Al Macintyre: Security

Sun, 22 Dec 2002 08:21:38 GMT

Copy of report referred to in NYT story re: Total Internet Monitoring plan. This link to a September, 2002 draft of "The National Strategy to Secure Cyberspace" appears to be an earlier copy of the report mentioned in today's NYT story about Bush administration plans for centralized monitoring of the Internet.

Link Discuss (Thanks, Tom!)
From [Boing Boing Blog]

Mon, 16 Dec 2002 08:09:43 GMT

I started post here today with my idea for e Bounty Hunting of spammers, virus creators, and other e-unwanteds.

Sat, 07 Dec 2002 19:05:51 GMT

Court to rule on software that copies 'protected' DVDs. New Scientist Dec 7 2002 7:05AM ET [Moreover - Science news]

Interesting case here

The really interesting arguement here is that the copy protection scheme has a humogous loophole or design flaw ... the backups of movies are made at a point in the process when the copy protection scheme is non-functional, so nothing in fact is being spoofed. The courts will have to rule on whether or not it is legal to exploit the stupidity of your adversaries.
I thought copyright law made it legal for us to backup software, but did not make it a right, so that software companies were free to offer stuff that is impossible to backup.
I thought copyright law with respect to software backups allowed multiple backups, but basically ruled that only one copy could actually be running ON THE COMPUTER with ONLY ONE USER per software license.
This article implies that I thought wrong about that, and that we are back to the interpretation that loading software from CD Rom or diskette or Internet download is a violation of copyright law because we are COPYING it from the purchase media into our computer.
I thought copyright law was a bit different for different kinds of media ... software, printed literature, music

Sun, 24 Nov 2002 08:35:24 GMT

[David Fletcher's Government and Technology] has many links of Security Interest: QUOTE

The Center for Democracy and Technology released statements regarding the passage of the Homeland Security act and the draft National Strategy for Securing Cyberspace.
FBI's annual crime report.
Security Focus headline: US gov's 'ultimate database' run by a felon
ITAA and the US Attorney's Office, District of Utah sponsored a Regional Forum on Combating e-Crime and Cyberterrorism.

Fri, 22 Nov 2002 04:53:51 GMT

[Ernie the Attorney] QUOTE - I was at Ochsner hospital today (my teenage daughter was having a benign tumor removed, and everything turned out okay). When she was in the pre-op area I noticed the laptop in the room that was on a rolling cart. It was a Dell laptop with a Wi-Fi antenna and, though the power socket was plugged in, the cart was designed to move around from place to place (obviously after unplugging the power cord).

I asked one of the nurses about the wireless system. She told me that the mobile laptops have been used in the surgery area for about two years, and were now being used throughout the hospital. The wireless laptop has access to the Internet, but the laptop is configured with special software that the hospital uses (and other hospitals use as well) for immediate entry of patient information directly into a central database. This allows the hospital to have the patient's information updated on the computer system in real time.

I asked her what she thought about the system. She said that it had taken her awhile to get used to it. The hospital apparently only sent about four "power users" to be trained and then they trained everyone else. But now that the system was running she said it was very good and only had a few problems. She agreed that it was overall a good thing and would lead to better information about patients and less reliance on paper. But she complained that she still had paper forms to fill out and, in fact, had even more paper forms to fill out because of the new system. She said it this was bourne out of an obsession for "backup." I don't think she really knows what the real reason is, but I wouldn't be surprised if she was right. Hospital administrators live in dread fear of mishandling patient records, or at least of being accused of doing so.

But I digress from the more important point: wireless in hospitals.

I knew that Oschner had started to implement a wireless network because one of our firm's outside computer consultants used to work there and had told me about their initiative. I understand that it is a difficult proposition for a hospital to try something like this, and I'm glad to see that Ochsner is giving it a try. I don't know how they've got their system set up, but I will say this: I booted up my laptop in the patient waiting area (which is admitedly far away from the surgery area, i.e. +500 feet) and didn't pick up any signal. Obviously, in terms of network security, that's a good thing.

UNQUOTE [Ernie the Attorney]

Tue, 19 Nov 2002 20:08:39 GMT

I started a story on Identity Protection, which collects various ideas on what to do to minimize our risk of someone stealing our credit, and what should be done after an incident, beyond the standard advice.

Mon, 18 Nov 2002 08:19:18 GMT

www.netcrimes.net and Misdemeanors is the latest book I have taken a look at. It is written great! Each chapter is a mixture of stories of real problems for real people, showing us what it is to be a victim of out-of-control: cyber-stalking (get help via www.haltabuse.org if you a victim of this); identity-theft (more kinds than I knew about, which means I need to say more in Identity Protection than what was implied by Stop Identity Theft because my Banking Stories may have distorted my vision as to where the greatest threats come from, www.cybersnitch.net has advice how not to become the next such statistic); hostile people out there posting stuff that pretends to be from you; spam; hoaxes; all sorts of frauds; what you ought to do about it, with tons of useful links. Some of these connections will be making their way onto my web site in future postings. Some have already come here, although with a somewhat different spin than that of www.jahitchcock.com J. A. Hitchcock. Here are some wonderful starting points.

www.trf.k12.mn.us/lhs/shutthedoor.html = safety brochure to help schools and law enforcement understand about anonymous e-harrassment and what can be done about it
If you want spam or want more than you already getting, then sign up at www.iwantspam.com
If you sent $ in the mail to some place to buy something that was communicated to you via the Internet, and you now think you have been cheated, prompt contact with postal inspectors can put a scammer in the slammer www.usps.gov/websites/depart/inspect
Got questions about computers and the Internet? Check out http://whatis.techtarget.com and www.askanexpert.com
Do you suspect that there are programs hiding on your computer that should not be there? I not talking viruses & trojans but spyware. Check out www.cexx.org/problem.htm and www.lavasoftusa.com
Let's suppose someone might be impersonating you and behaving in a disreputable manner, you can keep track of yourself online by submitting your first & last name, or your e-mail address to www.tracerlock.com and they will e-mail you when it finds a match (I know I am in a LOT of places legitimately)

Fri, 15 Nov 2002 21:10:08 GMT

[Ernie the Attorney] QUOTE Oops! Honey, I forgot to redact the document! - giving your opponent a document with sensitive information exposed is not a good idea. That's why people use black markers. But what about electronic documents? Anyone ever hear of "meta-data"? Please, people. Let's be careful out there. If you are an attorney and don't know what I'm talking about (especially if you use Microsoft Word) read this. UNQUOTE [Ernie the Attorney]

In earlier posts I have shared how Word documents can contain all sorts of stuff you not want to share, and how unscrupulous people can send you what seems like an innocent document, but it really contains software that acts like a virus to do Industrial Espionage. That is a great link by Ernie to an article on www.law.com about electronic documents in general. It is not just Microsoft stuff you have to manage.

Thu, 14 Nov 2002 18:45:57 GMT

I have added Stop Identity Theft which has my proposed solution to a problem that causes grief to far too many people today.

Thu, 14 Nov 2002 04:33:05 GMT

e Week has a big story on where the jobs are in the USA for computer people.

