I'm not any kind of gun or shooting expert. I like shooting, and shoot a fair number of different guns, but I'm really a dilettante. Your mileage may vary, void where prohibited.
I don't do scientific, repeatable tests. There's no checklist, although that's not a bad idea. I write about what I like and don't like, but it's pretty much stream of consciousness. Opinion, we got opinion here. Step right up.
I'm not a shooting teacher, although I do like to introduce people to shooting. Maybe some day I'll take the NRA teaching class, but until then, you get a dilettante's view. You'll get opinion here, but if you get serious about shooting, you'll want to get someone who knows what he's doing to give you some pointers. It can help.
And oh yeah, shooting things is fun.
Wednesday, December 31, 2008
New Shooter Report (Chicks with Guns version) with CZ 75
Internet Security 2008 as a Spaghetti Western
This is pretty clever, and for those of you who aren't Internet Security geeks, it provides great context about what's happening.
Security pundits are fond of characterising personalities in information security with reference to Westerns - hence hackers wear either a "black hat" or a "white hat" like their cowboy counterparts.
More recently these analogies have been replaced by comparisons with the horror genre. Security firms (usually ill-advisedly) talk about "silver-bullet" security technologies and, of course, networks of compromised PCs are called zombie botnets. Call us old fashioned but we still prefer the Westerns and, in celebration of one of the few quintessential American art forms (alongside jazz), we'd like to take a look back at 2008 in information security through the lens of classic Westerns, with a few Vulture Central casting suggestions.
Tuesday, December 30, 2008
What is it with stupid Chicago criminals?
We wrote the stick-up note on the back of his paystub:
According to the Chicago Tribune, 40-year-old Infante last Friday handed the written demand, scribbled on half of the pay stub, to a teller in a Fifth Third Bank in Chicago. It read: "Be Quick Be Quit. Give your cash or I'll shoot."
Ignoring the failure of the Chicago public schooling system to teach proper spelling, perhaps Mr. Infante can share a cell with Mr. Blagojevich.
What the Well-Dressed Gentleman is wearing
Monday, December 29, 2008
That was fast
Malware.
No extra charge, folks.
Now why would someone want to do that?
The Fine Print®:
It may be that this is not malware, but rather, the software was packaged with software that is often used to pack up malware. In other words, the antivirus software recognizes signs of the packer, rather than malware per se.
It doesn't matter one bit. This was clearly not tested with antivirus scanners, which means that the manufacturer doesn't care whether you get infected with actual malware. Seems that WalMart doesn't care, either. This sort of test isn't exactly rocket science.
Don't spend it all in the same place
Hat tip Slashdot, where as usual, the comments deliver up the snark.
A Failure of Imagination
Cross Site Scripting is an attack technique that lets random people add their own (typically malicious) code to a web site. There's a painless flash demo of how it works here. XSS (as it's called) has been around for about ten years now, so it's rather dismaying that you still see it, especially in high visibility sites like Amex.
Especially because the credit card companies - including Amex - require that people who handle credit cards online ensure that there are no XSS vulnerabilities in their web code. Oops.
Even worse, it seems that the guy who discovered the vulnerability tried to tell the Amex folks, and they ignored him. For weeks.
Sigh. All fixed now, so that's not the point of this post. The question is How come this keeps on happening? After all, XSS has been known for about ten years. Heck, buffer overflows have been known for over thirty years and we're still seeing them.
McRee aired the American Express dirty laundry here after spending more than two weeks trying in vain to get someone inside the company to fix the problem. After getting no response from lower level employees, he emailed a director of a department responsible for information security at Amex. None of his emails was answered.
"I believe they have an obligation to respond, even if it's brief and callous," McRee told El Reg. "You don't have to be polite. Just fix it."
The answer, sadly, is that programmers lack imagination. There, I said it. Sorry to all my friends who are programmers, but with the exception of about five of you, unfortunately, you lack imagination.
Specifically, validating user input (what users type into forms and that sort of thing) is tedious and boring, and in looking for a reason not to have to do it, you ask The Question:
Why would someone do something like that?
The classic way to find a buffer overflow is to get a form field and type a thousand "A" characters. The program doesn't expect that (the programmer didn't check user input), and so makes the assumption that the buffer contains no more than, say, 100 characters. Boom.
Why would someone do something like that?
I've posted this cartoon before, but it illustrates what happens when you don't validate user input.
Database commands entered into a web form? But why would someone do that?
Sigh. (Uses quiet, patient voice that you use when talking to a loved but rather slow child)
Because, punkin, there are Bad Guys out there. Sometimes they want to steal things, and sometimes they want to hurt people, but they're bad. That's why we call them Bad Guys. I'm so terribly sorry that you have to learn this, but you're old enough to know it, and when you're a grown-up, it will be important for you to understand this.
The problem with the web is that web pages are a horrid mix of text ("web pages are a horrid mix of text") and code:
It's all on the same page, and it's all munged together. You can see it yourself, if you want to. In Firefox (you're not using Internet Explorer, are you?), go to the "View" menu, and select "Page Source." Voila! JavaScript city!
if(window.addEventListener) {
    // run this once the page has finished loading
    window.addEventListener("load",
        function(){ object[attribute] = val; }, false);
}
Sometimes code takes user input, and mostly it doesn't. Now imagine that you're the developer who is writing a major site's web site - maybe hundreds of thousands of lines. Find the XSS flaws. Go ahead; we'll wait.
Actually, we won't. And your boss won't, either. Time is money, and the site has to go live, and get it done already, mkay? There's always time to fix it later, although somehow nobody ever does. Besides, why would someone do something like that?
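To make the input-validation point above concrete, here is an added Python example; it is not code from the original post. It puts the "assume the field is short" bug and the "paste user text straight into the page" bug beside their fixed forms. The 100-character limit, the function names and the sample inputs are constructed for the illustration.

```python
import html
import re

# Constructed limit: the size the original programmer "assumed" the field would fit.
MAX_FIELD_LEN = 100

# Control characters that have no business in a form field (tab and newline are allowed).
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_field(text: str) -> str:
    """Input validation: reject anything outside what the form was designed to hold.

    A thousand 'A's is refused here instead of silently overrunning whatever
    buffer (or column, or log line) was sized for MAX_FIELD_LEN characters.
    """
    if not isinstance(text, str):
        raise TypeError("field must be a string")
    if len(text) > MAX_FIELD_LEN:
        raise ValueError(f"field too long: {len(text)} > {MAX_FIELD_LEN}")
    if _CONTROL_CHARS.search(text):
        raise ValueError("control characters are not allowed")
    return text


def render_comment_unsafe(text: str) -> str:
    """The XSS bug: the user's text is concatenated straight into the page markup,
    so a comment containing a <script> tag becomes code the next visitor's browser runs."""
    return f'<li class="comment">{text}</li>'


def render_comment_safe(text: str) -> str:
    """The fix: HTML-encode on output. The browser then shows '<script>' as text."""
    return f'<li class="comment">{html.escape(text, quote=True)}</li>'


def markup_survived(rendered: str, untrusted: str) -> bool:
    """True if any tag that appeared in the untrusted input reached the page intact."""
    return any(tag in rendered for tag in re.findall(r"<[^>]+>", untrusted))


# Constructed sample inputs: an ordinary comment, the classic oversized field,
# and a comment carrying markup.
SAMPLES = {
    "normal": "Nice post, thanks!",
    "oversized": "A" * 1000,
    "markup": "<script>alert(1)</script>",
}


def review_samples() -> dict:
    """Run every sample through the validator and through both render paths."""
    report = {}
    for name, value in SAMPLES.items():
        try:
            validate_field(value)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = {
            "accepted_by_validator": accepted,
            "markup_survives_unsafe_render": markup_survived(render_comment_unsafe(value), value),
            "markup_survives_safe_render": markup_survived(render_comment_safe(value), value),
        }
    return report


if __name__ == "__main__":
    for name, result in review_samples().items():
        print(name, result)
```

Note what the report shows for the "markup" sample: the length and character checks accept it, because it is a perfectly ordinary short string. Validation limits what gets in; it is output encoding that stops what gets in from running as code. Both are needed, and neither is optional because "nobody would do that."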
We're going to keep seeing this sort of thing, folks. The reason is that the incentive structure is working against us. Spot who loses when there's an XSS flaw:
- The Line of Business VP. He's all about profit and loss, and going online helps his profit.
- The Director of Software Development. He's all about programmer efficiency - how many lines of code per dollar spent. Code reviews and testing take time, don't generate any lines of code, and while they improve code quality, this is astonishingly hard to measure well.
- The Software Developer. He's all about meeting the deadline, and to a very small amount, he's about the number of identified bugs per line of code (yes, kids, that's precisely how it works).
- The poor sod End User. It's his credit card or identity that gets stolen.
Why would someone do something like this? We've asked that before.
So, dear End User, you're screwed. Don't feel bad, I am, too. That's why I work really hard to limit the damage that can happen. That means giving up some pretty attractive things - like online banking.
Sunday, December 28, 2008
Perspective
One of my favorite observations is that “Age doesn’t necessarily bring wisdom, but it does provide perspective.”That seems right. And so, in the spirit of the transition from the old year to a new one, I have a confession: I used to be a snob.
Even worse, I'm not sure that I knew it. I was focused on the Right Wines, or interesting European travel destinations, or reading the right (properly intellectual, that is) books.
Perspective has given me this realization: I'm sorry. It's taken a while to get to this point, but it's a huge relief to be here.
Nowadays, I get a kick out of people doing their own thing. Like this gentleman (it's almost certainly a gentleman, in my experience). He gets a kick out of lighting up his yard with Christmas cheer, and why the heck not? Sure, this would bug the heck out of the Conde Nast Traveller crowd, or even the Garden and Guns crowd. Perspective says that's not a bug, it's a feature.
Wrapping your palm tree with lights, and lining your walkway with glowing candy canes, all presided over by an inflatable Snowman - this is what liberty looks like.
Bravo Zulu, sir. Bravo Zulu.
And you know what real freedom is? Neighborhood competitions to see who can get the most tricked out holiday lighting:
The Baby Jesus, Santa on a Polar Bear (bear hidden by the bush, sorry), and the Angel Gabriel. Plus light-up icicles on the eaves. And a light-up reindeer behind the bush. The winning house* has the ultimate holiday light show:
- The Baby Jesus in a creche;
- Light up, inflatable Frosty the Snowman;
- Santa; and
- Mickey Mouse in an inflatable snow globe.
Sometimes - not often, but sometimes - getting old is teh awesome.
* Sadly, we only saw this during the day. If I find it again, I'll post a picture of it, lit up at night.
Blogging will resume tomorrow
Advice to the Linksys Product Manager
If you're going to call your setup program "EasyLink Advisor", then it should be easy, mkay?
Otherwise, you should probably call it "Easy-if-you're-set-up-the-way-I-think-otherwise-it's-a-bitch-Link Advisor".
Vista is here to stay. You really should handle it.
Your software should be smart enough to know that it is getting installed on Vista. It should be smart enough to say "Hey, IP version 6 needs to be turned off, or you won't be able to get on Al Gore's Intarwebz." It should really be smart enough to say "Hey, IP version 6 needs to be turned off, or you won't be able to get on Al Gore's Intarwebz. Do you want me to do this?"
I'd think that this would cut down on a bunch of support calls. Support calls = $$ to you, which is your problem. Support calls = pain in the butt to me, which is my problem. I think we're both unhappy right around now.
Please don't make me downgrade Acrobat Reader before you install your User Guide.
It's not polite. Besides, I won't do it. And if you hide your User Guide on your web site, you'll get another support call from me. Just because you can't be bothered to install a dang PDF doesn't mean that I'll let you muck with my applications.
If your PC software is so obviously shoddy, what does that say about your router software?
I know, I know, these are different projects, run by different teams. I also know that the PC software group really isn't your A Team. But when your PC software simply doesn't handle errors or unexpected conditions, it suggests that your router software doesn't, either.
Now, I actually don't think that this is the case. I actually think that your router software is pretty good, even if your PC software is teh suX0Rz. But I think so, I don't know so. You put a Linksys brand on lousy software, you start to pollute the brand.
Hokey Smokes, dude, I'm a long time customer and I'm about spitting nails here. A new customer would have this cute little router back at Wally World by now.
You know what it costs to acquire a new customer. You also know that it's essentially impossible to reacquire a customer who gets so frustrated that he switches to a different brand. This is the second time this has happened to me with your stuff.
Pleasepleaseplease can this be the last?
I only say this because I care.
Saturday, December 27, 2008
Keith Urban - Somebody Like You
Keith Urban writes his own music, plays a mean guitar, and is married to Nicole Kidman. In many ways, he is a typical "ten year overnight sensation" - someone who works for a decade before Nashville notices, and then explodes onto the music scene.
After working for ten years as a studio guitarist, Urban's breakthrough was in 2002, with the ARIA Country album of the year, Golden Road. Somebody Like You captures the optimistic spirit and rock crossover of the "New Country".
(Songwriters: Keith Urban, John Shanks)
There's a new wind blowing like I've never known
I'm breathing deeper than I've ever done
And it sure feels good to finally feel the way I do
I wanna love somebody, love somebody like you.
And I'm letting go of all my lonely yesterdays
I've forgiven myself for the mistakes I've made
Now there's just one thing, the only thing I wanna do
I wanna love somebody, love somebody like you
Yeah I wanna feel the sunshine shining down on me and you
When you put your arms around me
You let me know there's nothing in this world I can't do
I used to run in circles going nowhere fast
I'd take one step forward and look two steps back
I couldn't walk a straight line even if I wanted to
I wanna love somebody, love somebody like you
Whoa here we go now
Yeah, Hey I wanna love you baby
Yeah I wanna feel the sunshine shining down on me and you
When you put your arms around me
Well baby there ain't nothing in this world I can't do
Sometimes it's hard for me to understand
But you're teaching me to be a better man
I don't want to take this life for granted like I used to do
I wanna love somebody, love somebody like you
I'm ready to love somebody, love somebody like you
And I wanna love somebody, love somebody like you (yeah)
Hey I wanna love you baby
Other hunky men from December's Saturday Redneck:
- Blake Shelton - Don't Make Me
- Tim McGraw - Suspicions
- Jason Meadows - 100% Cowboy
Next month will be Hot Country Ladies on Saturday Redneck.
Friday, December 26, 2008
Zero Rounds Expended
We went over the four rules of gun safety, although I also introduced Greg Morris' Rule Five, which I think is simply an outstanding idea with a new shooter. Then we saddled up and headed to the Scottsdale Gun Club range.
It was packed. I'm not a member, since it's a long drive to go shooting here if you live in the People's Republic of Massachusetts. We put our names on the list, then had a leisurely lunch, and we still weren't anywhere near the top of the list. So we reset to a different day. Oh, bother.
So, mission not accomplished.
Gonna be a good day, Scooter
Security problems in Voting Machines?
The claim against Texas-based Premier, formerly Diebold, alleges that state elections officials were forced to spend millions of dollars to address a host of security flaws in the machines from 2003 through the November election.
So no big deal, right? I mean, what could possibly have gone wrong?
Many of the problems could have compromised the integrity of the election had they not been fixed, officials said. Now the state wants its money back.
Oh.
You know, I don't see what's wrong with the old paper ballots. Yes, it takes longer to count. Yes, things become hairy if the election is super close like in 2000. But you can't hack them, you don't have to have thousands of system administrators to cover technical problems at the polling stations, and you simply don't have questions about whether the election results can be trusted - the system is transparent, in that you don't need an MIT PhD to understand how the totals were computed.
Biggest sources of Spam in Thailand?
Prime Minister Abhisit Vejjajiva assigned deputy Democrat leader Korn Chatikavanij to seek cooperation from three mobile phone network operators, AIS, DTAC and True, to send SMS messages to people, asking them to help the prime minister solve the country's crisis.
So the new PM spams the entire country. What could possibly go wrong?
Interested callers are asked to send back their postal codes, costing them three baht.
After a user sends the postal code, he or she receives a message saying, "I am Abhisit Vejjajiva. Thank you very much, and I will get back to you."
Ms Saree said many consumers had complained about the messages.
Wow, didn't see that coming.
Note to Democrats: I know that y'all are excited about the new President-elect and everything. But if anyone says "Hey, I have an idea! Nation-wide spam will bring the country together and help solve the fiscal crisis!" can you pretty please put him on the next tramp steamer to Wasilla or something?
Hat tip Slashdot, where - as expected - the comments provide quality snark:
Heh.
No more VHS Tapes
If you're like me, you're probably surprised to hear that there are still VHS tapes around. Seems there was quite a niche market for them:
But no more. Like I said, get 'em now, because there probably won't be any more, at least easily.
But as shops unloaded their unwanted VHS inventory, Florida-based Distribution Video Audio was there to scoop up the refuse and make a tidy profit. Distribution told The LA Times it sold more than four million VHS videotapes during the last two years.
Its clients are mostly bargain stores, outlet malls, truck stops, and mom-and-pop operations - places that don't exactly cater to the bleeding edge of technology. Public libraries, military bases, and cruise ships were also buying VHS tapes, although nowadays are mostly only interested in DVDs.
I have to say, it's not better picture quality that did VHS in for me. It was small children frustrated at having to rewind. Of course, DVD just meant that it was easier to play Mickey's Songs To Annoy Dad again faster.
Thursday, December 25, 2008
I have the best readers, ever
Well done, you.
Merry Christmas
So Merry Christmas to all, and (hopefully) to all a good night!
Wednesday, December 24, 2008
Symantec Antivirus puts you at risk
Symantec makes a popular antivirus (sometimes referred to by the brand "Norton" or "Norton Internet Security"). Now it's not particularly effective, and it is a performance hog - it will bring your computer to a standstill tout de suite. But that's not the point of this post.
Symantec's on-line support procedures for people who get infected could not be better designed to maximize financial damage to Symantec customers.
Here's what happens: someone gets some sort of new malware on their computer. They smell a rat, and go online to Symantec for help. If their annual antivirus subscription has expired, Symantec's support site makes them enter their credit card number:
So what's wrong with this? Most of the malware today includes software that records every keystroke you type. So the malware gets to intercept the credit card details:
The punch line? Symantec's own annual Internet Security Threat Report says that 70% of malware captures credit card information that is typed in by the user.
After railing at Symantec's customer support people via their online chat support for not properly protecting his machine, Delano was told to speak with their premium support folks who could remotely take control over his system and give it a thorough inspection and cleaning.
Delano said he initially protested, but after pricing other services like Best Buy's Geek Squad, he agreed to pay Symantec $100 for the service. He was instructed to enter his credit card number and other billing information at a secure symantec.com Web site. However, keyloggers still on his machine were intercepting his information.
So, Symantec can't say that they don't know.
If you think that you have malware on your computer, do NOT use Symantec antivirus and absolutely, positively DO NOT ENTER YOUR CREDIT CARD.
You can get a second opinion via free online antivirus scanners: I like Trend Micro's House Call, but there are ones from ESET (well regarded for technical capability) and F-Secure as well. You'll have to use Internet Explorer, and while I tell you not to, just this once I'll forgive you.
But Symantec clearly doesn't give a fig for their customer's safety. While IANAL, this strikes me as such egregious negligence that they may be liable for damages.
Note: if anyone from Symantec reads this and wants to respond, you can leave a comment or email me (email contact info is in the links on the right hand side). Technical folks can expect some sympathy; marketing flacks better bring a good story.
No additional charge, it's all part of the service
And she posted a picture of me, so my Secret Identity is now all compromised ...
Six months of blogging
Comments are teh awesome. I hadn't anticipated just how important these are. I've learned a lot from y'all in the comments you leave, and a whole bunch of them make me laugh out loud. Also, it's very cool when people comment. As Chris Matthews would say, I feel a thrill run up my leg when you do. And not in the icky Internet-stalker way, either.
Technorati seemed really cool at first, but not so much now. A lot of folks don't seem to use it, so the rankings don't reflect reality. I find that I never look at it any more. The Truth Laid Bear has always been broken, so I have no idea whether it's fun or not.
Sitemeter is teh awesome, especially after going back to "Sitemeter Classic." Hits are fun! I write because it amuses me, but it seems to amuse some of you, which is very nice indeed.
I seem to be a bit of a Chatty Cathy. This is post 642, in six months. But I can stop anytime I want. No, really.
This post is definitely filed in "get a life."
ClustrMaps is fun. If you have a blog, you should check it out. Eventually, I'll get the entire World Map covered in red dots, like some horrible Borepatch disease. Next stop - World Domination!
I need to update the "Best Posts" category more often. I try not to have more than 5% of my posts in this category (you know, only the good ones), so it helps to wait a week or so before deciding whether a post is good enough. But what I really do is wait until I don't have anything to blog about. So if you see a bunch of posts go into this category some day, you'll know I was bored.
Surprisingly, the "Best Posts" are pretty much my best posts. I'm not a writer - more like a spewer - but these are about as good as I can do.
Thanks to the folks who stop by, and especially the folks who leave comments. If you didn't, I probably wouldn't blog much, so you have Great Power. Remember to always use it for good.
Orbitz stinks
Orbitz is teh Anti-awesome. Orbitz sucks all the awesome out of the room.
Specifically, while they let you pick your seating assignments, they do not confirm said assignments with the airline. Therefore you have tickets, and think that you have seats. All the airline thinks is that you have tickets, because stupid Orbitz didn't tell them the seats.
This is a bad week to be flying without a seat assignment.
OK, well look, Ted, I hear you say - stuff happens. It's Holiday week, and we all need that little extra bit of patience as a lubricant in a difficult world. Maybe the nice Orbitz phone support man could help. So how's that work out for you?
Not so great, actually. Pretty badly, actually. As in "You're running up my minutes on a call that I'm not going to help you on, and that will give me bad stats."
Unlike Ashley at US Air, who owned the problem and did what was possible, Orbitz phone guy really wasn't interested. They had their money, and hoped I could sort it out.
So if you want my advice, don't use Orbitz.
In the unlikely event that anyone from Orbitz wants to clarify Whiskey Tango Foxtrot is up, I'm happy to post your side of the story. My email contact is on the link bar on the right hand side of the blog.
Ashley at US Air/Logan is teh Awesome
However - and this is important - Ashley at US Air (Logan Airport) is an absolute gem. Kind of the definition of grace under fire. Ashley, thank you for taking care of us.
I won't post her last name, because that might be a little creepy and Internet-stalker-like, but if anyone from US Air management wants to contact me about this, my email contact is in the link bar on the right. Give her a raise. Really.
Just for perspective, I've flown between a million and a half and a million and three quarters miles. She's one of the top ten or so "Airline helped me out" situations. Just sayin'.
And a personal request to my fellow bloggers who might read this: please link to this post. I'm not trolling for hits, but think it would be awfully nice if the top Google hit for "Ashley at US Air" said she was teh awesome. Because she is. I'd be mighty obliged.
Tuesday, December 23, 2008
It's a fair cop
You are an Anti-government Gunslinger, also known as a libertarian conservative. You believe in smaller government, states’ rights, gun rights, and that, as Reagan once said, “The nine most terrifying words in the English language are, ‘I’m from the government and I’m here to help.’”
Take the quiz at www.FightLiberals.com
Hat tip to Southeast Texas Pistolero, another Anti-Government Gunslinger.
It's twenty degrees warmer
... in Iceland.
Can we all just shut up about Global Warming, now?
UPDATE 23 December 19:24: OK, Liberty, you win. I'll shut my piehole on the subject of "cold." Yikes.
MBTA not teh stupid after all
Now it seems that the MBTA folks are taking a plausibly sensible approach to the security problem:
The Massachusetts Bay Transit Authority (MBTA) said it would work with Zack Anderson, RJ Ryan, and Alessandro Chiesa to make improvements to the agency's fare collection system "that will be as straightforward and inexpensive to address as possible." In August, the MBTA obtained a court order gagging the trio just hours before they were scheduled to speak about the gaping holes at the Defcon hacker conference in Las Vegas.
Now I'm not a fan of hiring hackers to help your security, but that's not what's happening here. The MBTA chose a system with lousy security, and then sued researchers who were going to discuss it (can you say "prior restraint"?). The researchers aren't hackers under any workable definition of the term.
That said, seeing what the transit authority can learn to correct the weaknesses is The Right Thing to do. So well done, MBTA.
UPDATE 23 December 2008 7:50: Interesting discussion over at Slashdot, especially this comment:
So it's progress, but not as cut and dried. The CharlieCard system is still fundamentally broken, and an investigation of the company who makes the technology would have shown this.
Except the MBTA system isn't fixable. It's just full of fail.
For starters, the card's balance is stored ON THE CARD and nowhere else.
Secondly, the fare-taking devices are not hooked up to any sort of network. They just kind of assume that only the special blessed writing device can change the balance on the card.
This isn't quite as stupid as it sounds since the devices use PKI so that theoretically the write request must be signed by a blessed source.
Except, rather than use a tested encryption source like AES (which is available), they went with some proprietary 40-bit encryption scheme for the smart card. The ticket was even worse, there they used a 6-bit checksum. Yes: 6 bits.
So the only way to fix it is to build a network to monitor potential fraud, rip out all the fare-taking devices, and replace every single ticket and smart card.
Now you can see why the MBTA sued: their massive incompetence means that fixing the problem they created will easily run into the billions of dollars.
Then again, this is the same group of people who successfully sued the glue manufacturer who created the glue that failed to hold up 2-ton slabs of concrete. Never mind that the glue was never designed for such an application or that no one in their right mind GLUES 2-ton slabs of concrete to the ceiling of tunnels.
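The comment above makes two points worth seeing in code: an unkeyed checksum (6 bits or otherwise) is not an integrity check against anyone who can write to the card, and a keyed tag is. The following Python is an added example, not code from the post, the Slashdot comment, or the MBTA system; the 4-byte balance layout, the particular 6-bit checksum and the demo key are all constructed. HMAC-SHA256 stands in for the "signed write request" the comment mentions; a digital signature is the same idea with the reader holding only a public key.

```python
import hashlib
import hmac
import struct

# Constructed ticket layout: 4-byte big-endian balance in cents, then an integrity tag.
BALANCE_LEN = 4


def checksum6(body: bytes) -> int:
    """Unkeyed 6-bit checksum: a constructed stand-in for the ticket scheme the comment describes."""
    return sum(body) & 0x3F


def issue_ticket_checksum(balance_cents: int) -> bytes:
    """Ticket protected only by the 6-bit checksum."""
    body = struct.pack(">I", balance_cents)
    return body + bytes([checksum6(body)])


def reader_accepts_checksum(ticket: bytes) -> bool:
    """What a reader can check when the tag is unkeyed: arithmetic anyone can redo."""
    body, tag = ticket[:BALANCE_LEN], ticket[BALANCE_LEN]
    return checksum6(body) == tag


def issue_ticket_mac(balance_cents: int, key: bytes) -> bytes:
    """Ticket protected by a keyed tag (HMAC-SHA256). Only a key holder can mint a valid tag."""
    body = struct.pack(">I", balance_cents)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def reader_accepts_mac(ticket: bytes, key: bytes) -> bool:
    """Reader recomputes the tag with its key; compare_digest avoids a timing side channel."""
    body, tag = ticket[:BALANCE_LEN], ticket[BALANCE_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def rewrite_balance(ticket: bytes, new_balance_cents: int, recompute_checksum: bool) -> bytes:
    """Model of a tampered ticket: the balance bytes are replaced.

    With an unkeyed checksum the tamperer can simply recompute the tag.
    With a keyed tag they cannot, so the best they can do is leave the old tag in place.
    """
    body = struct.pack(">I", new_balance_cents)
    if recompute_checksum:
        return body + bytes([checksum6(body)])
    return body + ticket[BALANCE_LEN:]


def tag_space(tag_bits: int) -> int:
    """Number of distinct tag values, i.e. the odds against a blind guess being accepted."""
    return 2 ** tag_bits


def demo(key: bytes = b"constructed-demo-key-not-a-real-secret") -> dict:
    """Issue a $5.00 ticket under each scheme, rewrite it to $100,000, see what the reader says."""
    genuine_ck = issue_ticket_checksum(500)
    genuine_mac = issue_ticket_mac(500, key)
    tampered_ck = rewrite_balance(genuine_ck, 10_000_000, recompute_checksum=True)
    tampered_mac = rewrite_balance(genuine_mac, 10_000_000, recompute_checksum=False)
    return {
        "checksum_genuine_accepted": reader_accepts_checksum(genuine_ck),
        "checksum_tampered_accepted": reader_accepts_checksum(tampered_ck),
        "mac_genuine_accepted": reader_accepts_mac(genuine_mac, key),
        "mac_tampered_accepted": reader_accepts_mac(tampered_mac, key),
        "checksum_tag_values": tag_space(6),
        "mac_tag_values": tag_space(256),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The keyed tag closes the "rewrite the balance" hole but not the "copy a genuine card" hole: a MAC over a stored balance says nothing about whether that balance has already been spent. That is why the comment's fix list includes a network behind the readers, not just better cryptography on the card.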
How to hack a classified network
Participants in a recent cyber-warfare exercise told Reuters that the exercise highlighted problems in leadership, communications and readiness. The two-day exercise brought together 230 government agencies, private firms and other participants. Participants were split into two groups - attackers and defenders - before each developed tactics for attacking and defending critical infrastructure systems, such as those controlling banking, telecommunications and utilities.
As is frequently the case, John Leyden gets to the absolute heart of the problem in the last paragraph. Knowing the terrain on which battles are fought is the problem.
[snip]
Attackers always have the advantage over defenders in cybersecurity and, by extension, cyber-warfare. Problems such as maintaining extended supply lines or knowing the terrain on which battles are fought really translate into the sphere of cybersecurity.
Important networks like classified DoD networks are (as you'd expect) treated very differently than your home DSL, or even corporate networks. The most important protection concept that people rely on is Red-Black Separation: the untrusted (unclassified, or Red) network is kept entirely separated from the trusted (classified, or Black) network. From an architecture perspective, this is summed up in a tongue-in-cheek saying:
An air gap solves a multitude of security sins.
Your computer isn't patched? Doesn't matter, as long as the old saying from Maine applies: can't get theah from heah.
So security architects put all the important stuff on one network that is hermetically sealed from Al Gore's Intarwebz. Cool, right? To break in, you need a real-life spy, who can break into the building at night to install his equipment. The scene in Ocean's Eleven where the computer nerd breaks into the casino computer room to install his monitoring equipment is very well done, and is precisely the threat scenario here. The proper safeguard? Armed Marine guards.
So how does the Fed.Gov's classified network get compromised, to the point that you get headlines and a multi-tens-of-billions-of-dollar program to fix it?
The biggest problem for the architect is that you're not really the architect. You don't really know what things look like, and you can't.
Bob Metcalfe is one of the pioneers of computer networking - in fact, one of the inventors of Ethernet. He is to computer networks what Paul Mauser is to rifles: there's a sharp line that divides pre-Ethernet and post-Ethernet history. These days, Metcalfe is best known for a description of why computer networks are so danged useful:
The value of a computer network increases with the square of the number of computers connected to it.
Now if Al Gore's Intarwebz just consisted of your computer, and your mom's, then that might be useful to you. Everyone else would (understandably) be less interested. The reason that Al Gore actually deserves a fair amount of credit is that he really pushed early funding of NSFnet (the National Science Foundation's network back in the Pleistocene Age), which hooked up pretty much most universities to the Internet.
A network with you and your mom? Not so useful. A network with Harvard, Stanford, MIT, and the Library of Congress? Yeah, there'll be something useful there.
And now back to security: You mean that you want to air-gap that?
Ignore the logistical problems: you need to extend the Red network all the way to the FOBs in Iraq and Afghanistan, or the troops don't get email from home. You can deal with that problem by throwing money at it.
The problem is that what you want (security) and what your users want (information on Al Gore's Intarwebz) are inherently in conflict. You can't win unless they lose, and vice versa.
And remember, you're not really the architect. These networks weren't so much designed, as grew. Even the Internet itself grew by connecting networks together - a network of networks. The name IP comes from this: Internet Protocol.
So back to the classified networks: did someone connect the Red Network to the Black one? We don't know, and folks who might know won't say. My experience is that nobody knows what their networks look like, and certainly haven't mapped all the connections (specifically, they have maps, but the maps do not reflect reality). But it doesn't matter, because users will bypass the air gap, anyway. With this:
It's a USB thumb drive (translation: an 8 Gigabyte removable file storage device). It fits in your pocket (or, if you follow the link, in your magazine).
Remember, your users want information. It's on the Red network. They can copy it to the thumb drive, and then walk over to a computer on the Black network and upload the information.
Of course, information flows both ways - classified data can go to USB. Very few of your users will do this, because very few are spies or traitors, so data flowing from Black to Red is not the initial problem.
Malicious code going from Red to Black is the initial problem.
Now why on earth would one of your users install malicious code on a Black network computer? Same reason they install spyware on their home computer: they don't know it's malicious. They just want to watch this:
It's the Dancing Baby from the mid-1990s. This was the first example of a mass Internet video meme - it was wildly popular, and spread virally, via email from user to user as people passed the link on to each other. Remember, as the architect, you need to keep the Black network from getting to the dancing baby.
You lose.
So if you are the chief Bad Guy - Dr. Evil, head of an unfriendly government's Intelligence Service - how do you hack the Fed.Gov classified network? Give people interesting poisoned bait - an interesting or funny video that contains embedded malware that runs when the video is watched. They'll want it, because it's interesting. They'll download it from the Red network (Al Gore's Intarwebz) and take it onto the Black network, where it will spread.
And now your spy comes into the picture. All he has to do is pick up the classified data that's been harvested by the malware botnet army that has infested the Black network. Of course there's risk, because he does indeed have to get past the armed Marine guards, but there is a long history of this sort of thing happening.
We don't know any details of the recent breaches, but we do know this: DoD has banned USB. It's not the only time we've seen malware infections via USB, either unintentionally or on purpose.
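A ban on USB is a policy; the part a defender can actually check is whether removable storage is still showing up on the machines that are supposed to be air-gapped. The following is an added example, not code from this post or from any DoD system: it walks a constructed sample of Linux kernel log lines (hostnames, timestamps and device IDs are all made up here), correlates each "USB Mass Storage device detected" message with the vendor/product ID announced for the same USB port, and lists every attach that is not on an approved-device list. A device whose ID was never logged is still reported, since an unknown thumb drive is exactly the case the ban exists for.

```python
"""Flag removable-storage attach events in Linux kernel logs.

Added example: the sample log below is constructed for illustration, and the
hostnames, timestamps and idVendor/idProduct values in it are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of kernel messages as syslog records them on two hosts.
SAMPLE_LOG = """\
Dec 22 09:14:01 black-ws-07 kernel: usb 1-1: new high-speed USB device number 4 using ehci_hcd
Dec 22 09:14:01 black-ws-07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Dec 22 09:14:01 black-ws-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Dec 22 09:14:02 black-ws-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Dec 22 09:20:45 black-ws-12 kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c077
Dec 22 09:20:45 black-ws-12 kernel: input: USB Optical Mouse as /devices/pci0000:00/0000:00:1d.0/usb2/2-3/2-3:1.0/input/input9
Dec 22 11:02:13 black-ws-12 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# syslog prefix: timestamp, host, then the kernel message body
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# "usb 1-1: New USB device found, idVendor=xxxx, idProduct=yyyy"
NEW_DEV_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# "usb-storage 1-1:1.0: USB Mass Storage device detected" (port:config.interface)
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


@dataclass(frozen=True)
class StorageEvent:
    ts: str
    host: str
    port: str
    vid: Optional[str]  # None when no "New USB device found" line was seen for the port
    pid: Optional[str]


def parse_events(log_text: str) -> list[StorageEvent]:
    """Return one StorageEvent per mass-storage attach, with IDs joined by (host, port)."""
    seen: dict[tuple[str, str], tuple[str, str]] = {}
    events: list[StorageEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        nd = NEW_DEV_RE.match(msg)
        if nd:
            # Remember the IDs announced on this port; usb-storage logs the same port.
            seen[(host, nd["port"])] = (nd["vid"], nd["pid"])
            continue
        st = STORAGE_RE.match(msg)
        if st:
            vid, pid = seen.get((host, st["port"]), (None, None))
            events.append(StorageEvent(m["ts"], host, st["port"], vid, pid))
    return events


def ban_violations(
    events: list[StorageEvent], approved: frozenset[tuple[str, str]] = frozenset()
) -> list[StorageEvent]:
    """Every attach whose (vid, pid) is not on the approved list; unknown IDs count."""
    return [e for e in events if (e.vid, e.pid) not in approved]


if __name__ == "__main__":
    for e in ban_violations(parse_events(SAMPLE_LOG)):
        print(f"{e.ts} {e.host}: mass storage on port {e.port}, id {e.vid}:{e.pid}")
```

Run against the sample it reports both hosts; passing `approved=frozenset({("0781", "5567")})` (a made-up ID standing in for a sanctioned encrypted drive) drops the first host and keeps the second, whose drive never announced an ID. Feeding it the real kernel log from a central syslog collector is the obvious next step, and is the only way to learn whether the ban is being honoured rather than assumed.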
And this is why Leyden sums up the problem so well:
Problems such as maintaining extended supply lines or knowing the terrain on which battles are fought really translate into the sphere of cybersecurity.

You don't know what your network looks like, it's evolving too quickly for you to ever know this, and even if you did know, you don't control the logistical flow of information.
Monday, December 22, 2008
Happy Hanukkah!
You see where this is going? One person talked to another person, who talked to a third, and by the end of the evening, I was the new rabbi.
Well, a couple months later, I was planting in the yard when one of the neighbor ladies walked by. She stopped to talk, and the conversation went something like this:
Nice Neighbor Lady: So, what are you planning on doing for Yom Kippur?
Me (a little confused): Well, we really weren't planning on doing anything.
NNL: ???
NNL: Boy, you must really be Reformed.
Well, when I told this story to some of our Jewish friends in Atlanta, and after they stopped giggling, they gave me a new nickname: Reb Ted*. Heh.
So Joel and Corey-Jan, and all other Jewish readers, Mazel Tov and Happy Hanukkah from Reb Ted and the Borepatch crew.
* When I bake bread, this was originally dubbed "Ted Bread". Now it's "Reb Ted's Ted Bread," especially at Passover. Yeah I know you don't have bread at Passover. Didn't used to. Need to be careful or you get an "oops" like Passover bread or a Santa Dreidel:
Al Gore, call your office
Ten below in New York City. 30 below wind chill in Chicago.
I blame Global Warming! Nothing that a major takeover of the world's economy by the Usual Suspects can't fix! And anyway, the science is settled ...
Meanwhile, closer to home:
Periodic Table of Awesome
For those of you who studied chemistry, you'll recognize the groupings (after you stop giggling hysterically) - for example, the "awesoments" representing food are in column 16 - Ch (Cheese), Sg (Sausage), Rm (Ramen).
Of course, Bn (Bacon) is the very first awesoment.
Guns and beer are also included for the awesome trifecta.
Sunday, December 21, 2008
JFK Blogging
The blizzard closed Logan airport - well, it was the 50 knot wind gusts, which are unhealthy for children and other living things if they're in airplanes trying to land.
So #1 Son and I drove from Boston to JFK where her flight was diverted. Five and a half hours of I-95 in a blizzard, and we're on our way back. Blogging is (ahem) expected to be light.
UPDATE 22 December 2008 01:00: Back now. Maybe yesterday I was only 75% cowboy, but today I'll take the full measure, thank you very much. It's not about how you ride a horse, it's about doing what needs doing. Even if it's fetching your lovely bride from a distant airport and then snow blowing the driveway so she can get in.
There's a certain satisfaction at doing what your loved ones need, when they really need it.
The second greatest Christmas song, ever.
And the proper order of descending greatness is Bing Crosby and the Andrews Sisters, then Dean Martin, and only then Jimmy Buffett. Sorry, Jimmy.
Oh, and ACLU, go ahead and sue me. It's been snowing for three days straight, and we're headed to Phoenix this week. I heard there are Palm Trees there. Just read this before you give me any sermons about slippery slopes of fundamental rights.
Sheesh, I must be grumpy. Even Christmas music is making me cross.
Happy Solstice to the ACLU
More Christmas Music
Now that's just fun. Another cup of coffee, and I think I'll feel quite myself again.
The greatest Christmas song, ever
Heal me, Bruce.
Google is teh stupid
Looks like an ad for Chrome, their new browser. So, did Ted just get up on the grumpy side of bed Chez Borepatch?
Well, maybe. But this is annoying, and they should know better. Consider:
- Chrome only runs on Windows XP and Vista. Their ad even says this.
- I'm running Ubuntu Linux, which is Teh Awesome, except for that Chrome-doesn't-run-on-Linux thing.
Kind of cool to see Windows ME. Macintosh and especially Linux are overrepresented here, maybe because I post a lot about Internet Security, and a lot of security guys run Linux.
OK, so they know I'm running Linux, and gave me an ad that was essentially "Nya, Nya - you can not haz Chrome!" If this were momandpop.com, then I wouldn't even notice. Momandpop.com maybe doesn't know all the ins and outs of Al Gore's Intarwebs.
But this is Google.
Well, maybe this is a Good Thing. When they become our new Internet Overlords and decide "what the heck, let's try this Evil thing," then maybe they will still be Teh Stupid and we'll be saved!
/sarcasm
Man, I am grumpy this morning. Grumpy enough to grab two screen shots, even. Time to put on some Christmas music.
Saturday, December 20, 2008
Happy Birthday, #2 Son
The candles spell out thirteen, in case you couldn't tell.
Now I always thought that kids born near the end of the year got a bum deal - their birthday is so close to the holidays, that all their presents come in one big chunk. The size of the chunk may be such that they just don't get as many birthday presents. So we celebrate "Half Birthday" in June - all the presents well away from the holidays, so nobody loses count.
And cake is always a good idea.
But now #2 Son is a teenager. Yikes.
Policeman uses Crime database to blackmail criminals
A UK policeman used his access to a database of sex and drug offenders to blackmail the criminals:
PC Amerdeep Singh Johal, 29, was arrested by anti-corruption cops from Scotland Yard in July 2007. Johal was employed in checking names and addresses on the police database, called Crimint, on behalf of beat cops.
He abused the role to contact 11 convicted offenders and threaten to spill the beans on their crimes unless he was given "hush money". Johal requested between £29,000 and £31,000 for his silence, threatening to tell work colleagues or neighbours of convicted sex offenders about their crimes. In one instance Johal demanded £89,000 as a "goodwill gesture".

He was caught, prosecuted, and convicted, so well done for the UK police services. So far.

The case has raised wider concerns about the misuse of police databases, which the Metropolitan police is keen to downplay.
A Scotland Yard spokesman told the BBC: "There are strict guidelines in place regarding the use of intelligence databases and if anyone abuses it that is taken extremely seriously."

Well, that's all right, then. Srlsy.
People on the seedier side of cyber security used to have a saying ten years ago. You want to give someone a Bad Day, break into the National Crime Information System and put out an All Points Bulletin: Armed And Dangerous.
The most compelling argument for small government is that all government power will eventually get abused. In this case, it was the bad apple doing a bit of unauthorized moonlighting, but we see this occur for purposes both large and small.
Joe the Plumber had political flunkies snooping into his background. Some other folks were just arrested for applauding a speaker at a Board of Supervisors meeting in Phoenix.
The problem of petty officials abusing their authority is very, very old - literature is full of examples. Until the crooked timber of humanity is straightened, we can't expect any change.
This is precisely the argument against the Patriot Act: we don't know the specifics of how it will be (is?) abused, but we know that it will be (is?). It's the reason that gun owners oppose - or should oppose - registration.
From a computer security point of view, there's nothing that you can do about this that does not result in FAIL. You have an authorized user accessing data that they are authorized to see. There are no technical controls that can be used to mitigate this risk. About all you can do is aggressively prosecute (and jail) bad apples like Police Constable Johal.
And it's why it's so important to always err on the side of prosecution. It doesn't happen this way, of course, but each small episode of "we'll deal with it internally" further erodes the system.
UPDATE 22 December 2008 12:04: For a system that is high risk for this sort of abuse, read this. Yes, the ATF is involved.
75% Cowboy
No plowing today, so I don't get full marks. But the snowblower is the
I shoot better than I ride, so y'all should have an idea of what I look like on a horse ....
UPDATE 20 December 2008 11:14: Now this guy can ride a horse, even if he isn't a cowboy. Hat tip Heart of a Warrior.
I, for one, welcome our new Generalissimo Overlord
Galba (succeeded Nero)

Now the Romans hadn't conquered pretty much everything in sight by not being organized, and four emperors in a single year didn't really set a new standard for organization. Vespasian was from the old school of no-nonsense you-have-30-seconds-to-surrender-or-we'll-kill-you-all-now-it's-29-seconds Roman commanders, and so he pretty much put a stop to the multiple emperor foolishness, to general relief.
Otho
Vitellius
As an example of his take-no-prisoners attitude, he had the Colosseum built during his reign. On the site of Nero's old Golden Palace. New boss in town, different than the old boss.
And oh yeah, in 1803, the United States purchased Louisiana from the Emperor of France, setting up a whole bunch of folks for misery during hurricane Katrina. I blame George W. Bush.
Jason Meadows - 100% Cowboy
Jason Meadows was runner-up on season 3 of Nashville Star. I thought this was a shame, since he was my favorite.
It didn't hold him back from cutting an album, 100% Cowboy. The song with that name really captures what I liked about his performances that season: straight up and honest. He actually is an honest-to-God cowboy. Yes, that's him riding the horse in the video. Sideways. It ain't bragging if you can do it.
I don't claim to be John Wayne
Ridin' across that silver screen
And I ain't that picture in your head
Of all these modern day wannabes
I'm just proud that I can say
I don't wear this hat for show or fame
If you don't like who I am
You got momma and daddy and the good lord to blame
Amen
(Chorus)
I'm a straight up, no jokin', buck knife, gun totin'
Give you the shirt off my back
I'm up at the crack of dawn
Work until the sun is gone
I ain't got time for no crap
No I'm not one of them posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy
I've always tucked my shirts in
I crease my own blue jeans
An I don't do it cause its who
Somebody says I oughta be
Yeah, when I'm laying in that old pine box
And all my family's gathered 'round, they'll say
There goes a dying breed
Six feet in the ground
(Chorus)
Hey, I'm a straight up, no jokin', buck knife, gun totin'
Give you the shirt off my back
I'm up at the crack of dawn
Work until the sun is gone
I ain't got time for no crap
No I'm not one of them posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy
No I'm not one of them posin' pretty boys
I'm an everyday, all the way, hundred percent cowboy
Yeah I'm a cowboy
I said I'm a cowboy
100% I'm a cowboy
Yeah, just like Chris LeDoux, I'm a cowboy

Other hunky men from December's Saturday Redneck:
Blake Shelton - Don't Make Me
Tim McGraw - Suspicions
Friday, December 19, 2008
Braise
First you have to brown them. Yes, of course properly. I do it in stages, putting the browned ones on a plate while I do their compatriots.
When the last ones are browned, remove them to the plate and toss in diced celery, carrot, and onion (a couple handfuls of each). This is a mirepoix, which adds a flavor base. Like I said yesterday, add flavor.
You need a liquid. You could use water, but that doesn't add flavor. Stock (chicken or beef) and/or red wine bring flavor to the party. You'll want the meat to be about half submerged. It looks (and smells) better in real life. The meat should NOT be submerged.
This is the basic braise. As to flavor, you can go a bunch of different ways:
Southern, with a rub (and no, you're not allowed to use store-bought rub unless it's from Corky's. Sure wish Swallow in the Hollow did mail order). Serve over grits.
Continental, with thyme, garlic, and pepper. You can use Paprika if you want to get all jiggy, and serve over noodles. Fresh pasta is easy and lets you present a more rustic texture.
Oriental, with garlic, ginger, soy sauce, and Old Bay (yeah, it's not oriental, but I like it and that's what's cooking). Serve over short grained (sticky) rice.

Don't forget the garnish, or Martha Stewart will make you take her shooting. Not that that's a bad thing.
Now the one way that's guaranteed to kill the dish is cooking over high heat. Once everything is up to a simmer, toss the meat back in the pot, and turn the heat to low. By "low", I mean as low as your cooktop will go. Check after ten minutes, and if there's no simmer, you can turn the heat up a bit. But there will be simmer, trust me.
Let it go 45 minutes, and flip the ribs. Let it go another 45 minutes, and then they're going to be done.
Take the ribs out and wrap them in foil. Strain the vegetation, and save it. Return the liquid to the pot. NOW you can goose the heat. You want to reduce the sauce by half - remember, half the volume doubles the flavor. This is the time to correct the flavor.
Perfect stick-to-your-ribs for a Conquering Hero returning from snowblowing the driveway.
UPDATE 19 December 2008 19:23: Oops, I forgot to mention that after you reduce the sauce, you'll want to hit it with a little vinegar to "brighten" it. The type can vary: rice wine vinegar for oriental, red wine vinegar for continental, malt vinegar for southern. Long cooking causes some of the acids to fall apart, so you'll want a couple or three tablespoons of vinegar to bring it back.
Snow? In New England? Srlsy?
Beef. It's What's For Dinner. Except in New England, where we're all out. I won't show you the toilet paper aisle. Oh the humanity!
Now southerners are not allowed to scoff (I remember school being canceled in Atlanta based on a forecast that there might be snow). However, you are hereby given leave to roll your eyes when some pompous Northerner talks about how they not only had to walk 5 miles uphill to school both ways, they had to shovel a path through the snow first.
I have to say that I do miss my old beater F250 pickup. Yeah it was a rustbucket, and yeah it kept breaking down, but it not only had a snowplow, it had an industrial sized snowplow. I was king of the road. But it was a beater, and it did break down, and I had to shovel once because it broke down. I did the Happy Dance when we got rid of it.
I wanted a small plow for the Wrangler, like this. Not king of the road, but maybe prince of the road.
Don't do it, said the family. Get a snowblower, said the family. "If we get a snowblower," said I, "will you boys do the driveway?" Of course, they said.
And they did. Well, #1 Son did. He wouldn't be plowing in the Jeep, so this seems a win.
Thursday, December 18, 2008
Meat that you do not want to brown
Cooking (almost) like a pro
Me? I cheat. But that works a surprising amount of the time. Like today, for example. #1 Son had some friends over, and wanted to invite them to dinner. So I had four teenagers to feed (yikes - and I thought gas was expensive). So big, fast, and tasty was the order of the day.
Time to cheat, then. I had an industrial sized pack of pork chops that was sacrificed for the higher cause. Now to the cheating part - how to make this almost-as-good-as-you'd-get-in-a-restaurant?
1. Add flavor. James Beard has a great recipe for Piquant Porkchops in his American Cookery cookbook. It has a sauce containing onion, vinegar, and Tabasco. It's a fine base to start with, and flavors that jump out at you take you half way to the finish line.
2. Take the time to brown the meat. A lot of folks skip this, or only do it half way, and it may be the single most important step to get that wow-this-is-as-good-as-a-restaurant result. What you're doing here is essentially caramelizing the outside of the meat, via the Maillard Reaction, and don't skip this step. Yes, it will take you an extra ten minutes to do it properly. Do you want to bask in the admiration of your public, or don't you?
3. Reduce the sauce. What you're doing is removing water while leaving flavor. More flavor in less volume is, well, more flavor. I never grill a steak any more, because if you pan sear it, you can make a pan sauce: a little red wine to de-glaze the yummy scraping, reduce, salt and pepper, a dab of butter - bingo. Besides, this gives you something to put on the mashed potatoes.
4. Garnish. I love a sprinkle of chopped parsley. Yeah, it's Martha Stewart-y - so what? Maybe it's psychological, but it sets everyone's expectations differently than if you just sling some hash to 'em. Not that there's anything wrong with that, of course.
As you can see, this is no big deal. But it let me feed a house of hungry teenagers food that they wolfed down, on the table in 30 minutes.
GOOD DAY TO YOU SIRS OR MADAM
I AM [PRIME MINISTER OF KINGDOM OF THAILAND]. I HAVE BUSINESS PROPOSITION TO MAKE YOU. Have URGENT POLITICAL CRISIS to get out of the country; need you to send 10c ([TEN CENTS]) to me and it's yours.
Is NOT pyramid scheme
Signed,
[Thai prime minister]