meat, Yet Even More Meat. Check.

Late. Kids hungry. (Sheesh - do I have to feed them every day?) Stop by Tennessee's BBQ for meat. And oh by the way, they do so have burnt ends. Yum. Sorry, Jay, this won't last until the shoot.

All this is cutting into my blogging time. But I can stop anytime I want.

Really.

Security Rock Stars

Bruce Schneier is one of the security industry's big guns (so to speak). His area of expertise is in cryptography, secret codes and that sort of thing.

This isn't news. Nor is the news that he and some friends found a security weakness in some crypto software (well, it is but only if you're a security geek like me, and I assume you aren't).

Slashdot discusses this, of course. And of course, the best stuff is in the comments, in this one about Bruce:

Some of you may not be aware of the stature of Bruce Schneier in the field of computer security, so here is some background information:

http://geekz.co.uk/schneierfacts/facts/top [geekz.co.uk]

Bruce Schneier once decrypted a box of AlphaBits.

Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
There's lots more. Enjoy. That's some quality security geek snark, right there.

Bad News

JD has an illness in the family. Stop by his place and leave a note.

More on Macintosh and Security

Well, not just Mac. Tam left a quite interesting comment to my earlier post on Macs and security:
"So what happens if Macintosh market share doubles?"

We keep running obsolete versions of the Mac OS.

It'd take a bored hacker to make a serious run at OS 9.2. ;)
This is exactly right, but if you're a geeky security guy like me, what's interesting is why it's so right.

Really old OS versions are obsolete for a reason - lots of new programs (can you say Quake?) won't run on them. Old browsers won't give you the "new" cool features, like AJAX, and new browsers won't run on them either. A different way to say this is that there's a lot less capability in the OS. Less capability = less code.

Bug count is very closely related to code size (OK, I over simplify, but with everything else the same, the program with more code will have more bugs). Bugs in features tend to be more easily discovered during testing than security bugs: "Hey, the fratsulator just crashed again when I double clicked it." Security bugs often are latent, waiting until someone pokes the system the wrong way and finds that it's possible to run his own code on it.

From a security perspective, a security bug that lets the attacker run his own code on the computer is the worst case scenario, especially if the program runs with lots of privileges (IOW, permission to access everything). Thus the beauty of Tam's suggestion - obsolete OS versions like Mac OS9 or Windows 98 simply don't provide many ways for a bad guy to get his code to the computer. As they say up in Maine, "you can't get there from here."

Network communications rely on two things: addresses and ports. All computers have an address, at least if it wants to move onto Al Gore's Intarwebz. Typically the computer gets the address from the ISP - for exmple, right now I'm something.something.verizon.net (the magic of DNS translates names to actual addresses, but they're really referring to the same thing).

Ports, on the other hand, are owned by the computer itself (the ISP doesn't play here); the computer gives ports to applications that use the network. Some ports are "well known", like the web (80) or email (25). Others are entirely random.

Now from a security perspective, the really important port is the one used by the application that is a server. My Firefox application is using who knows what port right now; Blogger.com is using port 80. This means that to a Bad Guy, it's really really hard to get to me, but it's trivial to get to Blogger.com.

So what does this mean to Mac OS9 or Windows 98? They don't run server programs. Even if the Bad Guy wanted to get you, nothing's listening when he calls. He wants to send you his malware code to run, and nothing will take it from him.

More modern OS versions - Windows 2000/XP/Vista or Mac OSX (or Linux) typically have gobs of applications listening on gobs of ports. Target rich environment. Plus, the new OS has many, many more lines of code than the old versions: more code, more bugs. More bugs, more security bugs. The fact that the OS is pretty primitive is A Good Thing.

So Tam is absolutely right - burning the late night oil to learn how to be the ultimate h4X0r for OS9 is not going to give you a lot of targets. It's also a whole lot harder than becoming a good Vista hacker.

Thursday, July 17, 2008

That's why they call it the "Hub"

HUB = Heavy, Uncontrolled Borrowing.

