When it was released in 1959, Beh Hur became the second highest grossing film in history (behind Gone With The Wind) - saving MGM from bankruptcy. It won an astonishing 11 Academy Awards, including best musical scoring by composer Miklós Rózsa.
It's good music for Easter. I hope that you (like we) are enjoying it with family.
The Queen Of The World's son is visiting for Easter, along with his best buddy Mario from Basic Training. The weather was perfect, and so we met up with one of his High School buddies who happened to be here:
Man, I love Florida.
Sure, NASA spends taxpayer money like a drunken sailor. Sure, Congress is using this program to throw taxpayer money at favored corporations.
But today, no other country can do what we are doing, just like what Old America did half a century ago. And no other country has a SpaceX waiting in the wings to drop mission cost by a factor of 40.
Considering the epic amount of fraud from California's (and other states) Medicare programs (not to mention Learing Centers), all I can say is that this is waste I can get behind.
The French aircraft carrier Charles de Gaulle, the only nuclear powered carrier outside the U.S. Navy, is en route to the Mid-East as part of the French response to recent events in the region. As it is sailing into harm's way, security would understandably be high. The exact location of the ship would be classified.
Strava is a fitness app athletes use to record their activities running or cycling. It's very popular and can be used to allow athletes on training equipment paired with the app to compete with one another or share their individual results with friends or interested fans. Results can be published in near realtime.
The French officer that was getting in a 7 kilometer run on the deck of the ship is was a Strava user. The GPS coordinates of his run pinpointed the location of the flagship in real time. The location was confirmed with publicly available satellite photos.
A French armed forces spokesman said the reported incident did "not comply with the current instructions" and appropriate measures would be taken.
Holy Week calls for the Big Guns of classical music. Hector Berlioz was one of these, and his Messe Solennelle is one of the great works of religious music. Astonishingly, Berlioz was only twenty years old when he wrote this, and then destroyed the music for Messe Solennelle (except for the Resurrexit portion).
A copy of the entire work was discovered in 1991.
Wow. And just plain-jane iOS, too. Out of the box.
As someone who ran across (into?) "Secure Operating Systems" more than once, this is a big deal.
Rest in peach, sir.
The Eyes of the Ranger Are Upon You (Songwriter: Tirk Wilder)
In the Eyes of a Ranger, the unsuspecting Stranger,
had better know the truth of wrong from night
Cause the rule of law and order starts at the Texas border,
with the lone Star of the Ranger shining bright.For the Eyes of a Ranger are upon you;
Any wrong you do, he's gonna see.
When you're in Texas look behind you;
for that's where the Ranger's gonna be.In the Heart of a Ranger he'll never know the danger;
from desperate men with nothing left to lose,
the Ranger keeps on coming; so there ain't no sense in running,
cause he's bound and sure to make you pay your dues.
For the Eyes of a Ranger are upon you;
Any wrong you do, he's gonna see.
When you're in Texas look behind you;
for that's where the Ranger's gonna be.
When a Ranger's on your Trail, he won't know how to fail,
and you can't buy him off at any price;
so if you decide to ramble, and with your life you'd gamble,
know where you are before you roll the dice.For the Eyes of a Ranger are upon you;
Any wrong you do, he's gonna see.
When you're in Texas look behind you; for
that's where the Ranger's gonna be.
If you see him coming' round the outskirts of town,
never take that Ranger for a ride.
For the Eyes of a Ranger are upon you;
Any wrong you do, he's gonna see.
When you're in Texas look behind you; for
that's where the Ranger's gonna be.
Yes, that's sung by Chuck himself.
But this is the song that I associate the most with him. R.I.P.
This is not surprising, but it is pretty interesting, especially the guy in Dubai where Google Maps puts him in the middle of the straight. The discussion about why the Iranians probably have not mined the straight is also pretty interesting.
As background, I've posted several times on the Herculaneum scrolls, here here and here. That last link in particular is a fairly pain-free Youtube video about what the Big Deal is.
