Al Macintyre: Security

Sun, 22 Dec 2002 08:21:38 GMT

Copy of report referred to in NYT story re: Total Internet Monitoring plan. This link to a September, 2002 draft of "The National Strategy to Secure Cyberspace" appears to be an earlier copy of the report mentioned in today's NYT story about Bush administration plans for centralized monitoring of the Internet.

Link Discuss (Thanks, Tom!)
From [Boing Boing Blog]

Mon, 16 Dec 2002 08:09:43 GMT

I started post here today with my idea for e Bounty Hunting of spammers, virus creators, and other e-unwanteds.

Sat, 07 Dec 2002 19:05:51 GMT

Court to rule on software that copies 'protected' DVDs. New Scientist Dec 7 2002 7:05AM ET [Moreover - Science news]

Interesting case here

The really interesting arguement here is that the copy protection scheme has a humogous loophole or design flaw ... the backups of movies are made at a point in the process when the copy protection scheme is non-functional, so nothing in fact is being spoofed. The courts will have to rule on whether or not it is legal to exploit the stupidity of your adversaries.
I thought copyright law made it legal for us to backup software, but did not make it a right, so that software companies were free to offer stuff that is impossible to backup.
I thought copyright law with respect to software backups allowed multiple backups, but basically ruled that only one copy could actually be running ON THE COMPUTER with ONLY ONE USER per software license.
This article implies that I thought wrong about that, and that we are back to the interpretation that loading software from CD Rom or diskette or Internet download is a violation of copyright law because we are COPYING it from the purchase media into our computer.
I thought copyright law was a bit different for different kinds of media ... software, printed literature, music

Sun, 24 Nov 2002 08:35:24 GMT

[David Fletcher's Government and Technology] has many links of Security Interest: QUOTE

The Center for Democracy and Technology released statements regarding the passage of the Homeland Security act and the draft National Strategy for Securing Cyberspace.
FBI's annual crime report.
Security Focus headline: US gov's 'ultimate database' run by a felon
ITAA and the US Attorney's Office, District of Utah sponsored a Regional Forum on Combating e-Crime and Cyberterrorism.

Fri, 22 Nov 2002 04:53:51 GMT

[Ernie the Attorney] QUOTE - I was at Ochsner hospital today (my teenage daughter was having a benign tumor removed, and everything turned out okay). When she was in the pre-op area I noticed the laptop in the room that was on a rolling cart. It was a Dell laptop with a Wi-Fi antenna and, though the power socket was plugged in, the cart was designed to move around from place to place (obviously after unplugging the power cord).

I asked one of the nurses about the wireless system. She told me that the mobile laptops have been used in the surgery area for about two years, and were now being used throughout the hospital. The wireless laptop has access to the Internet, but the laptop is configured with special software that the hospital uses (and other hospitals use as well) for immediate entry of patient information directly into a central database. This allows the hospital to have the patient's information updated on the computer system in real time.

I asked her what she thought about the system. She said that it had taken her awhile to get used to it. The hospital apparently only sent about four "power users" to be trained and then they trained everyone else. But now that the system was running she said it was very good and only had a few problems. She agreed that it was overall a good thing and would lead to better information about patients and less reliance on paper. But she complained that she still had paper forms to fill out and, in fact, had even more paper forms to fill out because of the new system. She said it this was bourne out of an obsession for "backup." I don't think she really knows what the real reason is, but I wouldn't be surprised if she was right. Hospital administrators live in dread fear of mishandling patient records, or at least of being accused of doing so.

But I digress from the more important point: wireless in hospitals.

I knew that Oschner had started to implement a wireless network because one of our firm's outside computer consultants used to work there and had told me about their initiative. I understand that it is a difficult proposition for a hospital to try something like this, and I'm glad to see that Ochsner is giving it a try. I don't know how they've got their system set up, but I will say this: I booted up my laptop in the patient waiting area (which is admitedly far away from the surgery area, i.e. +500 feet) and didn't pick up any signal. Obviously, in terms of network security, that's a good thing.

UNQUOTE [Ernie the Attorney]

Tue, 19 Nov 2002 20:08:39 GMT

I started a story on Identity Protection, which collects various ideas on what to do to minimize our risk of someone stealing our credit, and what should be done after an incident, beyond the standard advice.

Mon, 18 Nov 2002 08:19:18 GMT

www.netcrimes.net and Misdemeanors is the latest book I have taken a look at. It is written great! Each chapter is a mixture of stories of real problems for real people, showing us what it is to be a victim of out-of-control: cyber-stalking (get help via www.haltabuse.org if you a victim of this); identity-theft (more kinds than I knew about, which means I need to say more in Identity Protection than what was implied by Stop Identity Theft because my Banking Stories may have distorted my vision as to where the greatest threats come from, www.cybersnitch.net has advice how not to become the next such statistic); hostile people out there posting stuff that pretends to be from you; spam; hoaxes; all sorts of frauds; what you ought to do about it, with tons of useful links. Some of these connections will be making their way onto my web site in future postings. Some have already come here, although with a somewhat different spin than that of www.jahitchcock.com J. A. Hitchcock. Here are some wonderful starting points.

www.trf.k12.mn.us/lhs/shutthedoor.html = safety brochure to help schools and law enforcement understand about anonymous e-harrassment and what can be done about it
If you want spam or want more than you already getting, then sign up at www.iwantspam.com
If you sent $ in the mail to some place to buy something that was communicated to you via the Internet, and you now think you have been cheated, prompt contact with postal inspectors can put a scammer in the slammer www.usps.gov/websites/depart/inspect
Got questions about computers and the Internet? Check out http://whatis.techtarget.com and www.askanexpert.com
Do you suspect that there are programs hiding on your computer that should not be there? I not talking viruses & trojans but spyware. Check out www.cexx.org/problem.htm and www.lavasoftusa.com
Let's suppose someone might be impersonating you and behaving in a disreputable manner, you can keep track of yourself online by submitting your first & last name, or your e-mail address to www.tracerlock.com and they will e-mail you when it finds a match (I know I am in a LOT of places legitimately)

Fri, 15 Nov 2002 21:10:08 GMT

[Ernie the Attorney] QUOTE Oops! Honey, I forgot to redact the document! - giving your opponent a document with sensitive information exposed is not a good idea. That's why people use black markers. But what about electronic documents? Anyone ever hear of "meta-data"? Please, people. Let's be careful out there. If you are an attorney and don't know what I'm talking about (especially if you use Microsoft Word) read this. UNQUOTE [Ernie the Attorney]

In earlier posts I have shared how Word documents can contain all sorts of stuff you not want to share, and how unscrupulous people can send you what seems like an innocent document, but it really contains software that acts like a virus to do Industrial Espionage. That is a great link by Ernie to an article on www.law.com about electronic documents in general. It is not just Microsoft stuff you have to manage.

Thu, 14 Nov 2002 18:45:57 GMT

I have added Stop Identity Theft which has my proposed solution to a problem that causes grief to far too many people today.

Thu, 14 Nov 2002 04:33:05 GMT

e Week has a big story on where the jobs are in the USA for computer people.

There are a lot of us who are somewhat depressed about the economy, large layoffs all over the place, dot com melt down etc. We can forget that while the economy may be bad overall, there are always places with growth and stability. They move around the country as geography and technology evolves. Some industries have not suffered in the current economy, such as biotechnology, health care, defense spending, which has led to growth in computer jobs some places. e-Week analysed data from the federal Bureau of Labor Statistics and other sources, and concluded that the best areas of the country to relocate to, if you want to be where the computer jobs are:

New York's Capital Region
- Thanks to IBM, Eastman Kodak, Bausch & Lomb, Corning, and other companies, this area was a tech center long before the dot com boom. In 1999, NY ranked 4th in the nation for attracting venture capital, and 3rd for R&D spending. This seven county region, consisting of Albany, Troy and other cities, continues to have a strong economy for growth in computer jobs. One of the newest companies here is looking for experts in bioinformatics, such as analysis of DNA sequences for nanotechnology. Check out www.hightechNY.com for current job openings.
Northern Virginia Beltway

Defense Contractors are booming with approx 5,000 IT jobs going unfilled. Background checks for a good security clearance can take 18 months. Biomedical also has great prospects.

Southern California's Inland Empire

East of Los Angeles created 29,700 new IT jobs in July and 26,000 in August, the highest rate in the nation, because it has become a major center for distribution, thanks to inexpensive land, a diverse industrial base, including industries that are today's drivers of tomorrow's economic growth.

There's an article of tips for relocating, and one on the methodology they used to determine the three top areas.

Mon, 11 Nov 2002 18:00:46 GMT

[Boing Boing Blog] QUOTE

Open spectrum explained for the laity. Seattle Times has run a great story on the group of "lawyers, engineers and telecommunications analysts" who are lobbying the FCC for cognitive radio and open spectrum.

In an ideal world, the FCC would treat the airwaves like a highway system nobody owns and enforce rules governing how people use its lanes without crashing into each other, the group says. And in cases where this isn't possible, the FCC would allow people to drive across other people's "property" as long as they keep a low profile and don't do any damage.
Given this freedom, inventors and entrepreneurs would invent new vehicles and new ways of using the highway, the thinking goes. Consumers would finance the development of the airwaves by buying the devices that suit them best and abiding by the rules of the road that prevent nasty accidents.
But to make this vision a reality, the devices need a slice of the spectrum that would form a virtual park or an airwaves commons where equipment makers and others could experiment. In addition, common protocols — industry standards that allow devices to understand each others' communications — and rules are needed to prevent accidents and to make sure everyone gets a fair shake.

Link Discuss (Thanks, Howard!) [Boing Boing Blog]

Let's hope the FBI crew that's checking up on War Chalkers, also reads this perspective. I also think there may need to be some standards to avoid electronic smog, where equipment is controlled by signals delivered by wireless, but the wireless can also pick up signals from unrelated activity that is sharing the same spectrum. If the controller cannot tell the difference between the authorzed control signals and the unrelated traffic, then something can crash, which can be very dangerous if that something is robotoic, transportation, medical, public services, etc.

Fri, 01 Nov 2002 17:19:12 GMT

Risk Management tips in Oct 2002 Praxis includes ways to hide your e-mail address from spammers, yet still make the obvious to real people (see in my Search Engine Tips the many ways to get at people's e-identity), also what viruses trojans worms etc. threats and Microsoft Vulnerabilities are going around and what you can do to protect yourself.