Tekmage has a great post on the Mass.gov financial crisis. Seems they didn't exactly estimate what the Big Dig was going to cost. Oops.
The Big Dig latest score –
Original Quote - $3 Billion
Today’s Quote – $22 Billion

And we will be paying this off until 2038. . . .
The money's spent, on graft and corruption and sweetheart deals:
Massachusetts political hacks and their union stooges saw a chance to dive into a bucket full of money. They knew the numbers were lies. They knew the contract was a taxpayer ripoff. But because some cousin got a job leaning on a shovel, many Bostonians laughed up their sleeves and let it go. As long as we were shaking down Uncle Sugar for the money, who cares?

Oooops. Turns out we're paying 78% of the tab out of our own Bay State pockets. The state is so broke, we're borrowing money to cover paychecks for current workers. When you have to put payroll on the Visa card, you know you're in trouble.

Who will pay the price? Will anyone even be punished? Nobody but us taxpayers.
Bruce piles on, with a "ya think this is done?" moment:
Of course, what they forgot to mention is that this $22 billion figure is only valid until the next catastrophic failure.
As bad as this is - an uncontrollable political class drunk on money and power, and with as much self restraint and concern for the future as an 18 year old with a fake ID - just wait until the state and local public pensions come due:
Too, these articles rarely see fit to mention the other ways in which these wounds have been self-inflicted--the habit of making ever more lavish pension promises to the public sector unions, for example. Public pension funds are now officially a disaster. Politicians promised benefits without funding them. The befuddled fund managers seem to have mistaken beta for alpha, pouring their assets into riskier asset classes because they couldn't make up the deficit on a safe, modest appreciation every year. If these were private companies, most of those managers and their bosses would be under indictment. The problem is about to get worse, of course, because when do pension funds need the most topping up? During downturns, when asset values decline.
So let's run down the Massachusetts political checklist, shall we?
Project billions over budget again? Check.

State budget underestimated by hundreds of millions of dollars? Check.

Police and Attorney General abusing the citizenry? Check.

Y'all going to vote for us again? Check.
Any you guys think you're smarter than folks down south? Boy, howdy.

Macintosh and security

There seem to be two reasons that people buy Macs instead of PCs: easier to use and better security. The second reason may get tested, if things keep going the way they are:
"According to Gartner and IDC, Apple now has between 7.8 and 8.5% of market share. While those numbers are not astonishing, they are not insignificant, and their growth does not seem to be slowing down.
While Mac has a better security architecture, some of the reason that there isn't so much malware targeting it is that there aren't nearly as many Macs as PCs. Combine easier attacks with more targets, and Windows becomes an irresistable magnet for Bad Guys.

So what happens if Macintosh market share doubles? Does that installed base attract criminalized malware? We may get a chance to see.

In the meantime, let's be careful out there.

Firefox security fixes

Let's be careful out there.
Mozilla has plugged two critical security holes in versions 2 and 3 of Firefox.
The Mozilla team have a good reputation for quick security updates (as do the Internet Explorer team, props where due). Firefox has a superior update mechanism, so many of y'all will soon see the "Firefox has just installed an important update" message.

When is a Machine Gun not a Machine Gun?

When it's not:











The Washington D.C. government told Dick Heller that since his pistol was loaded from the bottom, it is legally defined to be a Machine Gun. No pistol permit for you, because the Supreme Court decided in DC v. Heller that there's no constitutional right to unusual or dangerous weapons, and hey, machine guns are dangerous, mkay?

Now, my Google-fu may be weak, but a search for definition:"machine gun" turns up a whole heaping helping of definitions, none of which include the term "Semi-automatic pistol". They all talk about "fires repeatedly and automatically as long as the trigger is depressed and ammunition is fed to the gun." This pistol doesn't fit that bill.