There are a lot of us who are somewhat depressed about the economy, large layoffs all over the place, dot com melt down etc. We can forget that while the economy may be bad overall, there are always places with growth and stability. They move around the country as geography and technology evolves. Some industries have not suffered in the current economy, such as biotechnology, health care, defense spending, which has led to growth in computer jobs some places. e-Week analysed data from the federal Bureau of Labor Statistics and other sources, and concluded that the best areas of the country to relocate to, if you want to be where the computer jobs are:

New York's Capital Region
- Thanks to IBM, Eastman Kodak, Bausch & Lomb, Corning, and other companies, this area was a tech center long before the dot com boom. In 1999, NY ranked 4th in the nation for attracting venture capital, and 3rd for R&D spending. This seven county region, consisting of Albany, Troy and other cities, continues to have a strong economy for growth in computer jobs. One of the newest companies here is looking for experts in bioinformatics, such as analysis of DNA sequences for nanotechnology. Check out www.hightechNY.com for current job openings.
Northern Virginia Beltway

Defense Contractors are booming with approx 5,000 IT jobs going unfilled. Background checks for a good security clearance can take 18 months. Biomedical also has great prospects.

Southern California's Inland Empire

East of Los Angeles created 29,700 new IT jobs in July and 26,000 in August, the highest rate in the nation, because it has become a major center for distribution, thanks to inexpensive land, a diverse industrial base, including industries that are today's drivers of tomorrow's economic growth.

There's an article of tips for relocating, and one on the methodology they used to determine the three top areas.

Mon, 11 Nov 2002 18:00:46 GMT

[Boing Boing Blog] QUOTE

Open spectrum explained for the laity. Seattle Times has run a great story on the group of "lawyers, engineers and telecommunications analysts" who are lobbying the FCC for cognitive radio and open spectrum.

In an ideal world, the FCC would treat the airwaves like a highway system nobody owns and enforce rules governing how people use its lanes without crashing into each other, the group says. And in cases where this isn't possible, the FCC would allow people to drive across other people's "property" as long as they keep a low profile and don't do any damage.
Given this freedom, inventors and entrepreneurs would invent new vehicles and new ways of using the highway, the thinking goes. Consumers would finance the development of the airwaves by buying the devices that suit them best and abiding by the rules of the road that prevent nasty accidents.
But to make this vision a reality, the devices need a slice of the spectrum that would form a virtual park or an airwaves commons where equipment makers and others could experiment. In addition, common protocols — industry standards that allow devices to understand each others' communications — and rules are needed to prevent accidents and to make sure everyone gets a fair shake.

Link Discuss (Thanks, Howard!) [Boing Boing Blog]

Let's hope the FBI crew that's checking up on War Chalkers, also reads this perspective. I also think there may need to be some standards to avoid electronic smog, where equipment is controlled by signals delivered by wireless, but the wireless can also pick up signals from unrelated activity that is sharing the same spectrum. If the controller cannot tell the difference between the authorzed control signals and the unrelated traffic, then something can crash, which can be very dangerous if that something is robotoic, transportation, medical, public services, etc.

Fri, 01 Nov 2002 17:19:12 GMT

Risk Management tips in Oct 2002 Praxis includes ways to hide your e-mail address from spammers, yet still make the obvious to real people (see in my Search Engine Tips the many ways to get at people's e-identity), also what viruses trojans worms etc. threats and Microsoft Vulnerabilities are going around and what you can do to protect yourself.

Tue, 29 Oct 2002 18:50:12 GMT

The Economist: The weakest link. Human failings, in other words, can undermine even the cleverest security measures. In one survey, carried out by PentaSafe Security, two-thirds of commuters at London's Victoria Station were happy to reveal their computer password in return for a ballpoint pen. [Tomalak's Realm]

Sat, 26 Oct 2002 18:04:52 GMT

What I personally fear the most about embedded chips is that

If having this chip makes it easier to find someone who has been kidnapped, then at the same time, having this chip makes it easy for would-be kidnappers to find their victims, chop out the chip from the body, and leave it with a ransom note, so that when the rescuers zoom in on the chip, they find what the kidnappers want them to find. Also kidnappers can browse info about people in a crowd, to match up someone easy to seize with someone who is worth seizing, on the basis of what the embedded chip tells them, when they look up the code number.
Some institutions will begin to require that their employees or customers have this embedded chip as part of their security system.
Potential crooks will think the embedded chip is the only thing they need for access to the facility.
Humans will be assaulted for the purpose of chopping off whatever part of their anatomy is thought to contain the chip, so that the crook can then use a human arm with an embedded chip as the key to try to unlock access to whatever facility they want to break into.
- At one college, it is your thumb that the thieves will want to chop off. http://www.wired.com/news/privacy/0,1848,53912,00.html http://www.vortex.com/privacy.html
It is bad enough now that crooks want to steal my wallet, or break into my home and steal property from me, or steal my identity, but with this technology, future crooks will want to chop off part of my body.

Wired Articles on Privacy:
http://www.wired.com/news/privacy

http://www.wired.com/news/privacy/0,1848,55999,00.html

The initial version of the VeriChipID is the size of a grain of rice. http://www.adsx.com/prodservpart/verichip.html It needs to be activated by a scanner. It gives a code number, that when looked up in a data base, gives whatever info the wearer has decided will be in that data base. However, much more advanced versions are in the pipeline, such as Digital Angel, which combines Global Positioning (GPS) system and monitoring service, to help keep track of people with certain medical conditions, school children, where the legal system needs to keep track of them, and potential kidnap victims. Sex Offenders are branded for life in some states, but not yet with this chip. Perhaps some Catholic Priests need to have the Mark of the Beast added to their anatomy, so parents can scan child care providers before entrusting their children to their care.

http://www.wired.com/news/business/0,1367,50004,00.html

http://www.wired.com/news/privacy/0,1848,55740,00.html

http://www.wired.com/news/school/0,1383,54604,00.html

http://www.wired.com/news/business/0,1367,53075,00.html

Remember Lojack? http://www.lojack.com/ This is a system used to help the police locate stolen vehicles, that have had Lojack installed in advance. Depending on how large Lojack is, and how obvious it is to thieves who might want to remove it during the theft, before the theft is discovered, some people might want this installed on other products of value ... would it interfere with the operation of a computer for example?

Well what we are talking about here is a similar concept embedded in human bodies.

