November 2007 Archives

It's Friday, so here's something funny for you. My favorite quote:

Regardless of the recent upheaval, students throughout the country are learning to accept, and even embrace, the change to their curriculum.

"At first I think the decision to drop the past tense from class is ridiculous, and I feel very upset by it," said David Keller, a seventh-grade student at Hampstead School in Fort Meyers, FL. "But now, it's almost like it never happens."


This whole story is reaching levels of scary absurdity. It's like she's been declared a witch in Salem in 1692. Local mosques have now riled their parishioners to go into the streets chanting "By soul, by blood, I will fight for the Prophet Mohammed" and "No tolerance: Execution" and "Kill her, kill her by firing squad." HELLO, CRAZY PEOPLE!!!

This is precisely the reason that I look upon organized religion so suspiciously. Whether it be the Crusades, or the intolerance in America for anything diverging from a right-wingnut fundamentalist Christian stance, or denials of Science in favor of faith-based idiocy, or this conviction of a teacher for letting her students name a teddy bear after a student in the class -- it's all madness. None of this promotes improved social values. None of this equates to taking care of one another. It's abuse of power by keeping people ignorant and patently manipulating them to act in a manner to prop up corrupted regimes. Utter bollocks.

Protest story is here on CNN.

Exploit Packs Change Economic Model

The Symantec Security Response Weblog has an excellent post up today titled "Honor among thieves?" that talks about free versions of the now-infamous Mpack and IcePack exploit packages containing backdoors and additional redirects. They theorize that this is essentially the premium for getting the packs for free, which is very interesting. In essence, the malware gurus are using an ad revenue model to make money off the packs. This is kind of like the shift from Web 1.0 to Web 2.0 in terms of moving away from relying on product sales to really leverage the long tail available to them. :)

Ok, so some of my thoughts here are tongue-in-cheek, but it's an interesting post nonetheless. Check it out! :)

UPDATE: The teacher has been sentenced to 15 days in jail. Pure insanity. And we chose to invade Iraq.... sheesh!

As mentioned this morning, Sudan is making headlines for absurdity, arresting a teacher on charges of blasphemy for allowing her students to name a teddy bear "Mohammed." I wondered this morning what the deal was. Language Log has a good post providing more info on this insanity.

I'm feeling a bit hyper and expressive today, so part of the post frenzy. I've just read some very interesting things across multiple topics and wanted to share:
- New earphone line from Shure.
- Ford's diesel-hybrid concept car.
- And, first and foremost, a kind of funny cartoon:


Awesome. It's so obvious, and yet so brilliant. There's tons of free code out there to setup such a tool, too.

How to Harvest Passwords
Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

Hat tip to guru Bruce Schneier for the find.

You know, I'm a little confused. Muslim parents can - and frequently do - name their kids Mohammed. So, when those kiddies all vote on naming their classroom teddy bear, choosing the same name, how does this suddenly become an offense to Islam? Of course, it's hard to take a line on this from our official government's standpoint. They skew every criticism as a threat to national security and as material support of terrorism. Does anybody not see how dangerous it is to give religion such a prominent role in government? Corruption occurs regardless, but religion seems to give people that extra little piece of self-justification for perpetrating atrocities and injustices. "God said it's ok." Ayeeeeee....

Travelog: Ben & Hanna Go To England

We had the lovely opportunity last week to visit England. Since we get so little time off, Thanksgiving seemed the best opportunity to go. A large part of our motivation was to visit our friends Matt & Hollie, whom we'd met on the Contiki tour this past August. In addition to visiting friends, we also did some sightseeing and celebrated Thanksgiving and my 32nd birthday. Trip pics are available here.

The trip started Wednesday evening (21st) with an overnight direct flight from IAD to Heathrow. Aside from an obnoxious woman in front of me who tried several times to ram her seat back into my knees - and then complained about it! (resulting in her receiving a duty free voucher) - the flight was uneventful and on time. We tried to get some sleep on the flight, but didn't have much success given the time zone our bodies were used to.