And a Big Deal it certainly is. In short: when Mt. Vesuvius buried the Roman town of Pompeii in 79 AD, it also buried it's more prosperous neighbor Herculaneum. One of the (very) rich Romans who lived in Herculaneum was likely the father-in-law of Julius Caesar, and had one of the biggest libraries in the Empire. The extreme heat of the lava flow carbonized the scrolls (books). Researchers have been using CAT scans to image the carbonized rolls and have been applying AI to "unroll" the scrolls virtually and distinguish between carbon-based ink and just plain old scroll carbon. They are starting to read scrolls that have been lost for 2000 years.
If this interests you, there is a must read essay on what's been happening over the previous 18 months, the progress that's being made, and the challenges that are still present. This part is really, really interesting:
So the central question has shifted from whether text could be recovered at all to whether it could be done routinely. At the current pace, processing the full Herculaneum library would take several years. The Vesuvius Challenge Master Plan, published in July 2025, outlines a series of steps intended to compress that timeline. These include improved surface extraction, deeper automation, and tools designed to reduce manual intervention at every stage.
According to Schilling, the problem is not that current methods fail outright, but that they require too much human steering.
“It’s not as fast or effective or cheap as it should be,” he told me. “Right now, we have solutions that work but that require human input.” What researchers want instead is a “global optimal solution” — a system that can isolate papyrus surfaces, unwrap them, and detect ink reliably across many scrolls without constant correction.
We're not there yet, but people are starting to figure out how to get there. And it looks like there are a bunch of scrolls that were entirely lost over time that we will be able to read:
These scrolls are believed to contain Greek prose that largely vanished elsewhere, including philosophical works from the Epicurean tradition that were rarely recopied because they conflicted with Christian doctrine.
Very, very cool
Via a link from HMS Defiant (who is on quite a roll lately), this is a very interesting analysis of the war from Open Source Intelligence sources (i.e. non-classified published sources). Very, very interesting indeed.
Top o' the morning to you, and happy St. Patrick's Day (almost). This is my traditional Paddy's Day post, mostly because I love the music here.
What is the "Classical Music" of Ireland? It's not (Italian) Opera, or (German) symphonies, or even an (English) homage to
Ralph Vaughan Williams (who studied under an Irish music professor)
"countryside music" in the concert hall. Instead, we find something ancient.
He
married very late, at 50, and had many children. But his first love
was Brigid, daughter of the Schoolmaster at a school for the blind. He
always seemed to have carried a torch for her.
So
why is this post in the normal slot reserved for Classical Music?
Listen to this composition of his, and you see the bridge from the
archaic Celts to Baroque harpsichord.
And
keep in mind how this brilliance might never have blazed, had Mrs.
MacDermot Roe not seen the talent in a blind Irish boy and set him upon a
path trod by many equally unexpected geniuses, all the way back to St.
Patrick. It is truly said that we never know what our own path will be
until we set our foot down on it.
But
his was an ancient path and he inherited much from those who trod it
before him. His "Farewell to Music" is said to be more in the
traditional mold, and might have been appreciated at a feast held by
Vercingetorix before the battle of Alesia.
This
music is a bridge between modern and the ancient that disappears into
the mists of legend. Perhaps more importantly, it is a music that is
still alive today, after a run of perhaps two and a half millennia.
And
it is a music where you still hear the yearning of a young blind man
for his muse, Brigid. That is a vitality that should not be exiled to a
single day of celebration, even if it is for as illustrious a Saint as
Patrick. On this Feast Day of St. Patrick (almost), remember just how deep the roots of our
civilization run.
(Originally posted March 16, 2014)
Country music is alive and well in the Emerald Isle. Glór Tíre is a long running and highly rated country music talent competition on Ireland's TG4 channel. The last season's winner was Paddy Treacy with this song. It's Irish (for sure) but it is indisputably country. I love this video - it looks like he and his mates had a blast filming it.
Nightnoise is one of the most famous Irish jazz ensembles, combining jazz with traditional Irish themes. As we come hard into St. Paddy's Day, this seems a fun kickoff that a bunch of you should like.
As HMS Defiant points out, there's no There there:
The knowing world watches and mocks as the mighty Royal Navy and Great Britain struggle to get ONE SINGLE SHIP underway 12 days after the war started and still the damned thing is unable to leave port ...
You can say exactly the same about all of the Britain's pantywaist partners in NATO. Not one single one of them has ponied up a ship or fighter squadron or bomb wing to send off to do something about the sudden and complete dramatic disruption to their oil and gas supplies. NOT ONE OF THE BASTARDS HAS STIRRED.