A similar chip has been embedded into pets so animal shelters can identify the owners. Three different companies market these devices. There is some controversy over whether the technology works as advertised.

http://www.gcn.com/archives/sl/1997/November/desk.htm

Several versions of this product, from several companies, are being marketed in Latin America with an GPS that keeps track of where the person is, who has the chip. This can help locate people who have been kidnapped, before the kidnappers remove the chip from their bodies, and it can also be used by kidnappers to help them find their kidnap victims. Kidnapping is big business in South America, and the US State Dept has a travel warning on Columbia due to this. A politician in Brazil has volunteered to be chipped, to demonstrate how safe it is to the people. The capital of Brazil is also the kidnapping capital of Brazil.

http://www.wired.com/news/business/0,1367,52253,00.html

http://www.wired.com/news/business/0,1367,50004,00.html

http://travel.state.gov/colombia_warning.html

http://www.wired.com/news/technology/0,1282,50435,00.html

Wherify makes a bracelet that parents can lock onto children wrists, to allegedly track their physical movement, and their Internet travels, to allegedly keep the children safe, until a kidnapper removes the bracelet. http://www.wherifywireless.com/corp_home.htm If the child strays, does not report in when supposed to, the parents can use the internet to identify the child GPS signal on the map.

http://www.wired.com/news/school/0,1383,54604,00.html If the child encounters a situation he or she has been trained to deal with, like a stranger making certain claims, the child can punch a 911 button to send an alert to the police that is GPS linked. The device can also send out a police alarm if someone tries to forceably remove it, so obviously the criminals have a bit of work cut out for them to jam the signal before they do the removal. http://www.wired.com/news/business/0,1367,55731,00.html

However, the technology exists such that the parents could have software continuously checking on where the child is in transit, to make a little map of all the places the children have been to, and the speed of transition (implying when in a vehicle in excess of speed limit).

There is a big controversy over what the FDA has to say on the subject, with representatives of Applied Digital Solutions site/ad http://www.adsx.com/ mentioned in the article, claiming that different FDA have been telling them contradictory stories.

I have a hard time believing that the Applied Digital Solutions chip was accurately depicted to FDA personnel who told Applied Digital Solutions that this chip did not need FDA approval, if the company proceeded in a certain way in their advertising claims and statements to the media, because Section 201 of the Federal Food, Drug, and Cosmetic Act, implants and other devices that "affect the structure or any function of the body of man or other animals" require government approval. http://www.fda.gov/opacom/laws/fdcact/fdctoc.htm Any foreign object inside human body, for any length of time, has the potential to impact that human's well being, and thus must have FDA approval. Many implants, that have no medical purpose, come under FDA regulation.

However, it is clear from news reports that someone at the FDA did in fact approve the Applied Digital Solutions chip, but not 100%. http://www.wired.com/news/politics/0,1283,55952,00.html

Perhaps we want to invest in Applied Digital Solutions, as there are sure to be lots of people who will want to buy the product, without taking the risks seriously, but suppose there is law suit thanks to major abuse? Be ready to sell the stock real fast. Applied Digital Solutions is also in the news because of conflicts with their auditors, which puts them at risk of being in violation of their restructured loan with IBM Global Credit.

http://www.wired.com/news/ipo/0,1350,52499,00.html

FDA = http://www.fda.gov/ = Food and Drug Administration

Hearing Aids, Contact Lenses, Tattoos, surely are less intrusive on our bodies than embedded chips, but they are in fact covered by FDA regulations. Something does not compute here.
Anything we eat is covered by FDA regulations, with a large chunk of the food chain from agriculture also covered, and packaging of Halloween candy to give to kids
Any medicine we take is covered by FDA regulations
Vitamin Pills and alternative medicine covered by FDA regulations
Medical tools in the home like thermometer or blood pressure measure or know if pregnant are covered by FDA
Chemicals placed on our bodies, like cosmetics, ointments, anti-mosquito repellant, sun tan, you name it, is covered by FDA
Products that emit radiation, are covered by FDA regulations, such as Cell Phones, Lasers, Microwave Ovens, Personal Computers ... but somehow this embedded chip in our bodies which is connected by radio to GPS to track who we are and where we are, is to be exempted from FDA regulations. I have a hard time believing this story.
Safety of nation's blood supplies, from say West Nile or AIDS, is covered by FDA
On-line medicine and imported treatments covered by FDA
Bioterrorism information from FDA web site

FDA Investigator's Concern about potential health risks to humans from having this chip embedded in their bodies:

http://www.wired.com/news/business/0,1367,55626,00.html

The Jacobs family in Florida got a lot of publicity when they got chipped,

http://www.techtv.com/news/culture/story/0,24195,3372523,00.html

then a week later the FDA announced that it was investigating the company, and as a result NASDAQ temporarily put trading of Applied Digital Solutions on hold.

http://www.techtv.com/news/culture/story/0,24195,3384927,00.html

Apparently, during a press briefing of the implications of what had happened with the Jacobs family in Florida, Applied Digital Solutions representatives spoke of the chip being linked to FDA compliant medical data base. The FDA says it is illegal to use the FDA name in such a way that it sounds to be an endorsement of any product.

Any company, that is marketing products that might have government approval implications for some aspects of their products, ought to have its marketing department briefed by appropriate lawyers with respect to what you can say and what you ought not say. It sure sounds like Applied Digital Solutions is not following that safety protocol, which so far has resulted in a whole series of foot in mouth incidents that will probably eventually cost the company millions of dollars in fines, lawsuits, and lost business. I can only conclude that either Applied Digital Solutions management is extremely inexperienced, or deliberately taking serious chances because they think the publicity and scandals will help them much more than any damage.

Additional Links to stories about the Jacobs family.

http://www.techtv.com/news/culture/story/0,24195,3384209,00.html

http://www.techtv.com/news/culture/story/0,24195,3384016,00.html

http://www.wired.com/news/privacy/0,1848,50187,00.html

I have not been following this story in detail, so it is not clear to me what the precise sequence of events are. The news media seems to be implying that of Applied Digital Solutions tried to put something over on the FDA, and the FDA either fell for some of it, or we are already seeing abuses.

Remember Lindows, where that company clicked I agree that everyone has to click to get a product, then in their advertising claimed a relationship that the I agree vendor felt was excessive and sued to have them stop saying that? Well the FDA has a similar gripe, and they are not the only place with gripes.

Allegedly Applied Digital Solutions asked the FDA what they had to do to avoid needing FDA approval, then after FDA told them, they both violated that understanding, and advertised that they had government approval to market the thing. Here is another example of where Applied Digital Solutions actions have triggered a storm of media controversy ... was it deliberate or by mistake?

It sounds to me that if the FDA told them what they had to do to avoid needing FDA approval for the device, and if they complied with those conditions, then they did in fact have government approval from the FDA, and the only problem would be with how they phrased it.

Allegedly Applied Digital Solutions asked various hospitals if they would be willing to provide this chip as a service. 12 hospitals said they interested in exploring what's involved. Allegedly Applied Digital Solutions then claimed the 12 hospitals were now offering the service. http://www.techtv.com/news/culture/story/0,24195,3384209,00.html

This sounds to me to be very sloppy business practice, or outright attempt at fraud, another example of where Applied Digital Solutions actions triggered a storm of media controversy ... was it deliberate or by mistake?

FDA Spokesperson Claim that so long as no medical information is involved in this tracking of human beings, it is not subject to FDA regulation. It is Ok to have it connected to a medical data base, and it is Ok for people to use it to save them in medical emergencies, but so long as the device itself is not gathering medical information about the person it is embedded in, it is not subject to FDA approval.

http://www.newsday.com/ny-fdachip0406.story?coll=ny-homepage-more-breaking-news

The Executive Director of the New York ACLU says that this has enormous potential for benefits at the same time as enormous potential for abuse. I agree with both.