Tue, 29 Oct 2002 18:50:12 GMT

The Economist: The weakest link. Human failings, in other words, can undermine even the cleverest security measures. In one survey, carried out by PentaSafe Security, two-thirds of commuters at London's Victoria Station were happy to reveal their computer password in return for a ballpoint pen. [Tomalak's Realm]

Sat, 26 Oct 2002 18:04:52 GMT

What I personally fear the most about embedded chips is that

If having this chip makes it easier to find someone who has been kidnapped, then at the same time, having this chip makes it easy for would-be kidnappers to find their victims, chop out the chip from the body, and leave it with a ransom note, so that when the rescuers zoom in on the chip, they find what the kidnappers want them to find. Also kidnappers can browse info about people in a crowd, to match up someone easy to seize with someone who is worth seizing, on the basis of what the embedded chip tells them, when they look up the code number.
Some institutions will begin to require that their employees or customers have this embedded chip as part of their security system.
Potential crooks will think the embedded chip is the only thing they need for access to the facility.
Humans will be assaulted for the purpose of chopping off whatever part of their anatomy is thought to contain the chip, so that the crook can then use a human arm with an embedded chip as the key to try to unlock access to whatever facility they want to break into.
- At one college, it is your thumb that the thieves will want to chop off. http://www.wired.com/news/privacy/0,1848,53912,00.html http://www.vortex.com/privacy.html
It is bad enough now that crooks want to steal my wallet, or break into my home and steal property from me, or steal my identity, but with this technology, future crooks will want to chop off part of my body.

Wired Articles on Privacy:
http://www.wired.com/news/privacy

http://www.wired.com/news/privacy/0,1848,55999,00.html

The initial version of the VeriChipID is the size of a grain of rice. http://www.adsx.com/prodservpart/verichip.html It needs to be activated by a scanner. It gives a code number, that when looked up in a data base, gives whatever info the wearer has decided will be in that data base. However, much more advanced versions are in the pipeline, such as Digital Angel, which combines Global Positioning (GPS) system and monitoring service, to help keep track of people with certain medical conditions, school children, where the legal system needs to keep track of them, and potential kidnap victims. Sex Offenders are branded for life in some states, but not yet with this chip. Perhaps some Catholic Priests need to have the Mark of the Beast added to their anatomy, so parents can scan child care providers before entrusting their children to their care.

http://www.wired.com/news/business/0,1367,50004,00.html

http://www.wired.com/news/privacy/0,1848,55740,00.html

http://www.wired.com/news/school/0,1383,54604,00.html

http://www.wired.com/news/business/0,1367,53075,00.html

Remember Lojack? http://www.lojack.com/ This is a system used to help the police locate stolen vehicles, that have had Lojack installed in advance. Depending on how large Lojack is, and how obvious it is to thieves who might want to remove it during the theft, before the theft is discovered, some people might want this installed on other products of value ... would it interfere with the operation of a computer for example?

Well what we are talking about here is a similar concept embedded in human bodies.

A similar chip has been embedded into pets so animal shelters can identify the owners. Three different companies market these devices. There is some controversy over whether the technology works as advertised.

http://www.gcn.com/archives/sl/1997/November/desk.htm

Several versions of this product, from several companies, are being marketed in Latin America with an GPS that keeps track of where the person is, who has the chip. This can help locate people who have been kidnapped, before the kidnappers remove the chip from their bodies, and it can also be used by kidnappers to help them find their kidnap victims. Kidnapping is big business in South America, and the US State Dept has a travel warning on Columbia due to this. A politician in Brazil has volunteered to be chipped, to demonstrate how safe it is to the people. The capital of Brazil is also the kidnapping capital of Brazil.

http://www.wired.com/news/business/0,1367,52253,00.html

http://www.wired.com/news/business/0,1367,50004,00.html

http://travel.state.gov/colombia_warning.html

http://www.wired.com/news/technology/0,1282,50435,00.html

Wherify makes a bracelet that parents can lock onto children wrists, to allegedly track their physical movement, and their Internet travels, to allegedly keep the children safe, until a kidnapper removes the bracelet. http://www.wherifywireless.com/corp_home.htm If the child strays, does not report in when supposed to, the parents can use the internet to identify the child GPS signal on the map.

http://www.wired.com/news/school/0,1383,54604,00.html If the child encounters a situation he or she has been trained to deal with, like a stranger making certain claims, the child can punch a 911 button to send an alert to the police that is GPS linked. The device can also send out a police alarm if someone tries to forceably remove it, so obviously the criminals have a bit of work cut out for them to jam the signal before they do the removal. http://www.wired.com/news/business/0,1367,55731,00.html

However, the technology exists such that the parents could have software continuously checking on where the child is in transit, to make a little map of all the places the children have been to, and the speed of transition (implying when in a vehicle in excess of speed limit).

There is a big controversy over what the FDA has to say on the subject, with representatives of Applied Digital Solutions site/ad http://www.adsx.com/ mentioned in the article, claiming that different FDA have been telling them contradictory stories.

I have a hard time believing that the Applied Digital Solutions chip was accurately depicted to FDA personnel who told Applied Digital Solutions that this chip did not need FDA approval, if the company proceeded in a certain way in their advertising claims and statements to the media, because Section 201 of the Federal Food, Drug, and Cosmetic Act, implants and other devices that "affect the structure or any function of the body of man or other animals" require government approval. http://www.fda.gov/opacom/laws/fdcact/fdctoc.htm Any foreign object inside human body, for any length of time, has the potential to impact that human's well being, and thus must have FDA approval. Many implants, that have no medical purpose, come under FDA regulation.

However, it is clear from news reports that someone at the FDA did in fact approve the Applied Digital Solutions chip, but not 100%. http://www.wired.com/news/politics/0,1283,55952,00.html

Perhaps we want to invest in Applied Digital Solutions, as there are sure to be lots of people who will want to buy the product, without taking the risks seriously, but suppose there is law suit thanks to major abuse? Be ready to sell the stock real fast. Applied Digital Solutions is also in the news because of conflicts with their auditors, which puts them at risk of being in violation of their restructured loan with IBM Global Credit.

http://www.wired.com/news/ipo/0,1350,52499,00.html

FDA = http://www.fda.gov/ = Food and Drug Administration

Hearing Aids, Contact Lenses, Tattoos, surely are less intrusive on our bodies than embedded chips, but they are in fact covered by FDA regulations. Something does not compute here.
Anything we eat is covered by FDA regulations, with a large chunk of the food chain from agriculture also covered, and packaging of Halloween candy to give to kids
Any medicine we take is covered by FDA regulations
Vitamin Pills and alternative medicine covered by FDA regulations
Medical tools in the home like thermometer or blood pressure measure or know if pregnant are covered by FDA
Chemicals placed on our bodies, like cosmetics, ointments, anti-mosquito repellant, sun tan, you name it, is covered by FDA
Products that emit radiation, are covered by FDA regulations, such as Cell Phones, Lasers, Microwave Ovens, Personal Computers ... but somehow this embedded chip in our bodies which is connected by radio to GPS to track who we are and where we are, is to be exempted from FDA regulations. I have a hard time believing this story.
Safety of nation's blood supplies, from say West Nile or AIDS, is covered by FDA
On-line medicine and imported treatments covered by FDA
Bioterrorism information from FDA web site

FDA Investigator's Concern about potential health risks to humans from having this chip embedded in their bodies:

http://www.wired.com/news/business/0,1367,55626,00.html

The Jacobs family in Florida got a lot of publicity when they got chipped,

http://www.techtv.com/news/culture/story/0,24195,3372523,00.html

then a week later the FDA announced that it was investigating the company, and as a result NASDAQ temporarily put trading of Applied Digital Solutions on hold.

http://www.techtv.com/news/culture/story/0,24195,3384927,00.html

Apparently, during a press briefing of the implications of what had happened with the Jacobs family in Florida, Applied Digital Solutions representatives spoke of the chip being linked to FDA compliant medical data base. The FDA says it is illegal to use the FDA name in such a way that it sounds to be an endorsement of any product.

Any company, that is marketing products that might have government approval implications for some aspects of their products, ought to have its marketing department briefed by appropriate lawyers with respect to what you can say and what you ought not say. It sure sounds like Applied Digital Solutions is not following that safety protocol, which so far has resulted in a whole series of foot in mouth incidents that will probably eventually cost the company millions of dollars in fines, lawsuits, and lost business. I can only conclude that either Applied Digital Solutions management is extremely inexperienced, or deliberately taking serious chances because they think the publicity and scandals will help them much more than any damage.

Additional Links to stories about the Jacobs family.

http://www.techtv.com/news/culture/story/0,24195,3384209,00.html

http://www.techtv.com/news/culture/story/0,24195,3384016,00.html

http://www.wired.com/news/privacy/0,1848,50187,00.html

I have not been following this story in detail, so it is not clear to me what the precise sequence of events are. The news media seems to be implying that of Applied Digital Solutions tried to put something over on the FDA, and the FDA either fell for some of it, or we are already seeing abuses.

Remember Lindows, where that company clicked I agree that everyone has to click to get a product, then in their advertising claimed a relationship that the I agree vendor felt was excessive and sued to have them stop saying that? Well the FDA has a similar gripe, and they are not the only place with gripes.

Allegedly Applied Digital Solutions asked the FDA what they had to do to avoid needing FDA approval, then after FDA told them, they both violated that understanding, and advertised that they had government approval to market the thing. Here is another example of where Applied Digital Solutions actions have triggered a storm of media controversy ... was it deliberate or by mistake?

It sounds to me that if the FDA told them what they had to do to avoid needing FDA approval for the device, and if they complied with those conditions, then they did in fact have government approval from the FDA, and the only problem would be with how they phrased it.

Allegedly Applied Digital Solutions asked various hospitals if they would be willing to provide this chip as a service. 12 hospitals said they interested in exploring what's involved. Allegedly Applied Digital Solutions then claimed the 12 hospitals were now offering the service. http://www.techtv.com/news/culture/story/0,24195,3384209,00.html

This sounds to me to be very sloppy business practice, or outright attempt at fraud, another example of where Applied Digital Solutions actions triggered a storm of media controversy ... was it deliberate or by mistake?

FDA Spokesperson Claim that so long as no medical information is involved in this tracking of human beings, it is not subject to FDA regulation. It is Ok to have it connected to a medical data base, and it is Ok for people to use it to save them in medical emergencies, but so long as the device itself is not gathering medical information about the person it is embedded in, it is not subject to FDA approval.

http://www.newsday.com/ny-fdachip0406.story?coll=ny-homepage-more-breaking-news

The Executive Director of the New York ACLU says that this has enormous potential for benefits at the same time as enormous potential for abuse. I agree with both.

Potential benefit and abuse at the same time

National Identity

Potential benefits

Similar to medical alert bracelet ... you wheeled into hospital unconscious, and this thing tells medical professionals what you would have told them had you been conscious, about your medical allergies for example.
Your child is kidnapped, and assuming the kidnappers don't have one of these scanners to locate and destroy the chip and injure your child in the process, the police use GPS to find your child.
Alzheimer's patients who may get lost.
Some felon is supposed to report to authorities regularly, out on bond, or on parole, but of course this only works for criminals who lack the desire to cut up their own bodies to remove the thing. http://www.ptm.com/
Article listing benefits and claiming no risk to privacy. I do not believe the latter claim. http://www.techtv.com/siliconspin/features/story/0,23008,3375490,00.html The article claims that the data bases will be protected using the full state of art, but I know from past experience and education that the state of art is full of holes. Plus, there are various risks I talk about elsewhere in this post.