I have watched as people are concerned that poor Britain is struggling to get a ship underway but that really isn't the real problem. You see, any relevant and serious government would have seen the damage to their economic fortunes by the oil and gas embargo and sortied the entire fleet and sent every other fighter and bomber to the Middle East to squash the Iranians and as we have all noticed, not one of them lifted a finger.
Yup. If they don't care about oil from the Gulf being cut off, let them buy Permian Basin fracked oil. Otherwise, His Majesty's Government would tell Lloyd's to keep insuring tankers. But they don't.
The USA has let them act like children for so long that they no longer know how to act like adults. c.f. German Chancellor Mertz' comments yesterday that shutting down German nuclear power was a huge mistake, but it's too late to change the decision. Maybe you should try adulting sometime, Chancellor.
And the last word goes to HMS Defiant:
I think the first wave of European refugees is looking around now and beginning their research; where do they want to settle when they pick themselves up and their families and maybe even their businesses and move lock, stock, and barrel to the United States or Western hemisphere as they start fleeing the dire fate their elites have arranged for them all.
This wave of destruction is now unstoppable.
Sure looks that way to me.
It used to be a real pain to install Linux. My first Linux distro was Slackware on a v0.99 kernel that came on 35 floppy disks (ask your parents, kids) way back in the early 1990s. Things have come a long, long way since that. You don't even need to muck around with dd and create a boot USB anymore. Super easy.
Sometime in the last two or three weeks the odometer here ticked over 20 Million page views. Seems kind of weird that I wasn't tracking that, but whatever. In three months we will celebrate the 18th blogiversary here.
Silicon Graybeard has an interesting theory about all the traffic lately.
His Majesty's fleet seems to be entirely unable to protect His Majesty's subjects abroad. There seems to be only a single ship (MHS Dragon) that can be sent to Cyprus for anti-missile defense, and it has taken more than a week to prepare to sail. And they still haven't left port.
The Royal Navy is no allied force worth considering. Perhaps HMS Defiant can comment on his place.
As they point out, the Royal Navy was ready to sail in three days when the Iron Lady Maggie Thatcher told them to stand ready in the Falkland crisis. And then they had something like 100 ships. Now they can't get a single one.
As Donald Trump would say, sad!
Although I like what he says about the "1000 ship Navy" at about 11:40 into the video. 'Tis a consummation devoutly to be wished.
But after all, what today is the "special relationship" or even the transatlantic alliance? But it's really weird that we're getting more support from Germany than from Great Britain these days.
Whatever you do, don't mention the war. Gosh, the darn Krauts have no sense of humor ...
The Royal Navy is the fleet of Great Britain. You know Great Britain, right? It used to be where Britain is now. Sic transit Gloria Mundi.
This is Jeremy Clarkson from 1998, four years before he rebooted the Top Gear show. They still had F-14s on the carrier. This is a very cool look back to Old America when it still was America.
The 1980 film assembled an all-star cast of musicians. This was perhaps the weakest song in the movie.
The English language has evolved for basically as long as there has been English. A great book on this subject is Robin MacNeil (and company) in The Story Of English (highly recommended if you are a history nerd like me).
Well, via a link from someone I've forgotten (sorry! Midwest Chick? A Large Regular?) there is a fabulous demonstration of this where the writer starts in the present and where each paragraph goes backwards in time 100 years. I started getting lost around 1200 AD, and I've messed around casually with Old English before. I would catch the odd word before 1200 but the overall gist was a mystery.
And I love the URL for his site. LOL.
But at the end of his post he links for a Youtube video of a guy who speaks the different versions of English, starting in 400 AD and going forward 100 years at a time. I found this a lot harder than reading, only starting to pick up some comprehension around 1500 AD. But when he turns on transcriptions it's amazing how far back I recognize a lot of words.
Wild. I've embedded it here. Highly, highly recommended. And I guess I'm not the only one who's interested - 1.2 Million views in two months? Yowser.
I posted about this 15 months ago. Midwest Chick has an update:
The New Zealand navy was so proud and happy to have a lesbian from Britain come on board that they gave her a $100M survey and dive vessel, which she crashed and sank.
The lesbian “diversity hire” captain of a Royal New Zealand Navy ship that ran aground and sank off Samoa has been charged with negligence along with two other officers over the loss of the vessel.