Thought Police in Guise of Nationalism

I'm increasingly incensed by the measures the federal government views as necessary and appropriate to fight terrorism. They've thrown out habeas corpus, exercised extreme rendition and torture, illegally surveilled communication by US Citizens, and taken unilateral action against those perceived as a threat. The government has advocated that we spy on each other and seem increasingly inclined to promote thought homogenization. One need only look at recent elections to see the tone set by Republicans of a false dichotomy philosophy of "with us or against us" -- not allowing that someone opposed to their preferred plan of action could in fact also be in favor and support of the country.

Now there's further evidence that this is coming in a recent bill passed by the House. H.R. 1955 has been described on Slashdot as being a bill that declares the Internet a terrorist threat, and in a way it does. What's more important to note, however, is that this bill is designed to attack ideology that may be considered threatening to the US. It specifically focuses on trying to limit terrorist and radicalist ideology, but it does so under the guise of promoting nationalism.

While a nationalist approach may seem harmless on the surface, it concerns me greatly as just another step toward thought policing and homogenization. Now the government wants to overtly tell me what I should think about the country and government. Other groups have even declared that multiculturalism is a threat to national security.

Folks, we need to be vigilant and resist these attempts to homogenize thought. Difference of opinion and the strength to argue one's dissenting point is of vital importance in a Democracy. When we fail to intelligently debate ideas, we stand to lay ourselves open to complete compromise. It seems that the weaker the Administration's footing becomes, the more they want to clamp down on free thought and free speech. Actively resist oppression!

Pardon the Dust... Upgrade Underway...

My friend, who graciously hosts my web sites (including this blog) on his server for free, is in the process of upgrading Movable Type. As such, there are some bugs still to be worked out. Until they're cleared up, there may be issues with my site, and who knows what else. I'll also not be posting a lengthy review of our recent England trip until I can figure out this new interface and where all the content links went... :)

Amazon.com has setup a special Black Friday page to track specials that will only be offered the day after Thanksgiving (Nov 23rd this year - my birthday!). According to the announcement, "Amazon.com will be offering hourly deals from 6am to 6pm PST along with thousands of products on sale for a limited time. Also, customers will get gift wrapping for $.99 per item."

Additionally, the following advertising widget will scroll through Lightning Deals on Friday, showing specials as they come and go. So, you may want to bookmark this page and keep an eye out for specials on Friday. :)


The Danger of Intolerance in Public Fora

We've had an interesting, though sadly disparaging, thread on the cisspforum this week. I can't post any direct quotes for you, since that would be a violation of the forum guidelines, but I can talk about the issues in a generalized sense. I wish to do this because I find it indicative of some larger problems within the security industry, and in fact within American society at large.

The core point of contention in this thread was whether or not so-called "off-topic" posts were appropriate. The forum guidelines clearly prohibit content that is not related to security. A couple of people argued quite vehemently that anything that diverged from that rule should be strictly omitted. This stance seems reasonable, perhaps, at first glance, but it raises a larger question: given the extremely broad subject that is security, how does one gauge whether or not a post is relevant? Moreover, whose opinion holds more weight in answering that question?

I don't have much to say on the topic, other than to point you to a very interesting post on the ACLU blog site. This quote jumped out at me:

As the court held in United States v. Robel, "It would indeed be ironic if, in the name of national defense, we would sanction the subversion of one of those liberties … which makes the defense of the Nation worthwhile."

This is the crux of my concerns about the actions of this administration. If you sacrifice all that is American in the name of "security," then what's the point of having America? If you systematically disassemble the Constitution, then what is the basis for this country? I find it extremely arrogant and short-sighted that a few rightwingnuts should think themselves smarter than the Founding Fathers to the extent of grossly rewriting the foundations of this Republic.

ACLU Blog: The First and Fifth Amendments are Not Optional

When Inflexible Meets Uncreative

It's a little after 5am local time and I've been up now for almost 2 hours. No, I'm not suffering from insomnia, nor am I trying to use myself in a sleep deprivation experiment. Rather, the security alarm in the apartment (for which I have no use) has decided to start beeping (rather loudly) about every 30 seconds. I'm sure they gave me directions for the darned thing when we moved in, but that was nearly 3 years ago, and I haven't the foggiest idea where they are.

