February 2008 Archives

I went to Target to buy face wipes tonight... with tax, the total came to $6.66. My immediate compulsion was to buy gum or mints to get around that omen, but I resisted. Instead, I said "that's kind of creepy." The cashier looked up and said "yeah, those wipes are kind of expensive, aren't they?" It was very difficult to stifle a smile at her failure to recognize my attempt to be clever. I guess humor is in the ear of the beholder...

I think the Salon says it best:

"The final Democratic debate produces no miracles for the grouchy former front-runner. Yes, those MSNBC moderators did seem to like Obama better, but even when she's right she sounds wrong."

Perhaps my biggest pet peeve with driving is when people act aggressively to put themselves first, even if only by a car length. As if commuting is a NASCAR event. Guess what, it's not.

Today's example is the ever-popular right turn on red. The legal basis for allowing a right turn on red is found, not in traffic laws, but in energy conservation legislation (see 42 USC 6322(c)(5)). It's purported to save on combustible feel consumption in vehicles because they won't have to sit idle as long. There are, however, a couple caveats.

There's a decent article over on Men's Vogue this month. It provides nice background overview of the device, and also has a brief slideshow that walks through a decent basic kettlebell workout. It's definitely worth checking out, and will only take a few minute to zip through.

All the fearmongering around FISA has got to stop. It's maddening and irrational, based on fantasy, accusation, innuendo, and political gamesmanship. And, honestly, by gamesmanship, I mean unsportsmanlike conduct.

I need your help out there, since economics and finance isn't my strong suit. I'm thinking about cancelling my gym membership. It's costing me about $45/month, which is ridiculous in and of itself (I think Gold's is about half that). I'm only going 1-2 times/month, because I'm doing kettlebells at home in the morning. The kettlebell routines are starting to pay off. The only thing I really use in the gym are free weights for deadlifts and occasional bench press reps (I can't do squats any more because of the avulsion of my C7). However, I supplement the kettlebells with pistol squats and pushups (normal and one-handed against a wall or counter). In the future, when we've settled somewhere, I plan to add a pullup bar (or maybe a finger board, like the Metolius Simulator) and free weights of my own. Anyway...

All that being said, what do you think? Does it sounds like I'm getting my money's worth? Please leave your suggestions in the comments (note, you'll get a login prompt, just put "comment" as the username and leave password blank - this is to stop automated comment spam). And, thank you! :)

I've been diligently working on a few articles, plus fighting a cold, over the last few days, so you'll have to excuse the decreased blog output (or not - feel free to hold a grudge for a while, if it makes you feel better:). Anyway, I ran across a few articles today that were interesting enough to make me want to talk about them. So, here's a hodge-podge of topics, ranging from politics to infosec to cool new technology, including a brief review of the latest book I've read, The End of America: Letter of Warning to a Young Patriot by Naomi Wolf.

"Insanity: doing the same thing over and over again and expecting different results."
Albert Einstein

No Child Left Behind (or funded) has left many kids behind, and it has put the focus in schools on training instead of on education. Training is designed to impart a defined, repeatable skill set in a rote manner without need for thought. Education imparts the ability to think critically and creatively. A well-educated student should be able to take foundation concepts and expand upon them on their own. The current focus on standardized testing does not achieve this objective. Who cares if test scores are improving? It's all pointless and stupid if they aren't able to think when they graduate (IF they graduate).

Fidel resigns, and the President says "The United States will help the people of Cuba realize the blessings of liberty." Well, ok, that's nice, but what about letting us realize the "blessings of liberty" here at home in the good ol' U-S of A? This paradox of advocating freedom and civil liberties abroad while rolling them back at home is quite vexing.

Hat tip to ThinkProgress.

Here are a few of the things that I've been reading lately (cleaning out my Google Reader starred items)... note that I'm working on the lengthy key management post, as promised, just a bit delayed... more to come after that, since I'm finally getting my energy back (it's been a long haul since I got food poisoning a year ago, followed by being terribly run-down in general).