The $100 million HMNZS Manawanui, which was under the command of UK-born homosexual Yvonne Gray, crashed on the south side of Upolu on October 5, 2024, due to human error including failure to turn off autopilot, an inquiry found last year.
This is the official inquiry report which is leading to Commander Gray's Courts Martial. Obviously the entirety of His Majesty's New Zealand Navy is a bunch of dirty misogynists ...
Midwest Chick adds this tidbit that I had missed:
This isn’t the first time that a NZ naval diversity hire damaged a ship. It happened in 2024 with a different female captain.
And that’s what happens when you choose diversity over competence. Wonder if the New Zealanders will actually learn from this??
Now maybe our own Navy could do something about our (multiple) female commanders who run into ships on the high seas.
A cruise ship got stuck in the ice off Antarctica, and the Coast Guard (by chance) had an icebreaker nearby. Well done.
I stumbled across this and like it. Not sure if it's Country or not, but if it's finger-pickin' then you're at least Country adjacent.
So Donald Trump seems to be following the ravings here. Consider this post from December:
In general, mid-term elections favor the party out of power. This is true so often that it is almost considered a law of nature, particularly during a President's second term. What you don't ever see is anyone ask why do voters reject the party in power in the mid-terms? There's quite a simple answer.
Fatigue.
The voters have had some time to get used to the Administration and starts to tire of the typical amount of scandal, incompetence, and general dum-assery that any administration accumulates.
That's not at all what we see today. The main focus of the Trump 47 administration has been border security, deporting criminal illegal aliens, economic growth, and lower inflation. There are remarkable results for all of these, despite the legacy media's frantic efforts to hide them.
Each of these are 80% issues - i.e. the issues all get 80% support in polls.
I would go so far as to say that the voter fatigue is on the other foot. It's the Democrats who spent the last four years stumbling through a morass of dumb-assery. And who are all on the 20% end of the issues that voters care about.
And here comes DJT with the State of the Union Address. Here's the TL;DR version:
Boy, those Democrats are crazy, aren't they?
You're welcome.
We are fresh off of President's Day, and this is one of the few country songs that name-checks a President.
TP-Link is facing legal action from the state of Texas for allegedly misleading consumers with "Made in Vietnam" claims despite China-dominated manufacturing and supply chains, and for marketing its devices as secure despite reported firmware vulnerabilities exploited by Chinese state-sponsored actors.
The Lone Star State's Attorney General, Ken Paxton, is filing the lawsuit against California-based TP-Link Systems Inc., which was originally founded in China, accusing it of deceptively marketing its networking devices and alleging that its security practices and China-based affiliations allowed Chinese state-sponsored actors to access devices in the homes of American consumers.
Anyone who has ever ordered something from Amazon that looked like a good deal, only to discover that the photos weren't exactly depicting what you got - you know that the People's Republic of Chine (a.k.s. PRD, a.k.a. Red China a.k.a. West Taiwan) has a very different (dare we say "predatory") concept of truth in advertising than we do on these shores.
Me, I wouldn't buy one of these things on a dare. FYI, they are something like 60% of the market because they're cheap.
In the great digitization of all my family photos I came across this image.
I worked on it in GIMP, because Photoshop costs too much for how often I would use it, and managed, despite my woeful lack of skills, to get it looking like this.
Okay, okay - Mass.gov has been hallucinating for years and years. But now they're automating things:
Today, Governor Maura Healey announced the launch of the ChatGPT-powered Artificial Intelligence (AI) Assistant for the state’s workforce, with the goal of making government work better and faster for people.
"Open the pod bay doors, HAL."
Is this plausibly the first rap song? Probably not because it's actually a fun listen.
I've recommended Mint Linux before, but this is a great overview of why users new to Linux should consider Mint.
Tomorrow we'll talk about how a seasoned IT guy has moved from Windows to Linux. Spoiler alert: it's less technical work to make Linux work right than it is to make Windows work.
I've posted this each President's Day for quite some time but have found no reason to adjust the rankings.