So, the next logical thing was to call the after-hours maintenance hotline and have the on-call person paged. I say "logical" because the other option that occurred to me ranged between ripping the panel out of the wall to simply cutting the wires.

I called the maintenance hotline and the woman took my info and the nature of the problem and said she'd call maintenance. And then I waited. And waited. And waited. 30 minutes went by and no response. So, I called the hotline again, got the same woman, and she says "I'm sorry, this isn't on our pre-defined list of emergencies." !!!!!!! An alarm, for which I have no remedy, is going off at 3:30am and she won't page the on-call because it's not on her list. To make matters worse, she couldn't be bothered to call me back and tell me this. I had to wait 30 minutes and then call back to find this out. Putting aside the sheer failure in customer service, let's explore the fundamental problem here: inflexibility and a lack of creativity in finding a solution. This minimum wage drone had no motivation to help me.

Well, it seems (as expected) that Democrats are not immune to the powers of corporate greed. According to this story on C|NET News, there is a provision within a financial aid bill introduced on Friday that includes the following:

According to the bill, if universities did not agree to test "technology-based deterrents to prevent such illegal activity," all of their students--even ones who don't own a computer--would lose federal financial aid.

The net effect of this idiocy - designed purely to appease corporate henchmen from out-of-touch-with-reality groups like the MPAA and RIAA - would be increased cost of attendance. With tuition already increasing at a rate more than double inflation, do we really need another reason for those costs to go up?

The courts have already established that it is incumbent upon the damaged party (e.g. MPAA or RIAA) to identify the offenders and seek recompense directly. This proposed law seems to seek to put the responsibility onto the shoulders of third parties who are already struggling to provide basic Internet services for their students. This bill only serves the needs of the greedy corporations, who are living in a bygone era. It will only serve to increase cost of attendance. Plainly put, it's bad legislation.

Call your Congressperson and tell them to vote against the College Opportunity and Affordability Act (COAA).

Excellent Secure Coding Paper

D.J. Bernstein, author of qmail and professor at U-Chicago, has released a new paper on qmail security. Though ostensibly about qmail, it's really an exposé on secure coding practices. In the paper, he identifies three fundamental approaches that will meet "users' security requirements" within a given program:
1) eliminate bugs
2) eliminate code
3) eliminate trusted code

There's nothing I can say here that isn't better said by DJB in his paper. As such, I highly recommend reading it right away. It's very short (10 pages including the page of references) and very accessible. You do not need to be a programmer or a CompSci major to understand what he is saying.


Quick Supporting Links...

Two quick supporting stories for my previous post:

1) The White House actually has the gall to tell Musharraf not to restrict Constitutional freedoms in the war on terror. Who are these people who think "do as I say, not as I do" is acceptable? See Think Progress for the rest of the story.

2) The ACLU Blog has an excellent post titled "Mukasey, Torture and the Abuse of Presidential Power" that runs down some of the growing criticism from conservatives over the Mukasey nomination, the refusal of the White House to reject torture, and the blatant manipulation that seems to be going on. It's really quite scary when nominees and appointees are completely barred from exercising any degree of free speech whatsoever.

A false positive is a test result that indicates an affirmative response when the actual response is negative. It's also known as a Type I error (Wikipedia has an excellent write-up on Type I and II errors). False positives are problematic in information security because they can result in "the little boy who cried wolf" situations. Meaning, if you start seeing a bunch of alarms and they're always false alarms, you'll start ignoring the alarms. Thieves have been known to use this tactic to trick police or security guards into ignoring alarms so that they can then burgle successfully. In information security, we try to find ways to eliminate false positives, or at least develop methods of validating the data through an alternative method rather than accepting the false positive as accurate. If only the federal government understood the need for and importance of doing this.