I'm generally left-leaning these days, except when I'm not. Today on ThinkProgress, Sen. McCain is mocked for his language, but nobody seems interested in his key point: what is the definition of "wealthy"? This is a question that has begun to irk me as I look at the economic stimulus package.

Courtesy my Dad, this is great Friday Funnies stuff! :)

I've finally finished reading Barack's Obama's book The Audacity of Hope: Thoughts on Reclaiming the American Dream. It's taken me far too long, mainly due to the amount of "other" reading I do in a given day (blogs, news, a few weekly print news magazines, and so on). Oh, and of course the whole "work" thing. :)

Suffice to say, I thoroughly enjoyed and recommend this book. Prior to reading the book, I thought Obama seemed like a decent chap, but tended to back John Edwards as a political candidate (you just have to like Edwards' anti-corporate spunk:). With Edwards out, I'm pleased to say that I fully support Barack Obama's efforts for election as the next president of the United States. His book is just that good. Let me explain in more detail.

If you happened to see Good Morning America (ABC) this morning, you probably caught the story "Fast Food: The Fast Track to Organ Damage." Well, let's set the record straight on this typical overhyped story, since it once again represents irresponsible, sensationalist journalism, placing the blame somewhat incorrectly.

I feel like I've been a slack dog when it comes to blogging substantively lately, and it's probably true. Mea culpa. The good news is that I have a few ideas that I'm working on, and will hopefully get to sooner than later. I've recently started a new consulting engagement, so my addition has been detoured by that. With a little luck, I'll get back into form and get some things together.

Reader poll: What do you consider to be cornerstone concepts in security? Please post your thoughts in the comments. Why? Because I'm thinking of starting a new line of security posts "Cornerstone Concepts in Security" - that's why. :) Right now I have "accountability & enforceability" and "data classification" and maybe a couple other ideas, but that's about it, and seem rather pathetic.

What I mean by "cornerstone" concept is this: if you strip down infosec to its foundations, removing all the tech-specific gobbledygook, what does that leave you? What are the core minimum concepts that need to be enacted in an infosec environment? Policies are a core thing, but I don't consider them conceptual. Get what I'm saying? Please let me know what you think.

I also still owe a thought piece on key mgmt... again, mea culpa, coming sooner than later! :)

Hopefully you haven't switched to the new Feedburner feed... it doesn't seem to be feeding very well... please stick with the original feed for now...

Subscribe

First, I'd like to say: AAAARRRGGGGHHHHHH!!! You turn your head for a minute, and those wily politicians slip bad things by. According to The Guardian, our wonderful US Senate has decided to pass a bill granting telecom companies immunity for any role that they may have played in the warrantless wiretapping debacle.

Here are the core reasons why this is absolutely, totally moronic, irresponsible, and down-right stupid (not to mention a threat to national security, thank you very much - transparency limits corruption, which protects the foundations of this country):

1) If the telecom companies didn't do anything wrong, then they don't need immunity.
2) With immunity, people cannot sue, meaning discovery cannot be performed, meaning this super-secret, likely highly illegal program cannot be uncovered, meaning that the felons in the White House cannot be held accountable for their blatant violations of the law and US Constitution.
3) If telecoms did do something illegal, then they need to be held accountable for their spineless acquiescence to the illegal demands of the corrupt Bush administration.

Fortunately, time is still left to make this right! The House version of the bill does not contain telecom immunity. As such, the House and Senate must develop a compromise bill in committee, and then pass it by both houses of Congress.

I urge you to contact your Senators and Representative and demand that they not make this fatal decision. Hold your elected officials responsible!

Find your Representative
Find your Senator

Howdy folks - just a quick note that I've setup my blog subscription through Feedburner. You can use the following links to add it to your RSS reader of choice. I don't know that I'll whack the current feed, but you should still migrate over as I play with things. Sorry for the inconvenience, and thanks for the support!

Subscribe

It's primary election day here in the Mid-Atlantic. If you live in Virginia, Maryland, or Washington D.C., I hope that you'll get out and vote! If you're not sure where to go, then check out "Rock the Vote" for all the info you'll need (click the link on the right for "2008 primary/caucus info").