Potential abuses

Many concerns stated above, such as the risk to having our arm chopped off if the chip is used for something really critical access, such as security key to get into a facility that terrorists or criminals desire to get into.
You walking, minding your own business. Someone scans you, gets your code #s, looks up the data base, and pretty soon there is in your face advertising, tailored to the contents of your data base.
Suppose you win the lottery. A kidnapper could use the chip to locate your child. Start off by searching the internet for info about you, to determine what kids you have and what the code numbers are of any chips in them, then use portable scanners to look at kids in your neighborhood to see which one has the chip for the parent that just got wealthy.
Go through airport security - it sets off some kind of alarm - special legislation needed to say that people with this are allowed to use the nation's airlines. Ok now the homicide bombers seek to manufacture pieces of weapons that can masquerade as this stuff, then a terrorist team takes turns using the privacy of the airplane toilet to dig the pieces out of themselves to assemble their weapon. The initial version is about the size of a grain of rice and needs to be activated by a scanner. It does not have the GPS feature.
Applied Digital Solutions CEO Richard Sullivan said, in an interview, that this could be used to track foreigners in the USA.
- You show up as a tourist, student, business person, or whatever, and have to have this injected into your body, as a condition of being in the country, then you would be treated as a suspected criminal until you leave. Those of us already here might have to show up to some government office to be injected. This way only the real criminals who smuggle themselves into the country and do not voluntarily go to the government offices would not have them.
- I also expect that some criminals would indulge in identity theft and have injected into themselves one of these gadgets with a forged code number that agrees with the person whose identity they are stealing. I wonder how difficult it would be to change the code number so that on different days the criminal will be masquerading as different people.
- Although the company is now downplaying their CEO's remarks, there has allegedly been an effort in the UN to mandate this for keeping track of refugees and other stateless persons.
Electronic Frontier Foundation Attorney speaks out about Issues and Concerns with the VeriChip in http://www.techtv.com/siliconspin/features/story/0,23008,3375488,00.html
Gary Wohlscheid, President of Last Days Ministries http://www.tldm.org/, is comparing this chip to the Biblical Mark of the Beast. http://www.tldm.org/News4/MarkoftheBeast.htm

Thanks to V. of TYR for bringing these links to Al attention. Discuss this at Tech TV also here and here and here. I may have lost track ... many of the Tech TV articles have at the very bottom, links to other articles that are related, then below that there is an area where people have been commenting on these stories. Some of the Wired articles also have space at the bottom for commenting on them.

Fri, 25 Oct 2002 07:56:30 GMT

Anyone stop to consider this guy might be a cop? [Adam Curry: Adam Curry's Weblog]

Well now that he has been arrested we know he really is ex-military, All American deadbeat family abuser. I thought he might be media. The trick was not in getting to the attack site, but in being non-suspicious after an attack. What profession can legitimately be in any community at any time, without anyone questioning them? A news media person.

Stick around, wait for the police to descend on the scene. Show up and try to interview them.

But now we know the sniper team was driving around in a personal attack vehicle disguised as an ordinary auto, so when stopped at a road block, the weapon hidden below the trap door.

Tue, 15 Oct 2002 09:37:48 GMT

I have worked with various different kinds of computer security over the years, but I am no expert at it.

Al Rule # 1 = You cannot padlock a tent or house of cards. Security needs to be built into the foundation of the computer system, preferably via a rock solid operating system.

Al Rule # 2 = Computer data can be accessed by a variety of tools, software hardware and tapping into the flow of data. Just because the software you using cannot see the passwords or unencrypt the data flow does not mean that some other person software cannot do so.

Al Rule # 3 = It is not unusual for purchased computer systems and software to come with back doors left there by developers. You have to do business with reputable firms that do not condone such behavior.

[BlogFish] found insight in [Jon's Radio]

Use Private Keys, no - Use Public Keys, no - ....

Jon Udell is opening a can of worms, I must not look...

I always knew there were ways to encrypt information and I accepted that. Then I was assigned the task of revamping our software licensing process. This required me to choose an encryption method. Choosing an encryption method required me to justify my selection against its alternatives. Justifying my selection required me to understand both my selection and the alternatives that I did not choose.

So I did some reading, and once I understood the difference between Private Key Encryption and Public Key Encryption, I changed my mind. Public Key Encryption surely seemed like the better choice.

If some rogue ex-employee were to take the private key and issue passwords for a discounted price, we could throw out the old key pair and replace it with two new keys. Because one of the keys of the pair is public, we could simply distribute it along with the encrypted information. No need to hard-code the private key in the software, right? No need to require customers to reinstall existing software, right? No need to maintain legacy password generation programs, right? (Anyone who has done this before, please comment...please throw me a clue...)

Yes, I thought I finally had gotten it. Public Key Encryption provides more convenience, more security, more robustness than Private Key Encryption.

I am trying to resist looking at Jon Udell's post. He is questioning his long-held assumption that Public Keys were the way to go.

Remind me why I need a public key. Dick Hardt, founder and now CTO of ActiveState, was prowling around the digital ID conference asking a deceptively simple question: "Why do I need a key pair?" ...
[Jon's Radio]

[BlogFish]

Mon, 14 Oct 2002 08:50:57 GMT

Avoiding the Sniper

Dog News lives in the target zone so I been sending her various thoughts. Here below are some of what I think were my brighter ideas. Some of my ideas may be a bit dumb, but I hope on balance I have shared ideas that Y"all will find worthwhile thinking about. I have updated this mini-essay several times, most recently mid-day Thursday Oct 17. If you want to print it out, figure 5 pages.

She told me about a friend seeing a vehicle that looked exactly what the police were watching the public to be on the look out for, but all the police phone lines were busy, so I suggested calling that into the news media. Have them tail the suspect vehicles until the police clear them. The friend was not able to leave her job, at the time of the witnessing. Another thought is to have standard forms, downloadable from police web site, for witnesses to fill out when something fresh in their mind but access to the police not practical. At the time of the anthrax scare, and at times of bomb threats, we have had similar forms from the police that spell out what should be done when an incident occurs.

Put in perspective that while the sniper has killed 11 people in 11 days, in the same time period there have been 14 unrelated homicides in 5 of the 6 communities where the sniper has been active, while even more people die in traffic accidents (68 a year in DC, 660 in Maryland, 935 in Virginia). This is not really as bad as people in other countries have to put up with all the time. Get a pen pal in another country to understand what it is like for them and see that we might be over-reacting to this latest crime spree.

Is this a good time of year to visit Disneyland? Get away from the daily worries and have a good time somewhere else? Your auto club can probably print out maps of driving routes that take you to interesting places that are not on the sniper past visitations or even close.

If you want to get away for a while, consider that while you have a good job, there are hundreds of thousands of people around the country who are out of work. Perhaps you can organize a trade. You get away and live in someone else community for a while, and someone else take over your job and income until you ready to come home. In academia this is called taking a sabattical. Some Professor and family trade homes and jobs with some other Professor and family in some other city. The University has teacher all the time. Professor and family have nice place to live. Basically they trust each other, something like exchange students.

Say, how about exchange students your kids go live in some other city until DC is safer place again? Travel broadens the mind, so it is educational also.

The sniper is not neccessarily someone with police or military training, because so far all the victims have been people who were easy targets for someone who is a good shot, and desires to continue killing random victims. Ask someone who does have relevant training to suggest to you how to avoid being an easy target.

I think that right now, many people in the communities, that the sniper is preying on, could use a police briefing, not on the kind of stuff that the media is demanding, regarding progress or lack of progress finding this serial killer, because past criminals of this nature have gone on killing sprees that have lasted months or years before they got caught. Rather, what I think the people need is community policing meetings briefing the people on how to minimize risk of becoming a next target, and which of these various ideas are most constructive.

I have in the past suggested that Homeland Security Professionals could benefit from a seminar series put on by professionals from other walks of life - health and computer auditors for example. For other posts by me on security topics see my security category, or ask for copies of one of my Word documents on security issues.

Your pooch pals need to be able to run outside while you remain indoors. I can send you attached to e-mail, some of my joke collections that will have you ROFL so much that you won't care about the real world until this is over.
- If you not have much in the way of a back yard for the dog, where you could have a long cable with the leash to it so dog can run back and forth, find a wooded area where you can walk out of sight of the highways.
When you have to be outside, in the role of a pedestrian, do not remain stationary. Walk briskly, not in a straight line, but zig zag. Wear dark clothing, stay in dark shadowed areas, so that you are not an easy target.
- This is directly opposite to the kind of advice I would ordinarily give a bicyclist. Living in Evansville Indiana, where the crime rate is almost zero, so that we have the privilege of laws like it being illegal to play radio so loud in auto that it is annoying to adjacent cars in traffic, a lot of young people seem to be extremely careless about personal safety. I find pre-schoolers in middle of side streets with no look outs for traffic, wearing dark clothing at night. I see college age kids on bicycles, with no lights, just tiny reflectors, no safety helmet, dark clothing, on limited access highways at night, where the speed of the motorists like 50 mph. These kids are accidents looking for an auto to hit them.
- But when a sniper is around, a person needs to emulate these kids.
Perhaps people going about their business in groups, so you guarantee that if a member of the group gets struck, survivors will have some clues to share. Think group of friends, neighbors, co-workers traveling together like a military expedition, with multiple lookouts in all directions, so if you fired upon, there's someone else looking in every direction. Have the group carry a camera to capture clues to share with the police.
So far the sniper has shot at people outdoors, loading car in parking lot of strip mall retail outlets, waiting at a bus stop, mowing yard, at a gas station. So, you need to patronize establishments that have parking garages attached to where ever it is you want to go. Doesn't downtown have an underground garage? Don't some shopping centers have attached parking garages, where you can walk between car and shopping, and be hidden from sniper view at all times? Is there a safe subway system where you can go from indoors to indoors?
- The 10th incident, Monday nite, sounded like it was in the bottom level of an open air split level parking structure, not a real enclosed garage. When I say to park in a garage, I mean one that when you get out of your car, you are not visible outside the garage to some sniper. For the sniper to get you, also have to be inside the garage.
- In answer to one of my questions, dog news has informed me that several shoppers, inside the split level partially covered parking garage, witnessed a man standing behind his Astro Van, quickly taking the shot, and then getting into the van and leaving.
The 4 gas stations were MOBILE SHELL SUNOCO EXXON
You want to patronize one of those brand names on the assumption the next gas station will be a 5th brand name.
MICHAELS CRAFT STORE was location of FOUR of the shootings, either right there, or in a shopping area that had one.
Look up in Yellow pages where they all located.
Mark on a map.
Do not go anywhere close to any other such store.
- After the sniper is apprehended, use that map to assist in deliberately shopping near Michaels Craft Stores so as to undermine whatever economic purpose was why the sniper was frequenting those areas.
- You can hope that the police have all the Michaels Craft Store shopping areas staked out, and are running simulations what to do if this one is the next place the sniper raids.
If you have a vehicle anything close to the description the police looking for, ask them to move it to police impound lot or other place of their choosing, so as to get similar vehicles off the streets and make it easier to find the one and only one left.

