Monday, December 30, 2002

Pork Chop Express Public Service Announcement

Warning! Warning! Danger Will Robinson! Thanks to the Swedes, we are now all aware of the dangers of the CD-ROM drives in our new computers.

You see, it's all big businesses' fault. They haven't warned us that they are planting ticking time bombs, waiting to eject their payload, turning our home computers into a real-life version of Unreal Tournament's Ripper Weapon. More thanks to the Aussies for telling us about this threat. This should be headlines all across the country. How many of you have the new 48x Speed or higher CD-R or CD-RW drives? Not only are they spinning at lethal speeds, we probably need to be warned about the dangerous laser radiation that could leak out after a damaged disk bursts through the outer door of our CD drives and does horrific damage!

"You'll shoot your eye out, kid."

So, what do we do? As the article states: "'Shatter protection should be built into the drives, especially to protect the front door (of the disk drive),' he says. 'What happens now is that the door just breaks and comes flying, along with parts of the disk.'"

Hmmm....Duct tape? Naw. The discs of death would slice through that like a hot knife through butta.

I know, an aluminum computer case. We mount the CD drives behind the protective plating, and that will stop the shards from penetrating our soft flesh. After all, some countries make light tanks with aluminum armor, and if it's good enough for a tank, it's good enough for my computer. Opening and closing the drive might turn out to be a problem. Hmph.

Obviously, we all need to work together to solve this problem. In the meantime, I have found this software that will slow down your CD-Drives to a safe speed. In fact, if you read the page this software is on, it even quotes the Aussie article! Yes! Success! Notice the software interface is in all red to show you just how dangerous this is!

Someone call the government, we need regulations to keep CD-Speeds at 1x. If it saves even one life, or one finger cut, we need to enact this legislation now! Let's march on Washington! The Million Person Slow-CD March! Demand that manufacturers slow stuff down! Soon CPUs will be so fast and run so hot that you will have the next Chernobyl on your desktop! BEWARE!

I certainly hope this was a typo in the original article:

"Fortunately, most fast drives can sustain speeds required to fracture the discs, often because reading errors cause them to slow."

That doesn't make much sense, I'm certain they meant to say: "Fortunately, most drives can't sustain...." We might be safe for a bit.

Spread the word, warn the bunnies too!

Saturday, December 28, 2002

Federal Bureau of Information Technology

I came across an interesting article at talking about the FBI's Information Technology Endeavors.

Believe it or not, the FBI was/is one of the most technologically "backwards" of the larger well-funded bureaus in the federal government. One of the related articles describes the FBI's IT infrastructure like this:

"Trilogy would move the FBI 'an enormous step forward,' Schumer said. 'We need it today, not tomorrow. We needed it yesterday.' Schumer described FBI technology as 'dinosaur-era' and 'fossil technology.'"

I'm not a big fan of Charles Schumer, but with what I've been told about the FBI's technology I think he's being pretty accurate.

I know we all have visions from TV (X-Files in particular) and the movies of these large expansive complex all-reaching technologically advanced systems in the law-enforcement, intelligence, and military sections of the government. However, that is far from the actual reality. Most government systems are very 'hodge-podge' with multiple uncoordinated databases and overworked and/or incompetent administrators.

So why do these projects often fail, or take many more years to complete than they should?

One can only theorize, but I have my guesses:

1. The people working in the FBI's IT department are probably underpaid. Even with recent programs that are going to allow the pay scales to step outside the normal federal classifications in order to attract better people, you aren't getting the 'cream of the crop'. Filling out a Federal Application for Employment requires a degree in 'Bureaucracy'. I understand the need for thorough background checks, but have you looked at what you need to fill out? I've also heard that if you aren't an agent, you aren't treated very well at the FBI.

2. Most desirable IT people probably can't meet the stringent security requirements of the FBI. This is a Catch-22 for the bureau. You need people with pristine backgrounds working in an agency that has access to the type of information that is stored at the bureau. Unfortunately, many of the socially maladjusted in the IT industry (not ALL of you, just some) have done some pretty heavy experimentation with illegal substances, or tried their hand at 'Cracking' (malicious hacking), or other things that would probably get them on the black-list.

3. Over-administration. I have not found one governmental organization whose upper-level management wasn't filled with people who were either incompetent, micro-managers, over-analyzers, simply concerned with their own agendas and self-promotion, or some combination of those. Sure there are diamonds in the rough that will do the right thing, but they are usually surrounded by so much crap they can't help their people no matter how much they would like to. The lack of stability in management, as people move around to get promoted, makes a cohesive strategy difficult to implement. Management tends to 'over-meeting' and 'over-committee' IT people to death as well. They spend more time in meetings than getting things done, and often the outcomes of the meetings are very confusing, with no clarity on the direction that is to be taken. IT personnel also probably get conflicting orders on what priorities to set and what to do next. Things shift daily depending on the office political environment and who is on the 'hot-seat' at the time.

4. Purchasing. If you've ever worked in the government sector, you know what a pain it is to try to purchase something. It gets worse the bigger the government. Local is bad enough, state is worse, and federal is almost incomprehensible. There's a reason we used to have $700 hammers, and not all of it was greed on the part of the contractors. Often you request to purchase equipment, and by the time it is delivered it's obsolete. Or if you do get it quickly enough, you get it all at once and since you are already understaffed, you can't possibly get it configured and deployed in a decent amount of time.

5. "Management By Magazine". Some upper-level manager reads something cool in a tech-rag, and suddenly that becomes the mega-project of the day, or they have no idea how hard it would be to integrate the product into the current environment. Some slimy salespeople (again, some - not all) in the private sector pushing their vapor- or brokenware doesn't help either.

6. Resistance To Change. "We've always done it this way", or "We can't do that, it doesn't follow guidelines." or "We have to get these forms exactly as they are onto the system". All these are huge hurdles that IT personnel have to overcome to try to implement technology to help people do their own jobs more efficiently. Of course, many of the incompetent are making a good living in the government, and those persons can't have someone making their jobs easier - then they won't have anything to complain about or blame for not getting their work done, all while they take bathroom or smoke breaks every 15-minutes.

Of course, not all of this is unique to government. It occurs in the private sector as well, no matter the size of the organization. However, it is so entrenched in the government sector that it would be a Herculean task to get it changed. The person doing the changes would probably also be vilified and blamed for every small problem that happened along the way. Problems will crop up. They occur in all endeavors worth completing.

The problem is that everyone's looking to their next promotion or election and doesn't want to make anyone unhappy, so they have the impossible task of trying to make everyone happy. Therefore the cycle continues, and I don't know where or how it's going to be broken.

Monday, December 16, 2002

Social Engineering

I have had three opportunities to speak to different audiences on the topic of Social Engineering. The first was at a cybercrime conference here in Central Ohio that included several Law Enforcement personnel from Federal, State, and Local agencies. The next was for the Ohio State Bar Association on December 6th in Cleveland. I'll be repeating the OSBA seminar on the 18th here in Columbus. Social Engineering is the most effective method for intrusion into 'protected' networks. In fact, Security Professionals often make it easier for Social Engineers to succeed.

An article about Authentication Systems for computer networks points out the evolution of methods for assuring that the person requesting access to certain computer systems is who they say they are. The article mentions Smart Cards, Tokens, Biometrics, and Passwords, and says that the market is still immature. It is interesting that the last sentence of the article reads:

"When administrators do have a choice over which kinds of authentication to use, Rolfe suggests using a risk management approach, balancing the strength of the authentication solution against the costs and other drawbacks involved."

Yes that is the whole secret behind successful Information Technology Security implementation: Risk Management.

Social Engineers attempt to fool people into divulging information that will give them access to whatever system happens to be the target du jour. You would think that with all these different forms of protection (Smart Cards, Biometrics, etc) it would be very difficult.

It in fact makes it much easier.

Often, IT Professionals institute draconian security measures once they are unleashed and given the power to do so. Forcing password changes every 30 days, along with password complexity requirements so strict that one cannot hope to memorize them, causes people to write them down on big yellow post-it notes attached to their monitors. Hardly secure, eh? Easy enough for a Social Engineer who gets himself hired at an organization's cleaning company for a short stint.

Now any IT Security people reading this are ready to strangle me. Am I saying that users should be allowed to have one of the three most common passwords: "password", "secret", or "sex"?

No, of course not. There should be some password complexity, but not so terrible that it defeats its purpose in the first place. Sure, the mega-passwords aren't easily cracked with 'l0phtcrack' or 'John The Ripper', but they cause other more undesirable behavior on the part of the user. If you want to make users have passwords like: "O7-21IagtS,Afmv." at least train them to come up with a mnemonic like "On 7-21 I am going to Sydney, Australia for my vacation." And don't make them change them every 30 days. There, I said it.

Yes, yes, people who keep the same passwords for long periods of time are more likely to have given them to someone else, and/or have them used by hackers if they have been 'cracked'. But then again, if they were cracked and they are that complex, you've got bigger problems. Teach them to change them only whenever they think someone has guessed it, or maybe once per year. This way they might actually throw that post-it note away after a few months, and will try to comply with your requests that they will see as more reasonable. Remember, if your users don't think your requests are reasonable for what they perceive the situation, they won't comply or will try to get around your requirements.

How many password systems check to see if an entire department's users all have the same password? I've seen that at sites with overly complex password requirements. Think about it before you institute your policies.
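One way to do that check at password-change time, as an added example that is not part of the original post. It assumes PBKDF2 storage with a per-user salt (so stored digests can't be compared to each other and the candidate must be re-derived under each colleague's salt); the department directory and passwords below are constructed sample data:

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass

# PBKDF2 work factor: an assumed value for this example, tune it for your hardware.
ITERATIONS = 60_000


@dataclass(frozen=True)
class Record:
    user: str
    department: str
    salt: bytes      # random per user, so equal passwords give different digests
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(user: str, department: str, password: str) -> Record:
    salt = os.urandom(16)
    return Record(user, department, salt, derive(password, salt))


def users_sharing(candidate: str, new_user: str, department: str,
                  records: list[Record]) -> list[str]:
    """Other accounts in `department` whose stored password equals `candidate`."""
    # Salted digests cannot be compared with each other, so the candidate is
    # re-derived under each colleague's salt: one PBKDF2 call per colleague.
    hits = []
    for rec in records:
        if rec.department != department or rec.user == new_user:
            continue
        if hmac.compare_digest(derive(candidate, rec.salt), rec.digest):
            hits.append(rec.user)
    return sorted(hits)


def accept_new_password(candidate: str, new_user: str, department: str,
                        records: list[Record]) -> tuple[bool, str]:
    """Gate a password change; the returned message is safe to show the user."""
    shared = users_sharing(candidate, new_user, department, records)
    if shared:
        # Record the colliding accounts for the administrator, but tell the user
        # only that the password is taken: naming colleagues would leak who shares it.
        print(f"audit: {new_user} chose a password already used by {', '.join(shared)}")
        return False, "That password is already in use elsewhere in your department."
    return True, "Password accepted."


# Constructed sample directory: three accounts-payable users settled on the same
# "complex" password after a forced rotation, the behaviour the post describes.
RECORDS = [
    enroll("alice", "accounts-payable", "W1nter-2002!Ohio"),
    enroll("bob", "accounts-payable", "W1nter-2002!Ohio"),
    enroll("carol", "accounts-payable", "W1nter-2002!Ohio"),
    enroll("dave", "accounts-payable", "O7-21IagtS,Afmv."),
    enroll("erin", "legal", "W1nter-2002!Ohio"),
]

if __name__ == "__main__":
    print(accept_new_password("W1nter-2002!Ohio", "frank", "accounts-payable", RECORDS))
```

The same loop run over the whole directory once, rather than at change time, gives the audit the post asks about; the cost is one PBKDF2 per colleague per check, which is why the check is scoped to a department.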

This relates directly to Social Engineering in that where such draconian (I'm going to try to use that term 10 more times) security measures exist, most users have had login problems at some point. Those problems have probably been very frustrating, and most IT departments I know of treat 'forgotten password' callers like scum, often deriding them or speaking to them very condescendingly. Therefore it is not unusual for a "fellow employee" [nudge, nudge, wink, wink] to call another for help, maybe even asking them for their password so that they can get a quick memo typed up, or to leave a help-desk request e-mail. Tokens, Smart Cards, and the like only add to potential confusion. However, if implemented with proper training and forethought these added measures can be effective. Just try not to layer security too deep for the normal user, for you'll end up doing more damage to your security than good.

Sometimes even the IT departments are victims of these draconian methods (9 to go...just kidding, I'll stop now).

Unfortunately on the flip side, many don't have any sort of security at all other than a Firewall at the border. I (and others) call that the "Castle-Wall" mentality of security. No protection for the soft interior, or spies who might be invited in. "Security through obscurity" doesn't work either. This is the mentality of "No one knows we are here" security, or "we're too small" to be bothered with. With identity theft being epidemic, even computers at home can be a treasure trove for identity theft criminals.

So be wary, and be careful. Be just this side of paranoid.

Remember, it's "Risk Management".

Author's Note: When I first wrote this article and tried to post it, I received a "Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC SQL Server Driver][SQL Server]Could not allocate space for object 'Items' in database 'blogger' because the 'PRIMARY' filegroup is full. /blog_form-action.pyra, line 54" error. Maybe I need to shorten my articles a bit.

Sunday, December 15, 2002

Nemesis of Itself

If you are looking for the non spoiler review, see the post below this one.

I found a review of Nemesis that pretty much describes how I feel about the movie (other than the author hates Brent Spiner/Data - which I don't).

You can find it at Filmjerk. Be forewarned, it pretty much reveals the details of the whole movie.

Saturday, December 14, 2002

Archenemy of ?

Just got back from seeing Star Trek Nemesis on opening night. No spoiler here. Just overall opinion on the movie.

First off, I'm a big Star Trek fan. I hate the word "Trekkie" or "Trekker", so I refuse to use them. Though the freak show was present at the movie theatre. However, that never detracts from my enjoyment of the movies. I usually go into a movie with extremely low expectations, so I am never disappointed.

I made the mistake of going into this one with higher-than-average expectations.

Big mistake.

How would I describe it?

How can a movie have so much action in some spots yet the whole movie seemed to crawl along?

How could they write a plot with holes so large you could drive an AIRCRAFT CARRIER through them?

How could they write a story that steals so many ideas from prior Star Trek movies? Not an original thought in this one at all.

And how could the Technology seem to go BACKWARDS rather than have advanced in this movie?


Wait for the matinee.

Saturday, December 07, 2002

What Men Will Do For Pr0n

For the uninitiated, 'pr0n' is "leet" for Porn. Yes, I know it's obvious, but someone would ask.

These articles are old, but interesting.

First guy breaks into a convenience store to steal some adult magazines. First off, the whole thing is on tape, as the store has cameras. He grabs 5 magazines and then tries to break the glass in the door to get out. Only he can't break the window. So he has to climb out through the roof. Worst thing about it all is that all he had to do was unlock the door. It wasn't a key-lock on the inside, simply a standard switch lock. He must have been staring at the mags the whole time.

The next case is a burglar who breaks into houses to use the computer for porn.

What? His library card expired? Or maybe sitting in your birthday suit amongst the Dewey Decimal system cards wouldn't work out too well. I can't imagine committing a felony to just surf pr0n. Especially the stuff on the web, which if it's any good, you have to pay for. (If you know of some free sites that are good, send links my way - I'll rate them for you.)

This guy rammed his car into granny's house, and then took his clothes off and tried to break in, naked. Granny must have had some real good porn in there. Of course, it was reported that he said he was going to kill someone. Granny probably threw out his complete Hustler magazine collection.

OK - this has nothing to do with pr0n, but could probably be a good story-line for a new adult film. Only instead of the guy stabbing her in the leg with an object hanging from the rearview mirror, he could stab her in the you know with something that was hanging from his...oh nevermind. You don't need a roadmap. Maybe the guy's wife did though, one with a low-hanging bridge. (Pun intended)

OK - I used to be a Police Officer. But I don't think that I'd admit chasing a nude man and then losing him. That one would be conveniently forgotten.

Does this make any sense to you at all? You arrest a sicko-creep for having Child Porn on his computer, and you place him under house arrest when he lives across the street from a school? Utterly astounding.

And couldn't these politicians wait until they got back home? Or at least to their own offices? I know politics is boring...but.

Maybe they were just big Bill Clinton fans, and they figured if he can get a hummer while working, they wouldn't get in trouble for a little pr0n surfing.

Friday, December 06, 2002

Choosing PCs Based On Appearance

Now we're told that we are more apt to buy a computer based on its looks rather than what's inside.

Geeze, now we buy computers for the same reason that "swing" voters choose politicians? Looks?

Actually, I would like a cool looking case for my computer as well.

An LCD Panel Monitor too. I already have some cool mice. I'd need to find some sort of designer keyboard.

What I found interesting about the article was that it said that PDA sales were to "young men" before the sleek-style Palm V came out. This allowed the market to expand to non-young-men. Old Men? Old Women? I think they just meant women in general. How chauvinistic of them to say that women buy stuff only if it's pretty.

Are There Really People Like This?

The 9th U.S. Circuit Court in San Francisco decided that individuals can't own firearms. They say the 2nd Amendment is for militias only.

Not surprising out of this court.

Let's declare all U.S. Citizens a militia, and be done with it once and for all.

Tuesday, December 03, 2002

Tesla's Legacy

Nikola Tesla was one of the most influential inventors/scientists on modern-day life. His genius is not nearly as well known as Alexander Graham Bell's and Thomas Edison's; however, I think that his genius and knowledge far surpassed those two combined.

He viewed a world full of flying machines and electrical devices that were fueled by "broadcast power". Yes, power sent through the air and into whatever device needed it.

Wireless Power is now a reality. Researchers have devised the first devices to use a very limited broadcast method compared to Tesla's World Grid.

I can't wait to see what happens in the next 20 years.

Low-Carb Redux

I frequent a Quake 3 gaming forum, which has evolved from a place to game to a community of people.

We had been having a discussion on low-carb diets when one of the people who had very occasionally posted there, and who is a physician, raised some concerns. I spent a lot of time crafting a response to his concerns. Rather than repeating them here, I leave it to you to look if you are interested. (The link takes you to page 3 of the thread.)