This is perhaps one of the most innovative solutions I've seen in recent times. PlayPumps combines a merry-go-round with a water well and filtration system to produce clean water for rural African communities without requiring electricity or expensive diesel engines.

Hat tip to GuyKawasaki.

Slashdot has had a couple stories posted in the last couple days about new authentication schemes. The first scheme comes from Carnegie Mellon University, where graduate students have developed a method to cover the input interface with the hand to protect against observational attacks, combined with a graphical password control. The paper is well-written and, though not seemingly reasonable to implement quite yet, poses some interesting ideas. More on it at the following links:
http://it.slashdot.org/article.pl?sid=08/02/08/0452221
http://www.darkreading.com/document.asp?doc_id=145104&WT.svl=news1_2
http://www.andrew.cmu.edu/user/nicolasc/publications/SCH-CHI08.pdf

In other news, a startup named Credentica is featured in an article on Wired discussing their authentication scheme and how it could prove identity with minimal information exchanged. They leverage a cryptographic method to authenticate a transaction without necessarily disclosing identity. This concept seems rather strange in that the whole point of authentication is to reasonably prove an asserted identity. The opening paragraph of the Wired article puts it in a little better perspective:

"Imagine you could prove you were 21 without revealing your date of birth -- or anything else about you, for that matter. Or qualify for a loan without disclosing your net worth. Or enjoy the benefits of e-commerce, e-health and e-government without a moment's fear that you are open to identity theft."

Apparently it's all a bunch of hype and bad counting. TechCrunch has a story on the topic here, and they link to a Wall Street Journal blog post here, and to a story on The Economist here. Personally, I'm disappointed. I was really hoping for a good conspiracy in this election year. Something to distract me from the mudslinging that we've seen the past couple weeks. I mean, football season is over, so I really have nothing better to do with my time. ;)

If for no other reason than to give me a way to vent stress and frustration after commuting, I've decided to start a new series of posts that look at traffic conditions that really irk me. No, I'm not talking about rants on the guy who tried to whip around me at the Yield sign this morning, or the guy who pulled out of the line of merged traffic into the lane ending so as to advance himself 3-4 positions further ahead. Don't get me wrong, those things really tick me off (people are arrogant, short-sighted, and rude when they drive - my view is that most people don't look more than 2" in front of their faces when they get behind the wheel). Instead, I'd like to focus on traffic patterns and flows that could/should be addressed by civil engineers.

Today's target of opportunity is the intersection of the Dulles Toll Road (267) with Reston Parkway.

The ever-so-popular "Black Tuesday" is approaching (Feb 12th), and this month's is going to be a biggie. According to the Microsoft Security Bulletin Advance Notification for February 2008 there are 7 Critical patches (all denoted as addressing "Remote Code Execution" vulns) and 5 Important patches (ranging from DoS to Privilege Escalation and so on). Additionally, according to the MS Security Response Blog there will be 7+2 = 9 updates to Microsoft Update, Windows Update, and Windows Server Update Services (WSUS). Oh, and the monthly malware tool update.

In related news, MS has a new "Security Vulnerability Research & Defense blog" that seems to be pretty cool, if you're into geeky, techie MS vuln/security info.

Get your update servers dialed-in and ready to rumble. I've noticed notes on various 0-days surfacing in the last week or two (if you read my Google feed then you've seen those, too). Yee-har!

Looking for a sure-fire example of why the economic stimulus package - just sent up to the White House by Congress today - will not have the intended effect? According to The Gavel:

"Put hundreds of dollars into the hands of more than 130 million American families including seniors and disabled veterans – who will spend it immediately to reinvigorate the economy"

A word of caution: don't expect these rebates to magically solve anything...

Ever-so-gracious, Gov Romney has dropped out of consideration for the GOP nomination for presidential contender. However, he did so in a manner that just churns my stomach, making it sound like this election is between those who would care for and protect this country and those who would not. Hogwash.