Potential benefit and abuse at the same time

National Identity

Potential benefits

Similar to medical alert bracelet ... you wheeled into hospital unconscious, and this thing tells medical professionals what you would have told them had you been conscious, about your medical allergies for example.
Your child is kidnapped, and assuming the kidnappers don't have one of these scanners to locate and destroy the chip and injure your child in the process, the police use GPS to find your child.
Alzheimer's patients who may get lost.
Some felon is supposed to report to authorities regularly, out on bond, or on parole, but of course this only works for criminals who lack the desire to cut up their own bodies to remove the thing. http://www.ptm.com/
Article listing benefits and claiming no risk to privacy. I do not believe the latter claim. http://www.techtv.com/siliconspin/features/story/0,23008,3375490,00.html The article claims that the data bases will be protected using the full state of art, but I know from past experience and education that the state of art is full of holes. Plus, there are various risks I talk about elsewhere in this post.

Potential abuses

Many concerns stated above, such as the risk to having our arm chopped off if the chip is used for something really critical access, such as security key to get into a facility that terrorists or criminals desire to get into.
You walking, minding your own business. Someone scans you, gets your code #s, looks up the data base, and pretty soon there is in your face advertising, tailored to the contents of your data base.
Suppose you win the lottery. A kidnapper could use the chip to locate your child. Start off by searching the internet for info about you, to determine what kids you have and what the code numbers are of any chips in them, then use portable scanners to look at kids in your neighborhood to see which one has the chip for the parent that just got wealthy.
Go through airport security - it sets off some kind of alarm - special legislation needed to say that people with this are allowed to use the nation's airlines. Ok now the homicide bombers seek to manufacture pieces of weapons that can masquerade as this stuff, then a terrorist team takes turns using the privacy of the airplane toilet to dig the pieces out of themselves to assemble their weapon. The initial version is about the size of a grain of rice and needs to be activated by a scanner. It does not have the GPS feature.
Applied Digital Solutions CEO Richard Sullivan said, in an interview, that this could be used to track foreigners in the USA.
- You show up as a tourist, student, business person, or whatever, and have to have this injected into your body, as a condition of being in the country, then you would be treated as a suspected criminal until you leave. Those of us already here might have to show up to some government office to be injected. This way only the real criminals who smuggle themselves into the country and do not voluntarily go to the government offices would not have them.
- I also expect that some criminals would indulge in identity theft and have injected into themselves one of these gadgets with a forged code number that agrees with the person whose identity they are stealing. I wonder how difficult it would be to change the code number so that on different days the criminal will be masquerading as different people.
- Although the company is now downplaying their CEO's remarks, there has allegedly been an effort in the UN to mandate this for keeping track of refugees and other stateless persons.
Electronic Frontier Foundation Attorney speaks out about Issues and Concerns with the VeriChip in http://www.techtv.com/siliconspin/features/story/0,23008,3375488,00.html
Gary Wohlscheid, President of Last Days Ministries http://www.tldm.org/, is comparing this chip to the Biblical Mark of the Beast. http://www.tldm.org/News4/MarkoftheBeast.htm

Thanks to V. of TYR for bringing these links to Al attention. Discuss this at Tech TV also here and here and here. I may have lost track ... many of the Tech TV articles have at the very bottom, links to other articles that are related, then below that there is an area where people have been commenting on these stories. Some of the Wired articles also have space at the bottom for commenting on them.

Fri, 25 Oct 2002 07:56:30 GMT

Anyone stop to consider this guy might be a cop? [Adam Curry: Adam Curry's Weblog]

Well now that he has been arrested we know he really is ex-military, All American deadbeat family abuser. I thought he might be media. The trick was not in getting to the attack site, but in being non-suspicious after an attack. What profession can legitimately be in any community at any time, without anyone questioning them? A news media person.

Stick around, wait for the police to descend on the scene. Show up and try to interview them.

But now we know the sniper team was driving around in a personal attack vehicle disguised as an ordinary auto, so when stopped at a road block, the weapon hidden below the trap door.

Tue, 15 Oct 2002 09:37:48 GMT

I have worked with various different kinds of computer security over the years, but I am no expert at it.

Al Rule # 1 = You cannot padlock a tent or house of cards. Security needs to be built into the foundation of the computer system, preferably via a rock solid operating system.

Al Rule # 2 = Computer data can be accessed by a variety of tools, software hardware and tapping into the flow of data. Just because the software you using cannot see the passwords or unencrypt the data flow does not mean that some other person software cannot do so.

Al Rule # 3 = It is not unusual for purchased computer systems and software to come with back doors left there by developers. You have to do business with reputable firms that do not condone such behavior.

[BlogFish] found insight in [Jon's Radio]

Use Private Keys, no - Use Public Keys, no - ....

Jon Udell is opening a can of worms, I must not look...

I always knew there were ways to encrypt information and I accepted that. Then I was assigned the task of revamping our software licensing process. This required me to choose an encryption method. Choosing an encryption method required me to justify my selection against its alternatives. Justifying my selection required me to understand both my selection and the alternatives that I did not choose.

So I did some reading, and once I understood the difference between Private Key Encryption and Public Key Encryption, I changed my mind. Public Key Encryption surely seemed like the better choice.

If some rogue ex-employee were to take the private key and issue passwords for a discounted price, we could throw out the old key pair and replace it with two new keys. Because one of the keys of the pair is public, we could simply distribute it along with the encrypted information. No need to hard-code the private key in the software, right? No need to require customers to reinstall existing software, right? No need to maintain legacy password generation programs, right? (Anyone who has done this before, please comment...please throw me a clue...)

Yes, I thought I finally had gotten it. Public Key Encryption provides more convenience, more security, more robustness than Private Key Encryption.

I am trying to resist looking at Jon Udell's post. He is questioning his long-held assumption that Public Keys were the way to go.

Remind me why I need a public key. Dick Hardt, founder and now CTO of ActiveState, was prowling around the digital ID conference asking a deceptively simple question: "Why do I need a key pair?" ...
[Jon's Radio]

[BlogFish]

Mon, 14 Oct 2002 08:50:57 GMT

Avoiding the Sniper

Dog News lives in the target zone so I been sending her various thoughts. Here below are some of what I think were my brighter ideas. Some of my ideas may be a bit dumb, but I hope on balance I have shared ideas that Y"all will find worthwhile thinking about. I have updated this mini-essay several times, most recently mid-day Thursday Oct 17. If you want to print it out, figure 5 pages.

She told me about a friend seeing a vehicle that looked exactly what the police were watching the public to be on the look out for, but all the police phone lines were busy, so I suggested calling that into the news media. Have them tail the suspect vehicles until the police clear them. The friend was not able to leave her job, at the time of the witnessing. Another thought is to have standard forms, downloadable from police web site, for witnesses to fill out when something fresh in their mind but access to the police not practical. At the time of the anthrax scare, and at times of bomb threats, we have had similar forms from the police that spell out what should be done when an incident occurs.

Put in perspective that while the sniper has killed 11 people in 11 days, in the same time period there have been 14 unrelated homicides in 5 of the 6 communities where the sniper has been active, while even more people die in traffic accidents (68 a year in DC, 660 in Maryland, 935 in Virginia). This is not really as bad as people in other countries have to put up with all the time. Get a pen pal in another country to understand what it is like for them and see that we might be over-reacting to this latest crime spree.