Suppose you are a retail commercial store and you want to protect shoppers visiting your establishment. Did you see the police putting a sheet like on a clothes line to protect the crime scene and victim? A shopping center could put something like that up to protect their parking lot patrons from visibility from the highways. Not a permanent structure, but temporary curtains on a split level parking lot. Put stuff in windows of stores like you batten down the hatches to protect against a storm or a riot, so the customers can be inside, not seen through the windows, and thus safe from sniper, while inside.

Shoppers need to be able to have their cars loaded in an enclosed area as they leave the store. It could be like a tent up against the building. Car drives into the tent, gets loaded, drives out. Someone to move the cars who should be wearing bullet proof vest and heavy plastic helmet like riot police, so that they can see where they going, but their head protected from bullet.

Customers arrive. Stop in tent covered area, give car keys to person in the plastic helmet, at which point there is a receipt that identifies car description and who drove it here, helmeted person moves it to parking area, turns in copy of receipt and the keys to person near cashier desk, with identification of parking space added. Customers ready to leave. Identify selves. One of the helmeted workers gets corresponding car keys, with paper saying which parking space that car located, goes to get it, drives it into tent covered area. It gets loaded. Customer leaves.

Customer is never exposed to sniper, except through windows of car, in the scenario that I have described. The only people exposed to sniper are helmeted people who are wearing bullet proof clothing. The cost for this would be minimal. What do curtains, or tent cost, or block up the windows of a store? The cost is the labor for the people wearing the bullet proof clothing. Hey, the economy could use some more people with jobs. Would shoppers be willing to make a donation to a fund for this kind of protection, so they have places they can go with this added peace of mind?

Do you have a drive in garage at your home that is large enough to accomodate a visiting vehicle? If so, use the Internet to order groceries, alternatives to Pizza, other stuff. Each neighborhood could have a weblog category that announces new businesses that have setup e-business services for their community, then webloggers can subscribe to that announcement category, and use it to link to the new announcements. (See Al's Understand Radio News Aggregation if you unfamiliar with this concept.) Sign up as a customer, specify wants, give directions to get to your home - store phones you before making a delivery to make sure someone ready to accept delivery and make payment. Then when this is all over, e-business has had a boost in your area. If sniper not caught any time soon, you have now setup infrastructure that can be used for Christmas shopping.

Business district organizations need to study how to get people from enclosed parking areas to retail establishments, without becoming exposed to the sniper.

Transit systems like buses and taxis need to review where their people wait for them, and find ways for the people to be enclosed, while at same time the drivers able to see when someone is waiting for them.

Do we need an Amber for Cops? ... someone calls in some alert, and a signal is sent to all police, irrespective of which agency, informing them of where some event occurred, then they react according to their stations relative to that location and type of event.

Employers need to think about this also. Do your employees drive to work and have their cars in a parking lot visible from the street? Do your people arrive and leave at predictable times? What can you do to make your employees less at risk?

Has Halloween been canceled? What does this do for the kids fun, and the economy of the stores that cater to their business?

Think gift certificates, substitute events, e-halloween, and contests in safe areas with top prize being like trip to Disneyland (something kids want, and also get you out of town for a great trip).

Ask Amtrak for a special evening or weekend trip. Kids from the neighborhood are driven to an enclosed railway station and board a train that will go on a special trip out of town, perhaps with a different return route. Many of the cars will be like neighborhood block parties for groups of people who cannot do outdoor stuff while this scare is going on. Kids visit with the various neighborhoods on the Amtrak trip. Can older kids be connected to the Internet from this?

Stores with web sites combine visitor # onto their web site with a program to print e-gift certificates that can be cashed in after the sniper is caught, in one of several special kids party weekends.

Have some quality time parents and children at home on grand tour of kids friendly web sites. Familes vote which is best in several categories (different, wild, fun, educational) and send them (the kids friendly website organizers) e-gift certificates from the local stores, that can be cashed in at national chains that have outlets in your community.

Result - local commercial economy does not get hurt, parents and kids have quality time, internet innovation is stimulated.

Assuming there is a shopping mall where people can drive into an enclosed garage, and there is some security like I been talking about, a shopping mall could have a Halloween weekend, in which extra security is put on for the weekend. Down the middle of the mall have little shoppes selling halloween related stuff, and each of the main stores provide gift certificate discount coupons, in which the kids have something to cash in when the sniper is no longer an impediment to going shopping. Stores know what to do - buy one get one free coupons.

Have a treasure hunt in the mall ... each store may contribute a clue that is related to the stuff they sell. The first 25 kids per hour to come in with the right answer receive a gift certificate discount coupon or something even better.

Are you annoyed by the Gun control people trying to take advantage of the big scare? The pro-2nd amendment crowd can fight back with a Neighborhood NRA watch ... people who have gun permits, and have had appropriate weapons training, could escort their neighbors on errands, prepared to shoot back at the sniper. Have a web site where people can sign up to have the Neighborhood NRA watch provide them with an armed escort. The police would be asked to swear in these people as temporary deputies with special badges showing that they have been checked out and are trusted to be traveling the city with weapons ready to fight the sniper.

[dws.] Asks QUOTE To: Anyone who publishes material related to the sniper in DC, Please do not give the idiot (sniper) in Washington a title that feeds his/her ego. "The Beltway Sniper" is too glamorous. Refer to him/her with a title that is more fitting, and less likely to be bragged about in prison, such as "The Murdering Coward". UNQUOTE [dws.]

Sun, 13 Oct 2002 21:07:23 GMT

What we have here are some links inspired by me visiting places that are visited by people who also visit my site, showing some interests that we have in common.

Christian stories that never happened.
- I'd like to see something similar on other Religions, because those of us who are not believers can sometimes have a hard time distinguishing truth vs. distortion.
Computer Virus Myths - how to spot them.
- Warning - that site disables the back button.
Darwin Awards for people who have found incredible ways to remove themselves from the gene pool. These are true stories, that someone could easily think were made up.
Discuss Urban Legends.
Electronic tour of artistic renditions of Urban Legends.
- I was not impressed with what I sampled, but different strokes for different folks.
Hoax Identification Education
Hoax Kill Service

Once you find out if a message is a hoax you can send it to a designated email address and their software will then extract the addresses of all previous recipients from the message and inform them all that the message is a hoax.

Humor about Hoaxes.
Latest Urban Legends.
Net Lore and Urban Legends.
Norton Symantec Security Response Directory of e-mail Hoaxes.
Researching Urban Legends.
- This might be where my sister got the idea that the volume of visitors to a website, translated into extra charges for bandwidth. Oh! that Is a true story for this site.
Scam Busters list e-mail chain nonsense and other scams, tips on fighting spam, lots of good links, also including links to info on real computer viruses.
Scope of Urban Legends.
Many people think something is a hoax when it is not. See my Sep 20 post about the plight of a Nigerian woman, sentenced to be stoned to death for the crime of being jilted by the husband of her child, in which I got a flood of referers due to people searching Gooble and other engines for information on the hoax details on this story, so their only hits were on sites that both talked about this real life situation, and some unrelated hoaxes.

Thu, 10 Oct 2002 20:20:23 GMT

[Chicago Sun Times] reports insider identity theft of 5,000 employees of the state of Illinois in which crooks in Indiana, and other states, opened credit card accounts in the names of the victims, then stuck them with the bills for what was purchased on those accounts.

Wed, 09 Oct 2002 22:13:49 GMT

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H Volume 7 Issue 47 is really annoyed with Microsoft.

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H describes QUOTE security holes in Word so big they defy description. UNQUOTE Subscribe to W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H for the low down on understanding that Microsoft Security is an Oxymoron. There is a wealth of information in this regular e-newsletter.

Scenario:

Bob has access to a file.
Alice wants it.
Alice sends Bob a document, innocently asking Bob to edit it and return it to her.
When it comes back, it contains the file that Alice wanted, and Bob is none the wiser. Bob cannot block this with anti-virus or any of the usual PC security because this is the way Microsoft Word is supposed to work.
or, Word can "phone home" to Alice web site, delivering what she wants. Bob does not need to send the document back to Alice and she can still get copy of the file she wants.
- Woody showed Microsoft step by step exactly how that could be done, Sep 17, and the latest Microsoft press release is still pretending that this capability is not in their software.
- Oct 5 Woody sent Microsoft a demonstration Word document that when opened, sends Woody the first 230 characters of any file on your PC that he cares to name, to anywhere he cares to send it.
Contrary to Microsoft public statement, Alice does not need to know the absolute path to Bob's file. The person doing the pilfering can use just the name of the file without knowing what directory it is in.
You can go after just about any file, such as the passwords file, so long as you know how Windows organizes these things.
The ability to do this stuff is what Microsoft calls a feature, so obviously, to Microsoft, this is not something they have any commitment to fixing.

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H QUOTE

LIES, DAMN LIES, AND MICROSOFT

Man, am I ticked off.

On October 8 - yesterday - I received a copy of Microsoft's

Inside Office Newsletter. Under the headline "Answers to

Concerns About Security in Word" there's a link to

http://www.microsoft.com/technet/security/topics/secword.asp

, where you'll find the same press release Microsoft posted

a month ago about the "confusion and speculation"

surrounding the huge security holes in all versions of

Word. This is the first time Microsoft has notified its

customers about Alex's Document Collaboration Spy problem,

as far as I can tell, and instead of telling something

resembling the truth, all we get is more obfuscation.

Recycled obfuscation at that.

Only Microsoft would have the unmitigated gall to lie so

blatantly, at this late date, and expect their customers to

swallow it. I use the term lie quite deliberately,

Microsoft is still making statements that it knew then and

knows now are totally false.

YODA tore the press release apart in Woody's Windows Watch

a couple of weeks ago

(<http://www.woodyswatch.com/windows/archtemplate.asp?5-18>).

But YODA only knew part of the story: he didn't know

about the security holes I've been feeding to Microsoft,

and he hasn't seen the gaping exposures other folks have

encountered. The truth is far more devastating than

anything YODA could imagine.

In this issue of Woody's Office Watch, I'm going to show

you specifically how Microsoft is lying to you.

UNQUOTE

and Woody does so, with ample examples.

BACKGROUND

On August 26^th Alex Gantman released to a small community of fellow anti-virus analysts details of a new type of security breach in Word, which has many variations and consequences. He didn’t misuse his discovery but told other computer security specialists through an avenue that Microsoft closely watches. Therefore Alex did notify Microsoft, at the same time as others. Microsoft objects to anyone else being told about security problems with Microsoft products, preferring to be the sole clearing house for information and arbiter of what their customers should know. It was only after Woody published some details in Woody’s OFFICE Watch on September 6th that the mainstream press got a hold of the story.

If you like the no-nonsense straight scoop of W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H, assuming I have done an adequate job of translating / reviewing the latest news on this Microsoft Security is an Oxymoron front, here are some books to look out for from Woody (Al advertisement for Woody here in appreciation for the great education Al gets from Woddy).