For instance, he said "Barack and Hillary have made their intentions clear regarding Iraq and the war on terror. They would retreat and declare defeat." Well, obviously that's not true. "[Declare] defeat" - whatever! But then comes his final blow of FUD:

"...the consequence of that would be devastating. It would mean attacks on America, launched from safe havens that make Afghanistan under the Taliban look like child’s play. About this, I have no doubt."

A pitiful attempt at using the FUD hammer to divide the country once again. Absolutely abhorrent.

Any bets on if he'll be McCain's running mate? Seems a strong likelihood to me. Sheesh.

There have been a ton of stories out since yesterday that Time Warner is planning to split up AOL into a subscription/dialup business and an advertising/platform business. This news has been anticipated for a while, and so is welcome finally. As a former AOLer, I'm glad to see the decision finally broad forward, though it's probably 4-5 years waaaaay too late.

Stories on the proposed AOL split-up:
http://slashdot.org/article.pl?sid=08/02/06/1752230
http://www.huffingtonpost.com/2008/02/06/aol-to-be-split-in-two_n_85338.html
http://www.latimes.com/technology/la-fi-timewarner7feb07,1,3340253.story
http://www.techcrunch.com/2008/02/06/aol-to-split-off-dying-access-subscription-business-whens-that-advertising-ipo/
http://www.newwebmag.com/2008/02/06/aol-to-split-off-dying-access-subscription-business-when%e2%80%99s-that-advertising-ipo/
http://www.siliconvalleywire.com/svw/2008/02/time-warner-to.html
http://www.nytimes.com/reuters/business/reuters-warner.html?_r=2&ex=1360040400&en=975c8c8381810fb7&ei=5088&partner=rssnyt&emc=rss&oref=slogin&oref=slogin
http://www.itpro.co.uk/internet/news/163539/time-warner-to-log-off-from-aol.html

Several additional links from:
http://bigblog.com/web_developer/time-warner-planning-aol-split-1287471394.html

Rich Mogull at Securosis posted his thoughts on the the 5th cable cut incident and its seeming suspicious (check out the conspiracy theories list I've started in comments:). Robert Graham at Errata Security says this is much ado about nothing (but offers his own amusing conspiracy theory). Definitely good reading. Who would be a good authority on the frequency of sea-cable cuts and outages?

This post from Marc Andreessen talks about some of the marketing behind private equity decisions, and how it's resulted in quite the mess. Combine this with the high debt load of Americans, the mortgage situation, and the need for sovereign wealth funds to parachute in money to keep our lenders and banks solvent, and, well, it makes me think that maybe things are as bad as they seem.

My primary concern is with artificially sustaining the industry against the rising tide of recession or, dare I say, depression. I'm beginning to wonder if we're still actually feeling the effects of the Great Depression, in that market control and regulation implemented in the wake of that collapse are now artificially prolonging bad decisions, inflating the market, and preventing an adequate self-correction.

But I'm not an economist... so, take these comments for what they are: concerned speculation.

As mentioned here and here, the undersea cable cut situation is very strange. Even Bruce Schneier thinks so. And he's heard that there may now be a 5th undersea cable incident in the same region. If that ends up being confirmed, then this has to be officially classified as suspicious.

BTW, Iran is not offline, from what I can tell (Bellovin said as much yesterday, though Schneier mistakenly contradicts). See this blog post for proof. The comments in Schneier's blog are intriguing. I guess we'll just have to wait for more info, but this whole situation seems really sketchy. All I know is that our government had better not be behind it. I would not be surprised to learn some day that the cuts occurred to force taking the cables offline for service, allowing the NSA or CIA or similar to put splitters on the lines for monitoring.

Did you set goals for the new year? How're those coming? Better than mine, I hope. :) Dumb Little Man posits an interesting approach to achieving your goals more quickly and effectively: use a goal buddy. Read more about it. The underlying theory is that being accountable to someone you respect for achieving your goals will better motivate you to achieve them.

Leica cameras have a considerable cult following, and are often described as the best in the market. The Leica M8 10.3MP digital camera is no exception to this rule. It's spendy, but according to this Digital Photography Review, it's well worth the investment. Perhaps something to put on your wish list, eh? Not convinced?