Is this a good time of year to visit Disneyland? Get away from the daily worries and have a good time somewhere else? Your auto club can probably print out maps of driving routes that take you to interesting places that are not on the sniper past visitations or even close.

If you want to get away for a while, consider that while you have a good job, there are hundreds of thousands of people around the country who are out of work. Perhaps you can organize a trade. You get away and live in someone else community for a while, and someone else take over your job and income until you ready to come home. In academia this is called taking a sabattical. Some Professor and family trade homes and jobs with some other Professor and family in some other city. The University has teacher all the time. Professor and family have nice place to live. Basically they trust each other, something like exchange students.

Say, how about exchange students your kids go live in some other city until DC is safer place again? Travel broadens the mind, so it is educational also.

The sniper is not neccessarily someone with police or military training, because so far all the victims have been people who were easy targets for someone who is a good shot, and desires to continue killing random victims. Ask someone who does have relevant training to suggest to you how to avoid being an easy target.

I think that right now, many people in the communities, that the sniper is preying on, could use a police briefing, not on the kind of stuff that the media is demanding, regarding progress or lack of progress finding this serial killer, because past criminals of this nature have gone on killing sprees that have lasted months or years before they got caught. Rather, what I think the people need is community policing meetings briefing the people on how to minimize risk of becoming a next target, and which of these various ideas are most constructive.

I have in the past suggested that Homeland Security Professionals could benefit from a seminar series put on by professionals from other walks of life - health and computer auditors for example. For other posts by me on security topics see my security category, or ask for copies of one of my Word documents on security issues.

Your pooch pals need to be able to run outside while you remain indoors. I can send you attached to e-mail, some of my joke collections that will have you ROFL so much that you won't care about the real world until this is over.
- If you not have much in the way of a back yard for the dog, where you could have a long cable with the leash to it so dog can run back and forth, find a wooded area where you can walk out of sight of the highways.
When you have to be outside, in the role of a pedestrian, do not remain stationary. Walk briskly, not in a straight line, but zig zag. Wear dark clothing, stay in dark shadowed areas, so that you are not an easy target.
- This is directly opposite to the kind of advice I would ordinarily give a bicyclist. Living in Evansville Indiana, where the crime rate is almost zero, so that we have the privilege of laws like it being illegal to play radio so loud in auto that it is annoying to adjacent cars in traffic, a lot of young people seem to be extremely careless about personal safety. I find pre-schoolers in middle of side streets with no look outs for traffic, wearing dark clothing at night. I see college age kids on bicycles, with no lights, just tiny reflectors, no safety helmet, dark clothing, on limited access highways at night, where the speed of the motorists like 50 mph. These kids are accidents looking for an auto to hit them.
- But when a sniper is around, a person needs to emulate these kids.
Perhaps people going about their business in groups, so you guarantee that if a member of the group gets struck, survivors will have some clues to share. Think group of friends, neighbors, co-workers traveling together like a military expedition, with multiple lookouts in all directions, so if you fired upon, there's someone else looking in every direction. Have the group carry a camera to capture clues to share with the police.
So far the sniper has shot at people outdoors, loading car in parking lot of strip mall retail outlets, waiting at a bus stop, mowing yard, at a gas station. So, you need to patronize establishments that have parking garages attached to where ever it is you want to go. Doesn't downtown have an underground garage? Don't some shopping centers have attached parking garages, where you can walk between car and shopping, and be hidden from sniper view at all times? Is there a safe subway system where you can go from indoors to indoors?
- The 10th incident, Monday nite, sounded like it was in the bottom level of an open air split level parking structure, not a real enclosed garage. When I say to park in a garage, I mean one that when you get out of your car, you are not visible outside the garage to some sniper. For the sniper to get you, also have to be inside the garage.
- In answer to one of my questions, dog news has informed me that several shoppers, inside the split level partially covered parking garage, witnessed a man standing behind his Astro Van, quickly taking the shot, and then getting into the van and leaving.
The 4 gas stations were MOBILE SHELL SUNOCO EXXON
You want to patronize one of those brand names on the assumption the next gas station will be a 5th brand name.
MICHAELS CRAFT STORE was location of FOUR of the shootings, either right there, or in a shopping area that had one.
Look up in Yellow pages where they all located.
Mark on a map.
Do not go anywhere close to any other such store.
- After the sniper is apprehended, use that map to assist in deliberately shopping near Michaels Craft Stores so as to undermine whatever economic purpose was why the sniper was frequenting those areas.
- You can hope that the police have all the Michaels Craft Store shopping areas staked out, and are running simulations what to do if this one is the next place the sniper raids.
If you have a vehicle anything close to the description the police looking for, ask them to move it to police impound lot or other place of their choosing, so as to get similar vehicles off the streets and make it easier to find the one and only one left.

Suppose you are a retail commercial store and you want to protect shoppers visiting your establishment. Did you see the police putting a sheet like on a clothes line to protect the crime scene and victim? A shopping center could put something like that up to protect their parking lot patrons from visibility from the highways. Not a permanent structure, but temporary curtains on a split level parking lot. Put stuff in windows of stores like you batten down the hatches to protect against a storm or a riot, so the customers can be inside, not seen through the windows, and thus safe from sniper, while inside.

Shoppers need to be able to have their cars loaded in an enclosed area as they leave the store. It could be like a tent up against the building. Car drives into the tent, gets loaded, drives out. Someone to move the cars who should be wearing bullet proof vest and heavy plastic helmet like riot police, so that they can see where they going, but their head protected from bullet.

Customers arrive. Stop in tent covered area, give car keys to person in the plastic helmet, at which point there is a receipt that identifies car description and who drove it here, helmeted person moves it to parking area, turns in copy of receipt and the keys to person near cashier desk, with identification of parking space added. Customers ready to leave. Identify selves. One of the helmeted workers gets corresponding car keys, with paper saying which parking space that car located, goes to get it, drives it into tent covered area. It gets loaded. Customer leaves.

Customer is never exposed to sniper, except through windows of car, in the scenario that I have described. The only people exposed to sniper are helmeted people who are wearing bullet proof clothing. The cost for this would be minimal. What do curtains, or tent cost, or block up the windows of a store? The cost is the labor for the people wearing the bullet proof clothing. Hey, the economy could use some more people with jobs. Would shoppers be willing to make a donation to a fund for this kind of protection, so they have places they can go with this added peace of mind?

Do you have a drive in garage at your home that is large enough to accomodate a visiting vehicle? If so, use the Internet to order groceries, alternatives to Pizza, other stuff. Each neighborhood could have a weblog category that announces new businesses that have setup e-business services for their community, then webloggers can subscribe to that announcement category, and use it to link to the new announcements. (See Al's Understand Radio News Aggregation if you unfamiliar with this concept.) Sign up as a customer, specify wants, give directions to get to your home - store phones you before making a delivery to make sure someone ready to accept delivery and make payment. Then when this is all over, e-business has had a boost in your area. If sniper not caught any time soon, you have now setup infrastructure that can be used for Christmas shopping.

Business district organizations need to study how to get people from enclosed parking areas to retail establishments, without becoming exposed to the sniper.

