Sunday, November 30, 2008

Thanks, Kim

I've written before about how Kim du Toit inspired me to take my kids shooting, and was kind enough to post a new shooter report. I've also posted about why I'll miss his stories.

Quite frankly, without Kim, I would never have experiences like yesterday at the range with #1 Son and JayG.

So thanks, Kim.

Ssg David Bellavia: House To House

The battle for Fallujah was one of the most harrowing - perhaps the most harrowing - battles in the Iraq war. Staff Sergeant David Bellavia was there, and was nominated for the Medal of Honor for his part of the fight. It's hard to find words to describe "his part", which included the virtual single-handed clearing of a fortified house set up as a kill zone - including killing one of the insurgents in hand to hand combat.

The book is simply one of the best battle memoirs I've ever read, period. What makes it stand out from the rest is the description of that fight, which will make your hair stand on end. His squad has just fought its way out of the ambush house, leaving the insurgents unscathed. Bellavia decides that they need to take them out. Tension is high.

I lean into [Lawson] and whisper melodramatically in his ear, "Dude, I'm [redacted] scared to death."

"I know, man, I am, too," he replies.

I spring the trap: "You're a [redacted] pussy. Whadda mean, you're scared?"

He bursts out laughing and the tension breaks for just a moment.

The battle is between the US Forces and the insurgents, but also between his fear and his desire to be a leader for his men. Despite the Audie Murphy stuff, Bellavia is quite up front that he was scared almost to immobility. This conflict between wanting to do it and being afraid to do it is what makes this book stand out.

That, and the story of the fight itself, back in the kill house. The insurgents are hidden, but he can hear them. Their calm, muttered Allahu Akbar almost unnerves him.

I know that I don't have much time left. The younger insurgent is still trying to prep the rocket, but any second his fumbling fingers will get it armed.

I try to remember the Twenty-seventh Psalm. It is one of my favorites. The words do not come. Instead, my brain locks on to The Exorcist again.

The power of Christ compels you.

From the next room I hear more whispers. "Allahu Akbar."

Suddenly, the movie line doesn't seem so foolish and random any more. They have their God. I have mine.

"The power of Christ compels you." Did I say that aloud? I don't know. I don't care. I seize those words. I embrace them. They become a lifeline. I stake everything on the strength they evoke. I utter them again, louder. I have my own mantra now. It is my talisman, my testament of faith.

"THE POWER OF CHRIST COMPELS YOU!"

"ALLAHU AKBAR! ALLAHU AKBAR!"

In one sudden rush, I carry the fight to my enemy.

It's simply an astonishing book, and a brutal - though unspoken - rebuke to a Hollywood that can't seem to find compelling stories of the war.

Highly, highly recommended. I'd give it five stars, but we don't do stars here. Perhaps five bore patches. Or teletubbies.

Boston talk radio host Michael Graham interviewed Ssg Bellavia last summer at the Democrat National Convention. Interesting listening.

Happy Birthday Barbie

Fifty doesn't look bad, really. Of course, here chez Borepatch, we're partial to chicks with guns.


You can't talk about Barbie without landing in a swamp of Political Correctness, and I'm simply not interested. Let me just say that after accessorizing her with a pink Ruger 10/22 M1 Garand*, Barbie is now even more politically incorrect. Free to be strong and feminine. Leftie's heads exploding fembot-like in 3 ... 2 ... 1 ...



*See comments.

Blogroll addition

There's a new blog in town that you should check out, The Unpaid Bill. Stop by and say hi.

Shooting with JayG and #1 Son

Yesterday, JayG invited me to the range, and we took #1 son along.

Just let me say that nothing beats shooting with one of your kids. Matter of fact, there's not a lot that beats shooting with Jay.

Now, my opinion is that #1 Son perhaps plays too much Zombiepocalypse games with his friends. But it's an ill wind that blows no good - in this case, he had a serious itch for pump-action shooty goodness. Jay's (I think it was a) Remington Model 12 .22 pump was just the ticket.

So much so, in fact, that I didn't get a chance to shoot it much. It's insanely accurate, and the short throw means that if you were willing to burn $25 in practice .22 ammo, you could get a pretty decent rapid fire rate.

I spent a fair amount of time with Jay's sweet, sweet Colt 1911. It's also insanely accurate. (cue Wayne's World)

Someday, she will be mine. Oh, yes.

There's simply nothing about this pistol that I don't like. I did catch myself flinching, but extra concentration on a surprise trigger break produced acceptable results. 8 yards, 16 rounds (plus a couple of shots of .22 by #1 Son):


While we were there, a car pulled up right next to the range. Since the parking lot was across the street, this seemed unusual. It was a guy bringing his disabled dad to the range. Even in a wheelchair, he did quite credibly, especially with Jay's Colt .22 Police training model. We had quite a nice chat with them, which I find pretty typical of range conversation. After all, we had a lot in common:
  • We were all trying to improve our skill.
  • We all enjoy the art and skill that goes into making a great gun.
  • We all enjoy spending time with our father/son.
Thanks, Jay - this was an outstanding afternoon.

Saturday, November 29, 2008

Lego Art

Sitemeter sometimes serves up some interesting referral strings. It's quite a relief that I'm way down the list (page 4) for "photos of mcdonald's naughty wife". Um, dude? I think you're looking for this. I expect you'll be disappointed, but hey, what do I know?


Sometimes the referrers lead me to something amazing, like this. Mike Stimpson recreates famous art photographs using Lego. Here's Eisenstaedt's photo of the sailor kissing the nurse in Times Square on V.J. Day, and here's Stimpson's Lego recreation. He had to use an airline pilot, because he says that Lego doesn't seem to make sailors.

And here's Charles Ebbet's Lunch Atop A Skyscraper.

With Lego, he recreates D-Day, the raising of the American flag on Iwo Jima, and the protester in front of the tank in Tiananmen Square.

He has non-Lego art as well. My favorite is Spaghetti Code (click through to see it; it's well worth your time if you're a tech geek like me).

And oh, yeah - chicks with guns:

Borepatch and Linux visitors

I'm kind of surprised to see that 13% of my visitors run Linux. It's actually a little less than that, since I also visit my blog (Quality Control - it's a never ending job) and I run Linux. For years, Linux has been hovering around mid-single-digit market share, so this is 2 or 3 times expected.

Same for Mac, at 14%. Apple has only recently approached 10% share of new systems sold, and overall installed base is likely no more than 7%.

I'm not sure why these OSs are so over-represented.

Trace Adkins - One Hot Mama

Earlier this week we saw the spectacle of the lost cell phone. Specifically, Mr. Philip Sherman took naughty pictures of Mrs. Tina Sherman, and then lost the phone. Oops.

Well, when you get past the "are you smarter than a fifth grader" part, there's a bit of sweetness here. It's kind of nice that Mr. Sherman still thinks that Mrs. Sherman is hot, and this leads us to today's Saturday Redneck.

Rock and Roll doesn't lack for songs about hot girls. What it does lack are songs about hotness after marriage. Or kids. Fortunately, Country is much less hung up on the cult of youthful rebellion, and has all sorts of songs about all sorts of ages.

We've seen Trace Adkins in Saturday Redneck before, so I won't go into background. Mr. and Mrs. Sherman, this Saturday Redneck is for you.

One Hot Mama

Sports car - yeah baby. And I think it gets simply hilarious at about 3:10.

You're doin' all you can to get in them old jeans.
You want that body back, you had at seventeen.
Baby, don't get down; don't worry 'bout a thing.
'Cause the way you fill 'em out, hey, that's all right with me.
I don't want the girl you used to be.
An' if you ain't noticed, the kids are fast asleep,

An' you're one hot mama;
You turn me on, let's turn it up,
An' turn this room into a sauna.
One hot mama,
Oh, whaddya say, baby?
You wanna?

Well, I know sometimes you think that all you really are,
Is the woman with the kids an' the groceries in the car.
An' you worry about your hips an' you worry about your age.
Meanwhile I'm tryin' to catch the breath you take away.
Oh, an' believe me, you still do.
Baby, all I see, when I look at you,

Is one hot mama;
You turn me on, let's turn it up,
An' turn this room into a sauna.
One hot mama,
Oh, whaddya say, baby?
You wanna?

I can't imagine me lovin' someone else.
I'm a lucky man,
I think Daddy's got himself,

One hot mama;
You turn me on, let's turn it up,
An' turn this room into a sauna.
One hot mama,
Oh, whaddya say, babe?
Oh, now whaddya say, babe?
You wanna?

You're one hot mama,
Let's turn this room into a sauna, yeah.
Whaddya say, babe?
Whaddya say, babe?

Friday, November 28, 2008

Confirmation Bias, Parliament, and the Climate Change Bill

Tim Worstall has a very interesting analysis of the UK Parliament's recent consideration (and passing) of the Climate Change Bill. Basically, it starts from the point of noticing that the Bill fails based on the government's own cost/benefit analysis:
Total Cost (PV*) £30 to 205 bn
Total Benefit (PV) £82 to 110 bn
* Present Value

As you can see, we've something of a problem here - particularly as the Bill received Royal Assent this very week. ... But by the standard measures of a c/b analysis the course of action the Climate Change Bill maps out fails.

We've got a possible range of nice to nasty of + 52 to – 95. That's what's known as a fail. We're more likely to be making things worse than we are to be making things better. So by the Government's own calculations we shouldn't be doing whatever it is that is in the Climate Change Bill and should be looking around to come up with something else, a plan B.

It's pretty clear that Worstall agrees with the Anthropogenic Global Warming theory. Both my readers know that I don't take that view. However, this article is very, very interesting.

It's an example of a "thinking leftie's" argument. While I think he's wrong on the causes of Climate Change, his world view is coherent and - within the limits of his initial error - logical. It's also refreshing to see someone on the left point out something that we can all agree on:

But that's not what happened - Parliament wafted it through without even discussing its cost and with only five votes against. Lilley goes on to point out one of the great pieces of political wisdom:

"In my experience, our biggest mistakes are made when Parliament and the media are virtually unanimous and MPs switch off their critical faculties in a spasm of moral self-congratulation. That is what happened with this Bill."

Similarities to the Fed.Gov bailout of the banks are purely coincidental. I absolutely agree with this statement:

Which leads us to the next important question, how high should that tax be? That question bringing us back to a c/b analysis; what are the effects of carbon emissions going to be in cash terms?

This is, in my view, precisely where the discussion should be. If the effects of increased carbon in the air are negligible, then the answer becomes obvious from a cost/benefit perspective.

This debate is nowhere near over, but it's refreshing to see something in the press that's not OMG-we're-all-going-to-dieee!!!!1

UPDATE 29 November 2008 10:12: Mr. Worstall stops by in the comments to say that he's not a leftie. Thanks for the comment, and sorry.

It may be that I got caught up in my own confirmation bias: someone writing in the media about global warming - gotta be a leftie. Mea culpa.

Geeky Lego Video Meme

Tam posted Lego "White and Nerdy", which cracked up #2 Son. In the spirit of crazy-insane-stop-action Lego goodness, here's a parody of Iron Chef.

In Lego.



Anyone else have any? A Lego Wallace and Gromit would have some serious stop-action geeky cred.

I am teh stupid

While I've been reveling in my Ubuntu geek-cred (remember, all the cool kids are doing it), my iPod was not a happy camper. I ripped some CDs with Banshee, which then stuffed them down on my iPod.

The iPod just blinked back at me. It saw the songs, but couldn't play them. Any of them.

I was describing this to #1 Son in the car this morning, and he had an observation that was pretty stunning in its simplicity: the iPod only understands a few file formats - m4a, m4v, MP3.

Hmmm. I wonder what Ubuntu is using? A quick check when we got home gives the answer: Ogg Vorbis.

Now Ogg may be the shizzle Flippity Floppity Floop when it comes to free-as-in-beer music ripping, but to the iPod it don't mean a thing if it ain't got that swing.

Worse, Ubuntu doesn't install MP3 support. Oh bother.

But want to know what's cool? An instant of Google-fu led me to a link at Ubuntu that had what I needed. Even more impressive, rather than the usual Linux now what the heck are the command-line switches/oops I forgot to sudo/dependencies aarrrghh! experience, it was a "click here to download and install from Ubuntu." One click, and it needs your password to install (from a security perspective, this isn't just A Good Thing, it's The Right Thing).

And extra credit to you for pointing out that I keep telling you not to download stuff from the Internet, especially if it's a codec. Yes, yes, "free Internet download" is high tech jargon for "open your mouth and close your eyes."

What's different is that I know who I'm downloading from, and I trust them. Heck, I got my whole darn Operating System from them, so if they really wanted to trojan me, then all my computer are belong to them. It's like a Windows user downloading a patch from Microsoft - if you don't trust them, don't use them.

So my iPod is getting stuffed full of music that it's happy to play. Yay me!

Wordpress bloggers, start your patches

WordPress has fixed a nasty Cross-Site Scripting bug, so if you're a WordPress sort of blogger (and if you don't have someone hosting your server who handled this for you), then you'll want to upgrade to WordPress 2.6.5.

But why do you care, I hear you ask. Because if you don't, Bad Guys can anonymously inject malicious Javascript into your blog, which then will infect people who read your blog. You'll be a blogosphere Typhoid Mary, mkay?
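Here's an added illustration of what "inject malicious JavaScript into your blog" means in practice. It is not code from the original post and has nothing to do with the actual WordPress 2.6.5 fix; it just shows the generic pattern behind most stored XSS: untrusted comment text pasted straight into the page versus the same text HTML-escaped on output. The comment string and the `render_comment_*` functions are made up for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a blog comment that carries markup. In a real stored XSS
# this string would arrive from an anonymous comment form.
SAMPLE_COMMENT = 'Nice post! <script>document.location="http://example.invalid/"</script>'


def render_comment_unsafe(author, body):
    """'Before' pattern: untrusted strings are concatenated straight into HTML,
    so any tag in the comment becomes part of the page every reader loads."""
    return f"<li><b>{author}</b>: {body}</li>"


def render_comment_safe(author, body):
    """'After' pattern: every untrusted value is escaped at the point of output.
    html.escape turns < > & " ' into entities, so the browser shows the text
    of the comment instead of executing it."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


class _TagCollector(HTMLParser):
    """Records the start tags a browser-style parser would find in markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tags_in(markup):
    """Count the <script> elements that would actually be parsed out of markup.
    Zero means the comment was rendered as text, not as code."""
    parser = _TagCollector()
    parser.feed(markup)
    return parser.tags.count("script")


if __name__ == "__main__":
    for render in (render_comment_unsafe, render_comment_safe):
        page = render("anonymous", SAMPLE_COMMENT)
        print(render.__name__, "-> script elements:", script_tags_in(page))
```

The check counts real `<script>` elements rather than searching for the substring, because the escaped version still contains the word "script" as harmless text; that distinction is exactly what the browser cares about.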

Black Friday after action report

#1 Son and I braved the after-Thanksgiving sales, and have safely returned to base.

The stores were crowded, but not mobbed. The feeling of agoraphobia that I'd felt in the past wasn't there.

Boy, howdy - there are deals. We weren't even there at the crack of dawn, and there are deals. A bunch are advertised as "Price good through weekend".

BJ's was pretty empty. We were out of Red Bull, and got through the non-existent checkout line faster than we'd ever done.

Thursday, November 27, 2008

Marketing FAIL


H-S Precision, Inc has the Worst. Marketing. Ever.

Sebastian is running a Photoshop contest, so here's mine. I'd add a reticle pattern, but (a) it seems kind of over the top, (b) I can't decide if it should be centered on mother or daughter, and (c) my Gimp skillz are weak.

If you have a suggestion, feel free to leave it in the comments.

UPDATE 27 November 2008 10:47: Looks like it's a Snowflakes-in-Hell-alanche! Take a look around, and leave a suggestion on improving the pic in the comments.

UPDATE 27 November 2008 11:57: This may only be understood by people who shoot a lot. #1 Son helped me with his considerable Photoshop-fu, so here's a (much) improved version.


UPDATE 28 November 2008 13:46: Davidwhitewolf in the comments points out that I misspelled Horiuchi's name. Thanks. Fixed.

UPDATE 1 December 2008 14:05: Voting is open over at Snowflakes In Hell. If you like this one, it's #6.

UPDATE 2 December 2008 20:36: Congratulations to Tim, who won the contest. My entry came in second, so thanks to everyone who voted for it!

Thanksgiving thoughts


To our soldiers, sailors, airmen, marines, and coasties: thank you.

Stay safe, and come home soon and victorious.

Wednesday, November 26, 2008

Ubuntu Linux is teh awesome

I'm a Linux geek - this started back in 1994 with Slackware (0.99 kernel) on 25 pounds of floppy disks. Along the way, I've gotten less interested in recompiling kernels and messing around to make things like sound and video work. I'd run Red Hat for a while, and tried SuSE, and ended up with boring old Red Hat Enterprise Edition.

Well, all the cool kids seem to have been trying Ubuntu, so I loaded it this afternoon. Let me tell you, this is the Linux for the masses. In 15 minutes, I had this:


It was trivial to import my data from USB, and I grabbed my pics from the iPhone (and no, there are only Safe-For-Work pictures, thank you very much).

It comes with all the office applications (word processor, spreadsheet, etc). It also comes with the Gimp, which is an open source Photoshop type app. I used it to make the Palin/Breda logo (don't blame the app; my skillz are weak).

I haven't installed iTunes. Yet. This is the only mission critical app left, and is in a sense an acid test: Apple does not want people running iTunes on Linux. Either I'll try it running under emulation (WINE or VMWare), or I'll toss the whole thing and try Banshee.

Note to Apple: all you're doing is giving me an interesting challenge. The old definition of copy protection applies here:

It's a method of preventing incompetent pirates or legitimate users from using your product.

Arrrrr.

Anyone sick of spyware and malware should think about this. It's way, way easy. I'll update everyone on the iTunes thing - that's the last bit that would keep you suffering on Vista.

Arrrrr.

Free Windows Security Tool

Secunia is a well regarded Internet security firm, and they've released a free tool that all you Windows folks should take for a spin. It analyzes the applications on your computer, and tells you which ones need security updates.

Even better, it gives you clear instructions on how to get the updates.

It's been in beta for a year and a half, and has nearly a million people using it, so don't worry that you may be the first kid on the block to try it.

Full disclosure: I haven't run this myself (I'm a Linux bigot). However, Secunia has always impressed me as having a clue. Not that this wouldn't be useful for Linux or Mac, but it's much more urgent for Windows.

Quote of the Day, British Understatement Division

From the Rt. Hon. Philip Davies, MP:

You are saying that the purpose of a lap dancing club is not to be sexually stimulating? Most people would find that a rather incredible claim.

This is why I love Her Britannic Majesty's Parliament. We uncultured colonials would phrase this (ahem) somewhat differently.

Boy, howdy.

Range Report - Beretta Cx4 Storm (Revisited)

A while back, I shot a Beretta Cx4 Storm carbine. It was a frustrating experience - in particular, I had trouble with the iron sights and the trigger. I think that this was the only Range Report where I couldn't find much good to say about the gun. #2 Son liked it, though. So, since I still get a fair number of hits (for me) from people using their Google-fu for information about it, I thought I'd give it another try.

As it turns out, the nice folks at the range had two in stock. The one I got this time had a peep sight. As it turns out, the trigger had much less take up than the first one. So did it make a difference?


You could say that. Boy, howdy. 25 yards, offhand, iron (peep) sights. 50 rounds.

Now, the interesting thing here is not the grouping: 25 yards really isn't very far, so there's not much to brag about here (it's an indoor range). What's interesting is that my impressions from the first time were pretty far off the mark. I was quite frankly pretty flummoxed the first time around. Going back to the well - especially with modifications that addressed the biggest objections - was instructive.

So here's my thinking about the Beretta Storm:
  1. It's handy: short, pretty light, points well. All the carbine virtues are well represented.
  2. Since it's chambered in the 9mm pistol round, it's not spendy to shoot. I'm not sure that this would be the ideal home defense gun, but if you used it as one you'd want +P hollow point rounds. As for a carry gun, fuggedaboutit.
  3. If you get one, you'll want to think pretty hard about replacing the basic iron sights. You may also want a trigger job.
  4. #2 Son really likes shooting this.
  5. Beretta, I'm sorry I said those bad things about your product. I take it all back.
I guess that if you shoot something that simply doesn't sit well with you, it's worthwhile trying it out again sometime.

Oh, and the standard disclaimer:
I'm not any kind of gun or shooting expert. I like shooting, and shoot a fair number of different guns, but I'm really a dilettante. Your mileage may vary, void where prohibited.

I don't do scientific, repeatable tests. There's no checklist, although that's not a bad idea. I write about what I like and don't like, but it's pretty much stream of consciousness. Opinion, we got opinion here. Step right up.

I'm not a shooting teacher, although I do like to introduce people to shooting. Maybe some day I'll take the NRA teaching class, but until then, you get a dilettante's view. You'll get opinion here, but if you get serious about shooting, you'll want to get someone who knows what he's doing to give you some pointers. It can help.

And oh yeah, shooting things is fun.

UPDATE 27 November 2008 05:30: Via a comment by Mr. Bruce, a typo of herculean proportions.

"Maybe some day I'll take the NSA teaching class..."

??

If that's not a typo, you are The Man!
Heh.

Fixed now. Thanks!

How to really get that data off that hard disk

Thermite.

Yeah, that should work.

Marcus Ranum has a post about using armor piercing .50 cal BMG to sanitize a disk, which is nearly as spectacular and I'd think somewhat less risky during the prep phase.

Now, I'm a simple man, with simple tastes. While I haven't set up a Box O Truth style test on the effect of different calibers on hard disks, initial testing suggests that 20 ga slugs are nifty for this.

And a note to Mr. Philip Sherman of Fayetteville, Arkansas: don't put thermite on your iPhone. There are simpler and less dangerous ways to keep your wife's photos from falling into the wrong hands, like not keeping them on your phone. Just sayin.

Tuesday, November 25, 2008

The sound of inevitability

Just mind the gap, Mr. Anderson.

Yum

Made. Of. Win.

You can buy one, but you have to click through.

Unofficial patch released for Microsoft vulnerability

No, it didn't come from Microsoft. No, this isn't usual. At all.

The vulnerability affects Enterprise and Ultimate versions of Vista in both 32 and 64 bit flavours of the operating system. XP is immune. Phion has published a workaround in the absence of a fix from Microsoft itself.

It raises eyebrows when someone patches someone else's code. It's happened before, but not very often.

If it were me, I wouldn't use the patch. This seems to be a pretty hard bug to exploit. Certain classes of bugs, like Shatter, Blue Pill, and (maybe) this require pretty serious skills, and aren't easily scriptable. Net/net, you're unlikely to get attacked this way.

Confirmation Bias, the media, and the Academy

People process information in a peculiar manner. When we're introduced into a new situation, we gather much more information than we do when we're in a familiar situation. It's sort of a heightened state of alert, as the mind gathers data to make sense of the situation. Once the mind has figured out a pattern that explains the situation, it issues a "Stand Down" order to the conscious intellect, and we can focus on other things.

This is why you want a driving instructor with new drivers; they don't always process data with the same reaction time that an experienced driver does. As the mind constructs mental patterns of behavior, it can shift more to an "auto pilot" mode and still handle things competently.

Normally, this is a good thing. There are far too many things going on, and living in the heightened state 24x7 would be exhausting. The brain's mental patterns help us live more productive, happier lives.

It's enough of a value that people very much resist changing established patterns. Marketeers understand this, and it's why it costs so darn much to introduce a new brand into the market. It's also why most of those new brands fail, and fail fast. People essentially say "Look, I'm sure that your toothpaste is very nice and everything. But I've already picked a toothpaste that I'm happy with, and it's simply not worth the mental effort to honestly evaluate your stuff." Of course, they don't say this in so many words, but it's there anyway.

The brain essentially sorts data into "relevant" and "irrelevant" buckets. "New Toothpaste Brand" is often put into the "irrelevant" bucket, while "That car doesn't look like it's going to stop at the red light" goes into the "relevant" bucket. After a little training, it all happens automagically. Again, this is usually a good thing.

It goes wrong when the mind puts data into the wrong bucket, and it does this a surprising amount of the time. If the cost of a miss like this is low, then it really doesn't matter. The new toothpaste may be the shizzle Flippity Floppity Floop, but so what? The mental model works well enough, and the new data is rejected, even if it would be superior.

The rejection of data that does not fit the mental model, but which would be superior to the current model, is Confirmation Bias. We all have it; it's one of those facts of life. Adam Shostack has a good post over at Emergent Chaos on this, with a very funny example of Confirmation Bias:

There's a really funny post on a blog titled "Affordable Indian Astrology & Vedic Horoscope Provider:"

Such a choice of excellent Muhurta with Chrome release time may be coincidental, but it makes us strongly believe that Google may not have hesitated to utilize the valuable knowledge available in Vedic Astrology in decision making.

This is a beautiful example of confirmation bias at work. Confirmation bias is when you believe something (say, Vedic astrology) and go looking for confirmation. This doesn't advance your knowledge in any way.

Groups have it, too, when a mental model is transmitted within a group. This is where Confirmation Bias becomes damaging, where Group Think can form because of competing reward systems. Group members accept the maladaptive data categorization because the group dynamics reward conformity. It doesn't happen all the time, in all groups, but when it does it can produce spectacular failures.

We're seeing one right now with the media. There are far too many examples to cite, but they all have a characteristic in common:

Bad news that's damaging to Democrats, and good news that would help Republicans, is suppressed.

A rational thinker would wonder why they would do this - certainly the loss of perhaps half of their market (so far) would cause the Adult Supervision at the media companies to make some serious changes. They haven't, in any sort of way that matters. So how come?

Partly, it's just bad luck that their industry is already in a disruptive transition. One of the most interesting business books of the last decade is The Innovator's Dilemma, by Clayton Christensen. Even good companies get in trouble with extremely disruptive market transitions, and so we wouldn't expect media companies like The New York Times to be any different.

We would expect that a well run media company would resist driving half their potential customers away. We're sure not seeing that resistance. The 2008 election was stunning in its display of media bias (again, there are too many examples to cite here; use your Google-fu). I have no explanation, but I do have a suggestion:

Once you have more than a certain portion of a group all exhibiting the same philosophy, Confirmation Bias becomes institutionalized, as there aren't enough remaining members to say "wait a second - that doesn't make sense."

It felt right to the NYT to sit on the story of John Edwards' illegitimate child, to the point where they were scooped by the National Enquirer. It made sense to the NYT to run three front page stories about Bristol Palin's pregnancy. I'm not saying it makes any sense to me, but it did to them. In their mental model, reversing these (as the rest of the world would consider to be rational) would be like changing brands of toothpaste. Why would you bother? The newsroom already has a perfectly functional (to them) view of how the Universe works.

Adam Shostack has another interesting post on what this all means for the media, because now it's possible that we (you and I) have constructed our own model of how the media work:

We've been talking a lot lately about confirmation bias. It turns out that newspaper endorsements are more influential when they are unexpected.

The Boston Globe endorses Obama? Didn't see that one coming. The media runs a story on shooting that's pretty straight up? The Gunblogosphere posts about it.

Universities have a big dose of this as well. Second Amendment types will hold up Bellesiles and the Harvard study showing a 40:1 ratio of family-to-Bad Guy casualty rate for guns in the home as Exhibit A. The Global Warming fraud is exhibit B.

If it's true that group dynamics reinforce confirmation bias once a certain threshold of conformity is reached, then it means that the media (and Academia) have to take a big, unpopular step: Intellectual Diversity has to become top priority. The NYT has actually tried this, bringing on conservative writers like Bill Kristol.

It's not enough. The centers of groupthink need to be integrated, and for the NYT this isn't the Op-Ed page, it's the Newsroom. For Universities, it means the faculty lounge, particularly in the liberal arts. This will be terribly unpopular in the newsrooms and faculty lounges, and will require pretty forceful leadership. The media will get that - there's a Bad Moon Rising in media company boardrooms; if the board doesn't take care of this, the shareholders will ultimately get a board who will. Or the companies will go out of business.

Academia is a more interesting case. Much of the University system in this country is publicly funded. If a significant portion of the population decides that it's not worth the candle, then the tipping point will arrive suddenly. Right now, confirmation bias runs in favor of the Academy: most people still think that the University is about learning truth. It's not, and that's a major risk. If lots of people find that they've spent a ton of dough for a diploma that doesn't help them get a job that gives them a return on that investment, all sorts of questioning will begin. The confirmation bias will be shattered, and people will revert to a heightened state of alertness for things dealing with education. At that point, the new brand of toothpaste may be welcomed.

Monday, November 24, 2008

Broken Skype security enables Phishers

If this looks familiar, it should. Only this time, it's not PayPal's security that's broken. Instead, Skype users that use something called Pamela to manage their phone accounts should be extra careful. Customized phishing attacks aimed at your PayPal info are in the wild:

Skype users who use a piece of software dubbed Pamela to manage their online phone accounts should be on the lookout for customized phishing attacks following revelations that one or more user databases containing names and email addresses have been breached.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as "Dear PayPal User."

Nobody who asks for your account info via email can be trusted. Nobody. Don't ever give it via email, and don't ever give it via a web link in an email.

Instead, if you get an email saying there's a problem with your account, and if the email looks like it might be legitimate, don't click the link in the email. Instead, go directly to the web site. There will be a link for "Support" on the main page. From here, you will be able to either find the problem ("My Account" or something like that) or ask for help.

For example, paypal.com has a link ("Log In") on their home page. If you get an email telling you that there's a problem with your account (trouble at the mill), handle this manually:

1. Open a new browser (you're using Opera for financial transactions, right?).

2. Log in.

3. There will be a notification of the problem. No notification, no problem.

Why blogger doesn't trust Gmail

I always wondered about this. Blogger simply doesn't accept Gmail accounts as the blog owner's account. Now remember, Google owns Blogger, and it owns Gmail. So what gives?

Security. Specifically, lousy security:

A Gmail exploit which might be abused to allow domain hijacking has reared its ugly head once more.

The reported vulnerability revolves around the potential ability for hackers to create a malicious filter without needing to obtain the login credentials for a Gmail account. A flaw of this type hit web designer David Airey back in December 2007. Security watchers thought that Google had a handle on the problem, but now it seems that this confidence might have been misplaced.

Lots more geeky security stuff at The Reg, about Cross Site Request Forgery and cool stuff like this.
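The Reg's point is that a cookie proves you have a session, not that you meant to send the request: a page on some other site can make your browser post a "create filter" form to Gmail, and the cookie rides along. The toy below is an added example, not Google's code and not from the article. It shows a filter-creation handler in two versions: one that trusts the cookie alone, and one that also demands a per-session synchronizer token that a foreign origin cannot read, plus an Origin check. The host names, session store, secret and request dictionaries are all assumptions made up for the demonstration.

```python
"""Why a cookie alone does not prove the user meant to send a request.

Added example, not Google's code and not from The Register article: a toy
'create mail filter' endpoint in two versions. The browser attaches the
session cookie to any cross-site form post, so the vulnerable version lets
an attacker's page add a forwarding filter to a logged-in victim's account.
The hardened version also demands a per-session synchronizer token that a
foreign origin cannot read. All names and the secret are assumptions.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)            # assumed server-side key
SESSIONS = {"sess-victim": "victim@example.com"}   # cookie value -> user
FILTERS = {}                                       # user -> list of filters


def csrf_token(session_id):
    """Token derived from the session. Only pages served inside the user's
    own session (same origin) can read it and echo it back in the form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_filter_vulnerable(request):
    """Trusts the cookie alone: the classic CSRF hole."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return 401, "not logged in"
    FILTERS.setdefault(user, []).append(request["form"]["forward_to"])
    return 200, "filter created"


def create_filter_hardened(request):
    """Requires a valid session, an Origin (when the browser sends one) that
    is our own site, and a token bound to the session, compared in constant
    time. Only then is the filter written."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != "https://mail.example.com":
        return 403, "cross-origin request refused"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    FILTERS.setdefault(user, []).append(request["form"]["forward_to"])
    return 200, "filter created"


def forged_request():
    """What arrives when the victim visits attacker.example while logged in:
    the browser adds the victim's cookie, the attacker controls the form body,
    and the Origin names the attacker's site. Constructed for the demo."""
    return {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"forward_to": "attacker@example.net"},
    }


def legitimate_request():
    """The same action submitted from our own settings page. Constructed."""
    return {
        "cookies": {"session": "sess-victim"},
        "headers": {"Origin": "https://mail.example.com"},
        "form": {"forward_to": "me@example.org",
                 "csrf_token": csrf_token("sess-victim")},
    }


def run_demo():
    """Return the status codes for (vulnerable handler, forged request),
    (hardened handler, forged request), (hardened handler, legitimate
    request) so the difference can be checked."""
    FILTERS.clear()
    v, _ = create_filter_vulnerable(forged_request())
    h, _ = create_filter_hardened(forged_request())
    l, _ = create_filter_hardened(legitimate_request())
    return v, h, l


if __name__ == "__main__":
    print(run_demo(), FILTERS)   # (200, 403, 200): only the vulnerable handler took the forged filter
```

The token check is the load-bearing part: older browsers did not send Origin at all, which is why the hardened handler only enforces Origin when it is present and never relies on it alone.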

What's interesting is that this underlines (and boldfaces) the problems with web security. Even Google can't get it quite right. Consider:
They clearly have the capability. After all, Google has buildings full of wicked smart web developers and security types. Their market cap is something like a Billion Jagillion dollars.

They clearly have the motivation. Google Apps is trying to move all sorts of folks away from Microsoft Office. If they mess up the security, then their all-your-data-are-belong-to-us strategy gets harder.
So what do you do? Don't use Gmail for anything important (other than emailing to borepatch at gmail dot com, of course!). Especially don't use it for something important like PayPal or Online Banking. Keep your important data somewhere else (remember to back it up).

Just don't keep it on your cell phone.

UPDATE 25 November 2008 19:50: Google security folks deny that this is a vulnerability. Doesn't explain why you can't use a Gmail account to start a blog.

Cell phone pictures and privacy

It seems that Philip and Tina Sherman have an affectionate marriage. In their case, this would include Mr. Sherman taking naughty pictures of Mrs. Sherman. Nothing wrong with that if that's your bag, baby. Just don't lose the phone:
An Arkansas man on Friday filed a lawsuit against McDonald's, alleging a restaurant location uploaded nude photos of his wife onto a web site.

In the suit, Phillip Sherman said he left his phone at a McDonald's location in Fayetteville, Arkansas, and that a manager promised the phone was secured for him to retrieve it. After picking up his iPhone, photos of Sherman's wife Tina Sherman made their way onto a web site -- along with her name, address and contact information, the suit claims.

Oops.

Now I can see how the Shermans are mad enough to spit nails over this, and expect that some McDonalds employees will soon be ex-employees. But a word of security advice to any other Mr. (or Mrs.) Shermans out there:
Assume anything on your cell phone is public information. Losing your phone is giving your data to whoever finds it.
Pretty simple, mkay?

Oh, and it seems that "Tina Sherman Pictures" is way up the Google rankings. I'm certain that neither of my readers would actually (ahem) investigate, but if any of these sites tells you that you need a new codec to see the pics, just say "no". "Free Download" is Intarwebz-speak for "Open Your Mouth And Close Your Eyes."

H/t Pogo Was Right.

UPDATE 24 November 2008 21:24: Boy, that didn't take long. I seem to be the #3 Google hit for the search string "mrs sherman cell phone pictures". Boy, howdy - some folks are fixin' to be disappointed.

Sunday, November 23, 2008

Feed me, Seymour

No, it's not Little Shop of Horrors. I've added a subscription feed on the right hand sidebar, down by the contact info. Be the first kid on the block to get my ravings!

(I think there's a pill that helps with that.)

Okay, okay, here's Little Shop of Horrors. Because you asked nicely ...

MFA and MRE

Living behind enemy lines here in the People's Republic of Massachusetts, I have to say that Boston has it going on when it comes to museums. Today we packed up the crew in the Borepatchmobile and went to Boston's Museum of Fine Arts, which is one of the world's great museums.

#2 Son is studying Egypt, so we thought we'd take him to see the Egyptian collection (Dr. Who fans will recognize the question "Are you my mummy?").

However, what struck me was the Thanksgiving massacre depicted here on this ancient vase (I presume that it's Thanksgiving, as the vase is from Turkey). Actually the Phrygian mother goddess Kubaba, shooting a leopard. And Sarah Palin simply ignored it. Ignored it, I say. Keith Olbermann wanted me to whisk the children past this to less traumatic displays (perhaps statues of naked women), but I told him that it was a harsh world, and it would be counter productive to try to shield the children.

Or something.

The Egyptian exhibit had some surprises. This mask is from the late Old Kingdom. It's a plaster mold of the deceased's face, and was used in the tombs. Eventually, embalming advanced to the point where the body form was maintained, and they stopped making the masks. I'd never known this, and was impressed. #1 Son was impressed in a different way.

It cost $64 for us to get in. My first reaction was Whiskey Tango Foxtrot? Then I asked how much for an annual family membership. $100, and today's $64 counted towards it. And parking was half price. They want repeat business, and will get it from us.

Those of you in New England who are ancient history buffs, there's an exhibit going on until January 4. The material is on loan from the British Museum, so you know that it's top shelf. Having an empire covering Egypt and the Fertile Crescent gave them time to stock up on priceless national patrimonies on the cheap. But don't tell Keith Olbermann - I'm sure that Sarah Palin isn't paying attention to all the animal carnage depicted by the Assyrians, either. Hey, those Assyrians must have been a bunch of Red State Rednecks or something. However you describe them, "Candy Asses" doesn't fit.

Two teenage kids burn through a lot of calories. They also are continually outgrowing their clothes. The Army Barracks surplus store on Massachusetts Avenue has an excellent stock of camo britches at decent prices. And a bunch is actual Army surplus - we got a GI issue camo winter coat for #1 Son, since he's outgrown last year's.

We also picked up more MREs. A couple readers commented the last time we got some (along the lines of why would anyone who didn't have to eat one want to eat one?). All I can say is "Teenage Boys."

It did give me one of the awesomest post titles, though.

Well that's a bit of a relief

We think http://borepatch.blogspot.com is written by a man (87%).

What with all the princess stuff lately, you have to wonder. Maybe it's the guns?

I notice that they're not much more accurate than 50/50.

Saturday, November 22, 2008

Why is Microsoft giving away free antivirus?

Earlier this week, Microsoft announced that they were going to give away their antivirus for free.

Now antivirus is pretty big business - much bigger than the browser market that got them in hot water with the Justice Department. Now, with another Democratic administration coming into office, why would they risk going back for a second helping? What's their motivation?

I mean, Symantec Corporation's shares fell almost 10% the day of the announcement. They have a lot more money to get all lawyered up than Netscape did. So what gives?

Eric Raymond has a post that gets near - if not dead on - the motivation, although he doesn't mention antivirus. Microsoft has already lost 30% of the sub-notebook market:

30% is significant share, well above the single-digit range that desktop Linux has been stuck in for the last decade and larger than ISVs can afford to ignore. And it’s hitting Microsoft’s bottom line:

The devices, which usually cost less than $500, are the fastest-growing segment of the personal-computer industry — a trend that’s eating into Microsoft’s revenue. Windows sales fell short of forecasts last quarter and the company cut growth projections for the year, citing the lower revenue it gets from netbooks.

30% of one market may not sound like a lot, but it's enough to make them cut their revenue projections. The market is brutal when that happens, in what looks unfair at first glance, but is actually very sensible. After all, if you exceed your earnings expectations by a penny a share, the market yawns; if you miss by a penny, your stock can close down 15%. The reason is that the market knows that CEOs hate to miss the target, and will do anything legal (and sometimes illegal) to keep from missing. If they miss anyway, then something really bad is happening.

And so it is with Microsoft, if they're downgrading their targets. Eric's post has some interesting numbers about this:

That will be at least four million netbooks running Linux by year’s end. The truly deadly news, however, is at the end of the article:

Equipping Linux on a computer costs about $5, compared with $40 to $50 for XP and about $100 for Vista, according to estimates by Jenny Lai, a Taipei-based analyst at CLSA Ltd. [...] “The engineers designing computers understand that if they want to cut costs, the only way to do so is to get rid of Microsoft,” IDC’s Chang said.

So how does this relate to antivirus? Consider the security software that the laptop buyer has to pay for with the following laptop options:
Apple MacBook: nothing.

Linux laptop: nothing.

Windows Laptop: Antivirus. Anti-spyware. At least $50 per year.
If you keep your $500 notebook for four years, you've paid another $200 minimum in a "Microsoft Tax", and Microsoft doesn't even see any of that money!

All you Mac and Linux fanboys can stop giggling now.

So why would Microsoft dare risk the ire of a newly expansionist Department of Justice, and antivirus competitors with the better part of $10 Billion market cap? Because the best way for them to squeeze cost out of the Windows laptop is by eliminating the antivirus software. Consider:
$5 Cost of Linux OS for manufacturer, ultimately paid by customer.

$35 Cost of Windows XP OS for manufacturer, ultimately paid by the customer.

$200 Cost of antivirus software over 4 years, paid for by customer.
From the point of view of a Microsoft Product Manager, this is a no brainer - it's the easiest call that they'll make in their entire career. Throw in the antivirus, which is a commodity anyway, and Microsoft becomes a little more viable. Sure, Symantec and McAfee get screwed, but quite frankly the entire antivirus market is parasitic on Microsoft anyway.

If this saves Microsoft 10% of the notebook market, and even 5% of the rest of the computer market, then this represents maybe $2 - $4 Billion dollars a year in Microsoft earnings. Interestingly, that's about the size of the antivirus market.

Microsoft is being squeezed. They're squeezing what they perceive as a parasitic market out of existence, to capture that part of the value chain as their margins tighten.

US Intelligence predicts EU will be "Hobbled Giant" in 2025

US Intelligence also predicts that sun will rise in the east in 2025:
It forecasts that Europe's shrinking working-age population will become a major test of its social welfare model. "Progress on economic liberalization is likely to continue only in gradual steps until aging populations or prolonged economic stagnation force more changes – a crisis point that may not hit before some time in the next decade and might be pushed off even further." The agency said there will be no easy solutions for the problem, save cutbacks in health and retirement benefits, "which most states have not begun to implement or even to contemplate."
Now, in all fairness, this is the unclassified report that they've released to the press. I hope that the classified one has deeper insights than this:
Disagreements in threat perceptions and a likelihood that defense spending will remain uncoordinated suggests the EU won't be a major military power in 2025, the report states. "The national interests of the bigger powers will continue to complicate EU foreign and security policy and European support for NATO could erode."
Anyone who reads Robert Kagan would be able to tell you this.

Heck, it'll probably look like this in 5 years, let alone 17.

Taylor Swift - Love Story

The question for the week has been What is it with Princesses and Cowgirls? Country music is favored with a set of outstanding young ladies who not only perform, but write their own music.

Taylor Swift is one. At 18, she's the youngest of the ladies featured here in Saturday Redneck. She also has the most crossover appeal - her song Teardrops on My Guitar got quite a lot of airplay on non-Country radio. Her new album Fearless has only been out for 11 days, and has sold 800,000 copies. Not everyone likes Crossover Country, but the record execs must.

As with all interesting writers, she writes about what she knows. Love Story is a school girl's view of relationships, viewed through the lens of Romeo and Juliet. In some respects, this is her answer to the question What is it with girls and princesses? We shall watch Miss Swift's career with great interest. We hope for a similar level of insight as she gets older and expands her life's experiences.

We were both young when I first saw you.
I close my eyes and the flashback starts:
I'm standing there on a balcony in summer air.

See the lights, see the party, the ball gowns.
See you make your way through the crowd
and say hello;

Little did I know
That you were Romeo; you were throwing pebbles,
And my daddy said, "Stay away from Juliet."
And I was crying on the staircase,
begging you, 'Please, don't go.'"

And I said,
"Romeo, take me somewhere we can be alone.
I'll be waiting; all there's left to do is run.
You'll be the prince and I'll be the princess
It's a love story - baby just say 'Yes.'"

So I sneak out to the garden to see you.
We keep quiet 'cause we're dead if they knew.
So close your eyes; escape this town for a little while.
'Cause you were Romeo, I was a scarlet letter,
And my daddy said "Stay away from Juliet,"
But you were everything to me; I was begging you, 'Please, don't go,'"

And I said,
"Romeo, take me somewhere we can be alone.
I'll be waiting; all there's left to do is run.
You'll be the prince and I'll be the princess
It's a love story - baby just say 'Yes.'

Romeo save me - they're tryin' to tell me how to feel;
This love is difficult, but it's so real.
Don't be afraid; we'll make it out of this mess.
It's a love story - baby just say "Yes.'"

Oh.

I got tired of waiting,
Wondering if you were ever comin' around.
My faith in you was fading
When I met you on the outskirts of town,

And I said,
"Romeo save me - I've been feeling so alone.
I keep waiting for you but you never come.
Is this in my head? I don't know what to think-"

He knelt to the ground and pulled out a ring and said,
"Marry me, Juliet - you'll never have to be alone.
I love you and that's all I really know.
I talked to your dad - go pick out a white dress;
It's a love story - baby just say 'Yes.'"

Oh, oh.

We were both young when I first saw you...

Friday, November 21, 2008

Obama's web team: slow learners

Seems the POTUS-elect's web sites have (surprise!) lousy security:
A cursory look at Change.gov and MyBarackObama reveal enough amateur mistakes to make even the most ardent supporters wonder just who in the heck is in charge of security.
I think that would be "Blanche DuBois", guys.

But hey, everyone's entitled to one mistake, right? Oh, wait:
Then consider this: If Change.gov were to be breached by miscreants, it wouldn't be the first time an Obama website has been hacked. As previously reported, the campaigns for both Obama and his Republican rival John McCain were penetrated by sophisticated overseas attackers who stole large amounts of information. You'd think that would have been enough to give the Obama camp religion about the importance of good computer hygiene, but evidently not.
Evidently. It looks like William the Silent works with Obama's flacks, too:
We left messages for Obama's press contacts, but had not received any response by time of publication. We similarly reached out to Blue State Digital, the company that designed the CMS for Change.gov, but no one was available to speak with us late Wednesday afternoon. At some point, it would be nice to know if the system has been audited by an outside security firm. If anyone gets back to us about that, we'll be sure to update this article.
I'm sure they're getting right on it.

So for a bit of fun, here's a poll for you uber-l33t types. Just like in Obama's home town of Chicago, vote early, and vote often!

What sort of Change to Obama's web site can you believe in?


Broken PayPal security enables Phishers

OK, maybe this isn't the most embarrassing security mistake ever, but it's close. Unlike Microsoft's screw up, it lets Phishers target your account.
PayPal, the online payment service that is a major target of phishers, has been caught sending customer emails that confuse its own login page with a third-party landing site that offers spyware protection and a bevy of other products.
Dumb, dumb, dumb.
The faux hyperlink to secure.uninitialized.real.error.com was included in official emails PayPal sent to customers to confirm recent payments. PayPal advertised it as the official address to log in to the service. Recipients who configured their systems to read email as HTML wouldn't notice the link was incorrect unless they were paying close attention.
Dumb, dumb, dumb. They're supposed to be security experts, so that you don't have to. Doesn't seem like the folks at error.com were involved:
"We're completely unaware of anything that would give us traffic" from PayPal, said Drew Griffin, director of business development for Reflex Publishing, the Florida-based company that owns error.com. "We have no clue as to how it got there. They should fix it."
Yah, that'd be right.
This quick Yahoo search turned up this page showing a PayPal customer receiving the link more than two months ago. That's a long time for a financial services company to be sending their customers to an incorrect login page.
Yah, that'd be right, too.

So, let's see what happened:

1. Programmer drone at PayPal makes rookie error.

2. Security propeller-head types at PayPal miss rookie error.

3. PayPal users get sent to Lord Knows Where, for months.

So what do you now know about PayPal's uber-l33t security system? Their security division is run by Blanche DuBois. And their PR division is headed up by William the Silent:
The snafu was the result of an internal PayPal error that was fixed on Tuesday, Michael Oldenburg, a spokesman for PayPal parent company eBay, wrote in an email. Oldenburg didn't respond to a reply email that asked how long the error had persisted.
PayPal users, now you know.
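The PayPal mistake and the advice in the Skype/Pamela post above come down to the same check: does the link actually go where the email says it goes, and is that a host the sender should be using at all? The script below is an added example, not PayPal's code and not from the Reg article. It pulls every anchor out of an HTML email, flags any href whose host is not on an allowlist for the sender, and flags any link whose visible text names a different domain than the href. The sample message is constructed for the demonstration (the error.com hostname is the one quoted above), and the allowlist is an assumption.

```python
"""Flag suspicious links in an HTML e-mail: an href whose host is not one the
sender is expected to use, or visible text that names one domain while the
href points at another.

Added example, not PayPal's code. The sample message is constructed; the
error.com hostname in it is the one quoted in the post. The allowlist of
expected hosts is an assumption for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a genuine PayPal notification is expected to link to (assumed).
EXPECTED_HOSTS = {"paypal.com", "www.paypal.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL, or of bare text that looks like a domain
    ('www.paypal.com/login'); '' for anything that is not a hostname, so
    ordinary link text such as 'click here' is never treated as a domain."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname or ""
    return host.lower() if "." in host and " " not in host else ""


def registrable(host):
    """Crude registrable-domain approximation: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html, expected_hosts=EXPECTED_HOSTS):
    """Return (href, text, reason) for every anchor that should not be
    clicked. An unexpected host is reported first; a link to an expected host
    is still reported if its visible text advertises some other domain."""
    p = _AnchorCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        target = host_of(href)
        if target not in expected_hosts:
            findings.append((href, text, "href host %r is not an expected host" % target))
            continue
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            findings.append((href, text, "link text shows %r but href goes to %r" % (shown, target)))
    return findings


# Constructed sample: one genuine link and one that reproduces the PayPal
# mistake described in the post (text says paypal, href goes to error.com).
SAMPLE_EMAIL = """
<p>Your payment was received.</p>
<p>Log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p>Or <a href="http://secure.uninitialized.real.error.com/">https://www.paypal.com/</a>
to review this transaction.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("DO NOT CLICK:", href, "-", reason)
```

Note that the allowlist does the heavy lifting: a lookalike such as www.paypal.com.example fails the host check even though the visible text is perfectly consistent with it, which is why the advice above is to go to the site yourself rather than to eyeball the link.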

Everything's amazing now, and nobody's happy

Here's another great rant from Louis C.K. I can't argue with any of this.

H/t A Large Regular.

Soccer May Only Be Played In The Archery Range

This is a great rant from Seth Godin, about why (and how) things get broken. It's hard to argue with most of this.

Thursday, November 20, 2008

I don't think so

I'm sure I'm very flattered, but I still don't think so.

27.5 miles per gallon
I think that the data here are about as reliable as NASA's climate data, but very flattering. Thanks!

I used to joke that I'm in great shape for a guy of Sixty, but as I get closer to 60 than to 40, the joke loses some of its humor.

H/t Expert Witness, who has a bunch of new stuff - including an Assault Weapons petition that's worth your time.

At the range

Lucky me!

Practicing double action with a Ruger Security Six. Light posting until later.

Wednesday, November 19, 2008

500 posts

Actually 501. I guess that's not too bad for only blogging 5 months or so.

And Breda's link broke my hit counter (you have to scroll all the way to the bottom of the page to see it). Biggest day ever, wh00t! Thanks, Breda. I'd rather go hunting with you than with Dick Cheney, anyway.

NASA, Data Integrity, and Global Warming

Microsoft isn't the only one lately with data integrity problems. NASA released some hyperventilating news last week that October 2008 was the warmest ever recorded. The usual suspects in the Media (you know the ones I'm talking about, the ones who slept through science class because it was "wicked boring") took that ball and ran with it.

Except there was no ball. It seems that NASA's data was a crock. People are starting to notice.
Based at Columbia University in New York, GISS is the division of NASA that is responsible for global climate data and is used by the media in assessing global warming. After analyzing the data, GISS reported that October 2008 was the warmest October since reliable record-keeping began in 1880. But there was something very wrong with the numbers.
First was the ZOMG We're All Going To Die!!!!1! part:

Wow. Red = Hot, right? But wait - let the backpedaling commence:

All set now? See - Siberia is still teh Hotzup. Oh, waitaminute ... Again?
Oh. Siberia isn't Teh Hotzup after all. And this is where it gets interesting:
NASA acknowledges the changes, but other than that provides no details nor any explanation whatever. The older versions of the maps are removed from their site. So why did neither GISS nor NOAA see fit to take a second look?
Here's what we know:

1. Someone at NASA copied September temperature data from 90 weather stations into the spreadsheet for October. Who, how, and why are not explained.

2. Someone else at NASA looked at the output, and instead of a wrinkled brow and a "Hmmm, I haven't heard anything about record heat in Siberia ..." the reaction was "Quick, Robin, to the PRmobile!"

3. Yet someone else at NASA has decided to use data sources of questionable quality, such as weather stations that have been surrounded by lots of hot asphalt parking lots, rather than more reliable data sources. What might those sources be, you might ask? Satellites. You know, space thingies. The ones that NASA runs.
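Item 1 is the kind of error a trivial data-integrity check catches before anything reaches a press release. The script below is an added example, not NASA's or NOAA's code: given one monthly mean per station for two consecutive months, it lists the stations whose new value is byte-for-byte identical to the old one and raises an alarm when a block of them share that pattern, since one station repeating a monthly mean is plausible weather and ninety of them in one region is a copy error. The station readings are constructed for the demonstration, and the region-from-station-id rule and the thresholds are assumptions.

```python
"""Data-integrity check that would have caught a carried-forward month.

Added example, not NASA's or NOAA's code. Input is one monthly mean per
station for the previous and current month. Stations whose two values are
identical are listed; when enough of them share that pattern the network
result is flagged, and the duplicates are counted per region so the bad block
can be located. The readings are constructed; the region rule (first two
characters of the station id) and thresholds are assumptions.
"""
from collections import Counter

# Constructed sample: station id -> (September mean, October mean), deg C.
SAMPLE = {
    "RS001": (9.4, 9.4),     # carried forward
    "RS002": (11.2, 11.2),   # carried forward
    "RS003": (7.8, 7.8),     # carried forward
    "RS004": (8.1, 2.9),
    "RS005": (12.0, 6.3),
    "RS006": (5.5, -1.0),
    "US001": (18.2, 12.7),
    "US002": (15.0, 15.0),   # a lone coincidence, plausible on its own
}


def carried_forward(readings):
    """Station ids whose consecutive monthly values are exactly equal."""
    return sorted(s for s, (prev, cur) in readings.items() if prev == cur)


def region_of(station_id):
    """Assumption for the sample: the first two characters name the region."""
    return station_id[:2]


def check_network(readings, max_fraction=0.05, min_count=3):
    """Return (alarm, fraction_duplicated, duplicates_per_region).

    The alarm needs both an absolute count and a fraction of the network, so a
    tiny network with one repeated value does not trip it, while a large
    block of identical station values does."""
    dupes = carried_forward(readings)
    fraction = len(dupes) / len(readings) if readings else 0.0
    per_region = dict(Counter(region_of(s) for s in dupes))
    alarm = len(dupes) >= min_count and fraction > max_fraction
    return alarm, fraction, per_region


if __name__ == "__main__":
    alarm, fraction, regions = check_network(SAMPLE)
    print("alarm:", alarm, "duplicated fraction:", fraction, "by region:", regions)
    if alarm:
        print("hold the press release; check these stations:", carried_forward(SAMPLE))
```

With the constructed sample the alarm fires on the RS block, which is exactly the "haven't heard anything about record heat in Siberia" moment that item 2 says never happened.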

Steve McIntyre was the guy who broke this story, because he smelled something fishy (although NASA didn't credit his work when it made its corrections). He dissects what's been going on, and it's not pretty:
Are you like me and a little puzzled as to exactly how the GHCN-GISS problem happened? GISS blamed their supplier (NOAA GHCN). Unfortunately NOAA's been stone silent on the matter. I checked the Russian data at meteo.ru and there was nothing wrong with it. Nor is there anything wrong at GHCN-Daily for stations reporting there. So it's something at GHCN-Monthly, a data set that I've been severely critical of in the past, primarily for the indolence of its updating, an indolence that has really reached a level of negligence.

[Lots of informative scientific climate stuff removed, but you should RTWT - ed]

I don't plan to spend time doing an inventory of incidents - surely NASA and NOAA have sufficient resources to do that. However, this one incident is sufficient to prove that the present incident is not isolated and that the same problem exists elsewhere in the system. I'm perplexed as to how the problem occurs in the first place, given that the error doesn't occur in original data. I'm sure that we'll find out in due course.

The bigger issue is, of course, why NOAA and NASA have been unable to update the majority of their network for 20 years.

The more interesting question is why didn't NASA notice? Trevor Butterworth has an answer: Confirmation Bias.

A colder than usual fall does not mean that global warming is not happening, nor does one or more errant sets of data suggest that it’s all a bunch of hooey; but the admission that there isn’t “proper quality control” over how this data is collected should be seen as alarming - as should the failure to spot the anomalous findings until critics began speaking up.

What it suggests is a bad case of confirmation bias: Goddard’s researchers are so focused on confirming that global warming is getting worse that they were overly disposed to accepting data which confirmed their worst fears and under disposed to double check its veracity. This is how science gets skewed.

Confirmation Bias is when you interpret new information in a way that confirms your existing world view, and discount new information that does not support that world view. It's "Sentence first, then the trial."

Smart Economy weighs in as well, with a comparison of stories about Global Warming vs. Global Cooling ones.

If you search Google News to see if the media is reporting on both sides of the story, you only get 297 hits with stories that include the term "global cooling", compared to 25,757 for global warming - a two order of magnitude difference, or a 1 to 86.7 ratio.

Ok that's the media. But in theory, scientists are supposed to be balanced -- looking at both sides of a theory or controversy. They are not, and their bias is evident in most articles. Using Google Scholar you see slightly more papers on global cooling but an equally skewed ratio - 6,400 papers mentioning global cooling vs. 198,000 on global warming (a 1:30.9 ratio).

We all knew that you have to take what the media reports on Global Warming with a huge grain of salt; now we know that the basic data from NASA on global temperature is at best shoddy, and at worst being manipulated for political purposes.

Too bad; I remember when NASA was the best of the best. Sic transit gloria mundi.

Read all the links, it's worse than I say here. You also might check out my post Why I'm A Global Warming Skeptic.

Most. Embarrassing. Vulnerability. Ever.

Vista users, prepare to crash your systems. No, really - this is (mostly) harmless, and it's an instantaneous demonstration of the single most embarrassing computer vulnerability I've ever seen.

First, the vulnerability:
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable, buffer overflow corrupting kernel memory.
The kernel is the core of the Operating System - the guts of Windows, in this case. Corrupting kernel memory is never a good thing. At best, you'll make something important crash. The Bad Guys look for this sort of thing, because when you make something crash, sometimes you can get your own code to run instead.

Now Buffer Overflows have been known for literally decades, so this isn't anything new. Usually, you need some righteous uber-l33t skillz to do it.

So, Vista users - ready to show your uber-l33t crazy h4x0R skillz? Make sure you've saved all your work ....

Step 1. Open a command shell. You'll have the familiar "C:\>" prompt.

Step 2. Type the following command:
route add 1.2.3.4/240 4.3.2.1
At this point, your monitor will turn a restful shade of blue, as your kernel barfs its guts out.
I hope you remembered to save your work.

Now this is all very jolly, but you might be wondering why is this the most embarassing vulnerability ever?

Microsoft has been trying really, really hard on security for a long time. They have scary smart security people working there. One of them wrote the book on secure coding, and if you were a microsoft developer, billg made you read it. All of these efforts have paid off, and while Microsoft security for sure isn't perfect, it's a whole different game than it was ten years ago. In other words, it wasn't a joke any more.

And then someone made a boneheaded, "oops I forgot to check user input for validity" mistake that everyone knew was boneheaded twenty years ago. And your mom has the uber-l33t crazy skillz to exploit it.

And remember, Windows Vista is the Most Secure Windows Ever.

Now this doesn't really mean anything in the grand scheme of things. You have to be logged in as Administrator for this to work, so you're not going to escalate your privileges any higher. If you can get a remote administrator command shell, then you're starting from Game Over, so there's no straightforward remote exploit.

But Jeez Louise, guys. This is simply [redacted] stupid. If I were the head of Vista marketing, I'd have (ahem) words with development. It'll make people turn to Solaris ...
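The missing check is the whole story: a prefix length is only meaningful between 0 and the width of the address, and /240 has to be refused before it is ever used as a loop bound or shift count to build a netmask. The parser below is an added example, not Microsoft's code. Python cannot reproduce the kernel memory corruption (an out-of-range index here raises an exception instead), so what it shows is the validation the route code path evidently skipped: strict parsing of the "address/prefix" argument from the command above, with the prefix length checked against the address width before the mask is computed. Only IPv4 is handled; the function names are my own.

```python
"""Input validation the route-add code path evidently lacked.

Added example, not Microsoft's code: a strict parser for the 'address/prefix'
argument in the post. In Python an out-of-range prefix cannot corrupt memory;
the point is that the length is checked against the address width before it
is used to build the netmask, which is what the quoted advisory says was
missing. IPv4 only.
"""


def parse_ipv4(text):
    """Four octets of a dotted-quad address, or ValueError."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted octets: %r" % text)
    octets = []
    for p in parts:
        if not p.isdigit() or len(p) > 3:
            raise ValueError("bad octet %r" % p)
        n = int(p)
        if n > 255:
            raise ValueError("octet out of range: %d" % n)
        octets.append(n)
    return octets


def netmask(prefix_len, width=32):
    """Netmask octets for a prefix length, after checking it against the
    address width. This bounds check is the point of the example: /240 is
    rejected here instead of being used to size a write into a 4-byte mask."""
    if not 0 <= prefix_len <= width:
        raise ValueError("prefix length %d exceeds %d-bit address" % (prefix_len, width))
    mask = ((1 << width) - 1) ^ ((1 << (width - prefix_len)) - 1)
    return [(mask >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def parse_route_target(arg):
    """Parse 'a.b.c.d/len' (a bare address means /32) into
    (octets, prefix_len, netmask_octets), validating every field."""
    addr, sep, plen = arg.partition("/")
    octets = parse_ipv4(addr)
    if sep == "":
        prefix_len = 32
    else:
        if not plen.isdigit():
            raise ValueError("prefix length must be decimal digits: %r" % plen)
        prefix_len = int(plen)
    return octets, prefix_len, netmask(prefix_len)


def route_add_checked(target, gateway):
    """Validate both arguments before anything else happens and return the
    accepted route; a bad argument raises ValueError and nothing is touched."""
    octets, plen, mask = parse_route_target(target)
    gw = parse_ipv4(gateway)
    return {"dest": octets, "prefix": plen, "mask": mask, "gateway": gw}


if __name__ == "__main__":
    print(route_add_checked("10.0.0.0/8", "192.168.1.1"))
    try:
        route_add_checked("1.2.3.4/240", "4.3.2.1")   # the command from the post
    except ValueError as e:
        print("rejected:", e)
```

The same shape of check applies to any length or count that arrives from the user and is then used to index or size a buffer: validate against the real bound first, then compute.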

UPDATE 5 DECEMBER 2008 12:55: Welcome /b/ Random readers. Lots of security and snark (and security snark) around here. Take a look around.

Tuesday, November 18, 2008

Palin/Breda 2012

Acepilot_Jim has the idea of the century. Unfortunately, all you had was my Photoshop Gimp skillz. #1 Son will get this tricked out with flames and pinstriping.

They'll need a slogan. Some ideas:
"Vote for us. We can hit you even if you run away."

"The Sarahcuda Bredalucion: the choice of chicks with guns."

"Yes, we married well."
UPDATE 19 November 2008 15:01: Lissa linked. Thanks, Lissa!

UPDATE 19 November 2008 15:03: Hokey smokes, it's a Bredalanche! Thanks! Welcome, and take a look around.

Computer Virus turns back Armor Brigade

I had to admit that I did a double take when I saw the headline: PLA Armor Brigade Exercise Fails Due To Computer Virus:
According to news.ifeng, an unidentified PLA armor brigade was the victim of a computer virus that caused electronic ammunition resupply orders to show up blank. During the force-on-force, Red and Blue exercise, operations were hampered due to a computer virus that left the main attack force without ammunition resupply.
Now I initially thought that this was a crock; hyperventilating Internet security junkies pimping for hits. But the more I thought about it, the more concerning it became. Especially once my thinking coalesced around two thoughts:
  1. A lot of hacking and malware activity is coming out of the PRC these days, so it's very interesting indeed to see that "they have the same problem that we do".
  2. Logistics is the logical (so to speak) place to start when you start thinking about force on force (government vs. government) cyberwarfare.
If you think this through, it's the perfect "live fire" exercise for ChiCom computer warriors. How do you stop a modern army? The key is in the old saw:
When people start talking about warfare, amateurs talk strategy. Professionals talk logistics.
An armored brigade needs tons of supplies - especially gas and ammunition. If you can't take out the tanks, then throwing a huge dollop of sand into the gears of the resupply effort will do very nicely indeed. One brigade gets the other's gas, the other gets the first's ammo. After 3 days, nothing can move, or shoot.

So, from a threat perspective, this is plausible. So what about our side? How does the vulnerability landscape look?

The tank brigade isn't the weak point. There aren't too many folks who'd want to stand up against it. But what about the supply chain computers?

Now I have to say that I have absolutely no knowledge of the state of our cybersecurity here. It may be that the finest minds and technology have MILnet* hardened to where you could drop an anvil on it from a failed HALO exercise, and it wouldn't miss a beat.

Maybe.

And maybe our cybersecurity is Teh sUx0Rs.

* Yeah, I know it's not MILnet any more. The names have been changed because it's none of your danged business.

The Dark Visitor is now a regular read, and on the blogroll.