A Department of Brand and Integrated Marketing that is.
Over at Sysinternals, Mark posts "Sony, Rootkits and Digital Rights Management Gone Too Far." [Update: If that doesn't work, try Sysinternals Blog; when I checked, it was the first post.] If you're at all technical, read it closely. If you're not, you should at least skim it. The story is that Mark (who knows more about Windows internals than many people at Microsoft) finds evil software on his hard drive, and it turns out that Sony put it there. As you read, look at chunks like:
A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows.

Ask yourself, is this the way you want someone to be treating you? Is this the way you want to be treated, as a Sony customer?
Also, how could I have missed "Use Sony DRM, Format Your Hard Drive?"
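A practitioner reading Mark's description will want a way to spot the same trick on a box of their own. Here is an added example (my code, not Sysinternals' or the post's) that checks a service inventory for display names borrowed from genuine Windows services whose registration doesn't match, or whose binary lives outside the Windows directory. The inventory is constructed; the lookalike entry's key name and binary path are hypothetical stand-ins, and the known-service table is a small hand-picked subset.

```python
"""Flag services whose display name mimics a core Windows component.

Added example in the spirit of the post; not Sysinternals code. The inventory
is constructed: the lookalike service's key name and binary are hypothetical.
"""
import re

# A few genuine Windows service key names and their display names
# (hand-picked subset; a real check would load the full list for the OS build).
KNOWN_WINDOWS_SERVICES = {
    "PlugPlay": "Plug and Play",
    "RpcSs": "Remote Procedure Call (RPC)",
    "Schedule": "Task Scheduler",
    "winmgmt": "Windows Management Instrumentation",
}

# Directories a core Windows service binary is expected to live under.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\winnt\\")


def _norm(text: str) -> str:
    """Collapse whitespace and lowercase so lookalikes can't hide behind case or spacing."""
    return re.sub(r"\s+", " ", text.strip()).lower()


def suspicious_services(inventory):
    """Return (service key, reason) pairs for entries that borrow a genuine
    Windows display name without being that service, or whose image path
    is outside SystemRoot. Each entry is {"name", "display", "path"}."""
    findings = []
    known_by_display = {_norm(display): key for key, display in KNOWN_WINDOWS_SERVICES.items()}
    for svc in inventory:
        display, key, path = _norm(svc["display"]), svc["name"], _norm(svc["path"])
        # 1. Display name contains a genuine Windows service's display name,
        #    but the service is not registered under that key.
        for known_display, known_key in known_by_display.items():
            if known_display in display and key.lower() != known_key.lower():
                findings.append((key, f"display name mimics '{KNOWN_WINDOWS_SERVICES[known_key]}' (key {known_key})"))
                break
        # 2. Binary lives outside the Windows directory.
        if not path.startswith(SYSTEM_ROOTS):
            findings.append((key, f"image path outside SystemRoot: {svc['path']}"))
    return findings


# Constructed inventory, shaped the way an "sc query"-style dump would be parsed.
SAMPLE_INVENTORY = [
    {"name": "PlugPlay", "display": "Plug and Play",
     "path": "C:\\WINDOWS\\system32\\services.exe"},
    {"name": "Schedule", "display": "Task Scheduler",
     "path": "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"},
    # Hypothetical lookalike modelled on the post: a Windows-sounding display
    # name under an unrelated key, running an unrelated binary.
    {"name": "DrmSvcExample", "display": "Plug and Play Device Manager",
     "path": "C:\\WINDOWS\\system32\\drmsvc_example.exe"},
    {"name": "VendorUpdater", "display": "Vendor Updater",
     "path": "C:\\Program Files\\Vendor\\updater.exe"},
]

if __name__ == "__main__":
    for key, reason in suspicious_services(SAMPLE_INVENTORY):
        print(f"{key}: {reason}")
```

Two caveats. The check is only as good as the inventory it is fed: a kernel-mode rootkit that hides its own service from user-mode enumeration will not be in the list at all, which is why comparing a raw view (the registry hive on disk) against what the API returns is the tool for that job. And hits are triage items, not verdicts; a vendor can legitimately ship a service whose display name happens to contain "Plug and Play".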
There's a fascinating story at imedia connection, "Why Consumers Trust American Express:"
How has American Express retained its position? Kimberly Forde, an American Express spokesperson, told me that "American Express is very pleased to be recognized by consumers for its ongoing and strong commitment to privacy." Moreover, she felt that American Express had done a lot to build consumer trust: "Trust and security have been the hallmarks of the American Express brand for more than 150 years. Our privacy program is a robust one that addresses the landscape of consumer concerns."

American Express sees a return on promoting consumer privacy -- that is, in making "trust and security" a hallmark of the brand. What we can take away from this is that consumer privacy is becoming an added value for a company. This is to say that some organizations are starting to realize that they can build customer bases by saying "we protect you from identity theft."

I find this fascinating because it's a company that's using privacy to their advantage. I've expected that to happen for a while, and it's nice to see it being presented in the media. It's also fascinating because privacy here seems to be an assertion without data. Where are the supporting facts that show American Express cares about privacy?
But most interesting (to me) is that I see American Express as horribly anti-privacy. I remember when they bought Connection Machines to do data mining on their customers. I recall being turned down by Amex for a card because my address (a mail service) didn't match their database of acceptable residential addresses. They wanted to see utility bills, or other things that told them where I really lived. Nah. So my perception of Amex is quite different.
I'm guessing that this is another instance of different meanings of privacy: That consumers believe that Amex doesn't sell data about their purchasing habits, where I'm concerned about what they collect, and the shadows of me that they confuse with the real me in making judgments. My data shadow wasn't crisp enough for them, and so they wouldn't loan me money. (It was decidedly crisp enough for others to extend credit on fine terms.)
(Via Chapell.)
In "The endgame on Iraq began a long time ago," Thomas Barnett writes some shocking things:
This is Musab al-Zarqawi's worst nightmare: the Americans safe behind their compound walls and everyday he's doing battle against Iraqis, or-more to the point-against Shiites increasingly backed by Iran, no friend to the global Salafi jihadist movement, being as it is exclusively Sunni in make-up. Meanwhile Kurdistan gets stronger and the 'failed state' scenario for Iraq is reduced to its irreducible one-fifth outcome: the 20% of the population that's Sunni live an existence you wouldn't wish upon your worst enemy.

How on earth is this Zarqawi's worst nightmare? Zarqawi will portray this as the US being unable to fight, unable to prevent chaos, and it's all because of his guys with improvised weapons. The US will be humbled, and al-Qaeda will have notched its second superpower.
And let's have pity for, and apologize to, that 20% of Iraqis, and think about, right or wrong, who they're going to blame. I think Zarqawi and company are to blame. I think the US had an obligation, after invading, to prevent the country from falling into civil war. George Bush knew that a civil war was likely. If only his son had listened to him. Continuing to quote Barnett:
Pretty it ain't, but realistic it was always. Bush's critics may crow about the 'failure' of 'Jeffersonian democracy,' but that asinine point won't be remembered by history. What will be remembered is that Saddam was taken down, the pretend state of Iraq returned to its constituent parts, and the Middle East was never the same again.

We got what we wanted in Iraq, and we triggered plenty of tumult and change in the region. Now that the endgame becomes obvious to critics and supporters alike, the real question we need to ask ourselves is, What do we seek to accomplish next in the region?

Accomplish next? What did we accomplish? Iraq has been ripped apart, our allies in Turkey are focused on the Kurdish state we built next door, and the Sunnis "live an existence you wouldn't wish upon your worst enemy." It's true that Iraq was the product of Imperial Britain drawing lines on a map, but that doesn't justify Imperial America coming in and ripping it apart.
Now, Barnett has an interesting theory of a common set of perspectives which he calls "the core." (Everything else is "the gap.") Part of his theory is that the core should "perturb" the gap, and that has always riled me. Now I know why. He has no goal. He's an imperialist, and, not liking the Baathist dictatorship, knocks it over, declares we've accomplished something, and thinks that more US meddling is a good idea?
Not, Who do we invade next? Or what do we seek to prevent? But what do we seek to accomplish? What better Middle East are we working toward?

Ummm, how about, and you know, just a thought...maybe we should have figured that out before "perturbing" things. Maybe we should fix what we broke before we go off and think "What better Middle East are we working toward?" Because with friends like this, I don't know that you need enemies.
Now, I do think that we need to be working towards a better Middle East. Except, following our stellar "wouldn't wish upon your worst enemy" performance, maybe we don't get to imagine that. Unfortunately, the people of the region really don't get to either. Their dictators and clerics do.
Raw, naked exercise of power is not going to win friends for anyone. Perturbation for its own sake, with "the Americans safe behind their compound walls," is going to become the core answer to "why do they hate us?" It may become because we perturb their lives for our own purposes.
In "GE Puffer Stinks of Dr. Strangelove," Kim Cameron writes about his experiences with the new explosive detection machines:
People, I really hated the GE product. It is tiny, and closes around you. I felt seriously claustrophobic. Then it shot bursts of air at me so hard it actually hurt.

I have a number of quick thoughts and questions:

I had been told there would be "puffs of air", but these were not, by any definition, puffs.
"Puffs" make me think of cigar smoke. Or "Puff the magic dragon". Puffs of wind. But these were hurricane strength blasts.
Meanwhile the machine barks orders like a concentration camp commandant. Where did they get the voice? It speaks in a chilling metallic imperative borrowed from a really bad science fiction movie. In fact it was barely believable that adults would unleash this contraption on anyone.
(Thanks to Gunnar Peterson for the pointer.)
It's that time of year again, when Congress decrees that you shift your clock back an hour to save minuscule amounts of energy. The fine folks of Arizona and Indiana have noticed that Congress doesn't really have the power to regulate time, and don't like playing along.
But if you think about it, time is an essential part of measurement. The official definition of a meter is "length of the path traveled by light in vacuum during a time interval of 1/299,792,458 of a second." Congress actually does have the power (Article 1, section 8) to establish standards of weights and measures. So, given that time is an essential part of how things are measured, and that measurements need to be in alignment with other parts of the solar system, it is actually proper for Congress to muck with the clocks occasionally. They should remember that the computer systems that track time may not be as clever as they would like to be, and be careful.
Anyway, I hope you all enjoyed an extra hour of sleep, and dreamt of a world in which Congress stopped to ask if time is a proper subject of regulation.
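As an added illustration of that caveat about computer systems (this is example code, not from the original post): the US rules written out as functions of the calendar, with a lookup that shows why a naive local timestamp is dangerous on transition nights and what happens when the rule changes out from under code that baked it in. The "us-2007" rule is the one the Energy Policy Act of 2005 put into effect in 2007; the offsets, rule names and sample times are constructed.

```python
"""US daylight-saving rules as fixed functions of the calendar.

Added example, not from the original post. It shows two things a timestamp
handler has to get right: a local wall-clock time can map to zero or two UTC
instants on transition days, and the mapping changes when Congress changes
the rule. Offsets, rule names and sample times are constructed.
"""
from datetime import date, datetime, time, timedelta, timezone


def nth_sunday(year: int, month: int, n: int) -> date:
    """The n-th Sunday of a month; n == -1 means the last Sunday."""
    if n > 0:
        first = date(year, month, 1)
        first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
        return first_sunday + timedelta(weeks=n - 1)
    next_month = date(year + (month == 12), month % 12 + 1, 1)
    last_day = next_month - timedelta(days=1)
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


# Each rule returns (first day of DST, last day of DST). Transitions happen at
# 02:00 local: clocks jump to 03:00 in spring and fall back to 01:00 in autumn.
RULES = {
    # Rule in force in 2005: first Sunday in April to last Sunday in October.
    "us-1987": lambda year: (nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)),
    # Energy Policy Act of 2005, effective 2007: second Sunday in March to
    # first Sunday in November.
    "us-2007": lambda year: (nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)),
}


def _dst_active(local_standard: datetime, rule: str) -> bool:
    """Is DST in effect at this instant, expressed in local *standard* time?
    DST ends at 02:00 daylight time, which is 01:00 standard time."""
    start, end = RULES[rule](local_standard.year)
    return datetime.combine(start, time(2)) <= local_standard < datetime.combine(end, time(1))


def utc_candidates(local: datetime, std_offset_hours: int, rule: str,
                   observes_dst: bool = True) -> list:
    """Every UTC instant a naive local wall-clock time could denote.
    Zero results: the time never happened (spring forward).
    Two results: the time happened twice (fall back)."""
    std = timedelta(hours=std_offset_hours)
    if not observes_dst:                       # e.g. Arizona: one fixed offset
        return [(local - std).replace(tzinfo=timezone.utc)]
    found = []
    for offset, want_dst in ((std, False), (std + timedelta(hours=1), True)):
        utc_naive = local - offset             # assume this offset...
        if _dst_active(utc_naive + std, rule) == want_dst:   # ...and check it is self-consistent
            found.append(utc_naive.replace(tzinfo=timezone.utc))
    return sorted(found)


def candidates_iso(local_iso: str, std_offset_hours: int, rule: str,
                   observes_dst: bool = True) -> list:
    """String-in, string-out wrapper, convenient for log lines."""
    local = datetime.fromisoformat(local_iso)
    return [c.isoformat() for c in utc_candidates(local, std_offset_hours, rule, observes_dst)]


if __name__ == "__main__":
    # Eastern (UTC-5) on the 2005 fall-back night: ambiguous, two answers.
    print(candidates_iso("2005-10-30T01:30", -5, "us-1987"))
    # Eastern on the 2005 spring-forward morning: that minute never existed.
    print(candidates_iso("2005-04-03T02:30", -5, "us-1987"))
    # Same local time, two rules: the answers are an hour apart.
    print(candidates_iso("2007-03-20T12:00", -5, "us-1987"),
          candidates_iso("2007-03-20T12:00", -5, "us-2007"))
    # Arizona (UTC-7) never shifts.
    print(candidates_iso("2005-10-30T01:30", -7, "us-1987", observes_dst=False))
```

The point for a log pipeline or a forensic timeline: a naive local timestamp on the fall-back night has two possible UTC values, and a system that compiled in the 2005 rule is an hour off for three weeks in March 2007 and a week in November. Record UTC with the offset, and keep the rule table data-driven rather than hard-coded.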
From the lovely and talented Glimpse of A Grrl.
Well, I don't know that for sure. But I am pretty sure that Porsche owners overall are healthier than those who don't own Porsches. Maybe you have to control for age.
Similarly, it seems that being a customer of certain companies apparently somehow causes less nastiness to befall one's computing infrastructure.
Jaquith handily, yet unwittingly, summarizes my opinion, and is more polite about it than I am inclined to be at the moment.
If Nick Weaver and Jose Nazario are writing about it, it's probably way over my head, or interesting, or both. I am happy to say this is in the second category.
Posted by Adam

It seems that most everything that one could say about the President of Iran calling for Israel to be wiped off the map has been said. Good articles include Daniel Drezner's "How crazy is Mahmoud Ahmadi-Nejad?" (about the strategy behind the statement), Hossein (Hoder) Derakhshan's "The fundamentalist minority" (about how Iranians feel about the US, and perhaps also Israel), or even an extended discussion of "The Video Game War," by Jim MacDonald.
To what Hoder says, I'll add that a great many Israelis remember leaving Iran, including Israel's president, Moshe Katsav, who was born in the same city as the former Iranian president Mohammad Khatami. (This detail is from the New York Times story, "Iran's President Says Israel Must Be 'Wiped Off the Map'.")
In light of all of that, I'd like to compare and contrast the United States to Iran. As I explained in "Critical Map of Alaska Disappears," when we wipe something off the map, we're talking about maps and wildlife refuges, not people.
This may be day 45 and mile 76,000 for me, but for the Client it is D-Day for an Important Event (often their year's #1 event, for God's sake); hence my exhaustion and accompanying short temper must be thrust aside ... and downright cheeriness and spirited engagement must become the invariant orders of the day. Besides, such cheeriness, even if feigned, cheers me up first and foremost!

(Via Paul Kedrosky's Infectious Greed.)
Before I start on the Star Wars part of today's Friday Star Wars Security blogging, I need to explain who Saltzer and Schroeder are, and why I keep referring to them. Back when I was a baby in diapers, Jerome Saltzer and Michael Schroeder wrote a paper, "The Protection of Information in Computer Systems." That paper has been referred to as one of the most cited, least read works in computer security history. And look! I'm citing it, never having read it.
If you want to read it, the PDF version (484k) may be a good choice for printing. The bit that everyone knows about is the eight principles of design that they put forth. And it is these that I'll illustrate using Star Wars. Because let's face it, illustrating statements like "This kind of arrangement is accomplished by providing, at the higher level, a list-oriented guard whose only purpose is to hand out temporary tickets which the lower level (ticket-oriented) guards will honor" using Star Wars is a tricky proposition. (I'd use the escape from the Millennium Falcon with Storm Trooper uniforms as tickets as a starting point, but it's a bit of a stretch.)
On to the principle:
Keep the design as simple and small as possible.This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential.
And so let's look at the energy shield which protects the new Death Star. It is, as Admiral Ackbar tells us, projected from a base on the nearby forest moon of Endor. And as you may recall, there were not only extra access paths which required reinforcement, but additional threats which hadn't been considered.
Firstly, why is it on the forest moon at all? Presuming that energy shields follow some sort of power-absorption law, the closer the shield is, the less power it will draw. But more importantly, being on the moon means that it is surrounded by forest, rather than cold, hard vacuum. The shield generator becomes harder to protect, meaning that additional protection mechanisms, each of which can fail, are needed.
Presumably, the Empire has power generation technology which drives the Death Star, and also the Star Destroyers. There's no need to rely on a ground-based station. The ideal placement for the energy shield is inside the Death Star, and traveling with it.
But instead, there's this bizarre and baroque arrangement. It probably comes from a fight between the Generals and the Admirals. The Generals wanted a bit of the construction process, and this was the bureaucratic bone thrown to them.
Expensive it was. mmm?
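To put the principle (the paper calls it economy of mechanism) into code rather than Endor logistics, here is an added example, mine and not from the paper or the post. Two authorization checks guard the same store. The baroque one has extra paths for convenience and backward compatibility that normal clients never exercise, and one of those paths is an unwanted access path that only an attacker, or a line-by-line reviewer, will ever walk. The ACL, store contents and names are all constructed.

```python
"""Economy of mechanism, in code rather than on Endor.

Added example, not from the paper or the post. Two authorization checks guard
the same store. The baroque one has extra paths (case tolerance, a legacy
default) that normal use never exercises; one of them is an unwanted access
path. The ACL, store contents and names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    resource: str
    action: str


# Constructed ACL: resource -> role -> allowed actions.
ACL = {"death-star-plans": {"admiral": {"read", "write"}, "general": {"read"}}}

# Constructed store. The store resolves names by trimming and lowercasing.
STORE = {"death-star-plans": "shield generator is on the forest moon"}

# "Legacy" default for resources the ACL does not know about: world-readable.
LEGACY_DEFAULT = {"*": {"read"}}


def canonical(name: str) -> str:
    """How the store resolves a resource name."""
    return name.strip().lower()


def can_access_baroque(req: Request) -> bool:
    """Path 1 is the only one normal clients hit; paths 2 and 3 exist for
    convenience and backward compatibility. Because normal use never reaches
    them, the mismatch between their name handling and canonical() is never
    noticed."""
    perms = ACL.get(req.resource)                  # path 1: exact name
    if perms is None:
        perms = ACL.get(req.resource.lower())      # path 2: tolerate mixed case
    if perms is None:
        perms = LEGACY_DEFAULT                     # path 3: unknown resource -> legacy default
    allowed = perms.get(req.role, perms.get("*", set()))
    return req.action in allowed


def can_access_simple(req: Request) -> bool:
    """One path: canonicalize exactly as the store does, then require an
    explicit grant. There is nothing to fall back to."""
    allowed = ACL.get(canonical(req.resource), {}).get(req.role, set())
    return req.action in allowed


def fetch(req: Request, check) -> str:
    """Guard, then resolve the name the way the store does."""
    if not check(req):
        raise PermissionError(f"{req.user} ({req.role}) may not {req.action} {req.resource!r}")
    return STORE[canonical(req.resource)]


def leaks(req: Request, check) -> bool:
    """True if the given check lets this request read from the store."""
    try:
        fetch(req, check)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    normal = Request("piett", "admiral", "death-star-plans", "read")
    # A trailing space: not in the ACL, so the baroque check falls through to
    # the legacy default, while the store still resolves it to the real resource.
    sneaky = Request("bothan", "contractor", "death-star-plans ", "read")
    for check in (can_access_baroque, can_access_simple):
        for req in (normal, sneaky):
            try:
                print(check.__name__, req.user, "->", fetch(req, check))
            except PermissionError as err:
                print(check.__name__, req.user, "-> denied:", err)
```

The baroque version is not wrong on any input a normal client sends, which is exactly the paper's point: the defect lives on a path that only review or an attacker will exercise, and the more such paths there are, the more of them review has to walk. The simple version has one path to audit, canonicalizes the same way the store does, and denies by default.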
The October 26 on-line edition of American Banker (gotta pay to see it, so no link from me) discusses new technologies as possible enablers of check forging, in an article by Daniel Wolfe, "The Tech Scene: Check Images A New Frontier For Forgery?"
The overall point is that since banks store check images and provide them to customers (thanks in part to Check 21), bad guys can also get their hands on them, increasing the chances of forgery.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that an online archive of check images can be a treasure trove for criminals - potentially more valuable than a checkbook or a few cancelled checks. Criminals can see a months-long spending history that could help them use forgeries to emulate a person's spending habits or estimate what check number a victim would be using at a specific time, she said.

Banks have underestimated the potential of digital images as a forgery tool, Ms. Litan said. Banks are more focused on preventing criminals from using online payment services, such as wire transfers and bill payments, to steal money from a customer's account.

"They just haven't realized that online criminals would resort to check forgery," she said. "Crooks come in to look at your imaged checks to see what your signature's like. They study the checks, and then they copy the checks."
Maybe I'm not sufficiently old-school, but I'm more concerned about identity theft being facilitated here. After all, these images often contain exactly the kind of identity-related info crooks want, such as driver's license numbers, since these are often added to the checks by merchants at the time of purchase. Something tells me that these images aren't all encrypted as stored, so from a bank's point of view there's also the reputational hit from having to send out breach notices.

For the last couple of weeks, peddlers have set up shop just outside Chicago's Union Station to sell White Sox paraphernalia. Once the Sox were in the Series, I noticed an interesting phenomenon.
Hats were selling for $10.00 after game two of the series. After game three, they were down to $5.00. After game 4 (the final game, thereby halving the Windy City's exposure to the terrorist threat), they were up to $20.00.
The jump to twenty bucks I understand, but what surprised me was the precipitous drop from $10.00 to $5.00 earlier in the week. Does this mean that the vendor expected a Sox loss, and the subsequent decline in the desirability of his merch? That's a mighty dismal view, for a guy whose team was up two games to none at the time.
Red Herring reports on a claim by Cybertrust that recovering from Zotob cost the average infected company $97,000.
Sounds moderately interesting, until you learn that the industry hardest hit, healthcare, had 74% of its respondents totally unaffected. For financial firms, 93% were totally unaffected. Overall, nearly 90% of firms had no impact. Nada.
Alternative headlines that aren't as spooky?
How about: "Hardest hit firms lose $25,000 to Zotob" or maybe "At $7K, typical finance firm's loss to Zotob barely noticeable". (That is just the $97,000 average among infected firms multiplied by the fraction actually hit: 26% of healthcare respondents gives about $25,000 per firm, and 7% of finance respondents gives about $7,000.)
Read Chris Beck's "CBC News: Flyers passing through U.S. have few rights, Arar judge told" for an analysis of how:

foreign citizens passing through American airports have almost no rights. At most, Mary Mason told a hearing in Brooklyn, N.Y., passengers would have the right not to be subjected to "gross physical abuse."

It occurs to me that when a senior US government lawyer says that, they are in direct contradiction to the US Constitution.
I remember when I was in Tel Aviv, a strike shut down the airport. Our travel agent found us tickets from Amman to London to Boston. It was only when we had the tickets in hand that we saw a stop in 'DAM.' It turns out DAM is Damascus, Syria. One of our party was Israeli. We joked that it would be no problem: they'd take him off the plane, torture him for a month, and then let him go. No problem. We changed the tickets, because we didn't want to deal with crazy Syrian officials while in a transit lounge.
It's quite sad that the US is treating people in a way that we feared Syria might. There's no moral justification for forcing someone to enter the US, then denying they're legally in the US, while denying them the protection of law against the actions of the government:
If passengers are deemed to be inadmissible, they have no constitutional rights even if later taken to an American prison. Mason told Judge David Trager that's because they are deemed to be still outside the U.S., from a legal point of view.

To put it another way, once you give up the rule of law, as Ms. Mason has, it becomes challenging to explain how the actions of the United States differ from those of a kidnapper.

"Someone who's inadmissible is in the same category as the people that the CIA snatches and grabs from other countries," said Barbara Olshansky, a lawyer for the U.S.-based Center for Constitutional Rights, which is suing a number of U.S. officials on Arar's behalf.
"You are fair game for however executive branch wants to treat you."
Mason said the interpretation means travellers can be detained without charge, denied the right to consult a lawyer, and even refused necessities such as food and sleep.
But beyond sad, this helps derail any hope we have left of being a positive force in the world. How can we tell the Iraqis that they should take our advice about how to build a society when we behave like this?
America's Finest News Source reports, "Trick-Or-Treaters To Be Subject To Random Bag Searches:"
"Individuals concealing their identities through clever disguise, and under cover of night, may attempt to use the unspecified threat of 'tricks' to extort 'treats' from unsuspecting victims," Chertoff said. "Such scare tactics may have been tolerated in the past, but they will not be allowed to continue this Halloween."

While he would not elaborate on the specific threat, Chertoff said his office had "heard a couple spooky tales," and indicated that there was good reason to believe that Americans face "a very ghoulish scenario" this October.