It's not a real President's birthday (Lincoln's was the 12th, Washington's is the 22nd), but everyone wants a day off, so sorry Abe and George, but we're taking it today. But in the spirit intended for the holiday, let me offer up Borepatch's bestest and worstest lists for Presidents.So happy President's Day. Thankfully, the recent occupants of 1600 Pennsylvania Avenue haven't gotten this bad. Yet.
It's been a while since I posted Blues on Thursday. Mea maxima culpa.
So here's what may be the Platonic Ideal of a Blues Ballad. If you don't like the Blues but you do like Pink Floyd* then you'll like this.
* A band with deep roots in the Blues.
OldNFO has an important post about how Microsoft is moving very aggressively to a 100% online subscription licensing model. This is important enough that I won't excerpt any of this; instead, you should go read the whole thing. It's not too long, but if you care about the security of your home network (especially the whole who has access to my data and can I even know thing), go read. I'll wait.
What this means is that you don't own any Microsoft software. Sure, you may think that because you paid them money (most often when you bought your computer - some of that purchase price went to Microsoft in the form of a license fee for Windows). But you actually don't own "your" copy of software. At all.
Rather, you have the right to run the software on your computer. That may not seem like a big difference, but it is. The license agreement (you know, the one you didn't read before you clicked "I Agree") allows Microsoft to change the terms of the agreement at any time, at their pleasure.
Microsoft has just done this in a big, big way. Key new stuff in Windows 11 is:
The proper technical term for that first bullet point is that your Windows operating system is essentially now an "AI Agent" which if you are a regular reader you know is very, very bad security juju.
Combine this enormous security hole with the requirement to essentially be online 100% of the time (bad security) and the liklihood that OneDrive will slurp all your data to some Internet black hole in a Microsoft data center, Windows is simply unsecurable.
Yes, I know that is inflammatory, but there is simply no way that you can get assurance that your security is sane. I say that as someone who has spent decades inn Internet Security (and particularly in security assurance). Not to put too fine a point on it, but I don't think that I could get decent assurance that things aren't going "bump in the Net". For most of the readers here, it's not even worth trying.
So what do you do, assuming that you are not a tech nerd like me?
Interestingly, Microsoft has just flipped the technical script on this. It used to be that it was easier to stay on Windows than to move to alternatives like Linux. Now that's out the window, at least if you want to protect your data from that OneDrive vacuum cleaner and whatever the AI agent will do to you.
But this is admittedly a big step for a lot of people. So as it turns out, you can "kick the tires" on all the different flavors of Linux without installing it. All you need is a web browser.
This is really slick. The Linux equivalent of the Windows Start Menu lets you try all the apps (I use the Office apps which are every bit equivalent to Word and Excel, etc, and will save files in Microsoft format like .DOCX).
Take a few weeks poking around, you will likely see that it's not a big learning curve.
Long time Internet Security guy Fred Cohen has some interesting thoughts on how AI can be less obnoxious [PDF]:
The nature of the problem (I think) is that the attempts at safety reflect the behavior of the people who programmed and trained the AI engines, and they are apparently snarky, obnoxious twits that think its better to argue about meta issues than to serve their customers, like me, with the real capabilities they have developed.
Their version of safety is the opposite of mine. If you want children to be safe from AI, don’t let them use it.
If you want adults to be safe from AI, don’t make it available.
If you want a ship to be safe, don’t put it out to sea… but that’s not what ships are for. We trade the utility for the safety, and while making ships that leak like a sieve is a bad idea in my view, making ships that don’t sail is a fruitless effort.
...
Solution
The solution is to put someone in charge of these mechanisms in these companies who is not a snarky, obnoxious twit… and I hope this doesn’t exclude me from the candidate pool.
There are also some rather direct solutions to the problem of providing information to people where the information is not something that should be provided to anybody as a matter of policy. The most obvious solution is not to incorporate any of that sort of policy-violating information in the learning process.
Of course the snarkiness is the same problem. If you don’t teach the LLM to be snarky by feeding it snarky crap, it will probably not behave that way. It’s no different than a child brought up by respectful parents vs. disrespectful parents. They learn from their teachers.
Conclusions
If you don’t want trouble, stop asking for it. If you teach a dog to bite, you are unlikely to be successful at later telling it not to. If you train an LLM with views of pedophiles, fraudsters, and murderers, you are unlikely to get it to not carry that behavior through later on.