Plus, I'm sure that Captain Sam Woodfill would have been surprised that he was awarded the Medal of Honor for using a "machine gun":
To the left of the church, bright muzzle flashes were seen from the loft inside a stable. Only one shot silenced this machine gun. (Was it one of those slimmed-down Spandaus?) In stalking the third machine gun he had seen, he suffered mustard gas poisoning in a shell hole, but continued. He took cover behind a pile of gravel in a ditch, sighting on a machine-gun muzzle poking through a clump of foliage about 40 yards away (this distance is in dispute), and laid out his Ml9lI pistol. Through his stinging eyes, he finally saw a face and fired. He finished his five-round clip on four succeeding faces. A sixth crew member tried to escape and was shot with the pistol (the rifle was empty) through the head -- a moving target at more than 40 yards distance, Inspecting the site, he shot a seventh crew member with a pistol when attacked.
Hmmm - the word "pistol" and the term "machine gun" are both used in this, and they don't seem mean the same thing. It must be that I don't possess the super size craniums of the DC Government.

It's like they just don't want to let anyone have a gun or something.

Whee! That was fun - let's play again:

When is an Assault Rifle not an Assault Rifle?

When it's not:








I know, I know, it looks like a deer rifle. It's actually one of the most popular target shooting riles in America. But wait - it has a muzzle compensator. It's an Assault Rifle!

It's like they just don't want to let anyone have a gun or something.

How about another?

When is a Militia Weapon not a Militia Weapon?

When it's not:









All the super-size cranium liberals kept saying that the Second Amendment only applies to firearms as relating to the militia. This AR-15 is functionally identical to the military M-16, except it is semi-automatic (only fires one shot per trigger pull). That makes it the ideal weapon for the citizens to arm themselves with, to be ready for militia duty (presumably with M-16s). Strange, the discussion goes something like this:

Me: So assuming that the Second Amendment relates to the necessity of a citizenry well trained for militia duty, how about everyone should buy an Evil Black Rifle?

Super-size Cranium Liberal: Eeek!

Me: Can I show you the difference between automatic and semi-automatic guns?

Super-size Cranium Liberal: Eeek!

Me: Can't we discuss this like adults?

Super-size Cranium Liberal: You must be compensating for something.

It's like they just don't want to let anyone have a gun or something!

Disclaimer: Say Uncle says that Heller's pistol wasn't even the Manly Colt 1911 .45 ACP. It was a .22. We seem to have discovered the world's first .22 machine gun!

UPDATE 17 July 2008 21:50: My Google-fu is strong - at least stronger than the Brady Campaign Against Gun Ownership. A Sitemeter referrer log led me to the following Google blogsearch string: "DC Heller"

Borepatch: Search result #25

Brady Campaign yadda yadda: Search result #26.

Whoo hoo! And there's a lot more where that came from, you Super-size cranium liberals!

UPDATE 17 July 22:21: Well, it was fun while it lasted. I must be in an earlier timezone than the big boy bloggers. Oh bother.

But there is still more where that came from! And they're still Super-size cranium liberals ...

Last Update 18 July 21:17: Lots of misinformation, although none of it changes the thrust of this post. However, for the record, Mr. Heller tried to register a 1911 pistol, he was turned down because it could accept a magazine with 12 or more rounds, which makes it a "machine gun" in Washington DC. He was able to successfully register his revolver.

Wednesday, July 16, 2008

Quote

From Ahab:
We have facts and statistics. They have penis jokes.
Now that's funny. And quality mockery.

Why I no longer listen to NPR

I used to listen to `em every day, standard commute car fare. Got sick of `em back in 2003 (biased, unreliable, blah blah blah).

Left work late today, no game on, hey why not tune in and see if it's worth a listen?

NPR: "Is invading Iran going to be George W Bush's last act as president?"

Look, I can see how someone might want to go hating on ol' W. But can we at least get the hating up to at-least-able-to-fog-a-mirror level of intelligence? As Jeff Foxworthy would ask: Is NPR as smart as a Fifth Grader?