Windows XP All-In-One Desk Reference For Dummies", Hungry Minds http://www.woodyswatch.com/l.asp?0764515489

"Special Edition Using Microsoft Office XP" with Ed Bott, Que

http://www.woodyswatch.com/l.asp?0789725134

"Special Edition Using Microsoft Office 2000" with Ed Bott, Que http://www.woodyswatch.com/l.asp?0789718421

"Woody Leonhard Teaches Office 2000", Que

http://www.woodyswatch.com/l.asp?0789718715

Wed, 09 Oct 2002 06:15:09 GMT

[Eclecticity: Dan Shafer's Web Log] QUOTE

The Problems With Word on OS X Are Worse Than I Imagined

Word has become, for me at least, almost unusable since my upgrade to Jaguar. Here's what Microsoft's MVP support team has to say on the subject:

Unfortunately, Word is not going to work properly under Jaguar unless Microsoft releases a patch for Microsoft Office. The problems have now been analyzed, and the experts have found that Word v.X is not fully compatible with Jaguar, and there is nothing you can do to make it so.

What incredible garbage. Now what am I supposed to do? I have a publisher waiting for a book. They use Word. Their feedback to me is in Word comments, which are frigging broken in Word on Jaguar. Arrogance screws the little guy once again.

UNQUOTE [Eclecticity: Dan Shafer's Web Log]

Well here is a candidate for a souped up Lindows, since Word works on that Linux package. Do your word processing on Star Office for Linux and output the document as RTF standard which Word will accept. Just use Lindows to make the file acceptable to your publishers, and to get at their comments, while you do your real work on the computer of your choice.

Thu, 26 Sep 2002 21:45:52 GMT

[Chicago Sun Times] shares a couple stories about Zero Tolerance of Modern School Administrators:

A Nebraska 7th grader found some marijuana in his classroom and turned it into to the office. He was suspended because, the act of picking it up and carrying it to the authorities constituted possession of marijuana.
A Florida sophomore honor student saw a bag of pills on school grounds and did not follow the example of the Nebraska student because she was afraid of getting in trouble for possession of the contraband in the short distance of carrying it to the authorities. She has been told she will be expelled for failure to do so.

This reminds me of in Illinois where youngsters are encouraged to clean up the environment, but it is illegal for them to remove beer cans and alcohol bottles from the road side, because that means that those empty containers inside their garbage bags constitutes possession of those containers by a minor.

The lesson for these kids is to

Do not touch the illegal substance - drugs, guns, whatever.
Carefully write up a statement of where you saw this illegal substance, in a report to the authorities.
Make sure your report is addressed to the authorities before you leave the scene, so that if an undercover officer sees you seeing the illegal whatever and not picking it up, your statement is part of your defense.
Make a copy of your statement before you turn it in, so that if you later get hassled, you can take your statement to a lawyer, the news media, or where ever your parents think will most embarrass the school authorities into backing down.

Thu, 26 Sep 2002 06:49:28 GMT

Safety of Nuclear Power Plants Again Questioned. VOA Sep 24 2002 9:33PM ET [Moreover - Science news]

We are living in a different world today. In recent years it made sense to

Build a nuclear power plant right next to a major city, because nothing serious likely to go wrong, but now power plants are potential terrorist targets, so we do not want them right next to major cities.
Build an airport in the middle of a major interstate interchange so easy to bring passengers real close to check in counters, but now a truck bomb can take out an airport, so we need a different kind of transportation infrastructure to unload the passengers from ground transport further away from the air tranport, and run everyone through screening suitably distant from buildings that might be major targets of terrorists.

VOA = Voice of America ... there's links here to what headlines VOA is sharing in various places in the world ... an interesting site worth revisiting occasionally.

Africa

Amnesty International protests torture of child prisoners in Burundi
Intervention in Ivory Coast
Uranium Security in Africa - is that an Oxymoron?

Asia - Pacific

China ultimatim to Iraq
North Korea gets special envoy from Pres Bush
a lot of stories I had not seen on local national news

Asia - South and Central

US Troops in Afghanistan discover another chilling al Quaida site.
Dutch and Germans to take over NATO command in Afghanistan when Turkey time runs out.
Iran nervous about US troops near their border with Afghanistan
Suicide terrorists seized an Indian temple, leading to another gunfight.
Terrorists attack a Christian Charity.

Americas

Argentina and Brazil economies still in bad shape
Chilean Appeals court throws out 7 cases against Pinochet
Colombian President visits USA President
Mexican Banker gets record bail
That storm in the Carribean

Middle East
- Britain and Iraq
- China and Iraq
- Kuwait hosts USA military exercises
- Lebanon scandal with Israel
- Palestinians
- USA politics and Iraq
- USA and Pakistan cooperation
USA
- Brushfire in Western USA
- Iraq and Partisan Politics
- Various legislation

Tue, 24 Sep 2002 09:10:42 GMT

I added a small reference directory of "e Discussion Groups": e-commerce; computer security; etc.

Tue, 24 Sep 2002 07:20:48 GMT

[Scott Granneman's Security Category] covers topics of e-law; human stupidity; Microsoft gotchas.

Tue, 10 Sep 2002 19:38:32 GMT

FROM [Ray Ozzie's Weblog]

Tyranny, Terror, and Technology. Some thoughts about the intersection between the challenges confronting business, and those confronting government and society. UNQUOTE Ray Ozzie's Weblog]

This is a dynamite thought provoking essay - I highly recommend it - my words of wisdom pale in comparison.

I believe that beaurocracy, and inter-communications within an organization, is like glue.
- Too much and the enterprise is all gummed up with rules that get in the way of doing the job.
- Too little and everyone is flying off in different directions, counter productive.
- The challenge is to get it just right, so that you have an agile team effort.
  - This is further complicated by the organization fluctuating in size, so you need different strategies for different scales of operation. Also there is a spread of individual skills of participants in the organization, so until you get everyone up to speed on something, there has to be another way of getting the job done. Any time things are changed, there will be transitional confusion.
Organizations can be too large and unwieldy.
- Remember the book The Mythical Man Month, which I consider to be one of the classics on software engineering?
- Basically the permutations of all the different people who need to intercommunicate can bog down some things so that nothing can get done.
- Thus it is essential to organize focus teams and have a hierarchy such that there is no wasted baggage in your structure that gets in the way of a lean and mean team.
An excess of organizations focused on different tasks is good in business.
- Competition leads to better Quality, Features, Economies.
An excess of organizations with overlapping responsibilities is bad in government.
- They can have turf wars that get in the way of them doing what they are supposed to be doing.

Tue, 10 Sep 2002 19:18:17 GMT

FBI warns of potential threats [USA Today : Front Page]

As usual, nothing specific ... if they had something specific they could stop it from happening ... except right before 9/11 both CIA and FBI were independently tailing 2 of the hijackers because of their involvement in a prior terrorist attack on USA and GOV was trying to identify all the conspirators, and what they up to, and build court case, but the 2 hijackers gave their tails the slip and the rest is history. There is a hard balance there to achieve between ability to get a court conviction, round up evidence what going on, (correlate the masses of clues that they get, many of which might be misleading or erroneous), and actually prevent something bad from happening.

Unconfirmed reports of AlQ targeting oil tankers, add that to laundry list of other things identified in past like nuclear power plants, and shipping containers.

Question detainees - risk they will share every fantasy whacko scheme any alQ group ever dreamed up, but was abandoned as impractical.

I sure hope GOV and MIL doing war game simulations into what might go wrong, and keep secret results until they have plugged holes that the simulations uncover.

Historical patterns logic ...

Our enemies hate what West stands for, and international western institutions, so they may target meetings of UN or World Bank.
Pearl Harbor was on a Sunday when Amercian Air Defense at Peace and high religious ethic what do on a Sunday.
Oklahoma City was on the anniversary of Waco because some whacko with no relationship to Waco wanted to do something on that anniversary date.
Well, people who hate us are inspired by bin Laden example, people with no contact with alQ.
- I sure hope long term Foreign Policy goals can include addressing why these people hate us so much, and do something about turning the tide of recruitments into ranks of our enemies, so that potential enemies do not go down that path.

Mon, 09 Sep 2002 19:15:31 GMT

[Adam Curry: Adam Curry's Weblog] QUOTE

I found out via an email exchange that one of the founders of the [newly relaunched] electronic intifada website is Dutch. Arjan El Fassed also posted several comments to yesterday's posting. Of course there are counter posts now as well that is forming a lively conversation.

My advice to Arjan is to re-re-launch electronicintifada as a weblog. Perhaps a multi-user weblog for multiple authors. Currently the site appears to emulate a BigPub and imho detracts from their mission.

As with all aspects of war, be careful not to become what you are fighting against. UNQUOTE [Adam Curry: Adam Curry's Weblog]

This is also like the appearance of impropriety. The enemies are not clearly understood by government intelligence, let alone anyone else. When any group of people discuss something, the odds are that several are police spies, journalists trying to ferret out a story, pure innocents trying to figure out what is going on, and it may be that none of the participants are any of the bad guys, but in a war, the rules of innocent until proven guilty are sometimes altered into round up suspects before someone pulls another 9/11.

Mon, 09 Sep 2002 19:08:41 GMT

[Adam Curry: Adam Curry's Weblog] QUOTE

All dutch helicopter companies, including ours, received a fax from the authorities this morning, warning of 'journalists' that will attempt to proove our natuional security is flawed, by staging an 'air assault' over the country on sept. 11th.

Geez guys, get a life already. I've posted the fax on my dutch weblog.

UNQUOTE [Adam Curry: Adam Curry's Weblog]

I think the threat to National Security is more from Journalists than from Air Companies, from the perspective of doing something stupid.

Many people, who work in Air Companies learned their trade, as military pilots, or have around them people of that patriotic perspective that can provide a sense of balance.

The risk from Air Companies is that in the management of costs, there will be a trade off that sacrifices safety and security.

It is self evident to anyone, who lives in a democracy, that various national monuments and institutions can be seriously hit by something like the Oklahoma City Bombing, if the perpetrators do not care if they get caught, and the only way to protect ourselves is to become a police state.

If you doubt this, show me your credentials (such as a policeman badge) that you have need to know my theories on how bad guys could hit the very stuff that is sacred to our democracy, such as various government buildings and important places to the infrastructure of our economy, and I will tell you how, but not via a public forum.

Now some commentators seem to have an attitude that parallels that of Juvenile Computer Crackers ... hey, here is a weakness not properly protected ... broadcasting it daring someone to find a solution, and meanwhile the bad guys have been delivered of an idea that perhaps they might not have dreamed up for a while, so the article has just made the job of Homeland Security that much more difficult to get done.

This is reminiscent of past wars where journalists pretended to be impartial. Remember Saddam's troops shooting up various air conditioning ducts in downtown Kuwait? Why did they do that? Well some refugees crossing the border to freedom were surrounded by journalists to cover their story, and among other things they said they hid in air conditioning ducts of some office buildings. Saddam's military intelligence was watching Western media and picked up on that information, and other clues about how people were escaping, and some refugees did not make it out safely, thanks to many journalists not understanding that loose lips sink ships.