Well, maybe this will change your mind: Leica has announced a perpetual upgrade program for the M8. According to the Leica site:

"All M8 ever built are suitable for this upgrade. We will take care about collecting the cameras and will also inspect and adjust all camera functions when carrying out the update, As a consequence, each LEICA M8 is given a two-years warranty after the upgrade as if for a brand new camera."

Hat tip to kottke.org.

As I mentioned here, conspiracy theories are arising about the nature of the 4 undersea cable cuts in the past week. Security veteran and sage Steve Bellovin comments on the conspiracies here. His closing quote about sums it up for me:

So — I don't know what happened. As a security guy, I'm paranoid, but I don't understand the threat model here. On the other hand, four accidental failures in a week is a bit hard to swallow, too. Let's hope there will be close, open examination of the failed parts of the cables.

This post is an update of my "Happy New Year" post from New Years Day 2008. As a way to help hold myself to my goals for the year, I'm planning to post a retrospective at the end of each month, or beginning of the next. To that end, today I'll be looking back at my progress against my goals throughout January.

In general, January was a tough month for some areas because I was between consulting gigs. It's always hard to get into a routine and life-rhythm when I'm not getting up first thing in the morning. This situation will be changing in February, thanks in part to starting a new billing gig today (w00t).

Additional pressures are on the horizon. In addition to Hanna expecting, we're looking at needing to replace my 2-door car with something roomier in the next few months. Bigger vehicles are more expensive. We're trying to look at hybrids, but they're often out of stock, requiring payment of full invoice, which would be stupid. The one bright spot is that we'll be moving somewhere locally in June, and it looks like that may mean a reduction in rent, even with a move into a single-family home. That would be nice as every little bit helps.

With that, click through to see detailed comments...

Hanna and I went to see our first official ballet performance last Friday (2/1/08) at the Kennedy Center. The American Ballet Theatre performer The Sleeping Beauty. The music was excellent, the staging and costumes elaborate, lush, and vibrant. Being our first ballet attendance, I wasn't truly sure what to expect. I'd worked modern dance performances while doing tech in college, but this was completely different. For one thing, the point shoes that the women wore made a clacking sound on the floor when they walked around. I was in awe of the amazingly vibrant colors in the scenery and costumes. That alone made it worth attending.

I'm increasingly finding that there's just too much news to share. The easiest way to follow what I'm finding interesting is to subscribe to my Google share feed. Barring that, here are a few stories of interest. BTW, I'm working on a more extensive blog post on encryption key management, which I hope to have up by mid-week, along with a retrospective on how I'm doing thus far on my new year resolutions. :)

Stories of interest (links and comments below):
* Fourth Undersea Cable Taken Offline In Less Than a Week
* Mega-D Botnet Overtakes Storm, Accounts for 32% of Spam
* SSL Is Useless.
* Tesla.
* Free Speech and Net Neutrality: Separating Fact from Fiction

A couple weeks ago, as the NY Giants were completing a rather stunning upset of the Green Bay Packers at Lambeau Field in Green Bay, I told a friend "well, if anybody can give the Patriots a run for their money, it'll be the Giants - look at how close they came to upsetting them in the last game of the regular season." Just call me Nostradamus.

As a general rule, I cheer for NFC teams in the Super Bowl, since my favorite team (MN Vikings) are in the NFC (unless the Steelers are playing, then I cheer for them). This year, however, I was torn. On the one hand, you had to like the underdog role of the Giants. On the other hand, it would have been cool to see a perfect season completed, for only the second time in history, and the first time in the modern era (16-game regular season).

The game last night did not disappoint. I'm still a bit shocked that the G-men pulled it off, actually. Who would have thunk it? Nonetheless, talk about a phenomenal game! Certainly one of the most competitive Super Bowls in recent history. I wish they could all be that way. And, as a former defensive back, I have to say that I thought the defensive play - particularly of the Giants - was outstanding. Congratulations to the Giants, and their fans, for winning Super Bowl XLII!

Married guys will particularly appreciate this music video. :)