Not so much. Let me explain it to you. [Uses quiet, patient voice you use when talking to particularly slow children]

What happened in 2001, after the Taliban let Osama sucker punch us? 60 days of lead up, public appearances, TV addresses, dozens of administration officials talking smack.

What happened in 2003? A year of buildup, speeches, State of the Union address, Congressional vote.

What's happening now? Hello? Bueller?

Look, ain't saying that old W won't go all Medieval on Iran's butt. Just not ready to stock up on toilet paper and bottled water yet.

So NPR? You think you're smarter than the rest of us. Show me, mkay?

Blogging: The third week

Boy, howdy. Tam linked, and the hit counter started spinning. Got as many visits yesterday as I had before yesterday. Whoo hoo!

Note to self: you still have to get your work done when you're at work, and not pester people with "I've gotten over 100 200 hits! Yes it's fun to watch the hit counter spin 'til it's dizzy, but you sound like a n00b.

Plus, Jay G linked, about the New England Gunblogger ("Meet, Greet, and Skeet") event. This should be a great time, although I still think that Weerd Beard will kick sand in my face.

Stats:

17 posts, down a lot from last week (48!). That's what happens when (a) you work for a living and (b) have to visit the range for an exhaustively researched range report. Thanks, guys!

1 more comment. Keep those cards and letters coming.

451 total visits, 292 this week. Still may be suffering a hangover from yesterday's Tam-alanche, but looking at 40 visits so far today.

Visitors from 7 countries, plus "Unknown". The snarky thought is that "Unknown" is from liberals who are embarassed at being American.

And I'm finally starting to kick Technorati's butt: #2,590,938. Whoo hoo! Almost as much fun as watching sitemeter spin!

Tuesday, July 15, 2008

XKCD on Airport Sercurity

Just go. Right now.

He's way funnier than I am, even when I get my snark on.

The Law of Small Numbers

Thanks to today's Tam-alanche, I've about doubled the number of visits, per sitemeter.

So to my 3 new readers, hello!

Sure was fun watching the numbers today, though!

Quote of the Day

From Megan McArdle:
I thought the fall of the Soviet Union had rather spectacularly demonstrated that it's hard to allocate goods and services without markets.
The idiots complaining about the efficacy of the market economy? University professors, of course.

What's that? You say it could be the Mass.Gov? Healthcare way over budget? Oh, stop it, you're killing me.

Let's be careful out there

The security folks at SANS have a post measuring the average time for a new, unpatched Windows computer to get hacked once it's been put on the Internet.

4 minutes.

There's some discussion at Slashdot about how this may be too low, and that the real time is more like 16 hours, but it's still not a lot.

As Dave LeBlanc likes to say, "Boot it, and they will come."

NAT firewalls cut out the easy attacks. Being sensible with how you browse is always a good idea, too.

Of course, it's different if you're a hobbyist:

Monday, July 14, 2008

Quote of the Day

From the late, great Shelby Foote, author of the three volume, million word The Civil War: A Narrative, writing in 1958:
I am a Mississippian. Though the veterans I knew are all dead now, down to the final home guard drummer boy of my childhood, the remembrance of them is still with me.
When I was a boy growing up in the 1960s, the old veterans were the ones from World War I. They're all gone now, too, at least the ones from my town.

Foote's greatest gift was giving voice to the men who fought, making them more than just dates and maps. Human.

Like General Thomas Wood at the battle of Murfreesboro, ordered to stop an overwhelming confederate advance:
"Goodbye, General," Wood replied as he set out in the direction of the uproar, which now was swelling louder as it drew nearer. "We'll all meet at the hatter's, as one raccoon said to another when the dogs were after them."
General Wood survived the war, and the battle, with his sense of humor intact.

And on a lighter note ...

We can't be all about the government boot in the people's face, at least not all the time.

Mark Curphey (behind enemy lines in England) links to an outstanding Rube Goldberg contraption. Go watch. Just because.

Oh, and Mark - Internet Security Management is much, much more complicated than this.