I think that Fred's entirely correct here (note that we ignore the very serious problem of AI Hallucinations here). AI training is generally crap layered on top of the hallucination engine*.
But I wonder if this is an opportunity for AI companies? If you did a better job training the AI to be well-behaved (like you'd do with your kids or your dogs) would you have a different - and more attractive AI offer? How about politeand wellbehavedAI.com? That's a branding that would stand out from all the others. You could market it to parents worried about their kids, or to old fuddy-duddies like me who hate everything about AI?
I smell a billion dollars of venture capital here ...
* It seems very likely that the AI algorithms cannot be prevented from hallucinating.
Quote of the Day goes to B, who hits center mass:
50 years from now, no one is gonna bother to restore an electric Mustang to collect or drive.
Just sayin’.
Yup.
Farewell to the Washington Post. Journalists never cared when mills across the land shut down and people and towns were wiped out; now it's wailing like the End Of The World by journalists, for journalists.
I'm having trouble summoning up sympathy. Welcome to the club, pal.
This is a fascinating breakdown of the (quite serious) engineering problems facing SpaceX as they attempt to build a Mars city.
Last year a company called Magellan sent a deep sea rover 15,000 feet down to the site of the final resting place of the battleship Bismark, sunk 86 years ago. The video is simply spectacular. Here is a shortish excerpt with commentary.
And since we're talking about the Bismark, this song is obligatory.
In this case, marine diesel engines which used to be famously long lived. The Detroit Diesel engines of old were famous for running 20,000 or 30,000 hours before a four day rebuild at the dock set them up for another 20,000 or 30,000 hours. You couldn't kill these engines. Rather, you would leave them to your kids in your will.
That's over now, and it's because of the EPA. Over a span of 15 or 20 years, they ratcheted up the emission requirements for these engines to the point that Detroit Diesel would be fined millions and millions of dollars for selling their old (famously reliable) design.
And so now you have to rebuild after 10,000 hours, and you have to replace three times as many parts. Plan on a month, rather than four days.
This is a very interesting video on the subject. While I'm not an expert on diesel engines, it certainly seems solid from an engineering perspective.
Here are the main points.
1. Pressures have gone from 10,000 psi to 30,000 PSI for a bunch of EPA-imposed constraints. This shortens the lifespan of parts used in the engines.
2. The higher pressure means that engines are much more vulnerable to bad diesel fuel: water particles or tiny flakes of rust now essentially sandblast the pistons, valves, and cylinders. This didn't used to take place at the old lower pressure. This sandblasting effect shortens part life even more, which makes engine rebuild and cost even higher.
3. Because parts will fail much more often now, manufacturers put all sorts of sensors in place. The sensors themselves can fail - the high seas is a notoriously unforgiving environment and salt water will get into the engine room. This causes corrosion, which triggers sensor faults. The engine's computer (itself a new thing, with software of questionable quality) will detect the fault and sometimes put the engine into "Limp Home Mode" - not allowing it to go above, say, 1000 RPM. A ship in a storm may find its engine dangerously under powered, putting at risk the lives on board and the safety of the ship itself. If a ship sinks in a storm under these circumstances, the fuel oil in the tanks will pollute the environment.
4. Not pointed out in the video, ocean-going vessels do not have to worry about emissions. From a pure regulatory perspective, that is. However, finding a new engine with all the design "upgrades" discussed here is the challenge. I don't know what EU regulations are, so maybe a MAN engine doesn't have to deal with this. But I'm nasty and suspicious and think that EU regulations could be even worse than EPA's.
Thanks a whole lot of nothing, EPA. You're supposed to protect the environment. Oh, and not get Americans killed.
The only thing I think is unfair about the video is the title. Engine manufactures design their engines to fail after 10 years because the EPA forces them to.
You could roll back all the environmental regulations since 1990 and shutter the EPA and this Republic would be a whole lot better off.
And more importantly, which should you not trust?
This post is the fourth in a series on how to make your home network harder to attack. Here are links to posts one, two, and three.
Now you might think the question in the post title is a bit strange - after all, these are you devices, so you'd think that they're all trustworthy. You'd be wrong. There are at a minimum two different categories of trustworthiness:
Your main computing devices. These are computers (duh) such as laptops and desktop computers, servers (a future post will talk about why these can be useful to you, and your cell phones (which are nothing but tiny hand held computers).