Transit systems like buses and taxis need to review where their people wait for them, and find ways for the people to be enclosed, while at same time the drivers able to see when someone is waiting for them.

Do we need an Amber for Cops? ... someone calls in some alert, and a signal is sent to all police, irrespective of which agency, informing them of where some event occurred, then they react according to their stations relative to that location and type of event.

Employers need to think about this also. Do your employees drive to work and have their cars in a parking lot visible from the street? Do your people arrive and leave at predictable times? What can you do to make your employees less at risk?

Has Halloween been canceled? What does this do for the kids fun, and the economy of the stores that cater to their business?

Think gift certificates, substitute events, e-halloween, and contests in safe areas with top prize being like trip to Disneyland (something kids want, and also get you out of town for a great trip).

Ask Amtrak for a special evening or weekend trip. Kids from the neighborhood are driven to an enclosed railway station and board a train that will go on a special trip out of town, perhaps with a different return route. Many of the cars will be like neighborhood block parties for groups of people who cannot do outdoor stuff while this scare is going on. Kids visit with the various neighborhoods on the Amtrak trip. Can older kids be connected to the Internet from this?

Stores with web sites combine visitor # onto their web site with a program to print e-gift certificates that can be cashed in after the sniper is caught, in one of several special kids party weekends.

Have some quality time parents and children at home on grand tour of kids friendly web sites. Familes vote which is best in several categories (different, wild, fun, educational) and send them (the kids friendly website organizers) e-gift certificates from the local stores, that can be cashed in at national chains that have outlets in your community.

Result - local commercial economy does not get hurt, parents and kids have quality time, internet innovation is stimulated.

Assuming there is a shopping mall where people can drive into an enclosed garage, and there is some security like I been talking about, a shopping mall could have a Halloween weekend, in which extra security is put on for the weekend. Down the middle of the mall have little shoppes selling halloween related stuff, and each of the main stores provide gift certificate discount coupons, in which the kids have something to cash in when the sniper is no longer an impediment to going shopping. Stores know what to do - buy one get one free coupons.

Have a treasure hunt in the mall ... each store may contribute a clue that is related to the stuff they sell. The first 25 kids per hour to come in with the right answer receive a gift certificate discount coupon or something even better.

Are you annoyed by the Gun control people trying to take advantage of the big scare? The pro-2nd amendment crowd can fight back with a Neighborhood NRA watch ... people who have gun permits, and have had appropriate weapons training, could escort their neighbors on errands, prepared to shoot back at the sniper. Have a web site where people can sign up to have the Neighborhood NRA watch provide them with an armed escort. The police would be asked to swear in these people as temporary deputies with special badges showing that they have been checked out and are trusted to be traveling the city with weapons ready to fight the sniper.

[dws.] Asks QUOTE To: Anyone who publishes material related to the sniper in DC, Please do not give the idiot (sniper) in Washington a title that feeds his/her ego. "The Beltway Sniper" is too glamorous. Refer to him/her with a title that is more fitting, and less likely to be bragged about in prison, such as "The Murdering Coward". UNQUOTE [dws.]

Sun, 13 Oct 2002 21:07:23 GMT

What we have here are some links inspired by me visiting places that are visited by people who also visit my site, showing some interests that we have in common.

Christian stories that never happened.
- I'd like to see something similar on other Religions, because those of us who are not believers can sometimes have a hard time distinguishing truth vs. distortion.
Computer Virus Myths - how to spot them.
- Warning - that site disables the back button.
Darwin Awards for people who have found incredible ways to remove themselves from the gene pool. These are true stories, that someone could easily think were made up.
Discuss Urban Legends.
Electronic tour of artistic renditions of Urban Legends.
- I was not impressed with what I sampled, but different strokes for different folks.
Hoax Identification Education
Hoax Kill Service

Once you find out if a message is a hoax you can send it to a designated email address and their software will then extract the addresses of all previous recipients from the message and inform them all that the message is a hoax.

Humor about Hoaxes.
Latest Urban Legends.
Net Lore and Urban Legends.
Norton Symantec Security Response Directory of e-mail Hoaxes.
Researching Urban Legends.
- This might be where my sister got the idea that the volume of visitors to a website, translated into extra charges for bandwidth. Oh! that Is a true story for this site.
Scam Busters list e-mail chain nonsense and other scams, tips on fighting spam, lots of good links, also including links to info on real computer viruses.
Scope of Urban Legends.
Many people think something is a hoax when it is not. See my Sep 20 post about the plight of a Nigerian woman, sentenced to be stoned to death for the crime of being jilted by the husband of her child, in which I got a flood of referers due to people searching Gooble and other engines for information on the hoax details on this story, so their only hits were on sites that both talked about this real life situation, and some unrelated hoaxes.

Thu, 10 Oct 2002 20:20:23 GMT

[Chicago Sun Times] reports insider identity theft of 5,000 employees of the state of Illinois in which crooks in Indiana, and other states, opened credit card accounts in the names of the victims, then stuck them with the bills for what was purchased on those accounts.

Wed, 09 Oct 2002 22:13:49 GMT

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H Volume 7 Issue 47 is really annoyed with Microsoft.

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H describes QUOTE security holes in Word so big they defy description. UNQUOTE Subscribe to W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H for the low down on understanding that Microsoft Security is an Oxymoron. There is a wealth of information in this regular e-newsletter.

Scenario:

Bob has access to a file.
Alice wants it.
Alice sends Bob a document, innocently asking Bob to edit it and return it to her.
When it comes back, it contains the file that Alice wanted, and Bob is none the wiser. Bob cannot block this with anti-virus or any of the usual PC security because this is the way Microsoft Word is supposed to work.
or, Word can "phone home" to Alice web site, delivering what she wants. Bob does not need to send the document back to Alice and she can still get copy of the file she wants.
- Woody showed Microsoft step by step exactly how that could be done, Sep 17, and the latest Microsoft press release is still pretending that this capability is not in their software.
- Oct 5 Woody sent Microsoft a demonstration Word document that when opened, sends Woody the first 230 characters of any file on your PC that he cares to name, to anywhere he cares to send it.
Contrary to Microsoft public statement, Alice does not need to know the absolute path to Bob's file. The person doing the pilfering can use just the name of the file without knowing what directory it is in.
You can go after just about any file, such as the passwords file, so long as you know how Windows organizes these things.
The ability to do this stuff is what Microsoft calls a feature, so obviously, to Microsoft, this is not something they have any commitment to fixing.

W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H QUOTE

LIES, DAMN LIES, AND MICROSOFT

Man, am I ticked off.

On October 8 - yesterday - I received a copy of Microsoft's

Inside Office Newsletter. Under the headline "Answers to

Concerns About Security in Word" there's a link to

http://www.microsoft.com/technet/security/topics/secword.asp

, where you'll find the same press release Microsoft posted

a month ago about the "confusion and speculation"

surrounding the huge security holes in all versions of

Word. This is the first time Microsoft has notified its

customers about Alex's Document Collaboration Spy problem,

as far as I can tell, and instead of telling something

resembling the truth, all we get is more obfuscation.

Recycled obfuscation at that.