New England following Old England down the drain

Tekmage has great post about Massachusett's idiot Attorney General, Martha Coakley. For those who haven't heard, here's the Cliff Notes version:
  1. Pervert molests 4 year old in public bathroom.
  2. Kid's (ex-Marine) dad catches him, and goes all Semper Fi on perv's ass.
  3. Police show up, take one look at situation, and arrest the dad.
When Atty Gen Coakley was asked WTF was up with this, her reply was "We don't encourage self help." Well now.

Spank your child, go to jail:
Massachusetts lawmakers say a proposed measure that would ban parents from spanking their children, even in their own homes, is a way to protect kids from abuse.
Grope a toddler in a restroom? Not so much:
Although Rodriguez faces a felony charge, police decided not to arrest the suspect at the scene due to his advanced aged and lack of a criminal record.
On the surface, this just looks like another episode of Massachusetts Looney Tunes. It's not. Let's break the situation down into its constituent components:
  • Perpetrator of what used to be a capital offense let go by the local constabulary? Check.
  • Honest citizen arrested for execution of what used to be recognized as his public duty? Check.
  • Local politicos engage in public round of "Tsk Tsk, don't you dare try to stop this sort of thing! You're to call us immediately!" Check.
Yesterday, I posted about idiotic airport security:
Actually solving the problem is hard. So look busy. If you can't do something productive, at least do something. The more visible, the better.
Unfortunately, that's not what's happening this time.

At first blush, it seems that the $64,000 question is "Why would the authorities not want the public's help?" Suppose that the Mass.Gov really wanted to reduce child abuse. They'd give the dad a medal, and haul Mr. Feely off to durance vile. Then everyone would retire to the local saloon: Whiskey for my men and beer for my horses.

That's sure not happening. So the real $64,000 question is "Why not?" The answer is ugly.

It's not ugly because the idiot police let the molester go free, although that's pretty ugly. While the molester is a threat to the community, he is not a threat to the authorities.

What is a threat to the authorities? Mr. Marine Dad, who wasn't a good victim, who didn't go running to the Nanny State for help, who handled things.

How's the Mass.Gov supposed to justify more spending on public safety when the public is, well, keeping itself safe. Can't have that. Listen to Ms. Coakley again:
We don't encourage self help.
You'll know that you understand her completely when a shiver runs down your spine.

So what does this have to do with Olde England? Well, we've seen this sort of thing before, in spades:

For more than two years, Sydney Davis’ house has been under siege from stone-throwing youths. And more than two hours into the latest attack on his family home, the police had yet to respond.

So after a particularly large missile landed in his kitchen, the 65-year-old grabbed a plank of wood and ran towards the gang to scare them away. But his desperate act came just as the police finally arrived on the scene - where they promptly arrested him for possession of an offensive weapon.

He now faces up to six months in prison.

There are so many of this sort of story from old Blighty that Rachel Lucas set up a whole new blog category for them. She's not the only one:
A former British soldier endures as his neighborhood terrorized by a pack of feral young thugs (“yobs,” as they call them over there) for several days. He calls the police; they never come. He looks for an officer; finds none. Coming home one day to find his wife in tears and terrified, he finally has enough, and goes out to execute a citizen’s arrest, dragging one of the thugs into house and calling his mother. Thereupon the police arrive with the mother — and naturally arrest the homeowner.
Old England is just further down the road than New England - so far so, in fact, that you can put a fork in them - they're done. The Brit.Gov is just about done assuming all power (but not responsibility - never responsibility). Crime isn't subversive to the government. Citizens are.

If the schools actually taught Massachusetts history, people might think differently. Can't have that:
If ye love wealth better than liberty, the tranquility of servitude better than the animating contest of freedom, — go from us in peace. We ask not your counsels or arms. Crouch down and lick the hands which feed you. May your chains sit lightly upon you, and may posterity forget that ye were our countrymen!
Sam, Sam, Sam. The Mass.Gov will not tolerate self help. It's subversive.

