Tuesday, September 30, 2008

300

In three months, I've posted 300 times. I always knew I was a blabbermouth, but now I have an actual measure.

And obligatory quotes from 300:
Persian: My arm!
Stelios: It's not yours, anymore.
and
Persian General Slaughtered: Spartans, lay down your weapons.
[a spear flies out and impales him through the chest, and he falls out of the saddle, dead]
King Leonidas: Persians! Come and get them!
Of course, it's better in the original Greek: Molon labe!

Autumn in the Berkshires

Business trip to Albany, and it's too darn close to fly so I drove. 300 miles and 12 hours later, all I can say is that western Massachusetts is fixin' to be drop dead gorgeous in about 3 weeks. As Michelin would say, it'll be worth a detour, at least. Insane politics, but pretty state.

I'll take a camera. In the mean time, here's one shamelessly stolen from here.

Oh Baby! Meme

Seems Breda's trying to cute-up our corner of Al Gore's Intarwebz. So, as a public service, here's Ted at around 3 years old.

This was obviously before I wore all the cute off.

Somewhere there's an even cuter pic (obviously from when I was even younger - even at this tender age I was wearing the cute off at a serious rate). I won honorable mention in a baby picture contest at the Columbus, Ohio Lazarus department store in 1960 (!). That cute's been gone for decades.

Leave a comment if you want me to dig it up.

This is more disturbing than you realize

vint cerf, google, the architect, the matrix

Hope, it is the quintessential human delusion, simultaneously the source of your greatest strength, and your greatest weakness.

Monday, September 29, 2008

Teh Funny (going to Hell edition)

If I'm going to Hell, may as well double down.

Heh.

h/t Just John.

Pig Candy is taking over

And why not? Last Friday, I was chatting with a nice, chatty deli man at the Big Tech Company cafeteria, and mentioned Breda's Pig Candy. Not only did he bust out all wistful-like, he said the words that make a pig lover weak in the knees:
"I could make that."
And Boy, Howdy, can he ever. This week's deli special: Pig Candy Sandwich. As Bruce would say, it's wicked good*.
Turkey slices
Stuffing
Cranberry-Orange relish
Pig Candy
Slap it all between a couple slices of bread, and you're in (ahem) hog heaven. I'm sure that there are things not improved with bacon, but none of them are found at the deli counter.

* Actually, he might play the Wicked Good Band doing it, but that would be even better.

Buzzwords - ur doin it rong

Well, it's EU bureaucrats, so no big surprise there. They're making up new terms:
The European Commission has called out for help on how it can "put Europe into the lead of the transition to Web 3.0". It doesn't seem sure what web 3.0 is or could be in the future - it just knows it wants it.
Probably mostly harmless, whatever it is. The smart money is betting that security isn't an afterthought - it isn't thought of at all. But I digress. The Reg has better snark than I do, anyway:
Way, way, waaay back in 2005 when we were all working out what web 2.0 was made of, El Reg ran its own consultation exercise, which determined that mash-up, social networks and wikis are made of badgers paws, stardust and otters tears. And "a great big shit sandwich".
Pretty much sums up Internet Security, come to think of it.

The fun continues in about 2 hours

That's when the Nikkei opens. The US markets caught a bad cold today - we'll see pretty soon whether the rest of the world catches pneumonia.

How's this going to play out? I have absolutely no idea. I have a sheepskin from State U saying I know something about Economics, and I still have no idea. It's very likely that markets are rational in the long run; it's pretty easy to see that the markets can be absolutely, gibbering insane in the short term.

But the headlines of overseas markets won't matter in the US. Maybe this is bad, but it won't. Here's why:

This will, once again, drive Europeans and Democrats absolutely, gibbering insane.

UPDATE 30 September 2008 00:35: Seems so: Japan Stocks Drop Toward 4-Year Low as Bank Rescue Plan Fails. It will be interesting to see if Congress goes back into session. Another 300 or 400 point drop and they'll look like Nero fiddling over the flames.

Watch for falling markets brokers

I'm going to Hell for this one.


Dear Sir, I'm writing to complain about that sketch about people falling out of a high building. I have worked all my life in such a building and have never once... WWAAAAAAAAAAAAAHHHHHHHH!!!!!!!!!!!

Sunday, September 28, 2008

Search Term Safari

It's weird to see that I get enough hits that I can actually put one of these together.

redneck thinking of you quotes
That's awfully sweet, but I'm already married. Thanks, though!

how to can make boom
Well, squeezing the trigger works for me. Remember, it's squeeze, not pull. Always remember the 4 Rules, and if your "boom" is successful, you'll want ear protection.
teletubbies shooting, shoot time for teletubbies, etc
I see so much of this sort of thing that I assumed I was the number 1 Google hit for it. Pretty disturbing. I find, to my relief, that I'm not even on the first page.

That said, you should be ashamed of yourself. I say that as someone who's actually shot a Teletubby.
ur doing it rong
Well, you're here, aren't you?
winchester 30 30 1894 ranger
Mmmmmm. Lever Gun!

In Soviet Russia America

Ouch. Ouch.

If you haven't run across the "In Soviet Russia ..." jokes, there's a good intro here.

UPDATE 1 October 2008 19:37: DirtCrashr linked. Thanks! If you came here from his place (a DirtCrashralanche!), take a look around.

Unpatriotic - ur doing it rong

Seems Nancy Pelosi thinks that the republicans are "unpatriotic" for not going to a meeting about the banking crisis. A secret meeting. One that they weren't invited to. Oops.

You can't make up stuff crazier than what's actually happening in Washington, DC.

I know, I know, what's new? Sigh.

Cue Mark Twain:
Judas Iscariot was nothing but a low down, premature congressman.

What I remember

Other folks better than I are writing about Paul Newman's films, and while I like an awful lot of them, that's not what I remember about him.

Normal.

That's what I remember - while he was enormously talented, he was a normal, normal guy. Married to the same woman for 50 years. Giving her the credit:
"Why go out for hamburger when you have a steak at home?"
Maybe most people wouldn't act like that given the same circumstances, but Hollywood is about dreams, isn't it? I'll keep this one, thank you very much.

He was a good man, and we could use a bunch more like him. Requiescat in pace.

Quote of the Day

From Jay, Shut up and sing. Leftie musicians supporting politicians who tried to hamstring them?
Like, oh, Bob Weir and Mickey Hart of the Grateful Dead playing at a political fundraiser for Al Gore. Yeah, Al Gore. The political genius behind the PMRC. One can only hope that somewhere, Frank Zappa was kicking Jerry Garcia in the ass...
RTWT.

Saturday, September 27, 2008

New Spam Attack

The Bad Guys continually change their approach to try to stay "fresh" - one thing that is very clear in the Spam community is that they have to try new approaches, ideally to new targets. There has been a suspicion for some time that there's enough money in malware (especially Spam) that it pays for the Bad Guys to employ psychologists to refine their message.

I must admit that this one is pretty creative. It's a little scary how the message has been refined and targeted. Since this one is broadly targeted (millions and millions of people affected) and since the text changes little from email to email, I'm reproducing the bulk of the message (spelling mistakes in original):
I NEED TO ASK YOU TO SUPPORT AN URGENT SECRET BUSINESS RELATIONSHIP WITH A TRANSFER OF FUNDS OF GREAT MAGNITUDE.

I AM MINISTRY OF THE TREASURY OF THE REPUBLIC OF AMERICA. MY COUNTRY HAS HAD CRISIS THAT HAS CAUSED THE NEED FOR LARGE TRANSFER OF FUNDS OF 800 BILLION DOLLARS US. IF YOU WOULD ASSIST ME IN THIS TRANSFER, IT WOULD BE MOST PROFITABLE TO YOU.

I AM WORKING WITH MR. PHIL GRAM, LOBBYIST FOR UBS, WHO WILL BE MY REPLACEMENT AS MINISTRY OF THE TREASURY IN JANUARY. AS A SENATOR, YOU MAY KNOW HIM AS THE LEADER OF THE AMERICAN BANKING DEREGULATION MOVEMENT IN THE 1990S. THIS TRANSACTIN IS 100% SAFE.

THIS IS A MATTER OF GREAT URGENCY. WE NEED A BLANK CHECK. WE NEED THE FUNDS AS QUICKLY AS POSSIBLE. WE CANNOT DIRECTLY TRANSFER THESE FUNDS IN THE NAMES OF OUR CLOSE FRIENDS BECAUSE WE ARE CONSTANTLY UNDER SURVEILLANCE. MY FAMILY LAWYER ADVISED ME THAT I SHOULD LOOK FOR A RELIABLE AND TRUSTWORTHY PERSON WHO WILL ACT AS A NEXT OF KIN SO THE FUNDS CAN BE TRANSFERRED.

PLEASE REPLY WITH ALL OF YOUR BANK ACCOUNT, IRA AND COLLEGE FUND ACCOUNT NUMBERS AND THOSE OF YOUR CHILDREN AND GRANDCHILDREN TO WALLSTREETBAILOUT@TREASURY.GOV
SO THAT WE MAY TRANSFER YOUR COMMISSION FOR THIS TRANSACTION. AFTER I RECEIVE THAT INFORMATION, I WILL RESPOND WITH DETAILED INFORMATION ABOUT SAFEGUARDS THAT WILL BE USED TO PROTECT THE FUNDS.

YOURS FAITHFULLY MINISTER OF TREASURY PAULSON
I can't remember an example that targeted more people, or for more money. Stay safe out there.

h/t Clayton Cramer.

Range Report - Marlin 1894C

This is a good week - shooting twice, and two range reports.

Let me tell you, it was quite a sight at the range, seeing not just the Winchester 1894, but two new Marlin 1894 carbines. One in .30-30, and this one in .357/.38 Special.

Both my regular readers will remember me gushing about JD's 1894 in .45 Long Colt. I think that a lever gun in a decent pistol caliber is simply an outstanding idea, for several reasons:
  • Ammunition is cheap. JD said that he uses reloads, since .45 LC is a bit spendy, but .38 Special is, well, cheaper than dirt. Cheaper Than Dirt currently has .30-30 at 76¢/round, .45 LC at 68¢/round, but .38 Special at 24¢/round. Cheaper ammo = you shoot more = you become a better shot.
  • A pistol round has much, much less recoil. In my range report for the Winchester, I was developing a flinch by the time I had shot 20 rounds, and had a nice, fat bruise on my shoulder when I was done. This time, we shot 50 rounds each and ended with nothing more than ear-to-ear grins.
  • If you have a hankering for yummy venison, it's hard to see that .357 in this rifle wouldn't be up to the job. I actually like my chances better this way, because I'd shoot many, many more practice rounds, and therefore become a better shot. The question is not so much about caliber, as about shot placement.
So you can imagine my anticipation as I stepped up to the lane. Here are some impressions:
  1. The Marlin ejects the spent shell to the right, not straight up like the Winchester does. This means that you can keep the rifle mounted while you work the lever without worrying about a face full of hot brass. It also means that you could mount a scope, but only a communist would mount a scope on a lever gun, right?
  2. It seemed like the lever action was possibly less robust (meaty) than the Winchester. This is very impressionistic, so take this with a big, big grain of salt. Maybe it was just my mood after a long week. Certainly the action works smoothly.
  3. Esthetically, I think I prefer a darker wood stock. The Winchester just looks nicer to me, but it's years older than the brand new Marlin, and could very well have darkened over time. Your mileage is almost certain to vary here.
  4. The iron sights aren't great. The front sight is a bead, which I guess is OK, but the rear sight is a v-notch. If I were to buy one, I'd replace the sights with something that I find quicker and easier to align.
  5. The trigger is great. No take up at all, that I noticed; clean surprise break. Fun, fun, fun.
  6. It has a safety, near the trigger. I'm not sure why I found that weird, but somehow it just seems out of place on a lever gun. As my buddy the lawyer says, "If it weren't for lawyers, you wouldn't need them!"
  7. It's fun to shoot stuff.
One thing that was a problem is that my eyes are getting old. No surprise there, as pretty much all of me is getting old. Between the blurry, out of focus target pattern and the fact that my left eye is dominant (i.e. I'm shooting mostly with my non-dominant eye), any frustration from the day's shooting can't be blamed on the rifle.

A couple of posts kind of skirted this issue (especially the comments). In one (can't find it - I'm surprised to see that I have almost 300 posts in the three months I've been blogging), Random Acts of Patriotism left some great comments on ways to see better. I'm sorry to say that I ignored his advice, and it showed in my groups. However, I have a bleg of sorts:

Any ideas about the effectiveness of prescription shooting glasses? There seem to be some on the market.

Anyone had any experience with these? Yes, yes, I know I should work on my technique, improve my skill level, yadda yadda. That said, are these gimmicks, or do they really work?

Heh

Just heh.

Teh Funny (proud dad edition)

#2 son's desktop wallpaper.

They say it like it's a bad thing or something ....

Now where did he get that sense of humor?

Saturday Redneck - Rodney Atkins

While I'm a father, I only have boys. JayG, on the other hand, is blessed with a little girl.

Fortunately, he has a plan for when she starts dating. Heh.

Jay, this Saturday Redneck is for you.

Rodney Atkins is fairly new to the country music scene, and is pretty mainstream country - slide guitars, fiddles, you know what I'm talking about. He also has a funny sense of humor that he puts in his songs. Cleaning this Gun is about a Dad whose daughter is going out on a date, and the chat he has with the young man. Once again, heh.
The Declaration of Independence
Think I could tell you that first sentence
But then I’m lost

I can't begin to count the theories
I've had pounded in my head
That I forgot

I don't remember all that Spanish
Or the Gettysburg address
But there is one speech from high school
I'll never forget

(Chorus)
Come on in boy sit on down
And tell me about yourself
So you like my daughter do you now?
Yeah we think she's something else
She's her daddy's girl
Her momma's world
She deserves respect
That’s what she'll get
Ain’t it son?
Hey y'all run along and have some fun
I'll see you when you get back
Bet I’ll be up all night
Still cleanin' this gun

Well now that I’m a father
I’m scared to death one day my daughter
Is gonna find
That teenage boy I used to be
That seems to have just one thing on his mind

She’s growin' up so fast
It won't be long before
I’ll have to put the fear of god into
Some kid at the door

(Chorus)
Come on in boy sit on down
And tell me about yourself
So you like my daughter do you now?
Yeah we think she's something else
She's her daddy's girl
Her momma's world
She deserves respect
That’s what she'll get
Now ain't it son?
Y’all go out and have some fun
I'll see you when you get back
Probably be up all night
Still cleanin' this gun

Now it's all for show
Ain’t nobody gonna get hurt
It’s just a daddy thing
And hey, believe me, man it works

(Chorus)
Come on in boy sit on down
And tell me about yourself
So you like my daughter do you now?
Yeah we think she's something else
She's her daddy's girl
Her momma's world
She deserves respect
That’s what she'll get
Now ain't it son?
Y’all run along and have a little fun
I'll see you when you get back
Probably be up all night
Still cleanin' this gun

Son, now y'all buckle up and have her back by te- let's say about nine...thirty.
Drive safe.
While there's no CMT video for this, here's a Youtube with the lyrics.

UPDATE 27 September 2008 08:55: Hey, it's a Jayalanche! Welcome, and take a look around. There's more here than just redneck. Well, maybe not much, but some.

Friday, September 26, 2008

Unfortunately, it's true

Geeky security t-shirts - get 'em here!

Oh well - the Intarwebz may be coming to an end, but at least we can laugh!

New comments policy?

Let's be careful out there ...

Bad security news, part 2

It looks like Clickjacking is not only a real problem, but worse than we thought.
In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.
The biggest concern is when you visit sites like Paypal, your online bank, or broker. The attacker's page loads the site you trust inside an invisible frame and lines its buttons up underneath whatever you think you're clicking, so your own click lands on the real site's "Submit" button without your knowledge. Slashdot has a good discussion with the following comment that does a good job of summing up the situation:
Imagine you're in a car showroom looking at a super-expensive car. It looks great and price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car.
Yuck. So, what do you do?

First, while the 2 Simple Rules of Browser Security are still a good idea for general security problems, they don't help here.

Second, it appears that this exploit would likely be tied to a Cross Site Request Forgery (CSRF) attack. This gives you some things you can do that should noticeably improve your chances:
  • When you're done at your bank or broker, always click their logout button. That kills your session, so a CSRF attack from another site has nothing to hijack. No session, no hijack.
  • Don't have other tabs open in a browser when you're going to one of these financial sites. A malicious page in another tab can't reach into the banking tab, but it can load the bank in a hidden frame of its own, and as long as you're logged in your browser sends your session cookie right along with it.
  • Sites that put an unpredictable token in each request (for example, something like "random=FUOUOY3273" in the URL or in a hidden form field) are resistant to CSRF. Resistant, not necessarily immune, but this is still a win. However, the token needs to be different for each session (or it isn't random, right?), and it only helps if the site actually checks it on every request that moves money.
Oh, and Paypal has a reputation for being vulnerable to CSRF attacks. This is a bit of a problem, if you use it (I won't). If you do, monitor your account regularly.

UPDATE 30 SEPTEMBER 2008 20:03: Related article and discussion at Slashdot.

Bad news, part 1

A while back, I posted on Industrial Security? We'll see. Well, we're starting to see.
... an attacker can use his control over the FEP server to insert a generic electric grid malware...in order to cause harm to the grid
It's pretty surprising how vulnerable the power grid is to someone who wanted to start taking it apart, bit by bit. The grid was designed to be robust against storms and natural disasters, and is very robust indeed. Against single impact events. An attacker who exploited this SCADA vulnerability to take out an important point in the grid would stress the entire grid, as it tried to route around the failure. If the attacker took out another key point, and possibly another, the grid might collapse.

Think New York City in 2003, but across the entire eastern seaboard.
The advisory comes as concern mounts about the safety of software used to run gasoline refineries, manufacturing plants and other industrial facilities. In June, a now-patched vulnerability in CitectSCADA potentially exposed plants' critical operations to outsiders or disgruntled employees. Law makers on both sides of the Atlantic have warned that lax security may make critical infrastructure vulnerable to saboteurs or terrorists.
Forget nukes. If the Mullahs want a good deterrent, this is a lot cheaper.

From a security point of view, the real question is not "Is the power grid vulnerable?" Of course it is. The real question is what parts of the grid do the bad guys already own?

Thursday, September 25, 2008

Help the message, help the messenger

Oleg Volk is an incredibly talented photographer. He's one of the few second amendment supporters who can meet the anti-gun side on their own ground - emotional arguments - and beat them.

Soundly.

He could use some help, if you can.

Range Report - Glock 22

Late blogging today because I was at the range - the second time this week! Shooting with an old friend and coworker from an Internet security startup company lo these many moons ago. He needs one of the shirts that Jay got. Just sayin'.

We shot a Glock model 22 chambered in .40 S&W.

Now I'm not quite as adamantly opposed to Glocks as Kim Du Toit (" 1. ugly 2. plastic 3. made by furriners"), but I can certainly sympathize with an appreciation for the great old designs - 1911 or Colt SAA, for example. Or new "old" designs like the Ruger Vaquero. The Glocks, while reliable and accurate as all get out, are functional and utilitarian, rather than poetic. Nothing wrong with that, of course, if that's your cup of tea.

I'd never shot one, which seemed like a shame. I'd also never shot the .40 S&W cartridge, so this was a two-fer of new shooty goodness.

The Glock did not disappoint for accuracy (10 yard target). The first set of 5 shots was in the center of the target. You see the "ladder" effect as I was getting used to the sights. After that, it was everything you'd want in a pistol, and was everything you've heard.

The sights are simply outstanding. If you've never fired one, the square front sight is white on a black background. The rear sights are black, highlighted in white. The front and back sights line up better than maybe anything I've ever fired, once you get used to them. I have no idea how well they would work in tactical situations (presumably very well indeed), but there was nothing to complain about on the range. Boy, howdy, not at all.

The safety was unusual, as you'd expect if you've heard about Glock safeties. It's a small trigger-like mechanism that protrudes from the pistol's trigger. When you squeeze the trigger, you're automatically releasing the safety. Basically, this means that it's impossible to release the safety unless something is touching the trigger. If you are scrupulous about following Rule 3, it's hard to see how this could go wrong. It also means that it's impossible to forget to set the safety when you put the pistol down. Clever.

The trigger itself is fine. Not a spongy two-stage trigger like the Beretta 92 - very little take up and a good surprise break. That was a very good thing, because the .40 S&W was a snappy round. I mean snappy.

Most times when I shoot a new gun I mentally take note of which Borepatch family member might like to shoot it some time. The Marlin 1894C in .357/.38Spec is something that I could go for. The 1911 was one of #2 son's favorites. The Thompson? #1 son, all the way.

Which would like to shoot the .40 S&W? (sound of crickets chirping)

Note that I am not saying that this cartridge is insane, or unshootable. It did have a lot more recoil than most I've shot, and the recoil was sharper (more of an upward kick to the barrel) than you'd get from .38 Special in a revolver, or even .45 ACP in the 1911. I had to consciously work on a surprise trigger break to avoid developing a flinch, but this was obviously manageable. Chris Byrne has a good post comparing "defensive" caliber cartridges, if you're interested in more on this topic.

And it could have been worse. The guys a couple lanes down were shooting this.
Ruger Super Redhawk snubbie in .454 Casull. Wow. I'm not at all ashamed to say that I'm not man enough for this pistol. Sure was fun watching the guys (big guys) wince after each trigger squeeze.

Wednesday, September 24, 2008

And there's a lot more where that came from, buster!

Seems I'm the number 5 hit on Google for "starving african children" - although my post is on how environmentalists' policies are killing them.

I guess that if I have to use my super Jedi Google powers, there are worse causes out there. These are not the links that you're looking for ....

h/t Marko, who has much, much funnier search safaris than I do.

And just so you know

It's not all redneck, all the time ...

Right now, it's Eric Johnson, Cliffs of Dover. Man can play.

iDump is the shizzle Flippity Floppity Floop

Just saying.

Now I'll have to go all Tam and stuff the iJunk with gobs and gobs of Saturday Redneck.

Tuesday, September 23, 2008

US Leads in Cyber Attacks

Before y'all start painting your faces red-white-and-blue and hollering "USA!", what everyone is talking about is that the US is the source of most of the cyber attacks seen in the world.

20 million attacks came from computers in the land of the free and the home of the brave.

Now before the Euros get all snotty, this doesn't mean that the attackers are in the US. Some are, of course, but there are an awful lot in eastern Europe and China, among other places. So what gives?

As I posted in the early days of this blog:
So, everything is vulnerable. Attackers can pretty much get anywhere they want to, if they're patient and really want to - the smart ones can, at least. The rest of us face a never ending Hobson's choice of patch and pray.
Computers in Lima, Peru are no more secure than computers in Poughkeepsie. So why are there so many infected ("bot") computers here?

Follow the money. If you're Dr. Evil, do you try to scam users in a nation of 300 million well-off computer owners who all speak the same language, or do you go after owners in much poorer countries, where lots of different languages are spoken? We're a target rich environment, probably the biggest, wealthiest target out there.

Good day. Please allow me to introduce myself. I am Dr. Clement Okon, Deputy Energy Minister ....

So don't let anyone tell you that we're slacking off on security here in the good ol' US of A. Well, we are. But everyone else is, too. We're just a bigger, more interesting target than they are.

Stupid security

There's an awful lot of it, and sometimes security that tries to be smart ends up being dumb. From Ars Technica:
Follow-up questions revealed that the students seemed to find any dialog box a distraction from their assigned task; nearly half said that all they cared about was getting rid of these dialogs. The results suggest that a familiarity with Windows dialogs has bred a degree of contempt and that users simply don't care what the boxes say anymore.
Well, yeah. Especially when they get popups like this (that one is actually a program crash, not a security prompt, but the user has no way to tell the difference):
"The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program."
What the heck does this mean? So what folks think is "I remember that time I clicked 'No' and my browser wouldn't run any more. I think I'll click 'Yes'". Even the article, written by security geeks for security geeks, recognizes this. They have a popup that might be an improvement:

This is actually not a bad idea, although it does way too much hand-waving on "Malware is BAD, mkay?" An improvement is to capture information about what an expert would do, sort of like this:
"The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Ted at Borepatch thinks that this is no big deal. Do you want to do what he did, or something else?"
Actually, if you replace "Ted at Borepatch" with "Best Buy's Geek Squad", this might work pretty well, as long as you don't overwhelm the user with security popups, like Vista:

Slashdot has a really misleading title ("Popup Study Confirms Most Users Are Idiots"), but the comments in the post thrash the headline within an inch of its life. Good to see the big tech egos at Slashdot not throwing typical users under the security bus.

Monday, September 22, 2008

Foodblogging - Peach Cobbler

#1 son and I made peach cobbler for dinner. Easy and fun.

Ingredients:
  • 4 ripe peaches (you maybe could do this with canned, but I haven't tried)
  • 1/2 tsp ginger paste (I like the kind that comes in the tube)
  • pinch salt
  • 2 packets instant (maple and brown sugar) oatmeal
  • 1/2 stick butter
Halve the peaches, and slice into 1/4 inch slices. Put peach slices, ginger, and salt into a bowl and mix to combine. Dump into an ungreased baking dish. Spread oatmeal on top, then slice butter on top of that.

Bake at 375°F for 30 minutes. Then turn the oven to broil, and brown the streusel top.

For extra credit, refrigerate over night and serve on waffles for breakfast. I hear it's good, but somehow none ever seems to last the night ...

Feds doing the right thing on DNS security

When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist.
Well, yeah.

I've blogged a lot about the DNS vulnerability from Hell, because, well, it's a scammer's dream come true. Imagine being able to have your own site where people go, thinking they're paying their taxes online.

Well, the Fed.gov is doing The Right Thing - they're implementing DNSSEC throughout the entire .gov domain. DNSSEC has the zone owner sign its DNS records, so a resolver that checks the signatures can tell a genuine answer for www.irs.gov from a forged one. It doesn't encrypt anything, and it only helps if your resolver actually validates, but it shuts the door on exactly the cache poisoning trick that makes that DNS vulnerability so scary.

This is a lot of work that I'm sure lots of people would rather not be doing, and it is a big step in the right direction. A lot of us like to laugh at the feds, but this is a great example of them leading from the front.

Well done.

Sunday, September 21, 2008

Teh Funny (Reactive target edition)

Ur doing it rong.

Not quite like the Clays that we shot earlier today.

h/t #2 son's computer wallpaper. Now where on earth would he have gotten that sense of humor?

I'll take "Zen-like States" for $1000, Alex

What is an afternoon shooting at clays with JayG?

In a fit of insanity (and generosity), Jay invited me shooting. A couple hours later, my blood pressure is still 30 points lower, and this is even after driving back on Route 128.

Somehow, I'd never gotten around to shooting target clays (OK, I was slow as a child). The Cliff's Notes summary:
  • Boy, it's fun when they blow up.
  • .357 makes them blow up very impressively indeed.
  • It's an interesting feeling when you didn't break the clay because you hit it in the exact center. After all, you hit it in the exact center. But it didn't blow up!
  • Shooting things is fun!
Dang. Now I want a range here at Chez Borepatch. But then I wouldn't get out with Jay at his range again. Hey, I win either way!

Thanks, Jay!

We're in ur dollhouse, shooting ur enemiez

And boy, howdy, some folks really don't like it.

This looks like the sort of toy that Norman Podhoretz or Bill Kristol would buy for their kids.
Not that there's anything wrong with that, of course. And just who is in ur dollhouse?

Gov Palin and the First Dude, that's who.

And this is made out of AWESOME. I get the feeling that Barbie can reload her 10/22 without chipping her nail polish. RTWT.

Like most little girls I longed for a Barbie doll, but unlike most little girls, I never got one. This was because my mom, a radical feminist, felt that they were sexist.
That sound you hear? Radical feminists' heads coming off, like that Fembot scene in Austin Powers.

Oh, and the real Shoothouse Barbie has a new shooty toy.

Saturday, September 20, 2008

Saturday Redneck - Shania Twain

Shania Twain is a country star who crossed over to pop, so much so that she has the top-selling album by a female artist. Ever. She's the only female musician who ever had three albums certified diamond. Going pop hasn't hurt her on country music radio - she still gets a lot of airtime even though she hasn't recorded much of late.

For some reason, her song If you're not in it for love reminds me of the trouble that the Democratic party keeps having with the Reagan Democrats. Nobody likes to be taken for granted.
Mind if I sit down?
Can I buy you a round?
Haven't seen your face before
Are you new in town?
It's the same old line
Oh every time
Are you here alone?
Can I take you home?
Now every woman sees
With every "pretty please"
There's a pair of lyin' eyes
And a set of keys
He says come be a star
In the back seat of my car
Oh but baby slow down
You're goin' way too far

Let me make it clear
To you my dear

If you're not
In it for love (baby)
If you're not
Willin' to give it all you got
If you're not in it for life
If you're not in it for love
Let me make it clear
To you my dear
If you're not in it for love
I'm outta here!

Babe I can change your world
Make you a cover girl
Yeah you could be a beauty queen
In a magazine
Now tell me, what's your sign?
Why always the same old line?
I'll be number 409
If you change your mind

Let me make it clear
To you my dear

If you're not
In it for love (baby)
If you're not
Willin' to give it all you got
If you're not in it for life
If you're not in it for love
Let me make it clear
To you my dear
If you're not in it for love
I'm outta here!

(repeat chorus)

If you're not in it for life
If you're not in it for love
I'm outta here!
Bitter and clingy, yessiree.

Friday, September 19, 2008

Pirates?

I have to confess that I just don't get Talk Like A Pirate Day. Yeah, yeah, it's fun. Whatever.

I guess I could ask Weer'd Beard - he sort of talks that way every day. 'Course he actually knows a lot about ships and the sea, not to mention shooting. Kinda a trifecta, that.

OK, OK. Arrrrrr.

Apple security - not ready for corporate use

Apple's security fix process is a little, shall we say, not insanely great:
On September 9th, security teams met, reviewed the updates, set priorities and assigned resources. Remember that unlike other vendors, Apple did not provide any advanced notification on timing or the magnitude of the updates. This update caught everyone off guard. Then again, without notice, security teams were brought back to the meeting room to discuss the updates on September 12th (repeat drill above). Then yes, you guessed it, same story again on September 15th and again on the 16th. Who knows, maybe by the time this is published, there will be another update?
Microsoft thought long and hard before shifting all security patch releases to "Patch Tuesday." Apple is still releasing willy-nilly, which makes it very hard for corporate IT staffs to plan their update workload. As Apple finds itself releasing almost as many security patches as Microsoft (maybe more this month), it's starting to look like it's more expensive to manage OS X than Windows.

If security's your thing, then RTWT.

Via ZDNet's Zero Day security blog, which is a new addition to the blogroll.

Patriotism - ur doing it rong

Joe Biden, September 18, 2008:

Biden Calls Paying Higher Taxes A Patriotic Act.

Barack Obama, September 2007:

You keep using that word. I do not think it means what you think it means.

Thursday, September 18, 2008

Sarah Palin's (and your) email account

This is more interesting than I thought it would be. No, it's not because the Bad Guy looks to be a stupid, punk kid, but because this really wasn't password guessing. It's more subtle, and more pervasive, and therefore much, much more dangerous.

The problem is not passwords, although if you want to set yourself as a 'leet haX0r, remember that corporate end users have lousy passwords. Somewhere, someone has a password that's the same as their user name.

But Sarah Palin didn't have a bad password. OK, maybe she did, but that wasn't how her account got hacked. So what did she have?

A password reset capability on the mail server. You have one, too. You have it, because the nice folks who run your email system don't want to have to pay someone to sit at a telephone answering "I forgot my password" calls. Instead, they have a web page that asks you questions that they think you will know, but other folks won't:
  • What was your mother's maiden name?
  • What street was your first house on?
  • What's your zip code?
  • What's your birthday?
The problem? Google sees all, forgets nothing. It will lead you to places where there is all sorts of information. Like this.

So stupid punk loser boy let his fingers do the walking through Al Gore's Intarwebz until he got enough information that Yahoo unlocked Palin's email account for him.

It will unlock your account for him, too.
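A model of the two reset flows, added here as an example (it is not code from the post or from any mail provider): the question-based reset the post describes, beside a one-time token sent to a recovery phone, with expiry and a guess limit. The account, its stored answers and the attacker's "public facts" are all constructed for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 5        # wrong guesses allowed against one reset token
TOKEN_TTL = 600         # seconds a reset token stays valid


@dataclass
class Account:
    username: str
    password: str                    # plaintext only because this is a model
    answers: Dict[str, str]          # "security question" -> answer the provider stored
    recovery_phone: str              # out-of-band channel only the real owner controls
    reset_token: Optional[str] = None
    token_expires: float = 0.0
    failed_attempts: int = 0


def normalize(text: str) -> str:
    """Providers compare answers loosely (case, spacing), which widens the hit rate."""
    return " ".join(text.strip().lower().split())


def reset_by_questions(acct: Account, answers: Dict[str, str], new_password: str) -> bool:
    """The flow the post describes: answer the questions, get to set a new password.
    Nothing here is secret if the answers are facts a search engine can find."""
    for question, stored in acct.answers.items():
        if normalize(answers.get(question, "")) != normalize(stored):
            return False
    acct.password = new_password
    return True


def request_token_reset(acct: Account, sms_outbox: List[Tuple[str, str]]) -> None:
    """Hardened flow, step 1: send a random one-time token to the owner's recovery
    phone. The token is unrelated to anything knowable about the owner."""
    acct.reset_token = secrets.token_urlsafe(16)    # 128 bits of randomness
    acct.token_expires = time.time() + TOKEN_TTL
    acct.failed_attempts = 0
    sms_outbox.append((acct.recovery_phone, acct.reset_token))


def reset_by_token(acct: Account, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Hardened flow, step 2: the token must be current, unburnt and match in
    constant time; a handful of wrong guesses invalidates it."""
    now = time.time() if now is None else now
    if acct.reset_token is None or now > acct.token_expires:
        return False
    if not hmac.compare_digest(acct.reset_token.encode(), token.encode()):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.reset_token = None       # burn it; the owner must request a new one
        return False
    acct.reset_token = None               # single use
    acct.password = new_password
    return True


def demo() -> Dict[str, bool]:
    """Run both flows against one constructed account with made-up data."""
    acct = Account(
        username="governor",
        password="original-password",
        # constructed answers: the kind of facts a biography page or old news story gives away
        answers={"birthday": "1 April 1970", "zip code": "12345", "first pet": "Rex"},
        recovery_phone="+1-555-0100",
    )
    # What the attacker in the post had: public facts, no secrets.
    public_facts = {"birthday": "1 april 1970", "zip code": " 12345 ", "first pet": "rex"}
    results: Dict[str, bool] = {}
    results["questions_reset_succeeds"] = reset_by_questions(acct, public_facts, "attacker-pw")

    # Same attacker against the token flow: public facts are useless, and
    # guessing at the token burns it after MAX_ATTEMPTS tries.
    acct.password = "original-password"
    outbox: List[Tuple[str, str]] = []
    request_token_reset(acct, outbox)
    results["token_guess_succeeds"] = reset_by_token(acct, "1april1970", "attacker-pw")
    for _ in range(MAX_ATTEMPTS):
        reset_by_token(acct, secrets.token_urlsafe(16), "attacker-pw")
    results["token_burnt_after_guesses"] = acct.reset_token is None

    # The real owner reads the token off her phone and succeeds.
    request_token_reset(acct, outbox)
    results["owner_reset_succeeds"] = reset_by_token(acct, outbox[-1][1], "owner-new-pw")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```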

UPDATE 19 September 2008 20:24: Good additional info at Zero Day.

Is it worth fixing?

Eric Raymond has an interesting post on the trouble that the Democrats are getting in, because the media/academic echo chamber has removed a key sanity check, for example about the war in Iraq:
There’s no way for the Democrats to cope with this as long as the echo chamber they’ve constructed for themselves keeps reassuring them that the war is lost, and if it’s not looking lost right now it’s unwinnable, and if by some freaky fluke in the dialectic of history we win it voters will…uh, yeah, they’ll understand that we shouldn’t have fought it and surely, surely the ultimate American defeat that will make us look wise and prescient will be secured when the Iraqis oblige us by fucking up badly (this is the stage Obama is at right now).
The nature of the echo chamber has been discussed all over the place, but most interestingly at Engram Backtalk. What's interesting there is numeric analysis of the leftwards bias in the media:

Note that this is the self-described political orientation of the media. The Academy is as bad:

In both cases, the center of gravity is noticeably shifted leftwards from center, as compared to the general population. The general population notices:

So, the intellectual class is left of center (possibly well left of center), sees itself as the vanguard of progress, and is actively engaged in pushing the left of center party even further to the left. Raymond, once again:
That’s the trouble with cocooning. There always comes a point at which reality stops cooperating and you have to deal with what is rather than what you wish were so — the surge, and the Sarahcuda. That’s what’s happening to the Democrats. And they’re not coping well, not at all. They don’t have a lot of time left to recover before voting day.
So the super-size-cranium liberals are damaging the Democratic party. The question that Raymond doesn't ask, but that needs to be asked, is: at what point is society better off without them?

The public is answering this about the media. Just check out their stock prices. The public is probably answering this about the Academy as well. We certainly see this in lower confidence in the public school system, and there are signs that this is true for Universities as well:
State support of public universities has been declining, forcing many public universities to seek private support.
Add the fact that the Academy seems to be pricing itself out of the market, and there's a Bad Moon Rising. While support for hard sciences, engineering, and (maybe) economics remains strong, how long should the intellectual class expect support for postmodern theory, ethnic studies, and the rest?

Wednesday, September 17, 2008

Guitar Hero is Teh Awesome

So is XKCD.

Sarah Palin's email account hacked

Her Yahoo! Email account was hacked by the same guy who's waged a one-man cyber war with the Scientologists.

The cache of stolen data contains five screenshots from Palin's account, including the text of an e-mail exchange with Alaska Lt. Gov. Sean Parnell about his campaign for Congress.

Another screenshot shows Palin's inbox and a third shows the text of an e-mail from Amy McCorkell, whom Palin appointed to the Governor's Advisory Board on Alcoholism and Drug Abuse in 2007.

This is pretty boring, but raises some interesting questions:
  • What, oh what, would be the reaction if someone did this to Senator Obama?
  • What is the Governor of a state doing using email from Yahoo!?
  • If it is true that "Gentlemen do not read each other's mail," what does this say about this political season?
Overall, this seems way less of a hassle for her than most of what we've seen so far.

However, unlike the Scientologists, the Secret Service is investigating. It will be interesting to see what comes from this.

UPDATE 17 September 2008 20:14: Looks like password guessing. Very 1994. How immature are you?

Important Skeet shooting safety message

You need to go watch this. No, really.

UPDATE 17 September 2008 21:16: Link fixed. It would be nice if they let you embed the video.

Browser "Clickjacking" security discussion pulled

A presentation on security flaws in Adobe software, affecting all major browsers, is not going to be given after all:
Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.
This is a big, big deal in the security field, for several reasons:
  1. Jeremiah Grossman and Robert Hansen are big, big names in the "White Hat" (good guy) security research community. If they think there's a problem, guys like me listen.
  2. OWASP is possibly THE web security group. They're non-corporate, and don't sell anything, so are very credible indeed.
  3. Adobe Acrobat basically runs in any browser that you'd want to use, which kind of blows some of my advice.
It's a nasty vulnerability, if it works the way they say it does:
The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.
While this perhaps could be fixed on the web server (as opposed to the browser), this is extremely unlikely to happen. First, it might not be possible. Second, the web server's owner would have to know about the problem in their HTML - most won't. Lastly, the web server's owner would have to care, and unfortunately, that's not a bet I'd care to risk my personal information on.
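A server-side check for the bug class the quote describes, added here as an example and not taken from the post, from OWASP or from the researchers: it reads a response's headers and says whether the page can be loaded inside another site's frame, and shows the headers a site owner would add to refuse that. The two headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) were added by browser makers after this post was written; the sample responses are constructed.

```python
from typing import Dict, Iterable, List, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source, ...]}.
    Browsers honour the first occurrence of a repeated directive, so we keep that one."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a response's headers (names case-insensitive).

    A page with neither header can be loaded invisibly inside a hostile page, which
    is what lets that page redirect the visitor's clicks. When both headers are
    present, browsers that understand frame-ancestors ignore X-Frame-Options.
    """
    h = {name.lower(): value for name, value in headers.items()}
    # Content-Security-Policy-Report-Only is deliberately skipped: it logs, it does not block.
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        sources = [s.strip("'").lower() for s in ancestors]
        if sources == ["none"]:
            return True, "CSP frame-ancestors 'none': nobody may frame this page"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors limited to " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by most browsers; use CSP"
    return False, "no anti-framing header: the page can be framed by any site"


def add_framing_headers(headers: Dict[str, str],
                        allowed: Iterable[str] = ("'self'",)) -> Dict[str, str]:
    """Return a copy of the headers with both mechanisms set, so old browsers
    (X-Frame-Options) and new ones (CSP frame-ancestors) both refuse hostile frames."""
    allowed = tuple(allowed)
    out = dict(headers)
    directive = "frame-ancestors " + " ".join(allowed)
    existing = out.get("Content-Security-Policy")
    out["Content-Security-Policy"] = f"{existing}; {directive}" if existing else directive
    if allowed == ("'none'",):
        out["X-Frame-Options"] = "DENY"
    elif allowed == ("'self'",):
        out["X-Frame-Options"] = "SAMEORIGIN"
    # Any other origin list cannot be expressed in X-Frame-Options; CSP carries it alone.
    return out


# Constructed sample responses, as a site owner's audit might collect them.
SAMPLES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "legacy": {"X-Frame-Options": "deny"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, bool]:
    """Protected-or-not verdict for each sample response."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} {framing_policy(hdrs)}")
    print("after fix:", framing_policy(add_framing_headers(SAMPLES["unprotected"])))
```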

Hansen struck a more conciliatory tone in discussing the cancellation.

"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.

Both my regular readers will remember the discussion of the Boston MBTA fiasco.

I'll post more when I find out more. As Drudge would say, "Developing ..." (gotta get me one of those flashy light thingies).

Tuesday, September 16, 2008

Because they're idiots, that's why

I have in front of me the October 2008 issue of National Geographic, open to page 25 (my Google-fu is weak, but it looks like they don't have this issue online yet).

Anyway, see if you can detect what's wrong with the article, "Deer Crashing," by Thomas Hayden. Seems lots of folks run into deer with their cars; a good time is had by nobody, especially the deer:
Efforts to reduce the number of collisions - which cause thousands of human injuries and some 200 deaths a year - haven't been very successful. ... Some experts believe that the only real solution is wildlife overpasses and underpasses to get animals, from salamanders to grizzly bears, safely across the roads.
Hmmm, let's see. Lots of people hurt, some killed by a wildlife problem. The solution according to "some experts"? Spend a ton of the taxpayer's dough on animal bridges.

Why would "some experts" propose this? Well, you could cheat and look at the title of the post, or you could ask yourself what other solutions might be available:
  • Can we get a bunch of people to volunteer their time to solve the problem?
  • Could we get these people to bring their own equipment?
  • Could we get these people to pay their own money for the privilege of solving society's problem?
  • When they were done, would the deer be more likely to keep away from places where there are a bunch of people they might encounter?
  • Might these people use tools like this to solve the problem?
Mmm ... Lever gun!

Could it be that "some experts" don't like guns? Or don't they care about the animals?

Me? I love animals.

Mac fanboys, time to get patching

Gobs of security goodness in the latest OS X security update. You want this one:
The flaws in ImageIO, QuickDraw Manager, VideoConference and ATS could lend themselves to hostile code injection. Meanwhile security bugs in libresolv could allow DNS cache poisoning, Apple's security notice explains.
Hostile code injection has become one of the preferred techniques that the Bad Guys use to whack you. And while Apple likes to snark at Microsoft about security, they are starting to get a reputation for being slow to update. They only now fixed the DNS-flaw-from-hell problem that I discussed back in July.

Look, if Jay G can keep all his guns clean, can't you do a once-a-month security update? You'll be glad you did. And your Mac won't smell like Hoppe's #9 when you're done. Not that there would be anything wrong with that.

Monday, September 15, 2008

Last Pix from Galveston

From the webcams, anyway. Galveston.com hosted a webcam that lasted into the middle of hurricane Ike. Here's its last pic:

You can see the street flooded by the 12 foot storm surge. The blank white space is the rest of the picture image that the webcam never got the chance to upload.

Via The Register.

UPDATE 24 September 2008 18:39: Welcome everyone visiting via Google Images. At the risk of contributing to Internet ADD syndrome (Ooh - shiny!), take a look around. I have a helpful Best Posts category - if you like it, stop back. If you don't like it, well, that's as good as I can do!

The definition of cool

... is watching MXC with your kids. Because they're old enough now. This may be the new Three Stooges.

Birthday party

For #1 son. He's old enough to have long since graduated from Chuck E Cheese to Firefly's BBQ (yay!). And from Pokemon cards to Airsoft. Blogging will be light.

Sunday, September 14, 2008

New Shooter Report

One of the women at the office wanted to go shooting, so we went.

Before we went, we started with the basics, meaning the four rules. I also pointed out one of my older posts, about how things went wrong with a combo four rules failure, pellet gun, and sliding glass door. At the range, she surprised me with her ability to rattle the rules off - she had clearly paid attention.

We also discussed the importance of keeping the muzzle down range, and finger off the trigger (rules 2 and 3), as these in my experience are the most frequently violated rules on the range. She was scrupulous in observing these - she didn't have a single safety lapse. Maybe I'm too used to taking kids, but I found the whole experience much more enjoyable than usual, since I didn't have to play range safety officer at all.

We also talked about how loud things can be at an indoor range. While we weren't planning on shooting anything that makes super loud booms, I did want to set her expectation that even with hearing protection, there are unexpected loud noises that can startle you. Turns out that it was good that we covered this.

Lastly, I brought #2 son's CO2 pellet gun, to go over grip. I'm not by any means an instructor, but she'd never held a gun before. Now she quite likely has all sorts of bad grip habits, but they're very similar to my bad grip habits. In any case, it de-mystified what to do with the real guns. Since she took to them like a duck to water, I assume that this was fairly worthwhile.

We started with a Ruger Mark III .22 pistol. This is light, accurate, and quiet (no big BOOM), with little recoil. Since it's a semiautomatic, she remembered not to have her left thumb behind the barrel (ouch!). The trigger on this is very nice; with the bull barrel absorbing just about whatever little recoil there was, she didn't show any sign at all of developing a flinch. While reloading, we had an interesting discussion on target shooting competitions. Not only does one of the guys in the office compete in these, but her daughter used to compete at archery. Not a 100% connection, but close. It will be interesting to see if she gets into competitive shooting.

As she started shooting, I remembered Lady Elf's advice to men teaching women to shoot, which is to squash the tendency to focus on technique, and let her have fun shooting. This not only worked well - she would ask questions regularly that let me introduce new ideas at more or less a good time - but once again it let me shift into "have fun mode" rather than "firearms instructor mode".

She did fabulously well - at 5-10 yards, nothing outside the 7 ring, and a good portion (15% or so) in the X-ring. Fun!

After 100 rounds or so, she asked about "what's the next bigger gun?" She was happy to keep shooting, and liked the idea of trying something bigger. Twist my arm ...

Since we'd shot a semiautomatic, we tried a Ruger SP101 .357 revolver (although we shot 38 special). This not only introduced wheel gun load/eject concepts, but single vs. double action. Now I quite like this gun, and had no trouble making friends with the trigger. She found the single action pull very nice, but the double action pull too heavy.

Once again, lots of shooty fun, and excellent grouping for a first outing. By this time we'd shot enough to have the discussion about not worrying so much about the x-ring, just keep the groupings small.

The BANG was a lot more than the .22 of course. As was her grin. What is it about shooting louder guns that causes everyone to bust out grinning?

Not that we were the loudest kids on the block: two lanes down, someone had a shotgun. I was glad we'd had the discussion about how sometimes loud things happen at the range. We had fun talking to a girl that I think was his girlfriend, who had absolutely no intention of shooting the thing. Seems like he missed an opportunity, but hey, he got her to the range, right?

My coworker is probably going to move from the People's Democratic Republic of Massachusetts to New Hampshire. No sense paying high taxes now that her daughter is out of the house, and getting a gun in her town is a royal pain in the butt. After the shotgun episode, she clearly wasn't too keen on getting one for home defense (any suggestions on getting a lady shooting a shotgun, Jay?), but she is planning on going back shooting again. The advantage of a range that rents guns is that you can try a lot of different ones before you buy.

LadyElf, thanks for the great, great advice. Guys, if you take ladies to the range, shut up and let them have fun shooting!

UPDATE: 16 September 2008 13:47: Holy cow, it's a Jay-alanche! Welcome, and take a look around.

UPDATE: 16 September 2008 13:50: And a Greg-and-Beth-alanche! Thanks!

Off to the range

New shooter report later.

Saturday, September 13, 2008

Euros don't get it, episode XVI

European intellectuals have a terrible time trying to actually understand America. The London Times is particularly bad at this; their default position is to fall back into a reflexive sneer when flummoxed. As a former subscriber, I speak from experience.

Offered for your consideration, Exhibit A. Observe the sneer.

You Americans. Guns are bad, mkay? Palin is hockey mom, get it? You're about to load up a hockey mom. Get it? GET IT?

Observe the utter lack of comprehension as to why so many people here look at it and say "Hell Yeah!" And not in the way that they had anticipated.

Memo to Eurosnobs: We'd listen to you more if you didn't combine cluelessness with condescension.

Memo to American Liberals: Don't be like them.

Gerard Baker is perhaps the sole exception at the Times. He gets it. As Dick Cheney would say, "Big time."

Saturday Redneck - Garth Brooks

Jay has an interesting Country Music question about Garth Brooks' "Learning to Live Again". Divorcee or widower? Stop by and leave your thoughts in the comments.

There is interesting ambiguity in that song, but Garth does non-ambiguous pretty well, too. The Thunder Rolls builds the ambiguity in the first two verses, and destroys it in the not-frequently-heard third verse.
Three thirty in the morning,
Not a soul in sight,
The city's lookin' like a ghost town
On a moonless summer night.
Raindrops on the windshield,
There's a storm moving in.
He's headin' back from somewhere
That he never should have been.
And the thunder rolls.
And the thunder rolls.

Every light is burnin'
In a house across town.
She's pacin' by the telephone
In her faded flannel gown.
Askin' for a miracle,
Hopin' she's not right,
Prayin' it's the weather
That's kept him out all night.
And the thunder rolls.
And the thunder rolls.

(Chorus)
The thunder rolls
And the lightnin' strikes.
Another love grows cold
On a sleepless night,
As the storm blows on
Out of control
Deep in her heart
The thunder rolls.

She's waitin' by the window
When he pulls into the drive
She rushes out to hold him
Thankful he's alive
Through all the wind and rain
A strange new perfume blows
And the lightnin' flashes in her eyes
And he knows that she knows
And the thunder rolls
And the thunder rolls

*chorus*
The music video only does these verses, but the story line gives away the ending.

The Thunder Rolls (video)

The third verse (mine is from the Double Live album) also removes all doubt:
She runs back down the hallway
To the bedroom door
She reaches for the pistol
Kept in the dresser drawer
Tells the lady in the mirror
He won't do this again
Cause tonight will be the last time
She'll wonder where he's been
*chorus*
Interestingly, the video was banned from CMT (and TNN) when it came out in 1991. When the GAC network first started, it was the first network to air the video, and the video was the first one GAC aired.

Friday, September 12, 2008

"It's OK, it has a Firewall."

Just go watch.

I'm not sure about how effective the new Bill Gates/Jerry Seinfeld commercials will be, but this sure is funny.

And I confess to being an amoeba with a blog, even if the Truth Laid Bear ecosystem is totally broken here.

And I'm no longer Youtube video lame! But I don't think there's malware in this.

Hat tip: Mark Curphey.

iTunes and iPhone upgrade crashes Vista

On Tuesday, Apple released iTunes 8.0. On Tuesday, iTunes and iPhone software all over the world started to upgrade itself.

On Tuesday, Vista owners found that their computer crashed whenever they plugged in their iPod or iTunes.

As Slashdot says, now that's a killer application.

This is what security folks call a Denial of Service situation, and there have been some high-visibility examples. Accidentally doing it to yourself when you upgrade your applications is a good way to find yourself administrator of paper clips, not servers. This is the major reason that people don't like to patch, even (especially) when they have important systems.

So if you have Vista, don't update to iTunes 8.0. Actually, it may be XP, too, so be careful.

And as always, the comments at Slashdot satisfy, this time with a riff on the "Hi, I'm Mac ... And I'm a PC" commercials:
"Wow PC, it looks like your Vista users are really having headaches running great software like iTunes 8. Mac runs them just fine."

"You son of a bitch." (Pulls out a gun)

"Whoa PC, whoa, let's not..."

BLAM.

Teh Funny (Redneck Security edition)

One of the Google search strings that led someone here was "Redneck Security". I guess it's a fair cop.

It was too good not to check out, which led me to Lindsay's place, which had this:
HOW TO INSTALL A HOME SECURITY SYSTEM IN THE SOUTH

1. Go to a second-hand store and buy a pair of men's used size 14-16 work boots.

2. Place them on your front porch, along with a copy of Guns & Ammo magazine and your NRA magazines.

3. Put a few giant-sized dog dishes next to the boots and magazine.

4. Leave a note on your door that reads:
Go check it out for the punchline. Not only is it funny, I'm fixin' to do it here in the People's Republic of Massachusetts.

I'd just change the note so it's addressed to Jay G ...

My lameness saves me

Well, maybe not me. You:
Miscreants have created a tool that dumbs down the process of using fake YouTube websites to spread malware.
So yesterday when I couldn't embed a Youtube video, this may be a feature, not a bug. Just looking out for my readers.

The exploit is actually downloaded not from Youtube, but from somewhere else. That's the first hint that something isn't right. The second hint is when you're told you need to download a new codec. Of course, it's not an actual codec, but rather is spyware.

As I posted a while back:
ANY time you're told that you "need to download a new codec" you say NO.

Gozer: Are you a God?

[Ray looks at Venkman, who nods]

Ray: No.

Gozer: Then... DIE!

[Lightning flies from her fingers, Ghostbusters almost wiped out]

Winston: Ray, when someone asks you if you're a god, you say "YES"!
Remember, "Download this code" is internet-speak for "open your mouth and close your eyes."

Thursday, September 11, 2008

Why there hasn't been another 9/11

Lots of discussion today about why there hasn't been another attack like 9/11.

Fighting for Liberty posts a video of Ray Charles, singing America the Beautiful. But that doesn't explain why we haven't been hit again.

Toby knows. God bless the military. Thanks, guys.

Yeah, I know I have to figure out how to actually embed a Youtube video. In a hurry now.

Why teach your kids to shoot?

To get them away from the X-Box.

Both sons tell me that no, they don't want to come to dinner, thank you very much. This time, instead of being in the middle of Halo, they're outside in the yard (!) shooting Air-Soft.

Not only does my heart swell with fatherly pride (shooty goodness), they're out in the fresh air (exercise).

I expect a call from the local constabulary any minute. Some sort of PSH about a kid with a gun. It is Massachusetts, after all.

The children of 9/11

I doubt that this is a complete list, but the airplanes had a number of children on them. Here are some of them.
Christine Hanson, 2
Juliana Valentine McCourt, 4
Zoe Falkenberg, 8
Dana Falkenberg, 3
David Brandhorst, 3
Bernard Brown, 11
Asia Cottom, 11
Rodney Dickens, 11
The town I live in has a 9/11 memorial, for the three residents who were on the planes.

All expendable. Requiescat in pace. And God bless the military who have kept this from happening again.

But our intellectual superiors are on the case. Just today the Boston Globe had an article about how Sarah Palin was the same as the Taliban. Note to the Globe: you hate her because she doesn't kill babies.

Wednesday, September 10, 2008

Quote of the day

Via email from the LawShark, pointing out a story:
Good news. The most recent poll shows Barack is favored by 80% of the electorate--the French electorate!
Ouch. I mean, ouch.

I do not think that word means what you think

Seems Obama is jazzed by constitutional rights for terrorists, and waxes poetic:
"The reason that you have this principle is not to be soft on terrorism. It's because that's who we are. That's what we're protecting," Obama said, his voice growing louder and the crowd rising to its feet to cheer. "Don't mock the Constitution. Don't make fun of it. Don't suggest that it's not American to abide by what the founding fathers set up. It's worked pretty well for over 200 years." [my emphasis]
Mkay, how about this?
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
Hey, dude. Don't mock the Constitution.

My first link to Kos. Their hit counter's fixin' to spin.

Industrial Security? We'll see

Both my readers will remember the recent post on SCADA vulnerabilities. Seems that now there's exploit code in the wild. The next few months could prove interesting indeed.

This is probably the worst situation that a security guy can be in. You know that there's a credible threat to your systems. If this system is running a power plant, refinery, or factory, someone might get hurt if something goes wrong. But a lot of managers won't want to apply the security patch.

How come? Because you almost always have to shut down the computer when you do this, which means you have to shut down the power plant, refinery, or factory. This costs money. Hey, maybe it'll all be OK, right?

Patching is hard. Downtime costs money. This is why important computers should never, ever, be on Al Gore's intarwebz thingie.

Via Slashdot. The comments are well worth reading.

Apple: We don' need no steenkin' security patches

Or something like that. What, you didn't hear about the critical security patches for iTunes and Quicktime? Don't feel bad - seems like Apple kept it hush hush:

Those who use Apple's iTunes or QuickTime on either a Mac or Windows machine, or who own an iPod touch, will want to install newly released updates that fix a raft of serious security bugs. Not that Apple is going out of its way to warn of the risks, mind you.

The most serious of the batch seem to be updates for QuickTime, which plug holes that could allow attackers to hijack a Mac or PC simply by tricking a user into viewing a maliciously crafted video or picture. (And given the presence of millions of recently compromised websites, how hard can that be?)

El Reg concludes with generous and understated advice:
Apple's diligence in stamping out bugs is commendable. But its Howard Hughesian obsession with secrecy and marketing imperils their considerable number of users, and that's a pity.
Mine isn't quite as understated. Hey Apple: don't be evil. Patches are an insanely great idea. Let folks know.

Tuesday, September 9, 2008

Quote of the Day

I find it disingenuous and beyond bothersome for the Police to constantly beat the drum of, “just give them what they want,” or “don’t fight,” or, “just cooperate” and then come out and wag their fingers because nobody threw themselves in front of a claw-hammer-wielding psychopath.
Gruesome attack on the Chicago subway, by a hammer-wielding psycho.

But don't worry, the Chicago police have it under control. Listen to them tell you what to do, then listen to them blame you for doing it. Remember, they're smarter than you.