What we need are private briefings in executive session to Legislators and Homeland Security agency workers, to make sure that they are aware of things that people in other professions can see.

Architectural Design Professionals
Computer Professionals
Journalism Professionals
Public Health Professionals
Security Professionals
Transportation Professionals

Sun, 08 Sep 2002 20:06:48 GMT

On a thread in the e-com-sec discussion group, I asked what are we supposed to do when we get spam from known criminals such as the Nigerian Scam. We have a moral obligation to report criminals to the government, but police seem to be ill equipped to deal with individual internet solicitations of criminal activity. The tip lines are so overwhelmed as it is with more serious issues, that GOV has a serious need for a software magnet to find the key needle clues in their information haystack.

I was basically told that we should treat any spam as spam, forget about trying to deal with criminals the same way as is done in the real world outside of the Internet, and given an interesting link to a back issue of Sysmod's Praxis, which I have previously mentioned on my weblog. It included the following stimulating topics:

Europe's anti-spam legislation.
Microsoft IE patch
The person in personal decisions about the computer you think you own, and stuff stored on it, is not you but Microsoft.
Google Features
Cyber Squatting
Euro Glitches
Euro Zone
Nigeria Scam Clones
Worst Web site (warning: protect your eyes)
Longest domain name

Thu, 05 Sep 2002 21:23:31 GMT

Comment on Al's Radio Doc Sources using Quick Topics. Eventually, Al wants to look into pros & cons of several different commenting systems for Radio, but we have to start some place.

Mon, 02 Sep 2002 21:54:58 GMT

[Scripting News] QUOTE

A mostly user-level discussion on Blogroots about syndication and aggregation. It's good to get grounded with users every once in a while to relearn that what to us seems neat and cool, often trips up people who have expertise in areas other than ours.

UNQUOTE [Scripting News]

[Ken Dow] also shares links from [Dave Winer's Scripting News] from [Wired] QUOTE

"[Verizon] refused to comply with the order, arguing the entertainment industry is presuming the guilt of its users without any due process."

UNQUOTE [Scripting News]

While reading related stories on [Wired] I came across a law suit against Hollywood by people who want the right to Edit the Movies to remove material that they find to be objectionable. The suit has been brought by someone who has a patent pending that will help home users, such as parents, to edit what Hollywood delivers to the home, to remove material unsuitable for their children.

You have probably heard my opinion on this before. But I restate it and revise it as reality shifts.

Intellectual Property Rights need to be protected, so that there is good incentive for people to improve the quality of what we get, be it literature, music, movies, software.
- If we accept a society in which anyone can take whatever they want, without proper compensation to the artists and authors, then the market place quality will be driven towards crud.
- We are in a society in which the mass consumers seek the lowest price and are getting what we are paying for, and the intellectuals are having a hard time getting a decent income.
- The publishers of the intellectual property are getting the lion's share of the income, and there is rebellion against them by both the consumers, who want freedom to get the stuff at low price, and the artists who think they are not getting fair share of the income.
- There needs to be ways that we can get the entertainment that we want and pay a fair price for it.
- My sister composed and performed music which she sent me by e-mail. Is that kind of artist to audience delivery to now be banned because so many people are abusing the communication links for delivery of entertainment for which the copyright has been violated?
- I am extremely unhappy about the degree to which advertisements are intruding on the content stream, and law suits by the advertisers to try to block the ability of consumers to switch channels, fast forward, etc. to get around having to view the ads. The main product should be packaged at a price that we can get it without having any of the advertisements in the first place.
Computer usage can get complex. Business Accounting is complex and difficult to understand. Some of it is that way deliberately, where special interests lobby Congress to make it complex.
- Consider our Income Taxes ... how many people figure it out themselves without help from some software or going to a Tax place to figure it for us?
- Those tax places lobby Congress to keep it so complicated that we have to go to them to figure our taxes.
Decisions are made that rule our lives by people who not understand the implications of what they are mucking with.
- One thing that really alarmed me was when I bought and read a book by a former National Security Advisor about cyber threats, it shows that he seemed to be really ignorant about some computer stuff, reminiscent of the kinds of thinking that Bruce Sterling wrote about in his book The Hacker Crackdown.
  - We've talked about some of these things in Computer Community and it is evident that some of this is hogwash (threat is not real) and some of it is naive (threat is much worse than these people realize) but the news media repeats the book author stuff without much review by people who theoretically can comment on how much the author got it right and how much should have got expert advice before finalizing these writings.
- I believe that the computer community needs to give seminars to the law enforcement community to bring them up to speed on where the risks really are, and which of the risks in the popular media are really Science Fiction.
  - End consumers ought to be allowed to obtain entertainment in one form, and listen to it in another form, be it put those tapes into your car stereo, boom box, walkman, home appliance, or whatever. Just so long as the original obtaining was legally purchased or legal copies.
  - End consumers ought to be allowed to obtain information or software onto their computers and make reasonable backup copies. The issue should be related to the number of users and the number of platforms, and the licensing agreement should make it clear what the ceiling is, with a way to upgrade the ceiling, or to move your stuff from your old computer to a replacement one. Just so long as the original aquisition was a legal purchase or legal copy.
  - End consumers ought to be allowed to remove software, like games, or entertainment, like music, from their computers and personal places, like home and auto, then sell or trade that with some other consumer. Just so long as the original user no longer keeps the copy.
- It seems like Government Beaurocracy is growing out of control. All those agencies competing with each other and not doing a great job of communicating with each other in a national crisis.
- New ordinary users of computer technology often do not understand e-etiquette let alone all the stuff their software is doing, so they learn by emulating the other users around them.
  - We see this blind leading the blind process with all the people on the public highways who are oblivious to speed limits, and the accident rate from drunk drivers.
  - We see this blind leading the blind in the cyber-plagues of our own making, popularly known as computer viruses, and how people get infected.
  - Consumers are smart enough not to be wearing t-shirts with their credit card numbers emblazened for anyone to use, or take the doors off of homes for anyone to help self to contents, but there seems to be a widespread misconception that there is such a thing as Internet Privacy. That is an Oxymoron. If you not want anyone to copy your stuff, do not connect it to the Internet.
- A generation or so ago, before PCs invented, students were stealing computer time to play space war simulation games. The students had no conception of intellectual property rights, a problem that continues to this day. The owners of the stolen computer resources had no conception of security, a problem that continues to this day.
  - Now that the price of computer power has dropped so that anyone can use it, we have new generations of people making the same mistakes. Put your stuff on the Internet and have this fantasy that no one is going to use it.
- Professional places, that post stuff to the internet, do a really good job of confusing the customers.
  - Visit just about any news organization web site.
    - With one message they clearly state that to copy anything from that site without their permission is a violation of copyright. In other words reading the data from screen through my eyes to my brain is in violation of their rules.
    - With other messages you can push a button and get a printer friendly copy, e-mail it to some discussion group, or copy the pages.
  - Who reads the contract that comes with software?
    - Radio license clearly states that this is not to be exported outside the USA and a very narrow range of countries.
    - Anyone who looks at the popular sites and discussion lists can see that Radio is being sold all over the world.
    - Does this mean that their contract is meaningless, or is there some law that called for putting some phrases in their contract and at some point 100% of Userland executives are going to be in trouble with the government for export violations?
  - Documentation exists but where is the motivation for software vendors to do a good job with it ... how many end consumers bother to read the documentation before they have some kind of a problem?
    - A potential problem exists with the acronyms and new uses for new technology.
    - Can we reasonably expect any new buyer of Radio to know what RSS means?
    - New users see something on other people sites and want to do that on their own sites, but do not know the right terminology for the phenomena. This is like looking up the correct spelling of a word in the dictionary, when you do not even know what the word is. That makes it difficult to pose good questions to the discussion groups, or use search engine to find prior answers.
  - With Radio Referers we can see who is reading our stuff and giving us proper credit for it. We can not see who is quoting us without attribution.
    - I am learning how to give good credit to my sources, but many sites (most recently Slashroot), in combination with the software that I am using, won't let me edit to just do part of their story.
      - It is getting difficult for me to figure out how to do credit when information flows through a series of people before it gets to me.
      - When something is written with a summary statement at the beginning like a journalist story, then it can make sense to copy just the headline with a link to the source for full details, but many beginning webloggers are not that good writers to provide something that can be extracted like that.
      - Some web sites have strict copyright rules, but those rules don't get into the RSS feeds.
    - Many newbies don't give any credit until someone points out to them the need to do so.
- Different people want different things. You can't blame software for being a square peg that you try to put in a round hole. If you want a round peg, buy one.
This does not bode well for the long term health of the Republic.
The bulletin boards taken down by the government that led ultimately to the Steve Jackson case ... those BBSes were not selected at random. There was stuff going on that gave the government reason to suspect criminal behavior. It may or may not have been sufficient probable cause had the case been appealed all the way up the court system, but they did not move in with zero evidence.
- There were criminals using the bulletin boards to trade information on how to break into private computers. Now people can always argue whether hacking is not illegal immoral etc. and what the responsibility of the host of a network has to help authorities catch abusers of the services, but the fact remains that there were serious assaults on the nation's infrastructure, such as a cracker bringing down a 911 service, attacks on computers in hospitals whose work was essential to the health of patients there. Locating the responsible people was no easy task for the early cyber cops.
- Steve Jackson was working on a simulation game about cyber criminal activity. As research for this game, he had employees trying to infiltrate the cyber criminal underworld. Now when a bunch of people sit down to discuss their criminal behavior, the odds are that at least one is a police spy, and at least one is a journalist, but the police spy does not know which one is there as a journalist and which is there as a criminal.
- Journalists need some sources protection so they can get the information they need to do stories, but they also have an obligation to the nation. When we have knowledge of criminal behavior, we ought to make an effort to inform law enforcement of this, or risk being treated as being part of the criminal conspiracy. This applies equally to journalists, authors, game designers, computer professionals.

Thu, 29 Aug 2002 16:33:08 GMT

[Blogfish] QUOTE

Uncover the real WINNT killer.

Last Friday I got to work and was greeted by mr. blue screen. After rebooting a couple of times only to see the message "kernelos32.exe is either missing or corrupt" I asked our sysadmin for help.

"Your Winnt directory is missing" he told me. What? "It's not there. What were you doing that caused this to happen?" That last inquiry has propelled me into a virus hunt that will uncover the real WINNT killer.

Just jotting down one possility I saw on FuzzyBlog:

Microsoft said Thursday that "critical" security lapses in its Office software and Internet Explorer Web browser put tens of millions of users at risk of having their files read and altered by online attackers.

The world's leading software maker said that an attacker, using e-mail or a Web page, could use Internet related parts of Office to run programs, alter data and wipe out a hard drive, as well as view file and clipboard contents on a user's system.

