Thursday, January 31, 2008
Coding Horror: Sins of Software Security
Everyone knows that they should avoid buffer overrun bugs these days. But buffer overrun is only one of 19 commonly occurring causes of security vulnerability brought together in Sins of Software Security on Coding Horror.
Besides being a useful checklist for the designer, the list gives the number of incidents due to each cause: thousands in the case of buffer overrun, SQL injection and cross site scripting attacks, only one due to unauthenticated key exchange. No figures are given for usability errors, which pretty much defy measurement by this approach as we do not currently have clear cut criteria for usability issues that would drive the issuing of an advisory.
That has to change, which is why I was talking about developing laws of usability at Financial Crypto this year.
Rising fast in the charts are integer overflow bugs. For some reason the designers of C compilers commonly design them in such a way that an overflow can result in execution of arbitrary code rather than raising a math exception, which is the usual approach.
Update: added link to the book reviewed in the article.
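As an added illustration of the integer overflow point above (example code written for this page, not from the Coding Horror article or the book it reviews), the following C shows what "no math exception" means in practice: an unchecked size calculation silently wraps to a small value, so a buffer ends up far smaller than the code believes, while a checked version detects the wrap and refuses the allocation. The function names and the "hostile element count" are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Example code for this page, not from the reviewed article or book.
 * Scenario (constructed): an element count arrives from untrusted input
 * and is multiplied by the element size to pick a buffer size. */

/* Naive computation: size_t arithmetic wraps modulo 2^N, so a large
 * count can yield a tiny byte count with no error signalled at all. */
size_t naive_bytes_needed(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Checked computation: detect the wrap before it happens. Returns 1 and
 * stores the product in *out on success; returns 0 with *out = 0 when
 * count * elem_size would not fit in size_t. */
int checked_bytes_needed(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        *out = 0;
        return 0;
    }
    *out = count * elem_size;
    return 1;
}

/* Convenience wrapper: the checked byte count, or 0 if it would overflow. */
size_t checked_bytes_or_zero(size_t count, size_t elem_size)
{
    size_t bytes;
    return checked_bytes_needed(count, elem_size, &bytes) ? bytes : 0;
}

/* Allocation helper that refuses the request when the size would wrap,
 * instead of handing back a buffer far smaller than the caller expects. */
void *checked_array_alloc(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_bytes_needed(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Returns 1 if checked_array_alloc succeeds for these inputs, 0 otherwise. */
int checked_alloc_succeeds(size_t count, size_t elem_size)
{
    void *p = checked_array_alloc(count, elem_size);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* Constructed hostile input: a count chosen so that count * 8 wraps
     * to 0 whether size_t is 32 or 64 bits wide. */
    size_t hostile_count = SIZE_MAX / 4 + 1;
    size_t bytes;

    printf("naive:   %zu bytes for %zu elements\n",
           naive_bytes_needed(hostile_count, 8), hostile_count);
    if (!checked_bytes_needed(hostile_count, 8, &bytes))
        printf("checked: refused, product would overflow size_t\n");

    if (checked_bytes_needed(1000, 8, &bytes))
        printf("checked: %zu bytes for 1000 elements\n", bytes);
    return 0;
}
```

The division test `count > SIZE_MAX / elem_size` is the portable way to detect the wrap before it happens; compilers that offer overflow-checking builtins can do the same in one call, but the point is the same either way: the check has to be written by the programmer, because the language will not raise it for you.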
Saturday, January 26, 2008
Reclaiming heat energy
Today we pay for the power to the data center twice. First to power the racks, then to remove the heat from the building via HVAC. A new technology from Berkeley Labs is intriguing, a more efficient means of turning a heat differential into power.
The explanation is confused; I am pretty sure that Berkeley does not believe it has found a way to break the second law of thermodynamics, as one might imagine from the article. If energy is extracted from the system the hot region must get cooler and the cool region hotter.
Another way to achieve the same effect would be through a steam turbine. This is done in power stations today. In principle one could use a steam turbine to extract energy from a data center without getting up to the boiling point of water by using a liquid with a lower boiling point and operating it at lower pressure. This was investigated by the chemical industry during the 1970s oil price shock but abandoned because their low grade heat sources tended to be contaminated by corrosive chemicals. One plant I worked on in the 1980s that made neoprene precursors was continuously dissolving its infrastructure.
Now that extracting waste heat from data centers is becoming a major concern I expect new interest in these technologies. Pretty soon we will be seeing heat pipe technology integrated into equipment racks as a matter of course. Why give the energy away when you can recover some of it?
Don't you just hate it?
I thought I was doing pretty well with my $252.50 bid in the E-Bay auction for the 700 MHz band. Then at the last minute an auction sniper comes in and ups the ante to $3.2 Billion.
Republicans for the Impeachment of Bush?
I blogged earlier on the impending civil war in the GOP as it races to distance itself from the Bush legacy. With the primaries still ahead of them, members of Congress are desperate to avoid angering their base; they are also up for election. Once those primaries are over there is a shift in the calculus of self interest that drives most politicians, but especially those that preach self-interest as the ultimate good. Time to shout 'man overboard' then throw the liability off the ship.
Noonan has undoubtedly been sent to test out the waters, that is the role of pundits in the Republican ecosphere. The party will rebrand itself and attempt to stick the blame for the Bush years on the Democrats.
Friday, January 25, 2008
A new iPhone this summer?
Elgan looks at Apple's promise to sell 10 million iPhones by the end of this year and reckons that the only way this is possible is to come out with a new model.
I agree, most folk who did not queue up for three days to buy one in the initial rush are increasingly likely to wait for the next model.
The iPhone is pretty neat but it does have a couple of glaring omissions: GPS and 3G. For me GPS would be the killer capability. That means it can be both a phone and a navigator. I know that Apple has added GPS lite via cell tower triangulation but that cutteth it not for me. I need to be able to use the thing to navigate in the car far from cell phone reception.
Giuliani wins the DotFuture Manifesto Poll
54% of dotFuture Manifesto readers who voted thought that Giuliani would make the worst President of the choices on offer. Next up was Huckabee on 27%. Kucinich and Nader both scored only 9%. Ron Paul failed to score at all.
The next dFM poll asks the question whether Michael Bloomberg should run for President or not. Curiously, the Draft Bloomberg site poll only gives one option and not the one I was looking for.
Getting a slug in early
I have expected the GOP to utterly repudiate Bush the moment he leaves office for a long time. There were signs that this was going to be the case before his 2004 election. The bitterness expressed towards Bush amongst my Republican friends is roughly proportional to their distance from the administration. So it is no surprise that Noonan should break ranks amongst conservative pundits and get a slug in early.
Before long you will start to see Fox News mistakenly billing ex-President Bush as a Democrat.
How the SocGen Fraud was worked
Bloomberg.com: It was the old matched trades trick. The trader would put in two trades that should have cancelled each other out, one was fake.
Thursday, January 24, 2008
Usability failure: Delicious
I have just been trying to register an account at Delicious to test out a report to delicious tag.
Like many entry forms it has a CAPTCHA irritation.
Like many entry forms it requires the CAPTCHA and the password fields to be re-entered if the form is not accepted for any reason - in this case because the username is already taken.
There needs to be a usability law of the form 'Never destroy the user's work'. To do so is gross discourtesy.
This is in part due to a flaw in the forms implementation in the browsers. Even if the Web site is careless with the user's effort, there is no excuse for the browser to throw it away. In time we might fix HTML forms to eliminate this irritation, but for the time being a button that would bring the lost work back would be nice.
Of course support for OpenID would eliminate the need for registration altogether.
NPR: Internet Scammers Find a New Approach
Advance fee fraud not giving enough of a return? Tell people to pay up or you will kill them (NPR audio).
This is not the very first time this has come up, I believe Bruce might have blogged it some months ago but could not find the link. But it is worth hearing the audio because the impact of the threat really comes across when you hear the target speaking.
The personal details mentioned in the threat were most likely obtained through the Web, people put all sorts of information about themselves up on facebook. And even if they don't use their name on the site their username is often similar to their email handle.
As a criminal approach goes it does not appear to me to have a high risk-reward ratio. A kleptocracy like Nigeria can tolerate financial frauds but it is rather harder to brush off complaints about death threats. Just as criminals always look for the most profitable, least effort attack, law enforcement are always going to concentrate efforts on the most egregious offenders they have an effective method of policing. That is why Internet chat room pedophiles attract so much attention.
From a prevention point of view this crime is somewhat different to regular advance fee fraud. We can reduce the profitability of the standard advance fee fraud by making it harder to send spam. But this appears to be a highly targeted, boutique attack.
Making a death threat raises the attack to a level that no local law enforcement can ignore. The extortion demand must be paid, traced and the perpetrators arrested.
The $7bn Societe General Fraud
The BBC and pretty much every other media outlet is reporting on the $7bn Societe Generale Fraud. What has not yet come to light is a motive.
The facts as we currently know them are that the perpetrator was responsible for placing trades intended to hedge certain positions held by the bank, essentially insuring against loss. According to some reports the rogue trader did not place the hedge trades; according to others he bet on the assets rising rather than hedging in case they fell. The rogue trades were concealed through his knowledge of the compliance department procedures, where he had recently worked.
The other agreed fact is that unlike Nicholas Leeson, the man who broke Barings bank, this rogue trader was not motivated by the size of his potential bonus. He was not meant to be making trading decisions at all. He was meant to follow orders and insure the bank's riskier positions. His salary including bonus was of the order of 100,000 ECU. He was not in line for a bonus if his bets paid off.
What is not understood is his motive: "Executives said the trader may not have sought personal gain from the fraudulent deals."
I don't think this is very likely. When $7 billion is missing from the till Inspector Plod and I both agree: money is going to be a motive.
What I do think quite likely however is that the fraud was not caught because the bank did not anticipate that a person in his position might be able to perform fraud for personal gain and did not watch low ranking traders like him as closely as they should have.
So how could you gain from a fraud of this type?
Let us assume that you can place trades and hide them from the compliance office, that you can hide a surplus (but not a catastrophic loss) and that you cannot transfer money out of the account directly.
The first step in the crime then is to make a surplus. To do this you resort to the old insurance fraud trick of not paying for the policy: The risk manager pockets the insurance premium and hopes that the factory does not burn down that year.
It appears that the trader would have easily established a surplus if the assets had gone up instead.
Next the cash out. In the dotCrime Manifesto I describe a variation of the Pump and Dump scam in which the criminal takes over a series of Internet brokerage accounts and invests heavily in thinly traded penny stocks. This drives the price of the stocks up allowing the criminal to cash in their previously purchased holdings for a large profit.
I have no evidence that this was the intention in this particular instance but it is a potential means of cashing out a surplus that the bank could and should have anticipated.
Later: What to do about it.
What Bill is up to
Dick Morris explains why Bill is in the news such a lot. The gameplan according to Morris:
It makes quite a bit of sense, whether this is the Team Hillary gameplan is another matter. Hillary does not need saturation media coverage, Obama does.
Wednesday, January 23, 2008
Help my anti-virus is worse than the disease
Monday was MLK day so I had the kids and took them to see their great uncle. While I was there he asked me if I could take a look at his machine which had become 'a bit slow'.
Older Windows machines inevitably feel slow compared to newer ones, but this machine was more than just slow. After 30 minutes I was still waiting for AOL to come up. Internet Explorer was AWOL. Hmm, let's try a reboot.
Another twenty minutes and the desktop appears. OK time to start the task manager and start killing off some resource hogs.
Another twenty minutes and I have killed enough processes to be able to get the control panel started. Now the problem becomes evident. Every technician who has ever touched the machine has loaded an anti-virus package onto it. By now there are four separate anti-virus scanners. It also has MSN and AOL loaded and five different programs that hook themselves to launch a server process on startup.
I kill the anti-virus rubbish and suddenly the machine is running at an acceptable rate. I also kill four modem management packages (it's on broadband), the unused MSN and anything else I suspect of running an unnecessary resource hog.
Only one of the anti-virus packages was accurately labelled. Comcast and Verizon had both OEM'd an anti-virus core and loaded it onto the machine without warning. I suspect that neither one had an up to date virus signature file but even if they did they are based on an approach the hackers rendered utterly obsolete four years ago. Looking for badness is simply not a viable approach any more. Viruses are old school. Anti-Virus packages are no defense against malware trojans blasted out by the million from a botnet.
What was going on on the machine was that the four anti-virus packages had commandeered every cycle and most of the free memory. I suspect they were spending much of their time scanning and evaluating each other.
The other resource hogs are due to a particularly obnoxious habit of program developers which is certainly more advanced on Windows but far from unique to it. Rather than write a program that works in the normal way (user tells program to run, it runs; user tells it to stop, it stops), the programmer decides for whatever reason to 'integrate' their program into Windows. Icons pop up in the system tray. The application hooks the O/S to run a server on startup, which in turn hooks to intercept an undocumented array of system calls.
Why the programmer does this is a mystery. You can be pretty sure that while they were perpetrating this monstrosity on the user they spent a great deal of time complaining about the lack of documentation on such features. Never will the question be asked why part of a program that the user may at most use a couple of times needs to run continuously whenever the machine is turned on.
Labels: Windows gripes
What a real Police state looked like
Computers piece together millions of shredded Stasi documents (Boing Boing) via Michael Froomkin.
I will blog this later but the key point to bear in mind is that even with the resources of the entire state behind them the Stasi were unable to intimidate the country. Why are people so afraid of the Bushies and Bin Laden?
Rudy felled by Talking Points Memo?
Kevin Drum has an interesting graph showing how Rudy's support collapsed in the wake of the 'Shag Fund' story.
Talking Points Memo was not the original source of all the Rudy stories but as with the Alberto Gonzalez story, they quickly became the clearing house for all things Rudy. The Politico broke the story of the hidden security expenses but TPM coined the term 'shag fund' and linked it to Rudy's other skeletons: in particular Rudy's Shag Pad in the emergency control center matching Kerik's shag pad at ground zero. If Rudy crashes in Florida as expected and the crash is due to the Web, it is the second time Josh Marshall has forced a major Republican figure into retirement.
The timing strongly suggests that the 'Shag fund' is part of what did Rudy in, but is it likely that a significant proportion of Florida Republicans get their political news from the Web?
If the Web had an effect it was through its effect on either the establishment media or the Giuliani campaign. I would like to think it was the first since that was the idea I had when I put up the first politics site on the Web in 1992: The Web would provide a feedback loop that would regulate the behavior of the press and make it harder for them to act as partisans for one side.
I suspect that it was more the effect on the campaign than the media though. The Giuliani campaign went into '9/11 overdrive' after the Shag Fund story broke. Watching the Giuliani campaign commercials you might imagine that Rudy had personally defeated Bin Laden in a duel on 9/11.
This quickly became a vicious circle. The 9/11 ads went down terribly with the establishment media who had all read TPM, knew about the shag fund, the shag pad, Kerik and had begun to see Giuliani as an opportunist rather than a national security expert. Negative coverage caused Giuliani's numbers to drop bringing a fresh wave of 9/11 adverts. Pretty soon the only message the campaign was putting out was 'vote for Rudy, he gave a good press conference on 9/11'.
Tuesday, January 22, 2008
Teaching Programming
The recent Slashdot 'debates' on whether teaching Java at university is dumbing down the coursework had me thinking about Brian Kernighan's essay Why Pascal is Not My Favorite Programming Language.
Kernighan makes some pretty good points against Pascal, many of which I discovered independently when I first tried to use it for coding a video game and was subsequently forced to use it for a class project. ANSI Pascal was at the time utterly unusable for any serious project because the size of an array was part of its type. There was no way to write a general matrix arithmetic capability in Pascal because you would have to write separate code for arrays of size 2, 3, 4, and so on. String handling was utterly beyond reason.
Pascal became a popular teaching language in spite of these obvious and acknowledged defects. Given the pot shots being taken at Java it is worth remembering how Pascal scored over its competitors in the early to mid 1980s when it became the educational language of choice:
- FORTRAN lacked structured variables, call by reference and structured programming constructs.
- Basic lacked structured programming constructs
- C was considered ugly, in particular the macro processor and the exposure of messy pointer constructs which broke attempts to define a formal semantics as well as being difficult to learn.
- Ada was considered far too complex for use as an introductory language.
- Functional languages such as LISP were not practical on microcomputer class hardware.
- FORTRAN and C compilers were expensive, TurboPascal was dirt cheap.
Pascal was chosen for three reasons then: the compilers were cheap, it supported the language features the courses were meant to teach and it avoided pointers.
These reasons hardly sit well with the reasoning for the claim that teaching Java is destroying Comp Sci by dumbing it down. The only advantages of Pascal over C as a teaching language were cheaper compilers and the lack of pointers.
At the time the prejudice against pointers in academia was real. Pointers could not be modeled using any of the formal methods techniques. Pointers were messy, programs that used them tended to be unreliable and difficult to debug.
Pascal did not have the field entirely to itself of course, but the hold outs were for languages that were more like Java than Pascal or C.
MIT has taught programming using LISP in the guise of Scheme for many years, but this probably has more to do with the origin of LISP than its merits as an educational language and course 6.001 is in any case taught as a perisher course. MIT course 6 can get away with it because it is MIT course 6. Most US university departments would be sanctioned for that approach. The students are paying to learn, not to have the professors take an ego trip.
I have also heard of places where Smalltalk was taught as the introductory language over Pascal. By the early 90s there were Smalltalk environments that would run on a moderately expensive workstation. This approach had become feasible.
The arrival of Java marked the first time ever that a mainstream production programming language was also an acceptable choice as an introductory programming language. It is hardly any wonder that pretty much every introductory course now uses it. Java is clearly the best choice for the task by a long way.
There is a demand for obsolete programming languages. But that alone is not reason for universities to teach them. Most obsolete languages, COBOL, Fortran, etc. should be taught in trade schools if at all. The code you are going to be working with in those languages is almost certainly going to turn out to have been plugged out by a self taught coder, it can be maintained by a self taught programmer.
C occupies a slightly different space, there are times when a high level assembly language is what is needed. I would certainly not teach C as an introductory language but it would certainly be something that a systems programmer should know.
Padilla gets 17 years
The evidence strongly suggests that Jose Padilla was a very dangerous person who probably deserved the 17 year sentence he has just received.
The question now is just how long he is likely to serve given the obvious flaws in the trial process and the prosecution case. I strongly suspect it will turn out to be rather less than 17 years.
The ongoing legacy of the Jack Bauer years is going to be that the prosecution evidence in every US terrorism prosecution is going to be clouded by credible allegations of torture.
What a Giuliani Presidency would mean
The New York Times reports on Giuliani's 'culture of retaliation'.
That is critics, not opponents. Say something that the mayor didn't like and you could expect to have the police arrest you for a 13 year old traffic violation.
These abuses have so far cost over $7 million. Why wasn't Giuliani ever investigated?
My Davos Presentation
Thanks to You Tube we can all make podcasts and then talk to folk about our 'Davos presentation' like we were actually there.
Saturday, January 19, 2008
Clinton Wins, Edwards loses.
The Nevada caucus results are in. Clinton narrowly edged Obama out to take first place. The much more significant result is Edwards' poor showing. Whether he stays or goes his support is going to bleed away unless he picks up a win very soon.
On the Republican side Paul is currently ahead of McCain for second place by 5 votes. Even though the margin is meaningless, the impact of coming second rather than third is not. Giuliani again puts in a miserable showing, not much better than Hunter.
Friday, January 18, 2008
Note to self
Never buy another Panasonic Camcorder. The drivers they provide are broken.
To import video from the Panasonic GS-500 on Vista do the following exactly:
- Start with the camera turned off and disconnected
- Power through the mains adapter
- Set switch to tape playback mode (NOT PC Connect!)
- Turn on the camera
- Plug the firewire connection in
- Import video should start at this point
The slightest deviation from these instructions will cause the process to fail without explanation or symptom.
Labels: videoblogging
Deep thought for the day
Every time I read Atrios he is predicting the imminent failure of the bond insurers.
It is clear that there is real reason to doubt the ability of the insurers to meet their claims. But the insurers have been able to keep their AAA credit ratings in spite of this.
I spend quite a bit of time worrying about liability issues that could arise in security products. If you tell someone that something is safe and it turns out not to be you risk being sued.
Here we have an entire industry of bond rating agencies that are clearly peddling a blatant falsehood without any apparent consequences. AAA ratings should mean that the probability of default is negligible. At the very least we are facing a probability, not a possibility of default.
What type of liability-avoidance pixie dust do the bond rating agencies sprinkle on their product, and where can I get some?
Apple Air
Opinions on the Apple Air appear to be divided between the 'cool gotta have one' and 'thin is nice but X is better' as Paul Boutin and others argue.
I don't much see the need for a cellular modem as Boutin does, apart from planes where cellular is banned and places like cars where the point is moot, I am out of free WiFi range maybe an hour or two a month. I could see the point if I was regularly going down to NYC on the Acela.
My bigger practical concern is battery life. Whether the battery really lasts five hours or not is rather less important to me than the ability to swap batteries. The flight from Boston to SFO takes six hours. That's a two battery flight.
My other functional concern is the lack of a touch screen. The Tablet PC is a powerful idea. The iPhone demonstrates that Apple can make superb touch screen devices. Given the choice of the cellular modem capability and the touch screen capability give me the touch screen.
Another thing I think a little suspicious is the price of the flash drive version, flash drives are pricey but a $1300 upcharge is somewhat steep. I suspect that the real issue is supply, nobody would be buying the hard drive model if the price differential was only $600.
The strange thing here is that we can now predict with a pretty high degree of confidence what the next Apple announcements will be:
- Price drops on the solid state flash as the supply situation is improved. Once the price differential drops to $300 the hard drive version is discontinued.
- True GPS receiver functionality in iPhone and iPod Touch, thus demolishing the GPS navigation market at a stroke.
- A version of the Air with a G3 cellular modem
- MacBooks with touch screen capabilities to match tablet PC
One idea that I think Apple should look into but doubt that they will is a large screen version of the iPod touch - 5", 12" even. This would provide a platform for Web browsing and video viewing and effectively render Kindle obsolete. The reason I don't think it will happen is that I suspect Bezos will have pitched Jobs on the idea of doing Kindle before doing it himself. Amazon can hardly want to be in that market themselves; it's a device they want to exist, not one they want to make themselves.
Thursday, January 17, 2008
New Site Look
As you might have noticed I have changed the look of the site. I have been meaning to get away from the old blogger template for a while. It was based on a blogger template designed for 800 pixel wide screens, pretty small even for a laptop these days. The new, bigger YouTube podcasts were being shrunk to fit.
I have also added a link to the new web site for the book. Some people suggested that I add a page of proposals for student projects based on the ideas in the book which I did.
A couple of casualties of this process are the adwords banner and the old blogroll. I added the adwords banner more out of curiosity than anything. I don't plan to add it back any time soon, not least as it might make my blog a business rather than a hobby and thus outside the scope of my homeowner's liability policy. The blogroll is being added back in pieces.
Wednesday, January 16, 2008
YouTube - Using the Semantic Web to stop Linkspam
This is the presentation I gave to the World Wide Web Consortium TPAC in November. The basic idea is to mark up the comment areas of your blog so that Web crawlers that read it can tell what parts you wrote and what might be from a link spammer.
This has some interesting and important consequences for the blog ecology. Commenters become first class participants, search engines can easily and securely locate all the comments made by a single individual across multiple sites. Meta-moderation becomes possible and so on.
Reason Magazine on the Ron Paul Newsletters
Reason magazine looks into the question Who Wrote Ron Paul's Newsletters?
Reason is a libertarian magazine. They show pretty conclusively that the racist newsletters were written as part of a strategy to create and exploit racial division. Paul was aware of the newsletters when they came out and defended them when he was running on the Libertarian party ticket for President. It was only later when he decided to run as a Republican again that he disavowed them.
Meanwhile Richard Cohen shows the standards that mainstream Democrats are held to: Cohen accuses Obama of being an anti-semite because he attends a church where the preacher has a magazine that once gave an award to Louis Farrakhan, who is an anti-semite. Meanwhile Rudy Giuliani gave a similar award to Gerry Adams, leader of the IRA, and it has not merited any establishment press attention.
Monday, January 14, 2008
SIM swap fraud
More on the South Africa SIM swap fraud.
The South African bank is refusing to bear the loss. This seems to me to be a very bad move as it destroys the principal value of the bank brand: security.
Customers put their money in banks because they believe the bank will look after it better than they can look after it themselves. If the banks start trying to tell customers that they are responsible for their own security they are going to see a rush for the exits.
Saturday, January 12, 2008
Government by treaty making
One of the undemocratic tactics employed in the crypto wars was the habit the civil service had of attempting to circumvent the legislative process by making a treaty containing the desired terms which would then be presented to Congress or parliament as a fait accompli.
This odious piece by the equally odious Michael Hirsh celebrates the Bush administration's attempt to use this tactic to force a perpetual occupation of Iraq.
"Most significant of all, the new partnership deal with Iraq, including a status of forces agreement that would then replace the existing Security Council mandate authorizing the presence of the U.S.-led multinational forces in Iraq, will become a sworn obligation for the next president. It will become just another piece of the complex global security framework involving a hundred or so countries with which Washington now has bilateral defense or security cooperation agreements."
The Washington Press Corps at its finest: Sorry voters the result in November does not matter, the decisions have been made and cannot be changed. You get no say so you might as well just sit back and watch us present it as a horse race to be judged by our meaningless construct 'character'.
Fortunately the world does not work this way. Bush has neither credibility nor political capital. Attempting to perpetrate this as a fait accompli is likely to result in a public repudiation by Congress. The Democrats will be forced to go on record repudiating the accord by their base. They will put the proposed 'accord' up for a vote in the Senate as if it was a treaty, there is no prospect of the required super-majority being found. The US constitution does not provide for one President to force his successor to continue his policies.
The dotCrime Manifesto: How to Stop Internet Crime: Books: Phillip Hallam-Baker
After three years, the dotCrime Manifesto is out.
The PhillCo Trade Show Defender
History repeats itself, first as prank, then as deliberate attack for profit. Once hackers defaced Web sites for fun; today they plant trojans to steal credit card numbers. How long will it be before the Gizmodo prank at CES is turned into a real attack?
Imagine the scene: you are in the middle of your trade show pitch to 50 important customers. You are telling them how robust your systems are, how proof against attack, etc. Suddenly the 60" plasma TV carrying your presentation shuts itself down.
What has happened here is that a competitor has used a remote to turn off your TV. The remote codes are not authenticated and universal remotes are readily available.
What you need therefore is the PhillCo Trade Show Defender, available for the low, low price of $249.99 per defender kit. Available colors: Black, brown and silver (shown).
Order now and you will receive a second Trade Show Defender entirely free!
Facebook 'president' traps French media in web of deceit - Times Online
The Napoleon of the Internet: Times Online
Friday, January 11, 2008
Politics in the age of Internet
Racism is no longer so fashionable as it once was, nor is anti-semitism or gay-baiting acceptable in the mainstream media. Support for brown-shirt type militia movements has never been popular with the mainstream. So politicians who have played these cards have had to find ways of dividing their message, saying one thing to one audience and quite another to their 'private' supporters.
Yasser Arafat was reportedly a practitioner of this technique, saying one thing in Arabic and quite another in English. Mainstream Republican politicians following Nixon's 'Southern strategy' use codewords and symbolic gestures to convey a deniable message of support. Reagan was no fool when it came to communications. It was no accident that he began his 1980 Presidential campaign with a 'states' rights' speech at the Neshoba county fair.
This use of code-words to say what could not be said in public has an ancient history. According to a piece I heard on the radio recently, the Kama Sutra served as a 'code-book' for erotic but less explicit stories. The educated reader (or listener, as storytelling was an oral tradition at the time) would know that a mention of the girl's ankle bracelets jingling corresponded to a specific copulation position.
But code-words have no power as a political tool unless the key is widely known and understood, at least within the community that the communication is addressed to. More explicit material is also required.
In the past a politician could usually get away with a less than savory past of this type. Today the Internet makes it much more likely that inconvenient material will surface at an inopportune moment. It is quite unlikely that CNN and the other establishment media were unaware of Ron Paul's racist and anti-semitic newsletters. Romney, Giuliani and Huckabee must have invested at least some dollars in opposition research on Paul. But the establishment media is capricious, to say the least, in its choice of opposition research to air. Little was heard in the 2000 campaign of Bush's corrupt profits from the construction of the Rangers' stadium and Harken oil. A great deal was heard about Gore's 'deceitful' claim to have visited the Texas wildfires with the director of FEMA rather than the deputy director.
The establishment media would much rather project the story that Obama's campaign proves that race no longer matters in America than admit that Ron Paul's recent past demonstrates the opposite. Pat Robertson's 2000 campaign received a similar free ride for the same reason. The publication of the Ron Paul newsletters on the Internet by The National Review made the story impossible to ignore.
Having read some of the newsletters it is pretty clear to me that they go far beyond criticizing Israel or Israeli policies. The fact that the likes of Dershowitz and Krauthammer regularly make spurious allegations of anti-semitism when they can't win an argument with their opponents does not mean that there are no anti-semites. The Ron Paul newsletters pretty clearly fall into the 'Protocols of the Elders of Zion' category.
The Internet is certainly reducing the power of the establishment media to impose its own narratives on the news, but it has not eliminated it. It is highly unlikely that any establishment media reporter will ask Rudy Giuliani about his support for and fundraising for the IRA, a terrorist organization. Huckabee will not be asked how his proposal to remove 1.6 million Palestinians from Gaza and the West Bank differs from the ethnic cleansing we condemned in the Balkans. No mention will be made of the fact that the reason McCain's campaign collapsed last year and was presumed dead was the infamous flak-jacket stroll through a 'normal' Baghdad market, which resulted in 21 Iraqis being murdered the next day.
Wednesday, January 09, 2008
Obama blows it
I just do not get the strategy here. Obama has his surrogate asking why Hillary did not cry during Katrina.
Voters don't want a President who goes weepy in response to events like Katrina. They want the President to care deeply but be capable of holding it all together.
This now gives Clinton an opportunity to come back and point out that the appropriate response to the Bush administration's efforts during Katrina would be anger and outrage, and that on the whole she is greatly relieved that her response is not being shown continuously on cable news.
The tears are certainly powerful for Clinton, so why do Obama's advisers want to remind everyone about them for a second news cycle? Ignore it and hope it dies.
Clinton wins
If you have not seen the video of Clinton 'tearing up' you should. Reports are vastly misleading. It was without a doubt what won it for her in my mind.
The Clinton campaign had been failing for much the same reason the Gore and Kerry campaigns failed: the voters never got to feel that the highly scripted, risk averse picture of the candidate that the professional consultants were trying to project was authentic. When the mask slipped and the voters got a glimpse of what was behind it, they connected with it.
It is also likely that Clinton did benefit from the backlash against the sexist reports in the press. Several Edwards-leaning bloggers said his response 'made it easy for them to let go'. Everyone expected the media to be playing the hysterical woman story. They were visibly piling on. Folk who were thinking about a punt on Obama as a stand against racism switched to Hillary.
Clinton was 'teary' and did demonstrate 'emotion' but she was not in tears and she was not emotional. Any candidate out on the trail, whether they have a vagina or not would have been pleased to deliver that performance. But for Hillary it was even more powerful because it completely shattered the press story that she is a cold, calculating, robot. She made the authentic emotional connection to her audience that Gore and Kerry never managed to do.
H/T Talking Points Memo
Tuesday, January 08, 2008
World's worst victory speech
It might just be me, but McCain's victory speech seemed to be the worst ever.
Empty platitude after empty platitude. Tired, empty rhetoric, including that perennial favorite of vowing to change and fix broken Washington politics. A promise made by every US politician since they moved the capital to the Potomac.
Just why do the campaigns think that this is helping them? If you have something to say, say it. But always the golden rule is thou shalt not bore.
The dangers of amateur red teaming
The BBC reports that Top Gear presenter Jeremy Clarkson was stung after bank prank.
In the aftermath of the recent data breach of two Inland Revenue CD-ROMs containing the bank account details of 23 million UK citizens, Clarkson thought that people should stop the panic. You are perfectly safe, said Clarkson, see here is my own bank account number to prove it.
Oops.
Now 500 quid the poorer due to an unauthorized direct debit from his account to a charity, Clarkson is saying he has learned his lesson; unfortunately, I think he has learned the wrong one.
The lesson people should draw from this is that it is a very bad idea to red team the security measures of other people's systems. In the wake of 9/11 the number of people testing the security of airport scanners became a serious nuisance. Red teaming bank security systems with your own money is a very bad idea.
But designing bank security systems that are proof against Jeremy Clarkson is a very good idea. If you can build something so secure that Clarkson cannot break it you are doing something right. Here is a video of Clarkson and friends taking their car to a car wash and, well, setting light to it in the process.
In this video we see the results of Clarkson taking a caravan holiday.
Barclays should consider themselves very lucky that Clarkson did not burn them down.
Monday, January 07, 2008
Depressing
Was there ever an occasion when the governments of two countries were each as keen for the other to initiate a war that would be so catastrophic for both? It appears that Iran is attempting to provoke the US Navy.
The most innocent explanation of this is that Iran considers $100 to be too cheap for a barrel of oil.
It appears that both sides believe that they would win a military confrontation but the loss of life on both sides would be huge.
Friday, January 04, 2008
Huckabee comes in fourth in Iowa
So, it turns out my prediction for Huckabee was wrong: he came fourth. That's if you count the total vote:
24.5% Obama
20.5% Edwards
19.8% Clinton
11.4% Huckabee (R)
(h/t Making Light)
Genlock attack
In the very early days of www.whitehouse.gov a major security concern the White House staff raised was the possibility that the site might be taken over by hackers. The typical coup plot of the 1970s made capture of the TV station the first priority. Control the news and you control the government.
So the recent case in which a group of Czech hackers inserted a nuclear mushroom cloud burst into a weather forecast should be considered a pretty big deal.
The attack itself was a prank. The hackers climbed a mast carrying a fixed camera that provides a panoramic shot in the daily forecast. A computer was spliced into the picture feed from the camera. When the shot appeared on TV the hackers activated a genlock system that spliced in footage of a nuclear mushroom cloud burst.
As such efforts go: simple but effective.
TV companies have been using similar technology for years. In one infamous incident one TV company used a genlock attack to replace rival Fox News advertising signs in a Times Square broadcast.
We have not yet seen a major cyberwarfare attack, but this is the most likely scenario should one occur: splice either deliberate disinformation (mushroom cloud) into the TV stream or hard hitting propaganda of the type Hamas and Hezbollah supporters regularly splice into hacked Israeli Web sites.
Journamalism and the Pack
TPM posts the AP story that Dodd drops presidential bid after failure to break from Democratic pack
'Failure to break from the pack'?
Dodd did not fail to break from the pack, he scored 0.02%. That is not failing to break from the pack, Dodd never came close to reaching the pack. He barely managed to cross the starting line.
Biden is also out, but Richardson and Thompson are both staying in the race. I don't expect Richardson to last much longer, but as with Kucinich it does not much matter whether he is in or out. Hopefully the TV stations start only inviting candidates who have either polled 5% or more in the primaries to date or are currently polling above 5% nationally. ABC is almost doing that, but they made the mistake of inviting candidates who place in the top four spots in Iowa or reach 5% in NH or national polls; that makes little sense when the difference between third and fourth in Iowa was 30% to 2%.
Thompson staying in the GOP race is much more significant; if he had left there could well have been a mass exodus. Instead it looks like the six pack will stick together through Super Tuesday. That could well mean an acrimonious brokered convention for the GOP.
If the Obama surge continues and Edwards stays in contention we might in theory see a brokered convention for the Democrats as well. I don't think this is likely though. The race will start to tip and when it does there will be a deal.
The biggest loser on the GOP side, however, was Fox News. It is going to be really hard to see why Paul should be excluded from the Fox News debate when he trounced Giuliani in the actual vote in Iowa, is running far ahead of Thompson in the polls and out-raised the rest of the field in the last quarter. From now on it's not only going to be liberals referring to Fox as Faux News.
Wednesday, January 02, 2008
Does Giuliani's cyberwar make any sense?
According to TPM, Giuliani has unveiled a new campaign platform: more war. In particular, cyberwar. According to The New York Sun:
Specifically, Mr. Giuliani will call for a new military surge in Afghanistan, a change in the way America's spies are promoted so that officers are rewarded for finding actionable intelligence and not just the number of agents they recruit, and a new war on Al Qaeda's intricate network of Web sites, sites used both to communicate with its agents in the field and to recruit new jihadis.
Does this make sense?
The Internet is certainly used by terrorist groups just as it is also used by opposition groups that Western governments would like to encourage. Terrorists use the Internet in three main ways:
1) Distributing propaganda
2) Fundraising
3) Perpetrating attacks
Blocking propaganda is a fool's errand, as a number of Israeli hackers discovered after they targeted pro-Hamas sites on the Web. Pro-Hamas, Fatah and Hezbollah hackers retaliated against Israeli Web sites. The result was far short of a stalemate, however. Propaganda distribution through the Internet is not vulnerable to a denial of service attack: supporters will find alternative outlets. But an Internet business is highly vulnerable; no service means no business. Within a very short time the Israeli attackers had run out of targets while their opponents worked their way through the .il zone in alphabetical order. Today the original Israeli hackers are expensive consultants to companies being attacked in the cyberwar they provoked.
So the prospects for blocking propaganda? Very poor. Improvements in technology favor defense.
The prospects for blocking fundraising are considerably better. Blocking the flow of funds is by far the most reliable means of bringing a terrorist campaign to an end. The Baader-Meinhof gang spent far more time robbing banks than thinking about politics. The Provisional IRA was able to sustain its campaign for far longer than any other European terrorist group and kill more people because its source of funds from the US was far more reliable than those available to Baader-Meinhof, Action Directe or even ETA. When the NORAID fund line was finally severed in the aftermath of 9/11, the IRA quickly agreed to a permanent end to hostilities.
Blocking fundraising means proofing the banking infrastructure against the profitable forms of Internet crime. It is an important task that I lay out a detailed plan for in The dotCrime Manifesto, which became available today.
But nobody should suggest that blocking Internet crime is going to seriously affect the fundraising capabilities of Al Qaeda, which grew rich off the profits from the Afghanistan opium trade. So the prospects for blocking Al Qaeda using this approach? Very poor.
That only leaves the use of the Internet to perpetrate attacks. Use of the Internet to intercept and disrupt Al Qaeda communication capabilities is certainly feasible and has been taking place since before 9/11. Giuliani is presenting his ideas as a departure from existing policy. If this is something new rather than a cynical repackaging of existing practice, it must mean perpetrating cyber-attacks on Al Qaeda.
Again there is an asymmetry: the US presents far more targets for the cyber-terrorist than the cyber-terrorist presents to the US. Cyber-defense should be considered a vital national priority. But anyone who imagines that the US can use this as a weapon against Al Qaeda has a profound lack of understanding of the field. We might as well try to use submarine warfare to eliminate Al Qaeda's non-existent fleet as use cyberwarfare against their non-existent Internet infrastructure.
Unless Al Qaeda establishes an infrastructure worth attacking, the prospects for this type of cyber-warfare against them are again very poor.
In short, this new speech does not make sense unless either Giuliani does not understand what he is talking about or he is trying to work out how to drum up new business for Giuliani Partners when he returns.
Labels: Cyberwarfare, Giuliani
Fantasy Caucusing
Novak predicts the Iowa Caucuses. As ever with the douchebag of liberty it is necessary to take his prognostications with more than a pinch of skepticism, particularly on the Democratic side.
His prediction for the GOP:
1st Place: Mitt Romney
2nd Place: Mike Huckabee
3rd Place: Fred Thompson
4th Place: John McCain
I don't think this is right. Thompson has been running well below Paul in the national polls and it's not clear that he offers anything more than a face to put to 'none of the above'. McCain is polling above him and I think Paul could beat both. Huckabee has been outpolling Romney in Iowa, and the state that nominated Pat Robertson must be his best shot. I would say:
1st Place: Mike Huckabee
2nd Place: Mitt Romney
3rd Place: Ron Paul
4th Place: John McCain
Admittedly Novak does hedge somewhat and admit that a Paul outcome is a possibility but if you allow for all his hedges and such there are very few plausible outcomes Novak excludes. We do both agree that Giuliani comes fifth and is thus unlikely to place at all.
Needless to say, if Paul places in the top four it will become impossible for Faux News to keep him out of the New Hampshire debate. Paul, Giuliani and Huckabee are in a statistical tie in New Hampshire at 8, 11 and 10 percent.
His prediction for the Democrats:
1st Place: Barack Obama
2nd Place: John Edwards
3rd Place: Hillary Clinton
4th Place: Bill Richardson
Again he hedges, essentially allowing any of the top three candidates to place in any order. I think that he is reading in his own hatred of Hillary when he suggests that hardball tactics against Obama may have hurt her. The Democrats are looking for the candidate who can beat the GOP. Barack's biggest liability amongst Democrats is that he is too centrist, too willing to compromise, too willing to capitulate to movement conservative veto threats on every issue.
What it really comes down to in Iowa is organization. Clinton and Edwards have been through Iowa before; Clinton has the longest history and a strong ground game. While some Democrats may be nervous about voting for Clinton, thinking what the GOP might attempt to do to her, they also know that any Democratic candidate will get the same treatment: if they can call a war hero a coward while running a cocaine-snorting draft dodger, they can smear anyone. I can't see someone who thinks a woman is unelectable thinking that a black male would be any more electable. So I reckon that Clinton and Obama should be reversed:
1st Place: Hillary Clinton
2nd Place: John Edwards
3rd Place: Barack Obama
4th Place: Bill Richardson
Again Novak hedges by remembering the Dean crash, but you can't back every horse.
I think that the more interesting question is for which candidates Iowa represents a 'must win state' and which ones can afford a loss. Romney and Huckabee both need a strong result, neither can afford to do any worse than second, but the pressure is greatest on Romney whose campaign strategy was to win Iowa so convincingly that he looked unbeatable.
Clinton can probably afford to lose Iowa, as it's not considered part of the Democratic heartland or the battleground states. Obama on the other hand has created a strong expectation of a win. He has to do well to maintain credibility.
Any candidate that fails to place in Iowa is going to face questions as to whether they are viable. All can survive for the time being, but anyone who comes fifth or worse in Iowa and New Hampshire can expect credibility questions. Thompson is currently polling at 2.5% in NH and might well drop out before the poll. That will notch up the pressure on Giuliani, who is barely ahead of Huckabee and Paul in New Hampshire. There might even be some folk crossing over to support Paul with a view to dropping Rudy and/or Romney out of the race.
If there are going to be any upsets in either Iowa or NH they are going to come from either Paul or McCain on the positive side (i.e. exceeding expectations) or Clinton or Obama on the negative side (i.e. falling far short of expectations).
The bigger bet, then, is which candidates will still be considered viable by the establishment media after NH. It is quite possible, likely even, that Clinton will be the only viable Democrat coming out of NH. I expect that Biden and Richardson will have folded. On the Republican side it is quite likely that Thompson and Romney will both be out and Giuliani's campaign will be on life support. Admittedly the same has been said of McCain before now, but there is a big difference between polls and real votes. These are real votes.