Sunday, July 13, 2008

Airport Security is Kabuki theater

Tam writes a great post about how, while she has always loved flying, she won't anymore because airport security is criminal insane:
I love planes. But I won't go to the airport anymore. Not with the farce that flying has become. Two-hour waits for a ninety-minute flight. Inane security procedures. I'll drive instead, because my car won't grope me or steal stuff from my luggage.
Hey, it's a small price to pay for public safety, right? Kind of like the time the TSA has forced a military honor guard flying with a fallen comrade to strip on the tarmac,

How about this story of the woman, who was forced to publicly remove her nipple rings before going through the metal detectors? A Google search for that turned up stories from The Age (Australia), National Post (Canada), RTE (Ireland), and The International Herald Tribune (World + Dog). I guess George W Bush's policies really are getting us mocked overseas.

I once made the mistake of booking the lowest cost flight to take #2 son to see his grandparents. The round trip turned out to be two one-way tickets on different airlines (Bad Ted! No biscuit!). #2 son had to take off his shoes to get wanded down. 4 years old. At least he could get on the plane, unlike Senator Ted Kennedy.

Jonathan Adler wrote about a 3 year old who was forced to go through the explosive sniffer blower chamber by himself (cue Dr. Evil: Muhahaha!):
Amos Guiora's op-ed on the failings of airport security prompted significant response, here and elsewhere. Among other things, readers debated whether his example of TSA subjecting a three-year-old to the explosive-detecting "blower" was a good example of poor prioritization and a failure to focus on resources on actual threats.
Poor prioritization? Boy howdy.

A Google search for tsa+search+toddler returns over 100,000 hits. At least we're reducing the terrorist threat from Sippy cups and bottled breast milk.

Snark aside, there is a real downside from all this, when the public starts to assume that this is normal and prudent, and starts trying to "help" - like the grandmother who sent her infant grandson through the X-Ray scanner.

Bruce Schneier wrote about the bureaucratic approach to airport security. Surprise! It's not very effective:
Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else -- Secure Flight and Trusted Traveler included -- is security theater. We would all be a lot safer if, instead, we implemented enhanced baggage security -- both ensuring that a passenger's bags don't fly unless he does, and explosives screening for all baggage -- as well as background checks and increased screening for airport employees.
So why do they do it? I think it's related to why towns first cut libraries (sorry, Breda) whenever there's a budget cut, or why big city mayors like gun control despite its clear failure (not to mention unconstitutionality):

Actually solving the problem is hard. So look busy. If you can't do something productive, at least do something. The more visible, the better.

Ordinarily I'd be sympathetic. I work in an industry (Internet Security) where we're trying to so something that's hard, maybe unsolvable, and people fall for security theater here, too. As an example, look at the web site of one of the gurus of Internet Security, Marcus Ranum. Except you can't, at least with Firefox. The site is currently blocked by Google's "malware" detection (idiots). Firefox swallows this hook, line, and sinker (idiots). Ignore my advice, and take Internet Explorer and look at dumb idea #6:
There's an important corollary to the "Action is Better Than Inaction" dumb idea, and it's that:

"It is often easier to not do something dumb than it is to do something smart."
So it's hard to be sympathetic when some petty TSA functionary adopts Ready-Fire-Aim as standard policy, to show the rubes that we're from the government and we're here to help. Hey dude, can you pretty please stop doing something dumb?

No? Dang. I guess I'll drive.

Update 7-13-08 18:55: Holy tar-and-feathers, Batman! It seems like there's a web site devoted to tracking stupid TSA abuse. Hat tip to Stupid Security, which is a fun read and worth following if you care about security theater.

UPDATE #2 7-15-08 11:12: Whoo hoo! A Tam-alanche! Thanks, and hope y'all take a look around. My snark's not up to her level, but I try. ;-)

UPDATE #3 7-15-08 21:30: For the lighter side of airport security, you can find XKCD's take via here.