I never thought viruses actually wiped out hard drives. I never even knew someone who knew someone who had an aunt whose entire hard drive was wiped out. Does this really happen? QUOTE [Blogfish]

Alison

You need to

Check the anti-virus hoax pages to find out what your exact situation is. There are viruses that say you have some problem other than what you really have. There are virus hoaxes that say there is this file that the anti-viruses can't detect & if you find it on your system you need to delete it, but it is really a file you need to run your system, so you follow the hoax instructions, delete the file, and now your system really is crashed. Even though you may be too wise to fall for this, some co-worker might not. Millions of dollars have been ssiphoned from American Businesses because the Nigerian Scam is sent out very much the same way as computer viruses are distributed. Anyone who can fall for a hoax, can fall for a financial con game. I have a lot more faith in the anti-hoax anti-virus vendors than I do in the outfits that supply the software, or the people in charge of computer systems in corporate America.
http://www.vmyths.com/
Truth About Computer Virus Myths & Hoaxes
Check my guide to the basics of personal computer security posted Aug 15. I can send you by e-mail attachment the Word document I am referring to. I just do not want to put into general circulation a working document that has tons of links where I have not asked permission to quote people, and do in fact quote without attribution, because I figured out netiquette after I started on the document.
- Ask me to send you my Computer Security Myths document. I try to avoid sending people as e-mail attachments something I think would be of interest to them, because of the high risk of a virus in any attachment you were not expecting.
I have a few other Security documents I can share. Mac Policy doc is a barely begun outline that spells out the philosophy of what I want to accomplish with my Computer Security Essays. There are some risks that I must not detail because the cyber terrorists have not yet figured out how to do those things. I want to communicate at a level that anyone can understand, non-technical or technical, not talk down to people, avoid bashing any vendor, and avoid getting in an arguement. I will let someone else's documents bash vendor practices that put us at this kind of risk. Getting this work to the web was one of the reasons I started my Radio Weblog. I wanted to learn what could be done, get good at it, then select presentation method. I leaning towards a separate category on a separate host with Instant Outlining.
- There is one that I downloaded from Europe that explains Banking practices and why Identity Theft is so prevalent. Ask for my e-fraud document.
I did a series of messages (#s 3258 3261 3293 3314 3341) at
http://groups.yahoo.com/group/TYR

basically spelling out that the situation with a lack of Internet Privacy has been permitted to deteriorate a lot worse than most people realize, but for each hazard there are things that people can do to mitigate the risks.

I was planning to expand on these but then thought that my Computer Myths approach was a better way to hopefully contribute to customers of computer systems putting an end to this idiocy.

I also plan to incorporate these TYR posts into my eventual FAQ on Computer Security Common Sense.
An earlier effort was via
http://www.TechRepublic.com/forumdiscuss/thread_detail.jhtml?thread_id=20600
go to the archives of http://www.year2000.com/ecommerce and search for the post I made called "Computer Myths"
When you are past this crisis, go visit Internet Storm Watch http://www.incidents.org/isw/iswp.php
- Basically they have software so that people's Firewalls can send copies of Intrusion Logs to this outfit. They merge logs & sort by where the trouble is originating & notify the ISPs of the hackers & work with law enforcement to track the hackers down & put them out of business. This is a beautiful concept & I betcha a lot of people are not aware that this is going on, such as the people making federal government pronouncements these days about computer security.
http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html

There is such a thing as a secure computer system.

There is such a thing as a computer system that can be made secure.

Various government agencies, such as the military, have some standards for security that computer systems that they buy & install need to meet. Then a new bunch of people get elected and want nothing to do with the work that was done by their enemy in the political party that was in charge before, and they reinvent the wheel.

Here is a directory of secure systems by vendor.

Some vendors are conspicuous by their absense.

Some vendors that are here, I would study the small print with great interest.

There are technical documents here explaining ..if you get such & such a system that can be made secure ... how to go about doing so.
If you reading this and you really in government, politics, law enforcement, and saying Oh Al, you too cynical, but this stuff is constructive, then prove to me you really are in a position to change policy or to go after the computer criminals (I not going to send some of my stuff to malware creators pretending to be cybercops), I could send you as an e-mail attachment collection of some posts I have made to Government sites soliciting Security Tips, such as what I think needs to be done about Terrorists and Airport Security.
- My Air Security to FBI document is what I posted 10 days after 9/11 after I calmed down and checked phraseology and elegance of my writing.
- My Security Gov document has what I sent to the Gore commission back when there were all the arsons of Black Churches, the terrorist attack in Atlanta GA, and some suspicion that an American airliner had been brought down by a surface to air missile.
- My Cyber TV Word document has collection of places allegedly selling illegal consumer electronics, through spam, which I want to share with any law enforcement that really wants to crack down on such places. When I see spam that seems obviously for some illegal enterprise and they stupid enough to give name of place to send money to, I think in terms of starting such a collection of places to share with law enforcement, if we can ever figure out how not to drown them in millions of spam forwards.
Lobby inside your corporation to get a real computer security audit, or to have your annual financial auditors do a computer security audit. It does not matter if you run your biz on Microsoft Operating System, one of IBM's, Unix, Linux, etc. You can get a competent audit. There are audits designed for major ERP packages. Check out

http://www.pentasafe.com ... basically IS security management lets them load this thing that rattles your computer door knobs and gives a report on how many insecure entrances you have, and makes computer security policy reccommendations based on where your biz is most at risk. It does not provide any info that would help the bad guys, and it communicates at a level understandable to non-technical management.
Here is a place for computer security technical professionals

http://groups.yahoo.com/group/e-com-sec/
http://www.ifccfbi.gov

There is a depth to this computer fraud complaint operation that goes beyond what is apparent to most consumers. Law enforcement individuals doing investigations can post here that they are interested in a particular business, web site, suspect, etc. then there are regular searches to see if two or more policepersons expressed an interest in the same suspect, within the last 24 hours & an e-mail is sent to introduce them to each other.

Computer crime is global. The victims are global. Law enforcement personnel could be working in duplicate investigations except for this cooperative venture.
http://www.icsa.net/html/labs/

I think I have the right link here. I found this outfit when researching what firewall to get for my home PC. They have firewalls from 40 some outfits on PCs connected to the internet & they continuously bombard them with every piece of nonsense the malware people come up with. What they are doing is quality testing the fact that the firewalls really do what they are advertised to do. Many popular brand names are conspicuous by their absence from the list of firewalls that do in fact do what they are advertised to do.
One of my computer security e-mail contacts sent me his Computer Security Glossary that spells out his honey pot strategy for keeping an intruder distracted long enough to back trace him. I personally feel people time better spent keeping the intruders out in the first place, but my view is a minority in the West today.
Another contact sent me copy of Halcrow's draft policy on corporate Computer Security Policy.
I am collecting goodies like these, and then can share some with other people making similar collections.

Thu, 29 Aug 2002 07:55:33 GMT

[Bruce's Computing Category] passes on news of Radio's change to referrer visibility. QUOTE

A tiny change in Radio's aggregator makes referer logs more interesting. Please read this if you provide an RSS source for Radio users, and you watch your referer logs. Updated. [Scripting News]

Well I don't watch my referer logs every day, but I do check them from time to time.

UNQUOTE [Bruce's Computing Category]

[Bruce's Place] shares a story QUOTE

Dead Men Tell No Passwords
The man in charge of some of Norway's most precious electronic documents died without divulging the way to access them. A plea to hackers to help crack the system is out. By Michelle Delio. [Wired News]

UNQUOTE [Bruce's Place]

If the security works, why break it? If the documents cannot be accessed, and the only person who knew how to access them died, then it is as if the data was in the man's head and he died. There is something wrong with this picture.

Where I work, I have some computer security responsibilities, but they are not exclusively in my head. With each new boss, I ask if I can give a briefing on what kind of computer security we have, and what to do if I get run over by the proverbial union truck. One of my suggestions is to provide on paper, a list of the most secret passwords to get into such things as computer security itself, then that paper is to go in an envelope in the safe of our corporate lawyer or auditor or some outside firm that we have some confidentiality agreement with, then if anything happens to me or my boss, there is this backup of the most important corporate stuff that is in our brains. When I change the master security access codes, I tell my boss that I did so, and why I did so.

After a new boss has been on board a year or two, I ask if I can give a briefing on the strengths and weaknesses of our computer security. We do get intruder alerts, and I notify the managers involved. For example, executives are out to lunch, and some unknown person is in their office trying different password combinations, then the computer security kicks in and pulls the plug on that work station (you only get a certain number tries to forget your password, then computer security makes certain automatic assumptions), then a few minutes later history repeats at the next office down the hall. Then a few hours later, I am reviewing the system message logs and discover the fact that this was happening. I have made some changes to the system logging so that we discover this kind of stuff faster.

Thu, 29 Aug 2002 06:44:55 GMT

The Bush administration is calling for a centralized Network Operations Center (NOC) to coordinate cyber-security warnings, says this week's e-week. Previously Computer Security has been voluntary and optional, but the feds want corporations to disclose what they are doing, if anything, towards that goal. The feds do not know if there is any such thing as secure wireless technology, and if none, no federal agency is to buy any. I wonder what the military will do to communicate with planes in the sky and ships at sea, if this ban goes into effect.

Wednesday = no posts except updates to some stories and categories (access my collection via "Radio url number system") because my health was temporarily impaired (I suspect a new food allergy ... as we get older, our body discovers new things to complain about).

Tuesday topics: Blog Education; Computer Illiteracy; Current Events; Politics; Quality; Tara Sue Grubb vs. Howard Coble;

Fri, 23 Aug 2002 21:12:50 GMT

[Ernie the Attorney] QUOTE

UNQUOTE [Ernie the Attorney]

Here's what I believe / desire.

Capitalism belongs to many shareholders: Employees with decent jobs and investments in 401k or other retirement plans; Stockholders; Management Executives; Creditors; Customers who expect Integrity with respect to product service promises, whether they are on the side of the box of purchase, in the documentation, contract, any advertising. As new rules are imposed, we should have both notification of the rule changes, and able to opt out of whatever arrangement got us there. If a company not like new SEC rules, they should be allowed to offer their shareholders more than the stock is worth, so they can quit being a public company.

Industries should have special protection when they are new, such as Cable TV was protected against Broadcast TV, but this protection should not last forever. As technology advances, the Horse and Buggy Entertainment Industry does not have a Constitutional right to permanent existance.

Contracts need to be in plain English. Incomprehensible Contracts should be automatically null and void until they get re-written. People with disabilities ought to have the right to access to contracts and key documents in a form that they can read or hear. See "Blind of NH" for what reality is instead.

Artists and Writers and other creators of Intellectual Property need to get proper compensation for their labors so as to provide incentive to future quality. Look at it this way, over 300 firemen died in the WTC, but they are not paid enough money to live in NYC without their families having a second job. The people we value, be they teachers or parents, they need to have honest access to enough money for a quality life.

Public Libraries available to everyone regardless of economic status, in which the public can take turns reading what is in the library, and the publishers do get financially compensated because their books are distributed to thousands of libraries all over the planet. Ditto rent a movie at the video store. We are not supposed to make our own personal copies of what we borrowed. We can also have Private Exchanges, whether flea market or auction. We show up with books videos whatever that we are done with, trade them with other people, go home with new selections.