Now I've been in security for long enough that I get a bit twitchy about mobile phone security (I'll address this in a future post as well). However, that ship has sailed and even a security nerd like me won't bother making a separate network just for these. So they're computing devices for this discussion.
Then there's everything else. It's surprising how any Internet-connected thingies there are these days. Ring doorbells, Nest thermostats, online appliances (fridges, washing machines, etc). At this point the Borepatch from four years ago would have told you to just walk away from all this nonsense. Don't Internet-enable anything in this category.
Today's Borepatch sighs and tells you that this is coming to a home near yours. It's here in my home. No, not the thermostat (which was installed by the previous owner and which I have not connected to the WiFi). However, the TVs all come with streaming apps for Netflix, Prime, and Youtube (among dozens of others). And The Queen Of The World reminds me that the kids like to stream when they come and visit. She likes it when they come and visit, as do I. And so we have to do something for these devices.
Fortunately, you don't need any new kit to do this. If you remember from the last post on water tight compartments, you don't own the Internet box from your network provider. Basically, you can't trust it, so you install a new firewall box running DD-WRT. It's trustworthy because you own it and have your own software and configuration on it.
All of your main computing devices connect to it's WiFi. All of the other devices (doorbells, thermostats, TVs, appliances) connect to the WiFi from your network provider's box.
What you've done is to put a firewall between your computing devices and your untrusted devices. It doesn't matter if your TV gets hacked because it can't get through your DD-WRT firewall to your computers.
Likewise, your TV is at least somewhat protected from the outside world because it's behind the firewall in your network provider's box.
This is a fascinating conversation.
This is SO not like the NASA interviews when I was a kid.
Who would have guessed a hundred years ago that Stanley Baldwin was right?
I dunno - he looks a little Woodrow Wilsonish to me. But if you're right, you're right.
And Nota Bene: it seems that DuckDuckGo can't find the link to that last post. Strangely, Google can. Search sting site:borepatch.blogspot.com best worst presidents on each site. So long, DuckDuckGo, it's been fun. But I can't trust you, and neither should my readers.
This post is the third in a series on how to make your home network harder to attack. Here are links to posts one and two.
Post two introduces the concept of a Firewall which is a device that lets you connect to the Internet without letting the Internet connect to you. Firewall technology comes embedded in your Internet provider's device like a Cable TV modem. A recent article does a comparison on a number of these devices.
If you look at the device it will look a lot like this:
Installing the device is really simple - red (labeled "WAN") goes to the outside which is untrusted, and yellow/WiFi go to your own devices which are trusted.
Except nothing is as simple as that. Your Internet provider actually owns the firewall device, it's not really yours. Some providers run their own WiFi network for other subscribers who happen to be passing by - Verizon is notorious for this, and you will often find all sorts of WiFi networks called "VerizonXYZ" or some such.
So who is outside the firewall, and who is inside? The question may sound pedantic but it's terribly important. Fortunately there is something you can do about this.
Ships used to sink all the time but this is pretty rare these days. One major reason for this is that they are divided into compartments which are watertight - if the ship hits a rock (or, like the Andrea Doria gets rammed by another ship) only one compartment will flood and the ship can likely make it to port.
_under_construction,_1_April_1940.jpg) |
| USS South Dakota under construction |
And it really is your firewall, although you'll have to buy it with cash money. But your devices connect to your firewall's yellow network connections, or to your firewall's (NOT your provider's firewall) WiFi.
Now you don't have to trust your provider because their device doesn't have access to your internal "watertight compartment".
Linksys, Netgear, and TP-Link are low cost options, running $30 - $70 or so.
The first thing you should do is replace your firewall's operating system with dd-wrt:
DD-WRT is a Linux based alternative OpenSource firmware suitable for a great variety of WLAN routers and embedded systems. The main emphasis lies on providing the easiest possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.
Here's a step by step tutorial on how to install dd-wrt on a Netgear device:
[UPDATE: Rick T in the comments says to check the dd-wrt website before buying a device, to make sure that the software supports that particular hardware.]
Why go to this hassle? Product longevity. Consider a $60 Netgear device. The profit margin on this to Netgear is probably $5. You can't pay for a lot of enhancements or security bug fixes with that. DD-wrt is an open source project with a bunch of passionate contributors. I like my chances on having a viable, supported software five years down the road with them. Not so much the device manufacturers.