According to a post by Bruce Schneier, a man in Sweden was unhappy with his son-in-law, who was in the process of divorcing the man's daughter. This soon-to-be-ex-son-in-law was traveling to the US, against the wishes of his wife, which caused disgruntlement. To exact retribution, this older man in Sweden sent an email to the FBI accusing his soon-to-be-ex-son-in-law of being a terrorist, providing flight details and indicating that the son-in-law was en route to meet with his al Qaeda contacts.

Stupidity or Oversensitivity?

If ever there was a sign of the times, it's the resurgence of racism in the States. Before I go any farther, let me state up front: I find abhorrent any form of discrimination, whether it be based on race, gender, sexual orientation, religion, or politics. This country (the US) was founded on the concept of freedom for everybody, drawing the line at where your free actions cause injury to others (hence laws). The main point here is that you can have your freedom so long as you don't infringe upon the freedom or rights of others. Fair enough.

All that being said, I'm a little perplexed by recent trends.... nooses and other hateful acts being committed against blacks... the Jena 6 ordeal, where black kids were punished differently than white kids... and racist comments made by politicians and free citizens about people, including Barack Obama. What is up with people?!? Seriously, this sort of behavior is just wacky.

Quick Rant: Unpardonable Sins of Sites

As I sit and see login.facebook.com return "connection reset" - blocking me from logging in so that I can ask a friend a question - I'm caused to reflect on some of the unpardonable sins of sites. The first, and greatest, sin imo is denying access, either through error, fault, or lack of availability. Facebook has been a notoriously unstable site, I've noticed, with 3rd party plugin apps failing all the time. This, however, seems to be the first time that their entire authentication system has failed.

From a security perspective, this gives me an interesting thought: of the three attributes in the security triad (CIA, for Confidentiality, Integrity, and Availability), availability is perhaps the most annoying to lose. Confidentiality is probably the most costly to lose. And then there's integrity. It's annoying, but perhaps not overly costly (most of the time). Case in point, for the last few days Google Reader has had a tough time with updating the status of various folders. I'm guessing that they're having some sort of sync issue across their highly scalable platform. Undoubtedly, some new code push has hosed up the integrity of the status of read messages. This is a minor annoyance that is easily ignored, though, unlike a complete lack of availability.

I promised a quick rant, so will just leave it at that.

This is the first non-fiction book that I've (mostly) read in a while. A lot of my reading is online these days, but it's good to mix it up. I say "mostly" because I skimmed the last third (or so) of the book. Unfortunately, this looked like the more interesting information, but I just couldn't gut it out for another month after spending 2 months on it already.

The book posits a new theory of intelligence. Fundamentally, it's a discussion about the old nature vs. nurture arguments. Flynn puts forth that base intelligence is genetic, but that environment introduces a social multiplier such that intelligence can be increased beyond the base genetic capabilities.

He also talks extensively about how intelligence tests quickly fall out of norm, and thus either require adding a time calculation to compensate, or need to be re-baselined on a regular basis. In my mind, this is akin to the difference between "real" and "nominal" values in economics. The nominal score would be the actual score in a given year. The real score would be normalized to the year of the last baseline. As part of his model, Flynn includes a method for calculating these offsets.

Overall, I found this book to be quite interesting, though definitely a dry read - especially for someone with at most a hobbyist's background in cognitive psychology. Nonetheless, I would recommend it as what appears to be a very worthy attempt to unify previous theories. Also, for academia, he provides several tests that can be exercised to validate his theories (Flynn says he does theory, not experimentation).



Finally, another security post! You must have thought I'd forgotten all about this topic. :) Honestly, I have a few ideas in notes at home, but haven't been motivated to write lately. But that's all about to change as of right now.

I have three different items for you today. First, in "Um, no." I talk about a recent posting on the Symantec Security Response Weblog that is, well, rather moronic. Next, "Don't be stupid." is a quick pointer to another excellent Bruce Schneier blog post on counter-terrorism stupidity. Last, Richard Bejtlich at TaoSecurity has a great list of responses, from worst to best, that measure the degree of proof provided in response to the question "Are you secure?".

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10