Schools have text books in which they may contract with the publishers for permission to make cheap copies, and pay a royalty for doing so, just like non-profit theatrical performances and churches are allowed to buy one copy of sheet music or a play, make photocopies for all performances, and pay a fee to the publisher based on size of audience and number of performances.

Home Computer technology is still in its infancy with great potential. I say infancy because it is so fragile. How often do you have to reboot your Operating System? When something goes wrong, how fast do you find out what it is and get it fixed with assurance that nothing else will go wrong for a while?

I do not approve of high tech vigilanteism, just as I do not approve of real world vigilanteism.

If it appears like someone is doing improper behavior, prove it in small claims computer court, or gather evidence for a computer crimes court where the suspect can face accuser with both sides access to competent technical witnesses. The state of art of software to catch improper actions is pretty dismal. How often do we have to update our anti-virus protection? How many false positives does spam blocking filters generate?

I do approve of the government attempting to protect the citizenry from future attacks by terrorists. In a war it is sometimes neccessary to do things that would never happen in peacetime. Individuals, who are dedicated to the other side and who will never surrender or stand down, they need to be locked up in perpetuity, but there also needs to be some proof that these people are in fact guilty of being the enemy. It is an extremely slippery slope to allow government to lock people up, with no legal protections such as a defense attorney, based on mere suspicion, or to spy on the people without probable cause as defined by the court system.

Mon, 19 Aug 2002 23:16:21 GMT

The Greenpeace Blog has lots of interesting stuff, and also a few design bugs. I did a post to their comments area, and it still says zero comments. Gilla asks for people to e-mail suggestions to her (him?) but where the e-mail link invokes my old AOL archives (I am now using Eudora for my e-mail).

I can't figure out how to Radio subscribe to [http://weblog.greenpeace.org/ powered by Moveable Type] QUOTE

a comprehensive list of safer ways to avoid invasions of indoor pests.

"Spiders:
Under ideal conditions, do not kill spiders because they help to control pests."

Every web developer should read this book, since more and more people with disabilites access websites and they simply cannot be left out.

also check out their zip code nuclear reactor finder

UNQUOTE [http://weblog.greenpeace.org/]

Lots more good stuff in their archives.

I saw on C-Span not so long ago that

100% of the US nuclear power plants were tested for terrorist threats.
50% of them failed the test for NORMAL terrorist attacks.
NONE of them passed any test for protection against cyber attacks.
The problem is that control systems, like Air Traffic Control, Water Treatment, etc. were built as stand alone units, with zero consideration for any security other than physical security. Now corporate and government managers are linking those instruments to their computer networks because they want to know what's going on, but many networks are brain brain dead on security, because after all, the information in the networks are not that important to protect, but that is not the case for some of these control systems.
This management philosophy gave us the Challenger disaster.
I fear we are overdue for another disaster.

Fri, 16 Aug 2002 02:27:53 GMT

Computer Security need not be Rocket Science. I have a bunch of links, some of which I have not recently visited, so some might be broken. All of this stuff is excerpted from Al Mac's Computer Security Myths project, not yet ready for prime time sharing. But I thought I would mention a few things in the wake of some contrary views recently published by other voices.

Send an e-mail with any subject heading to mailto:subscribe@talkbiz.com
Within a few minutes you will get back a long e-mail article
Data Security 101 For Small Businesses
From Paul Myers

When we install software on our PCs, sometimes the software vendor thinks they know more about us about what is best for us, so it pays occasionally to do a personal computer security audit. You don't need to be an expert to do this. Just visit http://grc.com/default.htm Shields Up then Test - do both tests, then check FAQ on site. There are many other web sites with similar services.

This story in the Boston Globe examines the reasons why today’s teachers are using computers & the Internet quite heavily everywhere except in the classrooms for their students.

http://www.boston.com/dailyglobe2/329/focus/System_crash+.shtml

Some software vendors sell security software they do not use themselves
http://securityportal.com/closet/closet20000705.html

A business enterprise can organize an audit of all computers on their network using products from companies like http://www.pentasafe.com and in fact ordinary auditors who know nothing about computers can include security in a standard audit. Basically they install software from pentasafe on the client's computer system, it runs a bunch of tests, and generates a report, on such things as passwords too easily guessable, passwords not changed in eons, and other topics that are related to the particular operating system used ... most Microsoft, IBM, and others such as UNIX are supported. The reports do not identify the actual passwords that are not secure, just report card on the degree to which the system is not very secure.

From time to time the government gets interested in computer security and tries to figure out standards that are going to work. In a previous iteration than what is going on right now, the standards were also tested to make sure the security ideas really worked. This led to a system of measuring which computer systems measured up to the security standards. Take a look at http://www.radium.ncsc.mil/tpep/epl/epl-by-vendor.html and see which computer systems are conspicuous by their absense.

The FBI has published a list of the most common computer security errors that everyone, all businesses, tend to repeat. http://www.sans.org/top20.htm There is also a searchable index of known computer security risks at http://cve.mitre.org/cve/ Here's a collection of Security Recommendation Guides from the National Security Agency of the US Government http://nsa1.www.conxion.com/

One of the IBM platforms has a data base system in which business rules can be specified at the file level, such that it does not matter what software tool is used by any user or intruder, the rules cannot be broken. One vendor has taken this to an extreme and offers a system in which the only thing on the system are the business rules, run a business with no commercial software whatsoever. This http://www.erros.co.uk/ can be a bit difficult to wrap your mind around, so check out the review at http://www.400times.co.uk/Documents/ERROS1.htm

Wed, 14 Aug 2002 02:00:52 GMT

e-Privacy assurances in our climate of anti-terrorism legislation is the topic of this e-week column by John Taschek. Ernie the Attorney offers this link to Charles C. Mann Atlantic Homeland Insecurity article on security systemic problems in general, and here is Ernie's earlier post on Security in general. Here are some examples of our general state of Insecurity thinking.

The US government has several networks never connected to the Internet, accessible only withing physically secure buildings. But they've been infected by computer viruses because humans with lap tops connect to both the Internet and the secure networks, and bypass the security. The weakest link are the government users.
Kerkhoff's Principle: A good crypto system QUOTE should be able to fall into the enemy's hands without disadvantage. UNQUOTE
Encrypting Internet transactions, says Purdue computer scientist Eugene Spafford, QUOTE is the equivalent of arranging an armored car to deliver credit-card info from someone living in a cardboard box to someone living on a park bench. UNQUOTE
Airport Security thinks that protection against car bombings is practical by having cars park 300 feet away from the terminal, but at the same time passengers can be dropped off right in front of the terminal. That does not compute.
Airports have to be evacuated all the time because of security breaches. There is no way to shut down just the portion of the people movement where the problem occurred.
Carjacking is on the rise partly because Automobile Manufacturers have made it more difficult to hot wire an unattended vehicle.
QUOTE Bank Vaults are secure because to break in takes real skill.
Computers are not, because to break in takes practically no skill.
Millions of credit card numbers have been stolen from computer networks. UNQUOTE
German reporters tested a face recognition system, and iris scanner, and nine fingerprint readers. All of them could be spoofed using output from a lap top screen. They photographed an authorized user, blew up the face, cut out the pupils, help the image before their faces like a mask, and the iris scanner was spoofed. An authorized user's fingerprints were lifted from a drinking glass, on a tape pressed against the fingerprint reader, which accepted the data as valid.
A corporation replaced paper ballots with electronic shareholder voting, which was hacked into. Now they cannot reconstruct original votes.
Since 9/11, at least 40 government networks have been cracked by vandals.
People have trouble with passwords so an easy way to do industrial espionage is to offer pornographic web sites to business people in which they need a password. Odds are they would use the same password there as for everywhere else.

Mon, 12 Aug 2002 19:03:49 GMT

I have recently rediscovered some stuff we can do with Radio News Aggregation (subscribing to other web sites whose traffic particularly interests us). Oh yes, I had read the documentation and struggled to understand what it all means. But sometimes the DOING is educational.

Thanks to Dave Winer [Scripting News] link to Ray Ozzie on why weblogs are good for discourse. Yes. Flames don't attract. New ideas do. Weblogs can have a high signal-to-noise ratio. Powerful statements are possible in this medium, where powerlessness rules in discussion fora. In this medium everyone can have the last word. UNQUOTE [Scripting News]

I agree with Ray that architecture can be critical. We see in the Computer Security debate that people are trying the impossible. We have software out there that did not have security considered in the original design, so it is like putting a padlock on a tent, or a house of cards, to make the results secure after the fact, when it is discovered that security should have been there all along.

The power of a network are the number of people connected to it. The value of a fax machine is the fact that millions of other businesses are networked to that technology. With many architectures we have unwanted participants: flames; spam; intruders; other dysfunctional human behavior, that we label as noise getting in the way of useful signal content. Ray is absolutely correct that the signal to noise ratio is extremely high with Blogging. Plus, he does a great job of explaining how the architecture of Blogging makes that a reality.

One downside of this is the risk that Blogging will eat excessive amounts of our time that could be more constructively expended. Just as earlier generations of technological enthusiasts became TV couch potatoes, or in my case I used to spend hours every day dealing with e-mail, because there were hundreds of interesting posts I wanted to read, but I had to wade through a high ratio of spam and virus forwardings to get at the good stuff.

By moving from AOL to Eudora, my e-mail is automatically categorized into that which I can look at any old time, and the more urgent categories. I can always go to the directory of mailboxes and highlighted are which boxes contain e-mail not yet opened.

News Aggregation of Web Site subscriptions has something similar. It comes in, but I do not need to look at it right away, and even if archives from weeks ago get lost, there is a continual stream of new fascinating material for my perusal.

Personal 2 do list ... the last time I backed up my Radio was beginning of July, and since then I have increased my Web Subscriptions to 15, and made some alterations to my Template, let alone the posts here. My desk top dynamics also have changed. My Screen Saver's unused CPU seconds are now working on finding a cure for cancer http://members.ud.com/about/

Mon, 12 Aug 2002 08:32:48 GMT

Security News Blog = another interesting site.

Mon, 12 Aug 2002 04:52:28 GMT

Guide to Real World (as opposed to Internet Virtual Reality) Legal Topics.

We got these Terrorists in custody and we want to throw away the key, but how do the precedents compare to 50 years ago when America feared Loyal Japanese Citizens and wanted them locked up and throw away the key? We think we are justified in locking up Terrorists without any trial, or access to a lawyer, or protections of the Geneva Convention on prisoners of war, and that the people 50 years ago were just racists.

Domestic Issues (Husband Wife as opposed to Homeland Security).

What should we do about these people who kidnap and abuse small children?

Catholic Priests scandal.

Computer Criminals.

Various controversial law suits.

These are hot topics, that Law Scope helps put in perspective for us.

I hate it when a site disables the back button. I want an icon that warns of that also.

Mon, 12 Aug 2002 04:43:27 GMT

CDT's Guide to On Line Privacy.