So now you have a device you can trust for the long term. We're not done yet, because there's all sorts of new tech evil that people want to use - Ring doorbells, Alexa, etc. That's tomorrow.
Forget about the Internet and security for a moment - you already own something with a firewall. Your car has one between the engine and the passenger compartment, even if your car isn't a sweet 1969 Dodge Charger.
The firewall in your car is designed to contain engine fires to the engine compartment, not letting the flames spread to the passengers. Firewalls have been around cars for a long, long time - certainly since the 1930s, and probably a lot longer.
Now back to the Internet and security. Internet firewalls are designed to keep bad things (and Bad Guys) out of your network, so they don't burn down all your devices. Yes, I stretched that metaphor, but that's exactly where the name came from.
An old Internet wag once described a firewall as a device that "keeps the bad guys out while letting the good guys out". That's a really good description. Internet firewalls have been around for basically as long as there has been an Internet, say from around 1990. The technology is very well understood, and very mature. That's the good news.
The bad news is that there are a million ways to set up your firewall so it's more full of holes than Swiss cheese. This post will try to help you avoid this.
More good news: your Internet Provider almost certainly has a firewall capability in hte box that gives you Internet access. For example, if you get Internet via cable TV, you have not only a cable box that changes channels, you have a separate box that gives Internet. That thing has a firewall built in, so yay.
You an check this yourself via a web site that I've linked to a number of times over the years, Steve Gibson's Gibson Research. You should see something that looks like this:
So what went on when you ran that? There are a bunch of Internet services like web, email, and so on. Each uses a "port" - email is 25, web is 80, there are a bunch of others. What Gibson's app did was to try to connect to all of these posts on your IP address. Ideally, your firewall (like mine) dropped these connections in the trash can.
So from a first cut, your firewall is letting you out onto the Internet (so you can read this, hello!) but keeping the Bad Guys out.
But the devil is in the details of how we (and our devices) use the Internet. The next post in this series will explore this: Secure Your Home Network: Can (and should) you trust your devices?
This is the beginning of a new series about what (mostly) non-technical readers can do to lock down their home networks to a decent level of security. I need to start with some caveats here:
So if you're interested in this kind of thing, and are willing to spend a nominal amount of time and money to raise the bar on your home network security, follow along on this series of posts.
Tomorrow's post: What is a Firewall and why do you care?
The top 4 are all very, very old. I myself demonstrated #4 when I taught a computer security class (with corporate IT Security present) back in 1994. That's three decades ago.
And what's with numbers 11 and 14? One of the classic papers on software security is Smashing The Stack For Fun And Profit - from 1996.
Numbers 3, 6, and 22 are web server vulnerabilities that are over 20 years old, and I've posted about them before.
17, 19, and 21 have been known since before I was in this industry. Call it the 1980s, although it's likely older.
I guess it's nice to see a shout-out to DoS (number 25) although geez, this is depressing.
So that's half the list having been known for literally multiple decades. So what gives?
I blame Agile Software Development. I guess I'm the cranky old guy yelling at the sky here, because this is how all software is developed these days. Product Managers (my old field) are to blame here, having spent the last 20 or 30 years pushing Go Ugly Early - get working product shipping as soon as possible and let customers tell you how to improve it. Essentially, a lot of what you would have the developers spend their time fixing are things that customers just don't care about.
This has led to a pushback of sorts from software professionals, particularly the Software Craftsmanship movement. Their manifesto is interesting:
As aspiring Software Craftsmen we are raising the bar of professional software development by practicing it and helping others learn the craft. Through this work we have come to value:
- Not only working software, but also well-crafted software
- Not only responding to change, but also steadily adding value
- Not only individuals and interactions, but also a community of professionals
- Not only customer collaboration, but also productive partnerships
So what's missing from this? How about don't keep making the same dumb security mistakes that people have been making for decades?
And what do Product Managers miss in their rush to go ugly early? How about don't keep making the same dumb security mistakes that people have been making for decades?
And so here we are. The IT infrastructure of the 21st Century has been constructed out of moonbeams and cotton candy.
I don't see anything changing here, as the incentive structures are all stacked against good security.