Only Microsoft would have the unmitigated gall to lie so

blatantly, at this late date, and expect their customers to

swallow it. I use the term lie quite deliberately,

Microsoft is still making statements that it knew then and

knows now are totally false.

YODA tore the press release apart in Woody's Windows Watch

a couple of weeks ago

(<http://www.woodyswatch.com/windows/archtemplate.asp?5-18>).

But YODA only knew part of the story: he didn't know

about the security holes I've been feeding to Microsoft,

and he hasn't seen the gaping exposures other folks have

encountered. The truth is far more devastating than

anything YODA could imagine.

In this issue of Woody's Office Watch, I'm going to show

you specifically how Microsoft is lying to you.

UNQUOTE

and Woody does so, with ample examples.

BACKGROUND

On August 26^th Alex Gantman released to a small community of fellow anti-virus analysts details of a new type of security breach in Word, which has many variations and consequences. He didn’t misuse his discovery but told other computer security specialists through an avenue that Microsoft closely watches. Therefore Alex did notify Microsoft, at the same time as others. Microsoft objects to anyone else being told about security problems with Microsoft products, preferring to be the sole clearing house for information and arbiter of what their customers should know. It was only after Woody published some details in Woody’s OFFICE Watch on September 6th that the mainstream press got a hold of the story.

If you like the no-nonsense straight scoop of W-O-O-D-Y-S--O-F-F-I-C-E--W-A-T-C-H, assuming I have done an adequate job of translating / reviewing the latest news on this Microsoft Security is an Oxymoron front, here are some books to look out for from Woody (Al advertisement for Woody here in appreciation for the great education Al gets from Woddy).

Windows XP All-In-One Desk Reference For Dummies", Hungry Minds http://www.woodyswatch.com/l.asp?0764515489

"Special Edition Using Microsoft Office XP" with Ed Bott, Que

http://www.woodyswatch.com/l.asp?0789725134

"Special Edition Using Microsoft Office 2000" with Ed Bott, Que http://www.woodyswatch.com/l.asp?0789718421

"Woody Leonhard Teaches Office 2000", Que

http://www.woodyswatch.com/l.asp?0789718715

Wed, 09 Oct 2002 06:15:09 GMT

[Eclecticity: Dan Shafer's Web Log] QUOTE

The Problems With Word on OS X Are Worse Than I Imagined

Word has become, for me at least, almost unusable since my upgrade to Jaguar. Here's what Microsoft's MVP support team has to say on the subject:

Unfortunately, Word is not going to work properly under Jaguar unless Microsoft releases a patch for Microsoft Office. The problems have now been analyzed, and the experts have found that Word v.X is not fully compatible with Jaguar, and there is nothing you can do to make it so.

What incredible garbage. Now what am I supposed to do? I have a publisher waiting for a book. They use Word. Their feedback to me is in Word comments, which are frigging broken in Word on Jaguar. Arrogance screws the little guy once again.

UNQUOTE [Eclecticity: Dan Shafer's Web Log]

Well here is a candidate for a souped up Lindows, since Word works on that Linux package. Do your word processing on Star Office for Linux and output the document as RTF standard which Word will accept. Just use Lindows to make the file acceptable to your publishers, and to get at their comments, while you do your real work on the computer of your choice.

Thu, 26 Sep 2002 21:45:52 GMT

[Chicago Sun Times] shares a couple stories about Zero Tolerance of Modern School Administrators:

A Nebraska 7th grader found some marijuana in his classroom and turned it into to the office. He was suspended because, the act of picking it up and carrying it to the authorities constituted possession of marijuana.
A Florida sophomore honor student saw a bag of pills on school grounds and did not follow the example of the Nebraska student because she was afraid of getting in trouble for possession of the contraband in the short distance of carrying it to the authorities. She has been told she will be expelled for failure to do so.

This reminds me of in Illinois where youngsters are encouraged to clean up the environment, but it is illegal for them to remove beer cans and alcohol bottles from the road side, because that means that those empty containers inside their garbage bags constitutes possession of those containers by a minor.

The lesson for these kids is to

Do not touch the illegal substance - drugs, guns, whatever.
Carefully write up a statement of where you saw this illegal substance, in a report to the authorities.
Make sure your report is addressed to the authorities before you leave the scene, so that if an undercover officer sees you seeing the illegal whatever and not picking it up, your statement is part of your defense.
Make a copy of your statement before you turn it in, so that if you later get hassled, you can take your statement to a lawyer, the news media, or where ever your parents think will most embarrass the school authorities into backing down.

Thu, 26 Sep 2002 06:49:28 GMT

Safety of Nuclear Power Plants Again Questioned. VOA Sep 24 2002 9:33PM ET [Moreover - Science news]

We are living in a different world today. In recent years it made sense to

Build a nuclear power plant right next to a major city, because nothing serious likely to go wrong, but now power plants are potential terrorist targets, so we do not want them right next to major cities.
Build an airport in the middle of a major interstate interchange so easy to bring passengers real close to check in counters, but now a truck bomb can take out an airport, so we need a different kind of transportation infrastructure to unload the passengers from ground transport further away from the air tranport, and run everyone through screening suitably distant from buildings that might be major targets of terrorists.

VOA = Voice of America ... there's links here to what headlines VOA is sharing in various places in the world ... an interesting site worth revisiting occasionally.

Africa

Amnesty International protests torture of child prisoners in Burundi
Intervention in Ivory Coast
Uranium Security in Africa - is that an Oxymoron?

Asia - Pacific

China ultimatim to Iraq
North Korea gets special envoy from Pres Bush
a lot of stories I had not seen on local national news

Asia - South and Central

US Troops in Afghanistan discover another chilling al Quaida site.
Dutch and Germans to take over NATO command in Afghanistan when Turkey time runs out.
Iran nervous about US troops near their border with Afghanistan
Suicide terrorists seized an Indian temple, leading to another gunfight.
Terrorists attack a Christian Charity.

Americas

Argentina and Brazil economies still in bad shape
Chilean Appeals court throws out 7 cases against Pinochet
Colombian President visits USA President
Mexican Banker gets record bail
That storm in the Carribean

Middle East
- Britain and Iraq
- China and Iraq
- Kuwait hosts USA military exercises
- Lebanon scandal with Israel
- Palestinians
- USA politics and Iraq
- USA and Pakistan cooperation
USA
- Brushfire in Western USA
- Iraq and Partisan Politics
- Various legislation

Tue, 24 Sep 2002 09:10:42 GMT

I added a small reference directory of "e Discussion Groups": e-commerce; computer security; etc.

Tue, 24 Sep 2002 07:20:48 GMT

[Scott Granneman's Security Category] covers topics of e-law; human stupidity; Microsoft gotchas.

Tue, 10 Sep 2002 19:38:32 GMT

FROM [Ray Ozzie's Weblog]

Tyranny, Terror, and Technology. Some thoughts about the intersection between the challenges confronting business, and those confronting government and society. UNQUOTE Ray Ozzie's Weblog]

This is a dynamite thought provoking essay - I highly recommend it - my words of wisdom pale in comparison.

I believe that beaurocracy, and inter-communications within an organization, is like glue.
- Too much and the enterprise is all gummed up with rules that get in the way of doing the job.
- Too little and everyone is flying off in different directions, counter productive.
- The challenge is to get it just right, so that you have an agile team effort.
  - This is further complicated by the organization fluctuating in size, so you need different strategies for different scales of operation. Also there is a spread of individual skills of participants in the organization, so until you get everyone up to speed on something, there has to be another way of getting the job done. Any time things are changed, there will be transitional confusion.
Organizations can be too large and unwieldy.
- Remember the book The Mythical Man Month, which I consider to be one of the classics on software engineering?
- Basically the permutations of all the different people who need to intercommunicate can bog down some things so that nothing can get done.
- Thus it is essential to organize focus teams and have a hierarchy such that there is no wasted baggage in your structure that gets in the way of a lean and mean team.
An excess of organizations focused on different tasks is good in business.
- Competition leads to better Quality, Features, Economies.
An excess of organizations with overlapping responsibilities is bad in government.
- They can have turf wars that get in the way of them doing what they are supposed to be doing.

Tue, 10 Sep 2002 19:18:17 GMT

FBI warns of potential threats [USA Today : Front Page]

As usual, nothing specific ... if they had something specific they could stop it from happening ... except right before 9/11 both CIA and FBI were independently tailing 2 of the hijackers because of their involvement in a prior terrorist attack on USA and GOV was trying to identify all the conspirators, and what they up to, and build court case, but the 2 hijackers gave their tails the slip and the rest is history. There is a hard balance there to achieve between ability to get a court conviction, round up evidence what going on, (correlate the masses of clues that they get, many of which might be misleading or erroneous), and actually prevent something bad from happening.

Unconfirmed reports of AlQ targeting oil tankers, add that to laundry list of other things identified in past like nuclear power plants, and shipping containers.

Question detainees - risk they will share every fantasy whacko scheme any alQ group ever dreamed up, but was abandoned as impractical.

I sure hope GOV and MIL doing war game simulations into what might go wrong, and keep secret results until they have plugged holes that the simulations uncover.

Historical patterns logic ...

Our enemies hate what West stands for, and international western institutions, so they may target meetings of UN or World Bank.
Pearl Harbor was on a Sunday when Amercian Air Defense at Peace and high religious ethic what do on a Sunday.
Oklahoma City was on the anniversary of Waco because some whacko with no relationship to Waco wanted to do something on that anniversary date.
Well, people who hate us are inspired by bin Laden example, people with no contact with alQ.
- I sure hope long term Foreign Policy goals can include addressing why these people hate us so much, and do something about turning the tide of recruitments into ranks of our enemies, so that potential enemies do not go down that path.

Mon, 09 Sep 2002 19:15:31 GMT

[Adam Curry: Adam Curry's Weblog] QUOTE

I found out via an email exchange that one of the founders of the [newly relaunched] electronic intifada website is Dutch. Arjan El Fassed also posted several comments to yesterday's posting. Of course there are counter posts now as well that is forming a lively conversation.

My advice to Arjan is to re-re-launch electronicintifada as a weblog. Perhaps a multi-user weblog for multiple authors. Currently the site appears to emulate a BigPub and imho detracts from their mission.

As with all aspects of war, be careful not to become what you are fighting against. UNQUOTE [Adam Curry: Adam Curry's Weblog]

This is also like the appearance of impropriety. The enemies are not clearly understood by government intelligence, let alone anyone else. When any group of people discuss something, the odds are that several are police spies, journalists trying to ferret out a story, pure innocents trying to figure out what is going on, and it may be that none of the participants are any of the bad guys, but in a war, the rules of innocent until proven guilty are sometimes altered into round up suspects before someone pulls another 9/11.

Mon, 09 Sep 2002 19:08:41 GMT

[Adam Curry: Adam Curry's Weblog] QUOTE

All dutch helicopter companies, including ours, received a fax from the authorities this morning, warning of 'journalists' that will attempt to proove our natuional security is flawed, by staging an 'air assault' over the country on sept. 11th.

Geez guys, get a life already. I've posted the fax on my dutch weblog.

UNQUOTE [Adam Curry: Adam Curry's Weblog]

I think the threat to National Security is more from Journalists than from Air Companies, from the perspective of doing something stupid.

Many people, who work in Air Companies learned their trade, as military pilots, or have around them people of that patriotic perspective that can provide a sense of balance.

The risk from Air Companies is that in the management of costs, there will be a trade off that sacrifices safety and security.

It is self evident to anyone, who lives in a democracy, that various national monuments and institutions can be seriously hit by something like the Oklahoma City Bombing, if the perpetrators do not care if they get caught, and the only way to protect ourselves is to become a police state.

If you doubt this, show me your credentials (such as a policeman badge) that you have need to know my theories on how bad guys could hit the very stuff that is sacred to our democracy, such as various government buildings and important places to the infrastructure of our economy, and I will tell you how, but not via a public forum.

Now some commentators seem to have an attitude that parallels that of Juvenile Computer Crackers ... hey, here is a weakness not properly protected ... broadcasting it daring someone to find a solution, and meanwhile the bad guys have been delivered of an idea that perhaps they might not have dreamed up for a while, so the article has just made the job of Homeland Security that much more difficult to get done.

This is reminiscent of past wars where journalists pretended to be impartial. Remember Saddam's troops shooting up various air conditioning ducts in downtown Kuwait? Why did they do that? Well some refugees crossing the border to freedom were surrounded by journalists to cover their story, and among other things they said they hid in air conditioning ducts of some office buildings. Saddam's military intelligence was watching Western media and picked up on that information, and other clues about how people were escaping, and some refugees did not make it out safely, thanks to many journalists not understanding that loose lips sink ships.

What we need are private briefings in executive session to Legislators and Homeland Security agency workers, to make sure that they are aware of things that people in other professions can see.

Architectural Design Professionals
Computer Professionals
Journalism Professionals
Public Health Professionals
Security Professionals
Transportation Professionals

Sun, 08 Sep 2002 20:06:48 GMT

On a thread in the e-com-sec discussion group, I asked what are we supposed to do when we get spam from known criminals such as the Nigerian Scam. We have a moral obligation to report criminals to the government, but police seem to be ill equipped to deal with individual internet solicitations of criminal activity. The tip lines are so overwhelmed as it is with more serious issues, that GOV has a serious need for a software magnet to find the key needle clues in their information haystack.

I was basically told that we should treat any spam as spam, forget about trying to deal with criminals the same way as is done in the real world outside of the Internet, and given an interesting link to a back issue of Sysmod's Praxis, which I have previously mentioned on my weblog. It included the following stimulating topics:

Europe's anti-spam legislation.
Microsoft IE patch
The person in personal decisions about the computer you think you own, and stuff stored on it, is not you but Microsoft.
Google Features
Cyber Squatting
Euro Glitches
Euro Zone
Nigeria Scam Clones
Worst Web site (warning: protect your eyes)
Longest domain name

Thu, 05 Sep 2002 21:23:31 GMT

Comment on Al's Radio Doc Sources using Quick Topics. Eventually, Al wants to look into pros & cons of several different commenting systems for Radio, but we have to start some place.